Dies ist die archivierte Version

 

 

 

Data Processing Agreement aleno

 

Last Modified: July 2020

 

Preamble

The Parties have entered into a contract regarding the Controller’s use of the cloud-based restaurant management software aleno (“ Software”) as amended from time to time (“ Contract”). Under the Contract, the Processor will provide various types of services to the Controller (“ Services”). In order to provide these Services, the Processor is required to process personal data on behalf of the Controller (“ Personal Data”). The Personal Data processed under the Contract will consist of the personal data of the Controller’s customers and the individual users who access the Software on behalf of the Controller (“ Data Subjects”).

The Parties have agreed to enter into this Data Processing Agreement (“ Agreement”) to regulate the processing of Personal Data and ensure compliance with the EU General Data Protection Regulation (“ GDPR”) as well as other regulations regarding the processing of Personal Data that are applicable to the Parties (“ Data Protection Legislation”).

 

1. Interpretation

In this Agreement, except where the context otherwise requires:

  • headings and the table of contents do not affect the interpretation of this Agreement;
  • unless otherwise stated, any reference to “writing” or “written” includes e-mail as well as any other form or electronic communication;
  • any reference to the terms “including” will be construed without limitation;
  • any reference to a statute or a statutory provision is a reference to it as amended or re-enacted and includes all subordinate legislation made pursuant to it;
  • any reference to an agreement, exhibit or other document is to it as amended or replaced; and
  • in the event of any inconsistency between any Exhibit and the main body of this Agreement, the Exhibits will prevail to the extent of the inconsistency.

 

2. Distribution of Roles

The Controller determines the purposes and means of the processing of the Personal Data by the Processor and therefore qualifies as a controller as defined in Art. 4 (7) GPDR. The Processor processes the Personal Data on behalf of the Controller and therefore qualifies as a processor as defined in Art. 4 (8) GDPR. If the Controller itself acts as processor with regard to the Personal Data, the Controller warrants that the appointment of the Processor has been authorized by the relevant controller.

 

3. Scope

By entering into this Agreement, the Controller instructs the Processor to process the Personal Data on its behalf. The Processor will only process Personal Data for the purposes set out in the Contract and in this Agreement. The types of Personal Data to be processed by the Processor and the categories of Data Subject are specified in Exhibit A.

The Controller is entitled to delete and/or add additional types of Personal Data, categories of Data Subjects and/or purposes for which the Personal Data is processed by forwarding an updated version of Exhibit A to the Processor. The updated version of Exhibit A shall be deemed incorporated into this Agreement upon the Processor’s receipt.

 

4. Responsibilities of Processor

4.1 Instructions

Except where expressly permitted by Article 28 (3)(a) GDPR, the Processor shall only process Personal Data in accordance with the written instructions of the Controller. Where the Processor believes that an instruction is in breach of the Data Protection Legislation, the Processor shall notify the Controller without undue delay. The Processor shall be entitled to suspending the performance on such instruction until the Controller confirms or modifies such instruction.

 

4.2  Transfers Outside of the European Economic Area and Switzerland

The Processor may transfer the Personal Data to countries and recipients outside the European Economic Area and Switzerland, provided that such country or recipient guarantees an adequate level of protection and satisfies the other obligations pursuant to this Agreement or as otherwise provided by the GDPR, such as through the use of model clauses or the EU-U.S. or Swiss-U.S. Privacy Shield Frameworks.

 

4.3 Technical and Organizational Measures

The Processor shall implement appropriate technical and organizational security measures (“ TOMs”) as set forth in Exhibit B to protect the Personal Data against accidental or unlawful destruction, loss or alteration and against unauthorised disclosure, abuse or other processing in violation of the Data Protection Legislation.

The Controller is aware of the TOMs and is responsible for ensuring that they provide an adequate level of protection against the risks of the data to be processed as set forth in Article 32 GDPR. The Processor may update or modify the TOMs, provided that such modifications do not materially decrease the overall security of the Personal Data.

 

4.4 Confidentiality

The Processor will grant access to the Personal Data only to employees, contractors and sub-processors who need such access for the scope of their performance and are subject to appropriate confidentiality arrangements (“ Authorized Persons”).

The Processor will ensure that the Authorized Persons are prohibited from processing the Personal Data outside the scope of the instructions and that their confidentiality obligation will survive the termination of the Contract and this Agreement.

 

4.5 Duty to Inform and Assist

The Processor shall assist the Controller in ensuring compliance with the Data Protection Legislation and provide all necessary information to support the Controller in fulfilling its obligations set out in Articles 33 to 36 GDPR.

Where a Data Subject asserts a claim or request for rectification, erasure or access against the Processor, the Processor shall refer the Data Subject to the Controller, provided that a referral to the Controller is possible based on the information provided by the Data Subject. The Processor shall forward the Data Subject’s claim to the Controller without undue delay.

The Processor shall provide full cooperation and assistance in relation to the Controller’s obligation to respond to a claim but shall not be liable in cases where the Controller fails to respond to the Data Subject’s claim in a correct or timely manner.

