Data Processing Agreement

1. Definitions

1.1. Capitalized terms not defined herein shall have the meanings ascribed to them in the Master Services Agreement, found at www.parcelLab.com/legal, the version of which is in effect as of the Effective Date of the applicable Order Form.

2. Scope and duration

2.1. The subject of the data processing agreement comprises parcelLab Services described in the Agreement. This includes in particular the analysis and processing of user, recipient and shipment information. Direct communication shall be carried out by parcelLab in accordance with Customer’s specifications. Customer’s domain is used via whitelisting/white-labeling. Customer has the possibility to add further content (follow-up purchase survey, product recommendations etc.) in the communication sent out through the ParcelLab Service.

2.2. The duration of this data processing agreement corresponds to the duration of the Agreement.

3. Specification of the data processing agreement

3.1. parcelLab shall analyse and evaluate the data transmitted by Customer and the logistics service provider. The evaluation includes the performance of the logistics service providers, the transparent display of shipment events (location- and time-related timestamps/status messages of the logistics service providers) as well as the click and opening behaviour of the recipients in the communication sent out through the ParcelLab Service.

3.2. The processing shall be carried out exclusively within a member state of the European Union or within a member state of the European Economic Area (EEA). Every transfer of personal data to a country which is not a member state of either the EU or the EEA requires the prior consent of Customer and shall only occur if the requirements of arts. 44 et seqq. GDPR have been met.

3.3. The personal data comprises the following data types/categories

      • name
      • address (street, postcode, city and country)
      • contact information (email address, phone number)
      • ordering information (order number, product number)
      • shipment number and service provider

3.4. The categories of data subjects comprise customers of Customer who place orders with Customer.

4. Technical and Organisational Measures

4.1. Before the start of the processing, parcelLab shall document the implementation of the necessary technical and organisational measures with regard to the execution of this data processing agreement, and shall present these documented measures to Customer for inspection. Upon acceptance by Customer, the documented measures become part of the data processing agreement. Insofar as the inspection/audit by Customer shows the need for amendments, such amendments shall be implemented by mutual agreement.

4.2. The Processor shall establish data security in accordance with arts. 28(3)(c), 32 and 5(1) and (2) GDPR as described in Appendix 1. The measures for data security and to guarantee an appropriate protection level in relation to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of art. 32(1) GDPR must be taken into account.

4.3. The technical and organisational measures are subject to technical progress and further development. In this respect, parcelLab may implement alternative adequate measures. In doing so, the security level of the defined measures must not be reduced. Substantial changes must be documented.

5. Correction, restriction and erasure of personal data

5.1. The Processor may not on its own authority correct, erase or restrict the processing of personal data that is being processed on behalf of Customer, but only upon documented instructions from Customer. Insofar as a data subject contacts parcelLab directly concerning a rectification, erasure, or restriction of processing, parcelLab will immediately forward the data subject’s request to Customer.

5.2. Insofar as it is included in the scope of services, the erasure policy, ‘right to be forgotten’, rectification, data portability and access shall be ensured by parcelLab in accordance with documented instructions from Customer without undue delay.

6. Quality assurance and other duties of parcelLab

In addition to complying with the rules set out in this data processing agreement, parcelLab shall comply with the statutory requirements referred to in arts. 28 to 33 GDPR; accordingly, parcelLab ensures, in particular, compliance with the following requirements:

6.1. The Processor has appointed an external Data Protection Officer. The external Data Protection officer can be contacted at the following e-mail address: dataprotection@parcellab.com

6.2. Confidentiality in accordance with art. 28(3)(2)(b), arts. 29 and 32(4) GDPR: The Processor entrusts only those employees with the data processing outlined in this data processing agreement who have been bound to confidentiality and have previously been familiarised with the data protection provisions relevant to their work. The Processor and any person acting under its authority who has access to personal data, shall not process that data unless on instructions from Customer, which includes the powers granted in this data processing agreement, unless required to do so by law.

6.3. Implementation of and compliance with all technical and organisational measures necessary for this data processing agreement in accordance with arts. 28(3)(2)(c) and 32 GDPR as described in Appendix 1.

