Data protection agreement

1 Data Protection Agreement (hereinafter also referred to as contract) concerning the processing of personal data on behalf of

0. Scope of Application

This Data Protection Agreement (hereinafter also referred to as "Contract" or "Agreement") concerning the processing of personal data on behalf (data processing according to Art. 28 GDPR and Art. 9 FADP) applies to the use of the IT and both online and offline fundraising infrastructure available through www.raisenow.com or www.altruja.de, and all connected websites, digital services, browser plugins, or applications, as well as the underlying software (together referred to as the “Services”). The client is the data controller (hereinafter referred to as "Client"), and RaiseNow AG along with its wholly-owned subsidiary, Altruja GmbH, act as the data processor (hereinafter referred to as "Data Processor").

By signing the individual contract, the client expressly acknowledges this Agreement.

If the client does not agree to this Agreement, they cannot access the Services.

Definition

Unless defined otherwise herein, all terms shall have the same meaning as in the Swiss Federal Act on Data Protection (FADP). It is assumed that most terms in the FADP correspond to those in the GDPR. In the event that there is a significant difference between the definition of a term in the FADP and the GDPR, the definition in the GDPR shall prevail, except for the definition of personal data.

1. Subject and Duration of the Agreement

The assignment includes the following:
Operational processing of personal data within the scope of service provision

The Data Processor processes personal data for the Client in accordance with Art. 28 GDPR and Art. 9 FADP based on this Agreement.

The contractually agreed service shall be exclusively provided in a Member State of the European Union or in a contracting state of the Agreement on the European Economic Area or Switzerland. Any relocation of the service or parts thereof to a third country requires the prior consent of the Client and may only occur if the special requirements of Art. 44 et seq. GDPR as well as Section 2 of the FADP are met (e.g., adequacy decision by the Commission, standard contractual clauses, approved codes of conduct).

The duration of the contract is determined by the main contract.

2. Purpose, Scope, and Nature of Processing, Type of Personal Data, and Categories of Data Subjects

The processing of personal data on behalf is exclusively purpose-bound.

The purpose, scope, and nature are as follows:

The purposes pursued with the transfer of personal data to the Data Processor and processing by the Data Processor are described in Annex 3 to this Agreement.

Annex 3 is an integral part of this Agreement.

3. Rights and Obligations as well as Directives of the Client

The Client is solely responsible for assessing the legality of the processing and for safeguarding the rights of the data subjects according to Arts. 12 to 22 GDPR as well as the FADP. Nonetheless, the Data Processor is obliged to forward all such inquiries, if they are recognizably addressed exclusively to the Client, directly to the Client without delay.

Changes in the subject matter of processing and procedural changes are to be recorded in writing or in a documented electronic format.

The Client shall issue all orders, partial orders, and instructions generally in writing or in a documented electronic format. Oral instructions must be confirmed in writing or in a documented electronic format without delay.

The Client is entitled to convince themselves of the compliance with the technical and organizational measures taken by the Data Processor and the obligations set out in this Agreement in an appropriate manner before the start of processing and then regularly, as stipulated in No. 5.

The Client shall immediately inform the Data Processor if they detect errors or irregularities when inspecting the results of the order.

The Client is obliged to treat all knowledge of business secrets and data security measures of the Data Processor acquired in the course of the contractual relationship confidentially. This obligation continues even after the end of this Agreement.

4. Authorized Directives of the Client, Recipients of Instructions from the Data Processor

For instructions to be used communication channel:

Email to datenschutz@raisenow.com

In case of a change or a long-term prevention of contact persons, the contractual partner must be informed immediately and in principle in writing or electronically. The instructions are to be kept for their validity period and then for three full calendar years.

5. Obligations of the Data Processor

The Data Processor processes personal data exclusively within the framework of the agreements made and according to the instructions of the Client unless he is obliged to a different processing by the law of Switzerland, the European Union, or the EU member states to which the Data Processor is subject (e.g., investigations by law enforcement or national security authorities); in such a case, the Data Processor shall inform the Controller/Client of these legal requirements before processing, provided that the relevant law does not prohibit such notification due to an important public interest.

he Data Processor shall not use the personal data provided for processing for any other purposes, especially not for its own purposes. Copies or duplicates of the personal data – except for backup copies – are not created without the knowledge of the Client.

