Data Order Processing Agreement

1. Scope and Subject Matter of the Contract

1.1 TATVIC ANALYTICS PRIVATE LIMITED, 4th Floor Office No 402 -403, Campus Corner-II, 100FT Road, Prahladnagar, Ahmedabad- 380015, Gujarat and/or its affiliates (hereinafter called “Reselling Partner”) provides all services to their Clients in connection with the Usercentrics services on the basis of these General Terms & Conditions (hereinafter referred to as “GTC”), unless otherwise regulated in the respective contract. “Clients” within the meaning of these GTC are companies, legal entities under public law and special funds under public law.

1.2 Reselling Partner is a reselling Partner as part of the Partner Program of Usercentrics GmbH, Sendlinger Strasse 7, 80331 Munich (hereinafter “Usercentrics”). Reselling Partner is granted licenses by Usercentrics to the Usercentrics services. These licenses are granted by Reselling Partner to the Clients on the basis of these GTC and the conditions of the offer. The exclusive contractual partner of the Client is Reselling Partner.

1.3 These GTC apply to Usercentrics services. The Usercentrics services within the meaning of these GTC include provided software and provided Usercentrics-codes for integration into clients’ domains/apps.

2. Conclusion, Duration and Termination of Contract

2.1 The contract is concluded upon signature of both parties. Insofar as Reselling Partner has not yet been granted by Usercentrics the necessary rights for the provision of the Usercentrics services to the Client at the time of signing, the contract between the Client and Reselling Partner does not come into effect until Usercentrics also countersigns the offer made to the new Client by the Reselling Partner and thus confirms the granting of rights to the Reselling Partner.

2.2 The term of the contract and, accordingly, the billing shall begin upon the date defined in the Order Form as the Effective Date.

2.3 This Agreement shall commence on the Effective Date and shall remain in effect for an initial period of twelve (12) months unless a longer term has been contractually agreed on (“Regular Contract Term”); thereafter, this Agreement shall be extended for one or more additional periods of 12 months each (a “Renewal Term”), unless either party notifies the other party thirty (30) days prior to the expiration of the then-current term that it does not wish to renew this Agreement. The termination does not require any justification and must be declared in writing to the other party. (Each Regular Contract Term and Renewal Term is referred to herein as the “Term”).

2.4 Reselling Partner shall be entitled to forthwith terminate this Agreement in case of failure of the Client to make timely payment. 

2.5 Reselling Partner is entitled to irrevocably delete all data stored during the period of the Agreement after the Agreement has ended. At the request of the Client, data can be exported in accordance with the specifications of Reselling Partner. In this case, the Client is responsible for saving his data on his local system in good time. Insofar as this concerns personal data, the provisions of the Data Processing Agreement (DPA) take precedence.

2.6 Upon termination of the contract, the Client is obligated to delete without request all reproductions of the provided software and the Usercentrics code. If the Usercentrics-code is not or not completely removed from the Client’s domains/apps immediately after the end of the contract, Usercentrics is entitled to demand the fee agreed between Reselling Partner and the Client for the duration and until the Usercentrics-code is completely removed from the Client’s domains/apps. The removal of the Usercentrics code is to be regarded as incomplete if, among other things, data is still transmitted from the Client’s domains/apps to the Usercentrics servers.

2.7 In the event of termination of this Agreement, the contractual relationship between the Client and the Reselling Partner will either be taken over by Usercentrics at the request of the Client at Usercentrics’ discretion or Usercentrics will make the Client an offer to conclude a new Agreement for the Usercentrics services.