 

5. Data Breach Notification

If the Processors becomes aware of a personal data breach as defined by Article 4 of the GDPR (“ Data Breach”), the Processor shall notify the Controller without undue delay Such notice shall include, to the extent reasonably available to the Processor, the information required for the Controller to fulfil its obligations under Articles 33 and 34 of the GDPR. The notification shall not be construed as an acknowledgement by the Processor of any fault or liability with respect to the Data Breach. The Controller shall remain responsible for complying with Articles 33 and 34 of the GDPR. However, upon request of the Controller, the Processor shall provide reasonable assistance in accordance with the Data Protection Legislation in notifying the relevant supervisory authorities and/or the Data Subjects.

 

6.  Engagement of Sub-Processors

The Controller hereby authorizes the Processor to subcontract its processing activities under the Contract and this Agreement to other data processors (“ Sub-Processors”). Where the Processor sub-contracts its processing activities to a Sub-Processor, it will do so only by way of a written agreement which imposes the same data protection obligations on the Sub-Processor as are imposed on the Processor under this Agreement. If the Sub-Processor fails to fulfill its obligations under such written agreement, the Processor shall remain fully liable to the Controller for the performance of the sub-processor’s obligations.

The list of Sub-Processors that are currently engaged by the Processor is available at https://knowledge.aleno.me/en/kb/gdpr-subprocessor (“ List of Sub-Processors”). The List of Sub-Processors may be amended by the Processor from time to time in accordance with this Agreement. When a new Sub-Processors is engaged, the Processor shall notify the Controller by updating the List of Sub-Contractors. 

 

7.  Responsibilities and Indemnification of Controller

The Controller understands and acknowledges that he is solely responsible for its use of the Services, including the responsibility to make appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Data, and that the Processor has no obligation to protect Personal Data that the Controller elects to store or transfer outside of the systems of the Processor, including offline or on-premises storage.

The Controller represents and warrants that it will comply with the Data Protection Legislation and that it has valid legal basis for the processing of all Personal Data by the Processor. The Controller shall indemnify, defend, and hold harmless the Processor from and against all costs, expenses, fines, fees (including reasonable attorneys’ fees) arising from all third-party claims arising from or related to any actual or alleged processing of Personal Data by the Processor on behalf of the Controller without a valid legal basis.

 

8. Compliance Audits

Upon the Controller’s written request, the Processor shall permit the Controller, or any third party mutually agreed upon by the Controller and the Processor, to audit the Processor’s data processing activities to enable the Controller to verify that the Processor and/or sub-processors are in full compliance with their obligations under this Agreement and the Data Protection Legislation.

To request an audit, the Controller must submit a detailed proposed audit plan to the Processor at least six (6) weeks in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. The Processor will review the proposed audit plan and provide the Controller with any concerns or questions The Processor will cooperate with the Controller to agree on a final audit plan.

Audits can be conducted at the Processor’s place of business, provided that the auditors conduct the audit during the Processor’s normal business hours and that the auditors take all reasonable measures to prevent unnecessary disruption to the Processor’s operations. The Controller agrees to treat all information acquired during any audits as confidential information of the Processor and to maintain the confidentiality of such information to the same nature and extent that the Controller maintains its own confidential information.

The Controller may not request more than one audit in any twelve (12) calendar month period. Additionally, a supervisory authority may conduct an audit to the extent required by the GDPR. All audits conducted under this Agreement will be at the Controller’s expense. The Controller shall reimburse the Processor for any time expended by the Processor or its Sub-Processors in connection with any audits or inspections under this Section 8 at the Processor’s services rates, which shall be made available to Customer upon request.

 

9. Liability

The total combined liability of either Party to the other Party arising out of or in connection with this Agreement, whether in contract, tort (including negligence) or any other theory of liability, shall be subject to the same limitations of liability as agreed upon by the Parties in the Contract.

 

10.  Termination

This Agreement shall remain in force as long as the Processor is processing Personal Data on behalf of the Controller in connection with the Contract. Upon request of the Controller, the Processor shall delete or anonymize all Personal Data processed on behalf of the Controller shall confirm the deletion or anonymization of the Personal Data in writing.

 

11.  Miscellaneous

No modification of this Agreement and/or any of its components shall be valid and binding unless made in writing. For the purpose of this Section, email shall not be sufficient.

No provision of this Agreement shall create a partnership between the Parties or constitute a Party the agent of the other Party for any purpose. Neither Party shall have the authority to bind, contract in the name of or create a liability for the other Party in any way or for any purpose and neither Party shall hold itself out as having authority to do the same.

The rights and remedies of the Parties under this Agreement exist in addition to any statutory rights or remedies, including the Data Protection Legislation.

If any provision of these Terms of Use should be invalid in any jurisdiction under applicable law, the legality and enforceability of the remaining provisions hereof shall not in any way be affected or impaired thereby. In such an event, the User and the Provider commit themselves to compose a legally valid replacement rule which approaches the invalid provision as closely as possible within the economic intent of these Terms of Use. With this in mind, these Terms of User shall be interpreted as though the invalid provision had been omitted from the outset.

