Terms of Use

General Terms and Conditions (Software License)

1 Scope / Services 

1.1 These General Terms and Conditions (hereinafter referred to as “Terms and Conditions (Software License)”) shall apply to the configuration and use of software by ZkSystems GmbH, Kutschstallhof am Neuen Markt 9e, 14467 Potsdam (hereinafter referred to as the “Provider”) and you as a Customer (hereinafter referred to as the “Customer”).

1.2 Additionally, conflicting or deviating terms and conditions of the Customer shall only become part of the contract if the Provider has expressly agreed to them in writing.

2 Services of the Parties

2.1 The content, scope and precise specification of the services and functionalities of the software to be provided by the Provider are set out in the offer or in the order form (hereinafter both the offer and the order form together referred to as the “offer”).

2.2 For the use of the software, the system requirements specified in the offer must be met by the Customer. For on-premise use, this may include installation of the software on a dedicated server.

2.3 The Provider is entitled, but not obliged, to expand and further develop the software. The Provider reserves the right to offer non-mandatory extensions and further developments only against payment of an additional fee. The provisions of this contract shall apply accordingly to such extensions or further developments.

2.4 The Provider may change the functional scope of the software to a reasonable extent, e.g. if there is an important reason – for example for security reasons – and the performance features defined in the offer are essentially retained. 

2.5 The Customer grants to the Provider a non-exclusive license without limitation in time or place to all content which she/he transfers to Provider’s servers in the context of the use of the software, to use the content to the extent necessary to perform the agreement with the Customer, in particular to copy the content and make it accessible to third parties according to the Customer’s settings. The Provider is entitled to grant sub-licenses to its sub-contractors in performance to the extent necessary for the performance of the agreement. Furthermore, the license is not transferable. The Provider is entitled to retain Customer content beyond the duration of the Agreement insofar as this is technically or legally necessary. In particular Provider is authorized to keep backup copies of the contents provided by the Customer and to store temporarily or permanently such information which is required for accounting, documentation and billing purposes.

2.6 The Customer guarantees that she/he will take note of all applicable legal regulations, in particular copyright and data protection law, when using the software. The Customer indemnifies Provider from all claims of third parties which these asserts against Provider because of the use of the platform by the Customer. Provider will inform the Customer without undue delay of any claims asserted by third parties and provide the information and documents necessary for defense on request. In addition, Provider will either let the Customer defend her-/himself or will do so in consultation with the Customer. In particular Provider will neither acknowledge nor put claims asserted by third parties beyond dispute without consultation with the Customer. The provisions of this clause apply accordingly to contractual penalties as well as fines and administrative fines imposed by court or official authorities, insofar as the Customer is responsible for them.

2.7 The Customer should – within the limits of what is technically reasonable and possible – ensure that the normal business operations of the Customer continue to function properly, even if the software is not available, regardless of whether this is due to a fault of the Provider or the Customer.

3 Term 

3.1 If the Customer opted for a monthly option, the contract ends at the end of the following month. If the Customer opted for a yearly option, this contract is concluded for a period of 12 months. The contract shall commence on the date stated in the offer (hereinafter referred to as “start of contract”) – if not stated otherwise in the offer.

3.2 For yearly payment, the purchased licenses shall be automatically renewed each year for a further year after expiry of the term defined in § 3 para.1. For monthly or yearly payment, the purchased licenses shall be automatically renewed each month for a further month after expiry of the term defined in § 3 para.1. If no continuation is desired, the parties can unsubscribe on the website/application or notify the other party in writing that the contract will not be extended. 

4 Remuneration

4.1 The remuneration results from the offer that can be seen on the website or that is provided in writing (for example, if Customer is an enterprise). The offer shall define whether billing is annual or monthly. The monthly license and maintenance fees shall be invoiced monthly or annually. The first monthly or annual payment (plus set-up costs according to §4.4, if any) shall be due at the beginning of the contract with a payment term of 14 days. Further invoices will be issued annually/monthly, starting with the date of the commencement of the contract plus the respective period of usage.

4.2 Licenses for users, robots, modules, workflows or interfaces beyond those specified in the offer can be purchased at any time. The price per license from the offer applies. If new licenses are purchased in the middle of a month or year, the costs for the first month or the first year will be charged prorated on a daily basis. From the following month or year, all licenses will be invoiced.