3. Prices and Term of Payment

3.1 The prices for the services used by the Client are determined by the signed Order Form. 

3.2 The calculation of the base fee to be paid by the Client results from the Order Form or completed online Order Form. The basis of the calculation of the base fee is the total number of sessions per year for the Client’s domains and the monthly average DAU (daily active users) for apps, as described in the Order Form. At the time the contract is concluded, the expected number of sessions/DAU is estimated. The Client shall provide Usercentrics with the information necessary for calculating the base fee. Usercentrics reserves the right to check the Client’s information on the sessions/DAU and, in the event of deviations, to use the measured sessions/DAU as the basis for calculating the base fee. The verification shall be carried out by counting the sessions/DAU by querying the Settings ID. The resulting base fee, for the entire contract term, is payable in advance. Payment for the invoice shall be made by the Client before the Effective Date.

Usercentrics reserves the right to change the Client to the corresponding higher package if the sessions/DAU on the domains/apps specified at the beginning of the contract are exceeded by at least 10% during three consecutive months. The resulting price difference compared to the original Order Form shall be invoiced by Reselling Partner for the remaining contract term. Payment must be made within 7 days of the invoice date.

3.3 Invoicing shall be done for the entire contract term in advance. Invoices for managed services are sent after service has been provided. Reselling Partner is entitled to send the invoice in the form of an email. 

3.4 Late payment fees shall be charged at a rate of 3% p.m. compounded monthly. The right to claim higher damages for late payment remains reserved.

3.5 Clients may only set off counterclaims that are undisputed or that have been recognized by a court.

3.6 A change to a package offered by Usercentrics with a higher annual fee is possible at any time. The desired change must be indicated informally and requires confirmation by Usercentrics in order to be effective. The tariff change is binding and is considered to be a new contract under the terms and conditions applicable to the chosen tariff. With the change to another tariff, a new Regular Contract Term for the use of the Usercentrics software begins. Unused usage fees of the old contract are counted against the fees of the new contract.

3.7 The fee for each Renewal Term shall increase by seven percent (7%) above the Base Fee applicable in the immediately preceding Term. The change of the price occurs regardless of the change to a higher package.

3.8 All indirect taxes as may be applicable from time to time (e.g. goods and services tax (GST)) will be invoiced to the Client in addition to the agreed Fees. The Client shall be responsible for the payment of all taxes and agrees to pay the Reselling Partner for the Services without any reduction in taxes, save and except any deduction of Tax Deducted At Source (TDS) applicable under the Income-Tax Act, and no other deductions shall be made from the Fees payable to Reselling Partner. Any additional amount deducted by the Client from the Fees shall be reimbursed by the Client to the Reselling Partner within 7 (seven) days from the end of the respective month or the Client shall be liable to indemnify the Reselling Partner. The Client shall provide the TDS Certificates to the Reselling Partner within 7 (seven) days of the expiry of the statutory limitation period for depositing the TDS with the income tax authorities.

3.9 If the Client is required by law to withhold any taxes from Client’s payments to the Reselling Partner, the Client must intimate the Reselling Partner in advance and provide the Reselling Partner with an official tax receipt/certificate or other appropriate documentation to support the reduction in payments.

4. Warranty

4.1 The nature of the Usercentrics services is conclusively regulated in the contract and the documentation of the Usercentrics services. A material defect exists only if the Usercentrics Services deviate significantly from the documentation or from the contractually agreed quality. A further quality agreement requires explicit written confirmation. A particular quality cannot be derived from advertising materials or public statements if the specific content has not been expressly confirmed in writing by Usercentrics. The assumption of a guarantee is only valid if Usercentrics explicitly confirms it in writing.

4.2 Insofar as the Client can assert claims for defects against Usercentrics, regarding Usercentrics’ services, throughout the course of providing a paid service (such as defects in the software or Usercentrics-code provided), the defects shall be eliminated by Usercentrics, at Usercentrics’ option. This shall be undertaken either by providing a modified version of the software or the Usercentrics-code (e.g. an update) or by providing the Client with reasonable instructions for a workaround, provided that this does not unreasonably impair the usability of the Usercentrics Services.

4.3 In the case of a free service provision (Free Trial and Package “Free”) Usercentrics is not obliged to rectify defects.