The Data Processor ensures the contractual execution of all agreed measures in the area of processing of personal data as per the contract.

In fulfilling the rights of the data subjects according to Arts. 12 to 22 GDPR and the FADP by the Client, in the creation of the records of processing activities and in required data protection impact assessments of the Client, the Data Processor shall cooperate to the necessary extent and support the Client as far as possible. He must forward the required information to the function authorized to issue instructions specified in No. 4 without delay.

The Data Processor will immediately alert the Client if, in his opinion, an instruction issued by the Client is in violation of legal provisions. The Data Processor is entitled to suspend the execution of the corresponding instruction until it is confirmed or changed by the Controller after verification.

The Data Processor is obliged to correct, delete, or restrict the processing of personal data from the contractual relationship if the Client demands this via an instruction and legitimate interests of the Data Processor do not contradict. The Client may also instruct the Data Processor to anonymize the data instead of deleting it. To request automatic anonymization, please contact datenschutz@raisenow.com.

Disclosures of personal data from the contractual relationship to third parties or the data subject may only be made by the Data Processor following prior instruction or consent by the Client.

The Data Processor agrees that the Client – generally after scheduling an appointment – is entitled to verify the compliance with data protection and data security regulations as well as the contractual agreements to an appropriate and necessary extent, especially by obtaining information and inspecting the stored data and data processing programs as well as through on-site inspections and audits. The costs are borne by the client, to the extent that RaiseNow has announced them and the client has approved them.

The Data Processor assures that he will cooperate in these controls as necessary.

The Data Processor commits to maintaining confidentiality regarding the personal data of the Client processed in accordance with the contract. This obligation continues even after the end of the contract.

The Data Processor assures that he will familiarize the employees involved in the execution of the work with the relevant provisions of data protection before commencing their activities and obligate them to confidentiality in a suitable manner for the duration of their activities as well as after the end of the employment relationship. The Data Processor monitors compliance with data protection regulations in his business.

The Data Processor has appointed the following as the Data Protection Officer: 

IITR Datenschutz GmbH
Dr. Sebastian Kraska
Eschenrieder Str. 62c
82194 Gröbenzell
Germany
datenschutz@raisenow.com

A change of the Data Protection Officer must be communicated to the Client without delay.

6.Obligations of the Data Processor to Notify in Case of Processing Disturbances and Breaches of Personal Data Protection

The Data Processor shall immediately notify the Client of any disturbances, violations by the Data Processor or persons employed by him, as well as against data protection provisions or the determinations made in the contract and the suspicion of data protection violations or irregularities in the processing of personal data. This is especially true with regard to any reporting and notification obligations of the Client according to Art. 33 and Art. 34 GDPR or Art. 24 FADP, as applicable. The Data Processor assures to support the Client as necessary in his obligations according to Art. 33 and 34 GDPR or Art. 24 FADP.

7. Subcontracting Relationships with Subcontractors for Core Services

The Client grants the Data Processor general authorization for future engagement of subcontractors for processing the Client's data. The Data Processor must ensure that he carefully selects the subcontractor, especially considering the technical and organizational measures taken by this subcontractor in the sense of Art. 32 GDPR and Art. 8 FADP. If the subcontractor fails to fulfill its data protection obligations, the contractor is liable to the Client for this failure.

The Data Processor informs the Controller 2 weeks in advance about any intended change regarding the addition of new or the replacement of existing subcontractors. The Client has the opportunity to object to such changes if there is a significant data protection reason, e.g., if the previously agreed and assured technical and organizational measures by the Data Processor cannot be fully guaranteed (§ 28 para. 2 sentence 2 GDPR) or if the subcontractor violates the provisions of the AVV or other data protection regulations. In this case, the intended change may not be implemented.