4.3 At the request of the Customer, the Provider shall carry out training/onboarding, insofar as capacities exist for this on the part of the Provider; any costs shall be communicated in advance.

4.4 The Provier may offer to provide development services against reasonable remuneration, including (a) the modification of existing software functions in accordance with the Customer’s specifications and (b) the creation of new software functions based on Customer specifications (jointly or individually hereinafter “Deliverables”), provided this is agreed with the Customer and subject to the terms of this Agreement. Upon completion of a new Deliverable as agreed with the Customer, the Provider shall (i) make it available to the Customer; and (ii) demonstrate its functionality in accordance with the relevant Order. Each Deliverable shall be deemed to be accepted if the Customer does not confirm acceptance or use the Deliverable within 2 weeks. The license granted by Provider under Clause 4.1 shall apply mutatis mutandis to all Deliverables supplied by Provider unless otherwise agreed in the relevant Order. All IP Rights in the Deliverables shall be owned by Provider and shall remain with Provider. Unless expressly agreed otherwise, the remuneration agreed with the Customer shall be exclusive of travel expenses and other third-party costs incurred.

5 Availability  

5.1 No specific availability of the software is guaranteed, but the Provider shall ensure a predominantly uninterrupted availability of the software from the time of start of software use. Availability is deemed to be the Customer’s ability to use all main functions of the software. Excluded from this are necessary planned maintenance work, implementation of software updates – the Customer will be informed at least two weeks before the time of the update and the update of the software will only take place in the period between 22:00 and 5:00 (CET) and only if it is reasonable for the Customer – as well as disruptions that are not within the control of the Provider; in particular force majeure (see below). The Provider shall, as far as possible, inform the Customer in good time in text form about planned maintenance work. However, the Provider expressly reserves the right to carry out unannounced maintenance work if necessary, in particular if this is required for data and operational security.

5.2 Excluded from the aforementioned availability are availability losses caused by the failure of third-party software, failure of the on-premise servers provided, failure of the IT systems to be integrated, connection problems of the VPN connection or other Customer-side failures of the IT systems in the execution environment as well as due to operational disruptions, caused by an event of force majeure or other unavoidable events outside the Provider’s sphere of influence and which could not be averted with reasonable effort and could not have been foreseen even with due diligence, which make the Provider’s obligations under the offer considerably more difficult or impossible in whole or in part, e. g. e.g. strikes, lockouts, extraordinary weather conditions, power failures, operational or traffic disruptions and transport obstructions, and which release the Provider from its obligations for the duration of such event.

5.3 The Software is hosted and runs on the Cloud. If the execution of the Robot is on-premise or takes place locally, orchestration and monitoring will continue to take place partially on the Cloud. The specified minimum availability can change from the third-party cloud provider’s side and fall below the contractually agreed minimum availability without the Provider being able to influence this. The Provider is objectively and technically prevented from guaranteeing the Customer higher availability of the software than the cloud provider. The Customer acknowledges this circumstance and waives the right to assert claims and rights against the Provider as a result of insufficient minimum availability. 

5.4 The Customer shall notify the Provider immediately of any impairment of the availability of the software. As long as no impairment of availability has been reported, it shall be assumed that the software was continuously available. If the agreed availability is not met, the Customer shall be compensated by extending the agreed term of the license free of charge. The license shall be extended by the cumulative time of the individual interruptions. Should the cumulative time of all interruptions be less than 24 hours, the license shall be extended by 1 day.

6 Technical support 

6.1 For cost free services the Provider provides warranty according to the applicable statutory provisions. For the rest, the Provider shall provide warranty for defects in the provision of the software exclusively in accordance with the following provisions.

6.2 A support case exists if the software does not fulfil the contractual functions in an essential way (hereinafter “malfunction”). The Customer shall inform the Provider immediately of all malfunctions by email or telephone call.

6.3 If the Customer reports a support case, she/he shall provide as detailed a description as possible of the respective malfunction in order to enable the most efficient troubleshooting possible. 