4.4 Warranty claims of the Client are limited to one year.

5. Client’s Obligations to Cooperate 

5.1 The Client receives authentication tokens that identify and authorize them to access the APIs and other relevant components of the Usercentrics instance, such as data storage or user interfaces. It is the Client’s responsibility to ensure that such authentication information is kept secure and not to allow access to unauthorized third parties. The Client provides Usercentrics with a list of the IP addresses authorized to access the APIs and keeps Usercentrics up to date on all changes relevant to the authorized IP addresses. The Client will be granted access to the latest documentation on the API endpoints, which will be made available to the Client for interaction with the service. The documentation can be made available in various formats, in particular via an online website with authentication mechanisms from Usercentrics and / or third parties.

5.2 The Client must inform themselves about the essential functional features of the Usercentrics services and their technical requirements (e.g. with regard to hardware requirements, the operating system, databases, interfaces). It is further the Client’s responsibility to seek advice on questions of doubt from Usercentrics employees or expert third parties before concluding the Agreement. The Client has to ensure the technical requirements necessary for a faultless integration of the Usercentrics services in their domains/apps.

5.3 The Client is solely responsible for checking whether the contractually agreed Usercentrics services meet the legal requirements that apply to the Client. In particular, it is solely the Client’s responsibility to choose a configuration of the Usercentrics services which complies with applicable data protection regulations. 

5.4 The Client grants Reselling Partner and Usercentrics the right to use the Client’s name and logo as a reference for its own advertising purposes for the duration of the contract.

6. Grant of Rights

6.1 The Client may only use the Usercentrics services if this is necessary for the contractual use. Reselling Partner grants the Client a simple, non-transferable right to deploy the Usercentrics services that is limited in time to the period of the Agreement. All copyrights and other intellectual or industrial property rights and exclusive rights to services that are developed or made available in accordance with the contract, in particular to software, databases or know-how, remain with Usercentrics or its licensors.

6.2 The Client is not permitted to change the Usercentrics software or Usercentrics codes provided by Reselling Partner or to manipulate them in any other way. Nor is the Client permitted to change or remove labels, copyright notices and non-disclosure notices in software or other materials provided by Usercentrics. Legally mandatory rights of the Client according to §§ 69d f. of the German Copyright Law shall remain unaffected.

6.3 Reselling Partner may assume that the Client has all necessary rights of use to all software installed or operated by him that interacts with the Usercentrics services.

6.4 The Client grants Usercentrics the right, under the conditions regulated in this Section, to create anonymous analyses from compiled data which originates (in part) from Clients and from information resulting from the use of the Usercentrics solution by the Client (“Analysis”). The data is anonymized and compiled for the analysis so that it cannot be traced back to individual companies or natural persons. The analysis data is used for product improvement, development of new products and services, resource and support improvement, improvements in product performance, verification of security and data integrity, identification of industry trends and developments, creation of indices and anonymous benchmarking.

7. Data protection and Confidentiality 

7.1 For the processing of personal data on behalf of the Client, the parties conclude a separate Data Processing Agreement (DPA). In the event of contradictions, their regulations precede these General Terms and Conditions.

7.2 Each party protects the confidential information of the other party from use or access by unauthorized individuals with reasonable care.

7.2.1 “Confidential Information” means (i) any information exchanged between the parties in the context of or in connection with this Agreement, either expressly marked in writing as “confidential” or in a similar manner, (ii) oral information expressly designated by the issuing party as confidential, and (iii) regardless of the above provisions, any information from which it is clear that it needs to be kept confidential.

7.2.2 The obligation of confidentiality does not apply to information that is already generally known at the time of conclusion of the contract or which subsequently becomes known, verifiably without breach of the contractual obligations. The obligation of confidentiality also does not apply to confidential information to the extent that the disclosing party can prove that it (i) has obtained or received it lawfully from third parties; (ii) must pass it on to third parties legitimately engaged for the provision of contractual services to the other party; (iii) must disclose it by law or by decision of a court or an order of an authority; or (iv) discloses it to professionally bound advisors and lawyers.