Currently, the subcontractors documented in Annex 1 are employed by the Data Processor for processing personal data to the extent specified there.

The Client agrees to the engagement of the subcontractors listed in Annex 1.

8. Technical and Organizational Measures according to Art. 32 GDPR and Art. 8 FADP

A level of protection appropriate to the risk to the rights and freedoms of natural persons affected by the processing is ensured for the specific contract processing. For this purpose, the protection goals such as confidentiality, integrity, and availability of the systems and services as well as their resilience in relation to the type, scope, circumstances, and purposes of the processing are taken into account in such a way that the risk is permanently reduced through suitable technical and organizational remedial measures. For the contract-compliant processing of personal data, an appropriate and comprehensible methodology for risk assessment is used, which considers the probability of occurrence and severity of the risks to the rights and freedoms of the persons affected by the processing.

The data protection concept described in Annex 2 represents the minimum requirements of the technical and organizational measures suitable for the identified risk, taking into account the protection goals according to the state of the art, detailed and with special consideration of the IT systems and processing processes used by the Data Processor. This also describes the procedure for regular review, assessment, and evaluation of the effectiveness of technical and organizational measures to ensure data protection-compliant processing.

9. Obligations of the Data Processor upon Termination of the Contract

Upon termination of this Agreement, the Data Processor (and any subcontractor) is obliged to immediately return all personal data and copies thereof covered by this contract, including personal data transmitted by the Client, and, insofar as this is not possible, delete or anonymize these personal data and copies at the Client's discretion; or, if the applicable legislation to the Data Processor prohibits the return or anonymization of the personal data covered by this contract, inform the Client about this and treat the personal data confidentially and not actively process it further.

10. Miscellaneous

Agreements on technical and organizational measures as well as control and audit documents (also for subcontractors) are to be kept by both contracting parties for their validity period and then for three full calendar years.

Written form or a documented electronic format is generally required for ancillary agreements.

Should the ownership or the personal data to be processed by the Client at the Data Processor be endangered by third-party actions (such as attachment or seizure), by insolvency or composition proceedings, or by other events, the Data Processor must notify the Client immediately.

Annex 1 - Subcontracting Relationships

The following subcontracting relationships currently exist in connection with the contract processing:

Subcontractors may vary depending on the scope of services.

Company

Address

Services

Amazon Web Services, Inc.

aws.amazon.com/de

410 Terry Avenue North

Seattle WA 98109

USA

Server/Infrastructure

Datatrans AG

www.datatrans.ch

Kreuzbühlstrasse 26

8008 Zurich

Switzerland

Payment Service

Provider

Stripe Inc.

www.stripe.com

185 Berry Street, Suite 550

San Francisco, CA 94107

USA

Payment Service

Provider

MNC AG

www.mnc.ch

Bahnhofplatz 17

8400 Winterthur

Switzerland

Payment Service

Provider
Text Giving Services 

Nine Internet Solutions AG

www.nine.ch

Albisriederstrasse 243a

8047 Zurich

Switzerland

Server/infrastructure for Peer-to-Peer and Employee Giving

Rackspace International GmbH

www.rackspace.com

Pfingstweidstrasse 60

8005 Zurich

Switzerland

Server/infrastructure

SEPAone

www.sepaone.com

Charlottenstrasse 2

10696 Berlin

Germany

Payment Service

Provider

TWINT AG

www.twint.ch

Stauffacherstrasse 41

8004 Zurich

Switzerland

Payment Service

Provider

PayPal

22-24 Boulevard Royal

L-2449 Luxembourg

Luxembourg

Payment Service Provider

Elastic
elastic.co

Elasticsearch AS

Postboks 539

1373 Asker

Norway

Server/Infrastructure 

Atlassian
atlassian.com

Level 6, 341 George Street,

Sydney, NSW 2000 

Australia

Server/Infrastructure

84codes (RabbitMQ)
84codes.com

Hälsingegatan 49

113 31 Stockholm

Sweden

Server/Infrastructure

Twilio

www.twilio.com

EEA Headquarters

25-28 North Wall Quay

Dublin 1

Ireland

Two-Factor Authentication RaiseNow Hub

 