6.4 As soon as the Customer has provided the Provider with all the necessary information, the resolution process will begin. The Provider shall, at its discretion, rectify or re-perform the services. When using third-party software which the Provider has licensed for use by the Customer, the rectification of defects shall consist of the procurement and installation of generally available upgrades, updates or patches. The provision of instructions for use with which the Customer can reasonably circumvent defects that have occurred in order to use the software in accordance with the contract shall also be deemed to be rectification of defects. If the defect-free provision of the services fails for reasons for which the Provider is responsible, even within a reasonable period of time set by the Customer in writing (e-mail is sufficient), the Customer may reduce the agreed remuneration by a reasonable amount. The right to a reduction is limited to the amount of the annual fixed price relating to the defective part of the service.

6.5 If the reduction pursuant to clause 5.4 reaches the maximum amount specified in clause 5.4 in two consecutive months or in two months of a quarter, the Customer may terminate the contract without notice. 

6.6 The Provider shall inform the Customer about the elimination of the malfunction. 

6.7 If the customer’s IT systems are updated, it may be necessary to reconfigure the software. Under these circumstances, the Customer must reconfigure the workflows or robots used. In the event of such an update, the Provider can nevertheless not guarantee the contractual functionality of the software.

7 Intellectual property and license

7.1 The Provider reserves the unrestricted rights of use and modification of its software and all its components.

7.2 At the commencement of the contract, the Provider grants the Customer the non-exclusive, worldwide, non-transferable and non-sublicensable right, limited in time to the term of the contract, to use the software in accordance with the contract. Without prejudice to any actions covered by §§ 69 d or 69 e UrhG and thus permitted by law, the Customer shall not be entitled to any other or further rights of use to the software.

7.3 Components of the software which are recognizably subject to the rights of third parties and in particular open source licenses are excluded from the granting of rights. In particular, such components shall be deemed recognizable which are disclosed by the Provider within the software or in supplied text files as third-party content upon request. There is no access to the source code underlying the software provided.

7.4 The software is made available to the Customer solely for the purpose of optimizing internal processes (contractual use). Commercial use of the software and all its components is not permitted to the Customer, i.e. resale or any other form of making the software available to third parties is not permitted.

7.5 The Provider retains ownership and/or all copyright rights of use in all offers made as well as calculations, illustrations, mock-ups, catalogues and other documents and aids made available to the Customer. The Customer may not make these items accessible to third parties, use them, allow them to be used, publish them or reproduce them, either as such or in terms of content, without the express consent of the Provider.

8 Extraordinary termination

8.1 Ordinary termination is excluded during the term in accordance with clause 3. 

8.2 The contract may be terminated extraordinarily with immediate effect because of an important reason. The termination must be in writing.

9 Liability

9.1 The Provider is liable for cost free services according to the applicable statutory provisions.

9.2 In all other respects the Provider is unrestrictedly liable for intent and gross negligence and for damages caused by injury to life, body or health.

9.3 In cases of simple negligence the Provider is liable for the breach of a primary contractual obligation (Kardinalpflichten according to German law). A primary contractual obligation in the sense of this clause is an obligation whose performance enables the performance of the Agreement and on whose performance the Customer may therefore regularly rely.

9.4 In the case of clause 9.3 the Provider is not liable for lack of economic success, lost profits and indirect damages. Liability pursuant to the above clause 9.3 is limited to the typical, foreseeable damage at the time of conclusion of the Agreement.

9.5 In the case of 9.3 liability for damages due to loss of data is limited to the amount of data recovery that would have been incurred even if the Customer had regularly backed up the data in accordance with the risk.

9.6 The limitations of liability apply accordingly in favor of employees, agents and assistants in performance of the Provider.

9.7 Any liability of the Provider for given guarantees (which must be explicitly designated as such) and for claims based on the German Product Liability Act remains unaffected.

9.8 Any further liability of the Provider is excluded.

10 Data security, data protection, data processing agreement

10.1 The Customer is aware that the Provider collects and uses various Customer-related, but not personal, data for the purpose of developing, optimizing, providing and continuously improving the functional software product. Acceptance of the offer constitutes consent to data processing.

10.2 The parties shall comply with the applicable data protection provisions, in particular those applicable in Germany. As the ordering party, the Customer shall be responsible for the compliance of her/his employees with data protection regulations. 