7.2.3 In the event that one of the parties has reason to believe that there has been an unauthorized loss, access or disclosure of the other party’s confidential information, it shall notify the other party without delay.

7.3 Nothing herein shall limit Usercentrics from disclosing the terms of this contract to potential financing sources, security holders, strategic partners and advisors.

8. Right of Modifications 

8.1 The Usercentrics services are state-of-the-art and are designed in such a way that they are geared to the interests of all Clients of the Usercentrics services. Usercentrics is entitled to adapt and change the range of Usercentrics services in line with technical progress. Usercentrics is not required to ensure backward compatibility with third-party software that is not up-to-date, and / or interoperability with third-party software, unless such interoperability is expressly agreed as a quality between Reselling Partner and the Client. Reselling Partner will announce significant technical changes as far as possible and reasonable in advance. If a technical change in this sense represents an unacceptable change for the Client, the Client shall have a special right of termination.

8.2 Changes to these GTC will be offered by Usercentrics in text form no later than two months before their proposed effective date. The contracting party shall be considered to have given its consent if it has not notified its rejection before the proposed effective date of the amendments. Usercentrics will specifically draw the Client’s attention to this consent requirement.

9. Liability

9.1 Reselling Partner is only liable in the event of negligent breach of an essential contractual obligation, i.e. a duty that is essential for achieving the purpose of the Agreement (cardinal duty). In the latter case, the liability of Reselling Partner remains limited to the amount of damage that is foreseeable and typical according to the nature of the subject of the Agreement.

9.3 In the case of liability in accordance with Section 9.1, liability is limited to the amount of one month’s fees paid by the Client to the Reselling Partner.

9.4 Insofar as the liability of Reselling Partner is excluded or limited, this also applies to the personal liability of employees, other staff, organs, representatives and vicarious agents of Usercentrics.

9.5 In the event of liability due to willful intent, gross negligence, personal injury or under Product Liability Law, the statutory limitation periods apply. Otherwise, a limitation period of one year applies to all claims for damages or reimbursement of wasted expenditure by the Client in the case of contractual and non-contractual liability. The limitation period begins in accordance with the statutory provisions. However, it begins no later than 5 years after the claim arises.

10. Miscellaneous

10.1 Reselling Partner is entitled to use subcontractors in whole or in part for the services owed. Any deviating regulations of a separate Data Processing Agreement (DPA) remain unaffected.

10.2 The contractual relationship existing between the contracting parties is exclusively subject to the law of India. The exclusive place of jurisdiction for all disputes arising from and/or in connection with the contract is, to the extent permitted by law, the registered office of the Reselling Partner.

10.3 Amendments and additions to the contract as well as all declarations of intent and declarations for the exercise of design rights, in particular terminations, reminders or setting deadlines, must be in writing, unless another form in the contract is expressly provided for. This also applies to the renunciation of the written form requirement.

10.4 The Client shall have the right to convince themselves of the Contractor’s compliance with this Agreement in its business operations by means of spot checks, which must normally be notified in good time. The Contractor undertakes to provide the Client, on request, with the necessary information to maintain their commitment to order control and to provide the relevant evidence.

11. Erasure of data and return of data media

At the discretion and request of the Client – at the latest upon termination of the Agreement – the Contractor shall hand over to the Client all documents, processing and usage results and data stocks that have come into their possession in connection with the contractual relationship, or destroy them in accordance with data protection laws after prior consent. The same applies to test and scrap material. Deletion logs must be presented upon request.

The Contractor is obliged to retain documents which serve as proof of the proper processing of the data in accordance with the order and with the statutory retention periods, even beyond the termination of this Agreement. The Contractor can hand them over to the Client for their convenience at the end of the Agreement.