 

12. Governing Law and Jurisdiction

This Agreement shall be governed by and construed in accordance with Swiss law, excluding the Swiss conflict of law rules. The application of the United Nations Convention for Contracts for the International Sales of Goods is hereby expressly excluded.

Any dispute, controversy or claim arising out of or in connection with this Agreement or the breach, termination, existence, legal competence or invalidity thereof, shall be exclusively settled by the courts of Zurich, Switzerland.

 

 

Exhibit A – Scope of Processing Activities

1. Nature and Purpose of Processing

The Processor will process Personal Data for the following purpose:

  • Processing of customer reservations at Controller’s restaurants
  • Monitoring the occupancy rate of Controller’s restaurants
  • Analysis of customers and customer behaviour
  • Exporting Personal Data via application programming interface (API) by configuring webhooks or connecting the Personal Data with applications provided by third parties such as Zapier and automate.io.

2. Categories of Data Subjects

The Processor will process Personal Data of the following categories of Data Subjects:

  • Customers of restaurants that are owned by the Controller (“ Customers”)
  • Users who can access the Software on behalf of the Controller, such as employees, contractors or independent third parties (“ Users”)

 

3. Types of Personal Data

3.1 Customer Data

The Processor will process the following types of Personal Data of the Customers:

  • Personal information of Customers (including first name, last name, gender, preferred language, phone number, email address, home address, company affiliations, anonymous credit card number)
  • Information about previous restaurant visits of Customers (including time and date of visit, number of guests, duration of visit, type of table, amount of expenses)
  • Information about future restaurants visits of Customers (including time and date of reservation, number of guests, type of table, comments written by Customers, credit card number used for reservation, Customer’s path to reservation)
  • General information about restaurant visits of Customers (including overall number of visits, overall amount of expenses, overall number of no-shows)
  • Categorization of Customers based on categories created by Controller

 

3.2 User Data

The Processor will process the following types of Personal Data of the Employees:

  • Personal information of Users (including first name, last name, abbreviation, email address and role within the Controller’s ecosystem)

The Processors has the option to create anonymous user profiles in his account. In this case, the Processor will not be processing any Personal Data of the Users.

 

Exhibit B – Technical and Organizational Measures (TOMs)

Specification of the technical and organizational measures used by the Processor to ensure compliance with the applicable data protection legislation:

Encryption and Transfer of Personal Data (Art. 32 para. 1 a GDPR)

  • All transfers of Personal Data between the Processor and the Controller are executed through the secure communication protocol HTTPS which is encrypted using Transport Layer Security (TLS).
  • All Personal Data that is transferred to the Processor by the Controller is stored in encrypted form on secure servers hosted by Amazon Web Services and is decrypted on the client side when the Controller accesses the Personal Data. Amazon Web Services uses industry standard AES-256 encryption to secure the Personal Data. All keys are fully managed by Amazon Web Services.
  • The Processor can only export Personal Data in anonymized form.

Confidentiality of Personal Data (Art. 32 para. 1 b GDPR)

Physical Access Control

  • The physical office building of the Processor can only be accessed by its employees (controlled distribution of keys).
  • External persons, including third parties providing services to the Processor, can only enter the physical office building when they are accompanied by employees. In case of absence of all employees, the doors to the office building are locked.

System and Data Access Control

  • The access to the Personal Data is protected by passwords and a hash key. For security reasons, all passwords must have a minimum length, use special characters and be changed periodically. The Processor does not store any passwords of the Authorized Persons on its servers.
  • Every Authorized Person uses a separate account set up by an administrator to get access to the Personal Data. This enables the Processor to identify all Authorized Persons in the system. The maximum number of failed login-attempts for every account is limited by Google. To prevent access to Personal Data by not authorized persons, all accounts are protected by two factor authentication (2FA).
  • All devices that are used by the Authorized Persons are protected by a firewall and have a screen lock with password protection.

 

  Integrity of Personal Data (Art. 32 para. 1 b GDPR)

  • All Personal Data transferred to the Processor by the Controller is stored on single tenant dedicated EC2 virtual servers that are provided by Amazon Web Services and created solely for the Processor. These virtual servers are fully isolated and not share logical data storage or processing with other customers.
  • The Controller has complete control over the integrity of the Personal Data and can use the rights management system provided by the Processor to define the access rights of its employees. The Processor does not change or delete any Personal Data unless so requested by the Controller or the Data Subjects.
  • The Processors is currently building an internal control system that enables the Processor to monitor the activities of the Authorized Persons and track all changes that are made to the Personal Data.

Availability of Personal Data and Resilience of Systems (Art. 32 para. 1 b GDPR)

  • The database and application servers on which the Personal Data is stored are running on a cluster with containers and are fully scalable. In case of performance issues, the Processor we will be informed immediately and be able to add more containers to provide a resilience system.
  • The data centers of Amazon Web Services are compliant with a number of physical security and information security standards. These standards include an uninterruptible power supply, fire and humidity detectors, virus protection, firewall and a separation of test, development and production systems.
  • All Personal Data transferred to the Processor by the Controller can be restored to any point in time with the fully managed backup solution provided by Amazon Web Services that enables the Processor to query continuous backup snapshots.