6.4. Customer and parcelLab shall cooperate, on request, with the supervisory authority in performance of its tasks.

6.5. Customer shall be informed immediately of any inspections and measures conducted by the supervisory authority, insofar as they relate to this data processing agreement. This also applies insofar as parcelLab is under investigation or is party to an investigation by a competent authority in connection with infringements to any civil or criminal law, or administrative rule or regulation regarding the processing of personal data in connection with the processing of this data processing agreement.

6.6. Insofar as Customer is subject to an inspection by the supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a data subject or by a third party or any other claim in connection with the data processing agreement data processing by parcelLab, parcelLab shall make every effort to support Customer.

6.7. The Processor shall periodically monitor the internal processes and the technical and organisational measures to ensure that processing within his area of responsibility is in accordance with the requirements of applicable data protection law and the protection of the rights of the data subject.

6.8. Verifiability of the technical and organisational measures conducted by Customer as part of Customer’s supervisory powers referred to in sec. 7 of this data processing agreement.

7. Subcontracting

7.1. Subcontracting for the purpose of this Agreement is to be understood as services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal/transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. The Processor shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of Customer’s data, even in the case of outsourced ancillary services.

7.2. The Customer grants the Processor general authority to commission subcontractors (additional processors) for the purposes of providing the Services under the Agreement. Customer agrees to the commissioning of the following subcontractors on the condition of a contractual agreement in accordance with art. 28(2)–(4) GDPR:

Subcontractor Address/country Service
Amazon Web Services EMEA SARL 38 avenue John F. Kennedy, L1855 Luxembourg Cloud infrastructure (server location: Frankfurt, Germany)
Mailjet GmbH Berliner Allee 26, D-40212 Düsseldorf, Germany Outbound Mail Provider (server location: Frankfurt, Germany & St. Ghislain, Belgium)
parcelLab GmbH Kapellenweg 6 81371 Munich, Germany Customer success, Account Management, Professional Services, Support and Maintenance, Software Development and Quality Assurance

7.3. If the Processor appoints a new subcontractor or intends to make any changes concerning the addition or replacement of the subcontractors, it shall provide Customer with seven (7) business days’ prior written notice, during which the Customer can object to the appointment or replacement. If the Customer does not object, the Processor may proceed with the appointment or replacement.

7.4. The transfer of personal data from Customer to the subcontractor and processing of personal data by the subcontractor shall only start after all requirements have been met.

7.5. If the subcontractor provides the agreed service outside the EU/EEA, parcelLab shall ensure compliance with EU data protection law by appropriate measures. The same applies if service providers are to be used within the meaning of sec. 1(2).

7.6. All contractual provisions in the contract chain shall be communicated to and agreed with each and every additional subcontractor.

8. Supervisory powers of Customer

8.1. Customer has the right, after consultation with parcelLab, to carry out inspections or to have them carried out by a designated auditor. It has the right to convince itself of the compliance with this agreement by parcelLab in his business operations by means of random checks, which are ordinarily to be announced in good time.

8.2. The Processor shall ensure that Customer is able to verify compliance with the obligations of parcelLab in accordance with art. 28 GDPR. The Processor undertakes to give Customer the necessary information on request and, in particular, to demonstrate the execution of the technical and organisational measures.

8.3. Evidence of such measures may be provided by

      • compliance with approved codes of conduct pursuant to art. 40 GDPR;
      • certification according to an approved certification procedure in accordance with art. 42 GDPR;
      • current auditor’s certificates, reports or excerpts from reports provided by independent bodies (e.g. auditor, data protection officer, IT security department, data privacy auditor, quality auditor)
      • a suitable certification by IT security or data protection auditing.

8.4. The Processor may claim remuneration for enabling Customer’s inspections.

9. Communication in the case of infringements by parcelLab

9.1. The Processor shall assist Customer in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations, referred to in arts. 32 to 36 of the GDPR. These include:

      • ensuring an appropriate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events;
      • the obligation to report a personal data breach immediately to Customer;
      • the duty to assist Customer with regard to Customer’s obligation to provide information to the data subject concerned and to immediately provide Customer with all relevant information in this regard;
      • supporting Customer with any data protection impact assessment;
      • supporting Customer with regard any to consultation of the supervisory authority.