10.3 The Customer shall issue the Provider with a separate written order for data processing, which can be found at https://zksystems.io/nutzungsbedingungen-und-AVV/ (see “Annex – Data Processing Agreement). In the event of contradictions between this contract and the data processing agreement, the latter shall take precedence.

11 Confidentiality

11.1 The parties are obliged to keep permanently secret and not to disclose to third parties all information about the respective other party which has become known to them in connection with this Agreement or which becomes known to them in connection with this Agreement and which is marked as confidential or is recognisable as business and trade secrets on the basis of other circumstances (hereinafter: “Confidential Information”), unless the respective other party has expressly consented in writing to the disclosure or use or the information must be disclosed on the basis of a law, a court decision or an administrative decision. 

11.2 The information is not Confidential Information if it was previously known to the other party without such information being subject to a confidentiality obligation, is generally known or becomes known without breach of the assumed confidentiality obligations, is disclosed to the other party by a third party without breach of a confidentiality obligation.

12 Severability Clause

Should individual provisions of this contract be invalid or unenforceable or become invalid or unenforceable after conclusion of the contract, this shall not affect the validity of the rest of the contract. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision the effects of which come as close as possible to the economic objective pursued by the contracting parties with the invalid or unenforceable provision. The above provisions shall apply mutatis mutandis in the event that the contract proves to be incomplete.

13 Final provisions

13.1 The Provider is entitled to use third parties (for example freelance software programmers) as subcontractors in the provision of the services.

13.2 The law of the Federal Republic of Germany shall apply. The place of jurisdiction is the registered office of the Provider.

13.3 The cancellation, amendment or supplementation of the contract must be in writing in order to be effective.

Annex - Data Processing Agreement

This Data Processing Agreement (“DPA”) specifies the data protection obligations and rights of the Parties in connection with the processing of personal data processed by ZkSystems GmbH, Kutschstallhof am Neuen Markt 9e, 14467 Potsdam (hereinafter “Contractor“) for the Customer (hereinafter “Customer“) under the contract concluded between the Parties on the use of the ZkSystems software (hereinafter “Main Agreement“).

1. Scope of Application

When providing the services in accordance with the Main Agreement, the Contractor shall process personal data which the Customer has provided for the purpose of providing the services and in respect of which the Customer acts as the responsible party in the sense of data protection law (“Customer Data”). In the event of contradictions between this DPA and provisions of other agreements, in particular of the Main Agreement, the regulations of this DPA shall take precedence.

2. Customer Data

2.1. The Contractor will process the Customer Data exclusively on behalf of the Customer and in accordance with the Customer’s instructions, unless the Contractor is legally required to do otherwise under the law of the European Union or a member state. In such a case, the Contractor shall notify Customer of these legal requirements prior to processing, unless the law in question prohibits such information for an important public interest. 

2.2. Unless otherwise agreed in the Main Agreement, the processing of Customer Data by the Contractor shall be carried out exclusively in the nature, to the extent and for the purpose specified in Annex 1 to this DPA; the processing shall only concern the types of personal data and categories of data subjects specified therein.

2.3. The duration of the processing corresponds to the duration of the Main Agreement.

2.4. Personal data is generally processed in member states of the European Union or in another state that is a party to the Agreement on the European Economic Area (“EEA“). Subject to compliance with the provisions of this DPA, the Contractor is also permitted to process Customer Data outside the EEA or to have it processed by other contractors in accordance with Clause 5 of this DPA, if the conditions of Articles 44 to 48 GDPR (General Data Protection Regulation) are fulfilled or an exception in accordance with Art. 49 GDPR exists. If the conclusion of standard contractual clauses is required for this purpose, the Customer hereby authorises the Contractor to conclude these clauses on his behalf with any further processor. If this is not possible, the Contractor shall, on the instructions of the Customer, immediately enforce against the further processors all instructions and rights to which the data exporter is entitled under the EU standard contractual clauses and assign them to the Customer upon request.