12. Liability

The internal liability of the parties ensuing from this Agreement is based on the liability provisions in the Contractor’s GTC, unless otherwise stated in the Description of Services, in the offer or in a separate Agreement between the parties. The statutory provisions pursuant to Art. 82 GDPR shall apply to third-party liability.

Annex 1 – Technical and organizational measures / security concept of Usercentrics

Technical and organizational measures (TOM)

within the meaning of Art. 28 para. 3 lit. c and Art. 32 GDPR

Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany (hereinafter “Usercentrics”) processes personal data on behalf of its customers. Usercentrics is aware of its responsibility as a processor. Accordingly, technical and organizational measures have been taken to significantly reduce risks and potential hazards that arise in connection with the processing of personal data. How a level of security and data protection that complies with the GDPR is achieved can be found in the following technical and organizational measures. These are deemed to be agreed upon with the controller.

Table of contents

  1. Measures to ensure confidentiality (Art. 32 para. 1 lit. b GDPR)
  2. Measures to ensure integrity (Art. 32 para. 1 lit. b GDPR)
  3. Measures to ensure resilience & availability (Art. 32 para. 1 lit. b GDPR)
  4. Measures to restore availability (Art. 32 para. 1 lit. c GDPR)
  5. Measures for the pseudonymization of personal data (Art. 32 para. 1 lit. a GDPR)
  6. Procedures for the regular review, assessment and evaluation of the effectiveness of the technical and organizational measures (Art. 32 para. 1 lit. d GDPR)

1. Ensuring confidentiality (Art. 32 para. 1 lit. b GDPR)

Usercentrics takes measures to implement the requirement of confidentiality. This includes, among other things, measures for physical access, electronic access control and internal access control. The technical and organizational measures taken in this context are intended to ensure appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.

Physical Access control

  • Where personal data is the subject of processing, it is stored in systems that are secure (e.g. ISO/IEC 27001/27017/27018/27701). 
  • Access to Google Cloud infrastructure – more information on measures can be found here: https://cloud.google.com/security
  • All systems and devices are updated at regular intervals (software update).
  • All systems are regularly checked for vulnerabilities.
  • There is no critical IT infrastructure (server systems) on the premises of Usercentrics. Nevertheless, physical access to office space is protected with security measures to the greatest possible extent. These include: 
    • Access to the office is only possible for employees and service providers (e.g. cleaning service) with personalized door transponders/locking cylinders and logged key/transponder issue/return.
    • The use of surveillance cameras (inside – e.g. entrance area).
    • Visitors must ring the bell, register in person, identify themselves and are not allowed to move freely around the premises.

Electronic Access control

  • Access to personal data is restricted to a limited group of employees, requires their designated login credentials (user ID and password) and access is only via encrypted means (HTTPS, TLS/SSL).
  • Group accounts / system logins only for specific applications.
  • Separate user IDs for privileged authorizations.
  • User IDs are deactivated/deleted immediately when employees leave the company.
  • Passwords are not stored in clear text or transmitted unencrypted.
  • For user authentication, password requirements are: 8-12 characters long; 3-4 character types are to be used; upper & lower case; no common terms; the password is to be changed immediately if there is a reason/indication of misuse; temporary passwords are to be updated immediately after account activation by the user.
  • Two-factor authentication is used wherever possible.
  • Session management.
  • Internal IT security policies.
  • Automatic locking of clients (e.g. employee workstations) after a defined period of time without user activity (also password-protected screen saver or automatic pause).

Internal Access control

  • Access is in accordance with an authorization concept and crypto concept.
  • Use of a user and user group management system and access rights management.
  • SSH is deactivated wherever possible.
  • Graduated authorizations are assigned depending on the employee’s area of activity. The minimum principle is always applied here.

Further measures

  • Strict separation control: If there are different purposes, data is not processed together. Here, a client separation (logical or physical) / function separation is supported.
  • Each system in its respective stage is operated on its own server for its respective function (separation of development, test and production systems, separation of functions).
  • If the respective purpose for data processing ceases to exist, the data is deleted. This is done in accordance with the deletion concept.
  • The encryption of data-at-rest is done via AES-256 with different keys per data segment. Data-in-transit is encrypted using TLS 1.3.