9.2. The Processor may claim compensation for support services which are not included in the description of the services and which are not attributable to failures on the part of parcelLab.

10. Authority of Customer to issue instructions

10.1. Instructions shall be sent to the following parcelLab representatives:

Tobias Buxhoidt, CEO, +49 173 402 8389

Anton Eder, COO, +49 172 824 2022

Julian Krenge, CTO, +49 171 551 1577

10.2. Customer shall confirm any oral instructions in writing to support@parcellab.com.

10.3. The Processor shall inform Customer immediately if they consider that an instruction violates any data protection laws. The Processor shall then be entitled to suspend the execution of the relevant instructions until Customer confirms or changes them.

11. Deletion and return of personal data

11.1. Copies or duplicates of the data shall never be created without the knowledge of Customer, with the exception of backup copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory requirements to retain data.

11.2. After conclusion of the contracted work, or earlier upon request by Customer, at the latest upon termination of the Agreement, parcelLab shall hand over to Customer or – subject to prior consent – destroy all documents, processing and utilization results, and data sets related to the data processing agreement that have come into its possession, in a data-protection compliant manner. The same applies to any and all connected test, waste, redundant and discarded material. The log of the destruction or deletion shall be provided on request.

11.3. Documentation which is used to demonstrate data processing in accordance with the data processing agreement shall be stored beyond the duration of the data processing agreement by parcelLab in accordance with the respective retention periods. It may hand such documentation over to Customer at the end of duration of the data processing agreement to relieve parcelLab of this contractual obligation.

Appendix 1

Technical and Organisational Measures

parcelLab undertakes to implement the following technical and organisational measures in accordance with art. 28(3)(2)(c), 32 GDPR. Changes to the measures described below require the prior consent of Customer.

1. Pseudonymisation

The data will not be pseudonymised.

2. Encoding

The transmission to storage of personal data is encrypted so that the confidentiality and integrity of the data is protected:

  • Data carrier encryption according to AWS EBS Encryption or LUKS LVM/XTS with 512bit AES
  • Encryption of transport protocols
  • Use of SFTP
  • AES-256 Encryption Standard
3. Privacy

a. Physical access control

parcelLab takes the following measures, among others, to prevent unauthorised access to the data processing equipment with which data is processed or used:

Due to a manual locking system, access to the premises of parcelLab is only possible for authorised employees. The keys shall only be issued to authorised employees or contractual partners of parcelLab. A key book shall also be kept. The key book is available in the form of an overview in the “Nuki” application. This key book can be used to control employee authorisations for access to the premises. A logging of visitors does not take place. Visitors are only permitted access to the data processing areas in exceptional cases and under the supervision of the responsible persons. In such a case the visit will be logged.

b. Access control

Among other things, parcelLab takes the following measures to prevent the use of data processing equipment by unauthorized persons:

Secure access connections and authentication control technologies are implemented to regulate access to parcelLab production systems and internal support tools. Access restrictions are based on an authentication service developed and distributed by parcelLab based on Secure Socket Layer (SSL) certificates. This service also provides encryption methods to ensure data security during transmission. Access to internal support tools for authorised users is controlled by Access Control Lists (ACL). Encryption techniques are used to secure user authentication and administrator sessions over the Internet. Remote data access on production systems requires a connection to the corporate network that is governed by certificate-based and logged authentication (SSH key). The production systems run in a VPN (Virtual Private Network). Access is only granted after certificate-based authentication. A second level of security is ensured by the encrypted and password-protected database. The CTO is responsible for managing access authorisations.

parcelLab follows a formal process to allow or deny access to parcelLab resources. Various access protection mechanisms help to provide secure and flexible access. Unique user IDs, strong passwords and periodic access list checks are provided to ensure appropriate use of user accounts. All groups that have access to parcelLab services undergo a regular review.

Password management for in-house applications is controlled by a password management tool. Access can be assigned and revoked based on group rules. Administrator access is the responsibility of the CTO.