2.5. The instructions are set out in the Main Agreement. In addition, the Customer is entitled to issue instructions on the nature, scope, purposes and means of processing Customer Data. These instructions must be in written form or text form. Oral instructions will be confirmed by the Customer in written form or by e-mail. All instructions shall be documented by the parties. The persons authorised to give instructions and the recipients of instructions are listed in Annex 1. In the event of a change or a long-term inability of the persons named to carry out the instructions, the successor or representative must be named to the contractual partner in text form without delay. 

2.6. If the Contractor is of the opinion that an instruction of the Customer violates this DPA, the GDPR or other data protection regulations of the European Union or the member states, the Contractor shall inform the Customer of this immediately in written form or text form. The Contractor is entitled to suspend the execution of such an instruction until the Customer confirms it in written form or text form. If the Customer insists on the execution of an instruction in spite of the reservations expressed by the Contractor, the Customer shall indemnify the Contractor against all damages and costs incurred by the contractor in executing the Customer’s instruction. The Contractor will inform the Customer about damages and costs claimed against him and will not acknowledge claims of third parties without the consent of the Customer and will conduct the defence at the discretion of the Contractor in coordination with the Customer or leave it to the Customer.

3. Requirement for Personnel

3.1. The Contractor shall obligate all personnel under his authority who have access to Customer Data to maintain confidentiality, unless they are subject to appropriate statutory confidentiality obligations. 

3.2. The Contractor shall ensure that personnel under his authority who have access to Customer Data only process this data in accordance with this DPA and the Customer’s instructions, unless they are required to do so under the laws of the European Union or the member states.

4. Security of Processing

4.1. Taking into account the state of the art, the costs of implementation and – as far as known to the Contractor – the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, the Contractor shall implement appropriate technical and organisational measures to ensure a level of security for the Customer Data appropriate to the risk.

4.2. Prior to the beginning of the processing of the Customer Data, the Contractor shall in particular implement the technical and organisational measures specified in Annex 3 to this DPA and maintain them for the duration of the Main Agreement and ensure that the processing of Customer Data is carried out in accordance with these measures.

4.3. Since the technical and organisational measures are subject to technical progress, Contractor is entitled and obliged to implement alternative, adequate measures in order not to fall below the security level of the measures specified in Annex 3. If the Contractor makes significant changes to the measures specified in Annex 3, he will inform the Customer of such changes in advance.

4.4. It is incumbent on the Customer to check the technical and organisational measures taken by the Contractor, in particular whether these are also sufficient with regard to circumstances of data processing of which the Contractor is not aware.

5. Use of Sub-Processors

5.1. The Contractor uses the sub-processors listed in Annex 2 for the processing of Customer Data. These are deemed to be approved upon conclusion of this DPA.

5.2. The Contractor may use further sub-processors to process Customer Data subject to the following conditions: The Contractor shall inform the Customer at least 15 working days before making use of the further sub-processor in text form or written form. Unless the Customer raises an objection within 5 working days, the commissioning is deemed approved.

5.3. If the Customer objects to the use of a further sub-processor, the Contractor shall be entitled, at its option, to continue to provide the services without the corresponding processor or to terminate the Main Agreement and this DPA at the time of the planned use of the processor.

5.4. The Contractor must obligate each further processor by means of a written agreement in the same way as the Contractor is obligated to the Customer under this agreement.

5.5. The Contractor shall be obliged to select and use only those sub-processors who offer sufficient guarantees that the appropriate technical and organisational measures are implemented in such a way that the processing of the Customer Data is carried out in accordance with the requirements of the GDPR and this DPA.

6. Rights of the Data Subjects

6.1. The Contractor shall take all reasonable technical and organisational measures to assist the Customer in fulfilling its obligation to respond to requests from affected persons to exercise their rights.

6.2. The Contractor will in particular: 

– immediately inform the Customer if a data subject should contact Contractor directly with a request to exercise his rights in relation to Customer Data;

– immediately provide the Customer with all information in his possession concerning the processing of Customer Data which the Customer requires to answer the request of a data subject and which the Customer does not have at his disposal;

– Customer Data can be corrected, deleted or limited in processing immediately upon instruction of the Customer; 

– ensure that the Customer can and does receive the Customer Data processed in the area of responsibility of the Contractor in a structured, common and machine-readable format, provided that the data subject has a right of data transferability with respect to the Customer with regard to the Customer Data.