Weunity AG
www.weunity.com

Hardturmstrasse 101
8005 Zürich, Swiss

TWINT Donation Platform (service)

Annex 2 - Technical and Organizational Measures/Data Protection Concept

The Data Processor assures to comply with the following minimum requirements in its data protection concept. It describes the measures required for the secure handling of personal data by the Data Processor within the scope of contract processing. The basis for this data protection concept is the EU General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (FADP), and possibly further measures demanded by the interested parties. In this context, the Data Processor primarily adheres to the provisions of Articles 24, 25, and 32 GDPR as well as Art. 8 FADP.

1. Confidentiality

1.1 Admission Control

Personal data is exclusively hosted on servers by Amazon located in Frankfurt, on servers by Rackspace located in London, and on servers by nine (nine.ch) located in Zurich. Amazon and Rackspace are not only GDPR-ready but also PCI-DSS certified.

1.2 Access Control

Measures that ensure that only authorized persons can access data processing systems with the right to access, and that personal data cannot be read, copied, altered, or removed without authorization during processing, use, and after storage.

  • Number of administrators reduced to the "necessary minimum"
  • Virtual access to systems only via VPN from the internal network and public-key authentication
  • Two-factor authentication for all employees to view personal data
  • Use of paper shredders
  • Proper destruction of data carriers

1.3 Pseudonymization

Evaluations must be pseudonymized unless the reference to the person is mandatory for the result.

1.4 Separation Control

Measures that ensure data collected for different purposes can be processed separately.

- Separation of production and test systems
- Only data directly serving the actual purpose is collected, stored, and processed.

2. Integrity

2.1 Transfer Control

Measures that ensure personal data cannot be read, copied, altered, or removed without authorization during electronic transmission or transport, and that it is possible to verify and ascertain to which bodies personal data has been transmitted by data transmission equipment.

  • Exporting of personal data is logged
  • Policies for data sharing are documented and known to the affected employees
  • The connection to database systems is protected
  • Regulations for data protection-compliant destruction of data carriers
  • Encryption methods according to current technology standards are used for transmissions (API requests via TLS 1.2, website accesses via SSL);

2.2 Input Control

Measures that ensure it is subsequently possible to check and ascertain if and by whom personal data has been entered, modified, or removed in data processing systems.

  • Traceability of data entry, modification, and deletion by individual usernames (logging)

3. Availability and Resilience

Measures that ensure personal data is protected against accidental destruction or loss.

  • A backup concept exists
  • Responsible persons and representatives are named
  • Redundant server infrastructure

Procedures for regular review, assessment, and evaluation

  • Data protection management system implemented;
  • A security device exists
  • Quarterly vulnerability tests and annual PCI-DSS SAQ D Level 2 review
  • Data protection-friendly presets (Art. 25 para. 2 GDPR, Art. 7 FADP)
  • Anonymization possible after a defined interval
    4. Procedures for Regular Review, Assessment, and Evaluation

4. Procedures for regular review, assessment, and evaluation

A procedure for monitoring data protection within the company must be implemented. This must include the obligation of employees to data secrecy, the training and sensitization of employees, and the regular auditing of data processing procedures. A continuous reporting and processing procedure must be introduced for data protection violations and the safeguarding of data subject rights. This must also include informing the client.

Annex 3 - Description of Transmission and Processing

1. Catalog of personal data to be transferred and processed:

  • Personal data such as name, address, email, phone, birthday
  • Communication preferences, communication data
  • Payment-related data such as bank account details, donation transactions, duration and direct debit orders or SEPA mandates, credit card data

2. Purpose of Transmission and Processing

  • The nature and purpose of processing personal data by the Data Processor arise from the business relationships between the client and the contractor or the concluded main contract.

3. Categories of Affected Persons

  • Supporters (donors, members, sponsors, patrons, guardians, fundraising participants)
  • Prospects used for transfers