There are two roles for accessing production systems. The admin has access to the encrypted and password-protected database. Admin roles are protected by 2-factor authentication. Authenticated developers only have access to the VPN. For access in parcelLab internal systems, roles are defined in the password management tool. These are not described in a formalised authorization concept.

Authorisation at parcelLab Services is enforced at any time on all levels of the respective system. The granting or processing of access rights is based on the user’s job responsibilities or on a need-to-know basis and must be authorised and approved by the applicant’s responsible supervisor. Approvals are made using workflow tools. Access to production systems is only granted to trained users who are authorised for the respective action. Similarly, access to production systems is immediately withdrawn in the event of termination.

The routers are configured accordingly to protect parcelLab internal network domains from unauthorised external connections and to ensure that computer connections and data flows do not violate the logical access control of the systems. Changes to the hardware network components or other configuration require the consent of the designated person in charge.

parcelLab has a firewall configuration rule that defines acceptable ports that can be used on a parcelLab firewall. Only required ports and services are open. Access to change the firewall configuration is limited to the internal security operations team. The security operations team regularly reviews critical firewall rules.

c. Data access control

Among other things, parcelLab takes the following measures to ensure that those authorised to use a data processing system can only access the data subject to their access authorisation and that stored or processed data cannot be read, copied, changed or removed without authorisation:

Website operators can adjust their analysis options via an administration console provided by parcelLab. Access to the administrator console is restricted to the website operator or persons authorised by the website operator by means of a user name and password and also to authorised parcelLab employees. Each access is also logged by means of a session login. For authorised access, a registration link will be sent to the website operator by email. For the registration a password identification from letters, numbers and special characters is required, whereby a certain safety standard is ensured.

The access controls described above (cf. point b) secure access to the inventory data recorded as part of the services. Access is restricted by the authorisation concept to employees of parcelLab with corresponding responsibilities.

d. Handover control

Among other things, parcelLab takes the following measures to ensure that data cannot be read, copied, altered or removed without authorisation during electronic transmission, during transport or storage on data carriers, and that it is possible to check and determine to which places data transmission by data transmission equipment is intended:

  • Establishment of VPN tunnels
  • (Anonymous) logging of all exports, data information or data deletions on behalf of the client, as well as automatic data deletions at agreed intervals
  • Creation of an overview of regular call-off and transmission processes by the client
  • Passing on data in anonymised or pseudonymised form

Access to the systems for evaluation and anonymisation is subject to effective access controls, which are described under c).

parcelLab trains its employees regarding the risks of cloud-based services. The employees commit themselves to inform parcelLab immediately in case of loss or theft of a data protection relevant device.

e. Deletion of data

The time or frequency of the data deletion is determined by the client.

f. Separation control

Separate processing of data collected for different purposes is ensured by multi-client capability.

4. Integrity

a. Transfer control

No unauthorised reading, copying, modification or removal during electronic transmission or transport by encryption via https (hypertext transfer protocol secure).

b. Input control

Determine whether and by whom personal data has been entered, altered or removed into data processing systems through logging and document management.

5. Availability

a. Ensuring availability

Protection against accidental or deliberate destruction or loss through a backup strategy and a firewall, so that rapid recoverability (Art. 32 para. 1 item c GDPR) is ensured.

The backup strategy for the primary database cluster consists of three levels:

(1) Multi-availability zone database cluster with hot redundancy and continuous backup to separate nodes,

(2) hourly, automatic image-level backup for recovery in less than 10 minutes and

(3) daily off-site backups for disaster cases. All primary systems such as the API run in triple hot redundancy across three availability zones.

b. Earmarking

The subject matter of the order to parcelLab shall include the services, work and/or performances described and agreed in more detail in the main contract.

6. Load capacity of the systems

Load-dependent scalable micro services on flexible cloud infrastructure are implemented.

7. Recovery after incident

Redundant backup servers are implemented (see 5.a).

8. Regular review of technical and organisational measures

Data protection management, Incident-Response-Management and data protection-friendly default settings (Art. 25 para. 2 GDPR) have been implemented.

9. Documentation

Documentations which serve as proof of the orderly and proper processing of customer data shall be stored beyond the end of the contract in accordance with the respective retention periods.