7. Other Obligations of the Contractor to assist the Customer

7.1. The Contractor shall notify the Customer immediately after becoming aware of any Customer Data breach, in particular incidents that lead to the destruction, loss, alteration or unauthorised disclosure of or access to Customer Data. 

7.2. In the event of any violation of the protection of Customer Data, Contractor shall, without delay, take all necessary and reasonable measures to remedy the violation of the protection of Customer Data and, if necessary, to mitigate its possible adverse effects.

7.3. If the Customer is obliged to provide information to a government authority or a third-party regarding the processing of Customer Data or to cooperate with such entities in any other way, the Contractor is obliged to assist the Customer in providing such information or in fulfilling other obligations to cooperate.

7.4. Taking into account the information available to him, the Contractor will assist the Customer in complying with the obligations set out in Art. 32 GDPR.

7.5. In the event that the Customer is obliged to inform the supervisory authorities and/or data subjects in accordance with Art. 33, 34 GDPR, the Contractor shall, at the request of the Customer, assist the Customer in complying with these obligations. In particular, the Contractor is obliged to document all potential violations of Customer Data breaches, including all related facts, in a manner that enables the Customer to prove compliance with any relevant statutory reporting obligations.

7.6. The Contractor shall support the Customer within the scope of what is reasonable in any data protection impact assessments to be carried out by him and, if necessary, subsequent consultations with the supervisory authorities in accordance with Art. 35, 36 GDPR.

8. Detection and Return of Customer Data

8.1. Upon the instruction of the Customer, the Contractor shall, upon termination of the Main Agreement, either delete all Customer Data completely or return it to the Customer and delete any existing copies, unless the law of the European Union or a member state requires the Contractor to continue storing Customer Data.

8.2. However, the Contractor shall be entitled to keep backup copies of the Customer Data for a period of 30 days, provided that deletion of the Customer’s data from these backup copies is technically impossible or impossible with regard to Art. 32 GDPR. For this period the rights and obligations of the parties under this DPA with regard to the backup copies shall continue to apply in deviation from Clause 2.3.

8.3. Documentation which serves as proof of the orderly and proper processing of the Customer Data must be kept by the Contractor in accordance with the statutory retention periods beyond the end of the agreement.

9. Evidence & Checks

9.1. The Contractor shall ensure and regularly check that the processing of Customer Data is carried out in accordance with this DPA, including the scope of processing of Customer Data as set out in Annex 1 and the Customer’s instructions.

9.2. The Contractor shall document the implementation of the obligations under this DPA in a suitable manner and shall provide the Customer with all necessary evidence of the Contractor’s compliance with the obligations under the GDPR and this DPA at the Customer’s request. 

9.3. The Customer shall be entitled to audit the Contractor prior to the start of the processing of Customer Data and regularly during the term of the Main Agreement with regard to compliance with the provisions of this DPA, in particular the implementation of the technical and organisational measures in accordance with Annex 3, either himself or through a qualified and auditor who is obliged to maintain secrecy; this shall include inspections. Contractor shall allow such inspections and shall contribute to such inspections by taking all reasonable and appropriate measures; inter alia by granting the necessary access and access rights and by providing all necessary information.

9.4. As far as possible, the checks and inspections should not hinder the Contractor in his normal business operations and should not place an excessive burden on him. In particular, inspections on the Contractor’s premises should not take place more than once per calendar year and only during the Contractor’s normal business hours without any specific reason. The Customer must notify the Contractor of inspections in good time in writing or text form.

9.5. In accordance with the provisions of the GDPR, the Customer and the Contractor are subject to public controls by the competent supervisory authority. At the request of the Customer, the Contractor shall provide the supervisory authority with the desired information and give it the opportunity for verification; this includes inspections at the contractor’s premises by the supervisory authority or by persons appointed by it. In this context, the Contractor shall grant the competent supervisory authority the necessary rights of access, information and inspection.

10. Liability

The parties shall be liable within the scope of this DPA in accordance with the statutory provisions. 

Annex 1 - Purpose, nature and scope of data processing, type of data and categories of data subjects

Purpose of the data processing

Operation of AI- and RPA-based configuration software with the aim that the user creates her/his own workflows to create data or process and extract data from a system, document, excel or file and to transfer this data to another target system, as well as training of AI algorithms. Data transfer happens via API, database and robotic process automation within the user interface. 

