Data Processing Agreement

Background

Within the scope of the Framework Agreement, the Processor (CAOS Ltd.) processes Personal Data on behalf of the Customer (Responsible Party), collectively the "Parties".

This Annex to the Agreement governs the Parties' data protection obligations in addition to the provisions of the Agreement.

Subject matter, duration, nature and purpose of the processing as well as the type of personal data and categories of data subjects

This annex reflects the commitment of both parties to abide by the applicable data protection laws for the processing of Personal Data for the purpose of Processor's execution of the Framework Agreement.

The duration of the Processing shall correspond to the duration of the Agreement, unless otherwise provided for in this Annex or unless individual provisions obviously result in obligations going beyond this.

In particular, the following Personal Data are part of the processing:

Type of personal data	Examples	Affected data subjects
Basic data	Surname and first name Email addresses User name	All users
Login data	Randomly generated ID Password Public keys / certificates ("FIDO2", "U2F", "x509", ...) User names or identifiers of external login providers Phone number(s)	All users Password: Users who use authentication methods with password. Public Keys: Users who use an authentication procedure with cryptographic keys. External login provider identifiers: Users who use an external login provider. Phone number: Users who use authentication methods with SMS
Profile data	Profile pictures Gender Language Nickname Display name Phone number(s)	Users who voluntarily add profile data
Communication data	Emails Chats Call metadata	Customers and users who communicate with us directly (e.g. support)
Payment data	Billing address Payment information Customer number Customer history Credit rating information	Customers who use services that require payment Credit rating information: Only customers who pay by invoice
Usage meta data	User agent IP addresses Operating system Time and date URL Referrer URL Accept Language	All users

Scope and responsibility

Under this Agreement, the Processor shall process Personal Data on behalf of the Customer.

This Annex applies to all processing of Customer's data (including data of the users of Customer's organization) with reference to persons ("Personal Data") which is related to the Agreement and which is carried out by the Processor, its employees or agents.

The Customer shall be responsible for compliance with the statutory provisions of the data protection laws, in particular for the lawfulness of the transfer of data to the Processor as well as for the lawfulness of the data processing.

The Processor is responsible for taking appropriate technical and organizational protection measures so that its processing complies with the legal requirements and ensures the protection of the rights of the Data Subjects.

Obligations of the processor

Bound by directions

The Processor processes personal data in accordance with its privacy policy (cf. Privacy Policy) and on the documented directions of the Customer. The initial direction result from the Agreement. Subsequent instructions shall be given either in writing, whereby e-mail shall suffice, or orally with immediate written confirmation.

If the Processor is of the opinion that a direction of the Customer violates the Agreement, the GDPR or other data protection provisions of the EU, EU Member States or Switzerland, it shall inform the Customer thereof and shall be entitled to suspend the Processing until the instruction is withdrawn or confirmed.

Obligation of the processing persons to confidentiality

The Processor shall ensure that the persons authorized to process the Personal Data have committed themselves to confidentiality, unless they are already subject to an appropriate statutory duty of confidentiality.

Technical and organizational measures

The Processor has taken appropriate technical and organizational security measures, maintains them for the duration of the Processing and updates them on an ongoing basis in accordance with the current state of technology.

The technical and organizational security measures are described in more detail in the annex to this appendix.

Involvement of subcontracted processors

A current and complete list of involved and approved sub-processors can be found at https://zitadel.com/trust/.

The Processor is entitled to involve additional sub-processors. In this case, the Processor shall inform the Responsible Party about any intended change regarding sub-processors and update the list at https://zitadel.com/trust. The Customer has the right to object to such changes. If the Parties are unable to reach a mutual agreement within 90 days of receipt of the objection by the Processor, the Customer may terminate the Agreement extraordinarily.

The Processor obligates itself to impose on all sub-processors, by means of a contract (or in another appropriate manner), the same data protection obligations as are imposed on it by this Annex. In particular, sufficient guarantees shall be provided that the appropriate technical and organizational measures are implemented in such a way that the processing by the sub-processor is carried out in accordance with the legal requirements. If the sub-processor fails to comply with its data protection obligations, the processor shall be liable to the customer for this as for its own conduct.

Assistance in responding to requests

The Processor shall support the Customer as far as possible with suitable technical and organizational measures in fulfilling its obligation to respond to requests to exercise the data subject's rights. The parties shall agree separately on the compensation of the Processor for this.

Further support for the customer

The Processor shall, taking into account the nature of the processing and the information available to it, assist the Customer in complying with its obligations in connection with the security of the processing, any notifications of personal data breaches, and any data protection impact assessments.

Deletion or destruction after termination

Upon Customer's request, the Processor shall delete personal data received after the end of the agreement, unless there is a legal obligation for the Processor to store or further process such data.

Information and control rights of the customer

The Processor shall provide the Customer with all information necessary to demonstrate compliance with the obligations set forth in this annex. It shall enable and contribute to audits, including inspections, carried out by the Customer or an auditor appointed by the Customer.

The procedure to be followed in the event of directions that are presumed to be unlawful is governed by the section Bound by directions of this Appendix.

Annex regarding security measures

The Processor has taken the following organizational and technical security measures to ensure a level of protection of the Personal Data processed that is appropriate to the risk:

Pseudonymization / Encryption

The following measures for pseudonymization and encryption exist:

All communication is encrypted with TLS >1.2 with PFS
Critical data is exclusively stored in encrypted form
Storage media that store customer data are always encrypted
Passwords are irreversibly stored with a hash function (bcrypt)
Data for web analytics are pseudonymized and do not contain any personal data

Ensuring certain properties of the systems and services

Confidentiality

The following confidentiality measures exist:

Implementation of information security policies
Implementation of secure authentication policies

Integrity

The following integrity measures exist:

Code and container images are automatically checked for vulnerabilities
An automated system is used to keep dependencies up to date
Secrets are automatically rotated whenever possible and are short-lived (for example, signing keys)
Changes to code or infrastructure require mandatory review by at least one other employee

Availability

The following measures of availability exist:

Operation of the systems in combination with a CDN/DDoS mitigation service
High availability operation
Geo-redundant operation over at least two data centers

Load capacity

The following measures of availability exist:

Automatic scaling of resources
Monitoring, logging, tracing and alerting

Restoring availability and access

The following measures exist to restore availability and access:

Implementation of a backup concept
Emergency plan
Testing of the emergency plan

Regular review, assessment and evaluation of effectiveness

The following measures exist for regular review, assessment and evaluation of effectiveness:

At least annual audit and evaluation of processes within the framework of an information security management system
Responsible Disclosure and Bug Bounty policies
External audit of system security ("penetration testing")

Entry into force

This agreement is valid from 15.07.2022.

Last revised: June 14, 2022

Background​

Subject matter, duration, nature and purpose of the processing as well as the type of personal data and categories of data subjects​

Scope and responsibility​

Obligations of the processor​

Bound by directions​

Obligation of the processing persons to confidentiality​

Technical and organizational measures​

Involvement of subcontracted processors​

Assistance in responding to requests​

Further support for the customer​

Deletion or destruction after termination​

Information and control rights of the customer​

Annex regarding security measures​

Pseudonymization / Encryption​

Ensuring certain properties of the systems and services​

Confidentiality​

Integrity​

Availability​

Load capacity​

Restoring availability and access​

Regular review, assessment and evaluation of effectiveness​

Entry into force​