2. Ensuring integrity (Art. 32 para. 1 lit. b GDPR)

Measures are taken that serve the requirement of integrity. This includes, among other things, measures to control input, but also those that generally contribute to protection against unauthorized or unlawful processing, destruction or unintentional damage.

Transfer control

Measures to ensure that personal data cannot be read, copied, altered or removed by unauthorized persons during electronic transmission or while being transported or stored on data media, and that it is possible to verify and establish to which bodies personal data is intended to be transmitted by data transmission equipment:

  • The transmission of data (e.g. emails) is encrypted.
  • Data encryption is always used when data is transported to devices. This regulation applies, for example, to the work computers used by our employees, as well as external hard drives or USB sticks. Internal encryption requirements also apply to memory cards and CDs/DVD-ROMs.
  • Only secure wireless networks (WLAN) are used, all of which are encrypted with WPA2.
  • If necessary, VPN technology is used.
  • If data carriers, data and printouts are no longer used, they are securely deleted or destroyed. This ensures to the greatest possible extent that data cannot be recovered.
  • If necessary, the data transfer is logged.

Input control

Measures to ensure that it is possible to check and establish retroactively whether, at what time and by whom personal data have been entered, changed or removed in data processing systems:

  • High standards in the legally compliant drafting of contracts for the processing of personal data with subcontractors, which contain provisions of control options.
  • Use of logging and log evaluation systems to document user input. If adjustments are made to systems that process personal data, this is recorded and kept as required (e.g. in the form of log files).
  • The logic of data input and output is checked (checking file paths, etc.).
  • Obtain information from service providers regarding the measures taken to implement data protection requirements.
  • Verbal instructions are confirmed in writing.

3. Ensuring availability (Art. 32 para. 1 lit. b GDPR)

Measures to ensure that personal data are protected against accidental destruction or loss.

Specific measures for our production environment (Consent Management Platform) & related systems

Usercentrics does not operate its own server resources in its own data centres. Where processing is carried out by subcontractors, the following measures, among others, apply, before and during data processing:

  • Monitoring/supervision of system activities by our employees.
  • Our productive environment is backed up at regular intervals or data mirroring procedures are used.
  • Hardware (especially servers) is decommissioned after a check of the data carriers used in it and, if necessary, after the relevant data records have been backed up.
  • The systems are protected by an uninterruptible power supply (UPS).
  • A multi-layer virus protection and firewall architecture is used.
  • The data centres used have fire/water and temperature early warning systems in the server rooms as well as fire doors.
  • Data files collected for different purposes are stored separately.
  • Regular patch management.
  • Load balancing.
  • Data storage is added as part of dynamic processes.
  • Penetration and load tests are carried out regularly.
  • The load limit for each data processing system is set above the necessary minimum in advance of data processing.
  • Regular training of the personnel deployed.

For the production system (CMP) and related systems, Google Cloud resources (Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043 USA) are used.

A distinction is made between the following resource categories: static hosting, APIs and databases.

Statically hosted resources are stored on servers within the member states of the EU (excluding Zurich and London) and are provided by a global CDN network cache with an availability of at least 99.95% (https://cloud.google.com/cdn/sla).

APIs or dynamically hosted resources are hosted on servers within EU member states, primarily Frankfurt and Belgium. For some resources, a global CDN network cache is in use.

Databases are hosted on servers within EU member states, primarily Frankfurt and Belgium. 

Further information can be found at:

https://cloud.google.com/terms/data-processing-terms#appendix-2-security-measures

Further measures

If companies are commissioned with the processing of personal data, this is always subject to the condition of an existing order processing contract that complies with the requirements of Article 28 of the GDPR. Corresponding sample contracts are provided for this purpose. These also ensure that Usercentrics is informed of possible threats to availability at an early stage.