Type and scope of data processing

– Conversion
– Linking, organization and ordering
– Readout and adjustment

Type of applications operated: Self-operated web-based software solution (“Software-as-a-Service”) and applications of contract processors as defined in Annex 2. Place of data processing: Germany or EEA (according to Annex 2) or locally on premise on Customer’s servers.

Type of data

– Surnames and first names
– Company affiliation
– Contact information (address, phone number, e-mail)
– Further data that the Customer uses when she/he configures their workflows

Categories of data subjects

– End customers and other contacts (e.g. interested parties) of the Customer
– Employees of end Customers and other contacts of the Customer
– Employees of the Customer

Authorized persons and contact persons of the Customer

According to order form/offer

Recipients of instructions of the Contractor

Diana Rees, Managing Director, ZkSystems GmbH, Kutschstallhof am Neuen Markt 9e, 14467 Potsdam

Annex 2 - Other processors

Amazon Web Services
Inc P.O. Box 81226 Seattle, WA 98108- 1226, United States of America

Provision and technical maintenance of the AWS Services for the operation of the ZkSystems Software. The following GCU has been agreed as part of the Service Agreement with AWS Inc:

https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pd

https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf 

The following services (applications) are used by the subcontracted data processor Amazon Webservices (AWS): RDS, elastic beanstalk, lambda, ec2.

The services are executed on server locations in Germany (Frankfurt).

Annex 3 - Technical and organizational measures

1. Confidentiality

Confidentiality Protection

AWS Inc. fulfills the following certifications (SOC1/SSAE 16/ISAE 3402 (formerly SAS 70), SOC2, SOC3, FISMA, DoD SRG, PCI DSS Level 1, ISO 9001 / ISO 27001, ITAR, FIPS 140-2, MCTS Tier3) and implements AWS Inc. the requirements catalog Cloud Computing (C5) of the Federal Office for Information Security. 

Access

Unauthorized persons must be denied access to data processing systems.

Office level

– Alarm system
– Security locks
– Key regulation

Application level (including AWS)

– Video surveillance of the buildings
– Electronic Intrusion Detection System
– Chip card/transponder locking system
– Employee and visitor badges
– Wearing of badges in the data center
– Reception with logging of visitors
– Permanent accompaniment of the visitors by employees

  • It must be prevented that data processing systems can be used by unauthorised persons.

Office level

– Password rules
– Key rules
– Encryption of data carriers
– Authentication with user + password

Application level (AWS)

– AWS Network: Firewalls
– AWS Network: Authentication
– Password rules
– Authentication with user + password

It must be ensured that systemic data access is only possible to the extent authorized and required, e.g. through encryption.

– Encryption of data carriers
– Authorization concept
– Password rules
– Reduce the number of administrators to the “essentials
– Administration of user rights only through system administrator rights
– Data transmission exclusively via HTTPS

Forwarding

It must be ensured that personal data is not accessed without authorization during transmission, transport or on data carriers and that it can be determined to which bodies the data has been disclosed, e.g. by means of encryption.

– Data transmission takes place exclusively via HTTPS

2. Integrity

Data separation

It must be ensured that data collected for different purposes can be processed separately.

– Storage of data from different systems on data carriers separated by virtualization
– Determination of database rights
– Logical Customer separation (on the software side)
– Creation of an authorization concept

3. Availability

It must be ensured that personal data is protected against loss.

Application level

– Replication of data storage 
– Daily creation of encrypted back-ups of the data

System Requirements for Desktop Application (Creator App)

For browser-based workflows

– Chrome version 90.0.4430.212
– Mac version 11 or higher or Windows 10
– Internet connection

For local application workflows (executed locally) 

– Mac version 11 or higher or Windows 10
– Internet connection

For Enterprise Edition with execution on dedicated server 

– Dedicated (virtual) Windows Server (at least 2016) with 64-bit processor
– Internet connection
– Windows 10 with 4 GB RAM and 8 GB disk space
– Note: The user name of the Windows user must not contain any special characters (_,.!?”&%$§)