  • Use of virus software on employee computers.
  • The storage of data on employee computers is reduced as much as possible. Data is stored on secure cloud systems. 
  • Standard software used is subject to a preliminary check and may only be obtained from limited secure sources.
  • The internal office IT is protected by an uninterruptible power supply (UPS) in the routing room.
  • Emergency plans with concrete instructions for action have been established for security and data protection breaches.

4. Ensuring recoverability (Art. 32 para. 1 lit. b GDPR)

In the event of a physical or technical incident, measures are in place to ensure rapid availability and, as part of a plan of action, go beyond mere data backup. In order to be able to restore ongoing operations in these disaster scenarios, the following is undertaken:

Specific measures for our production environment (CMP) & related systems

  • Daily backup of all server resources by the hosting provider (Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043 USA).
  • Disaster recovery.
  • Conclusion of service level agreements (SLAs) with service providers.
  • Multi-level backup procedures.
  • Redundant storage (cluster setups / geo-redundancy) of data (e.g. hard disk mirroring).
  • Use of firewall, IDS/IPS.
  • Fire and extinguishing water protection.
  • Alarm monitoring.
  • Failure, disaster and recovery plans and scenarios.

Further information:

https://cloud.google.com/security

5. Measures for pseudonymization of personal data

Pseudonymization is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. The following measures are taken for this purpose:

  • Establish a strict privacy-by-design approach.
  • Establish a pseudonymization concept (including definition of the data to be replaced; pseudonymization rules, description of procedure).
  • A SHA-256 cryptographic hash is used for pseudonymization.

6. Procedures for the regular review, assessment and evaluation of the effectiveness of technical and organizational measures

A regular review, assessment and evaluation of the effectiveness of the technical and organizational measures to ensure the secure processing of personal data is carried out through the following measures:

Data protection management system

All procedures, any requests from authorities, contracts and directories are kept for documentation and transparency purposes. Changes are also documented.

Information Security Management System

All concepts, processes and risk analyses are kept in an internal ISMS.

Processing of data on behalf of Usercentrics or by subcontractors

Commissioning is always preceded by an extensive selection process and a PreCheck. We check whether our high standards described here are also met by potential processors. Only when this has been done and a processing contract that complies with the requirements of Article 28 GDPR has been concluded may processing take place. In addition to the PreChecks, we also carry out recurring audits in order to permanently maintain the required level. The agreed-upon services are specifically set out in the order processing contracts in order to clearly delineate the scope of the order.

Training and employee awareness

At the start of their employment with Usercentrics, all employees receive all important information on the topic of data protection and information security and are obligated to maintain confidentiality. With regular (refresher) training and selective provision of information (articles, cases, etc.), we ensure a constantly high level of employee awareness.

Up-to-dateness of the security concept

The security concept is subject to regular revision and adapted as necessary.

Responsibilities

Responsibility for the implementation of the measures and processes described here lies within the responsible departments or specialist areas. Regular monitoring is carried out in part by the Data Protection Officer and the Information Security Officer.

Further measures

  • Reviewing information on newly emerging vulnerabilities and other risk factors, including revision of the risk analysis and assessment, if necessary.
  • Auditing of the Data Protection Officer and the Information Security Officer as well as regular process controls through appropriate quality management.

Contact details of the data protection officer:

SECUWING GmbH & Co. KG Maximilian Hartung, Frauentorstr. 9, 86152 Augsburg, Germany, epost@datenschutz-agentur.de, Tel. +49 (0) 821 907 86 450

Contact details of the Information Security Officer:

activeMind AG Jan Baumgärtner, Potsdamer Str. 3, 80802 Munich, Germany, Baumgaertner@activemind.de, Tel. +49 (0) 89 9192 94 900

Internal data protection coordination:

Legal Department, Sendlinger Str. 7, 80331 Munich, Germany, legal@usercentrics.com
