Data Processing Agreement (DPA)
Last modified: August 28, 2022
2. Subject Matter of this Agreement
2.1. The object of the service provision by the Processor for the Controller is the use of data of the Controller for the use of the BQ Software provided by the Processor. The software enables an objective behavioral analysis of decision makers in the finance and investment sector. This generates algorithmically and on the basis of an automated dialogue from science-based stimuli (e.g. questions, tasks and scenarios) feature profiles and behavioral predictions of the users as well as recommendations for decision support and behavior optimization. In this context, the scope, nature and purpose of the data processing are limited to the use of the data categories listed under point 2.2. Special categories of data pursuant to Articles 9 and 10 of the GDPR may only be processed in the systems of the Processor with the written consent of the Controller.
2.2. The following categories of data are processed:
First name, last name, e-mail address, risk attitudes, perceptions and attitudes towards market and investment issues, personality, interests and values, decision-making and information processing style, behavior in investment simulations and amount of fictitious investments, behavioral and cognitive information processing and biases, sentiment and risk assessments about the money and financial markets, response behavior, sociodemographic and firmographic characteristics on gender, age, educational and professional background, professional position, length of work experience, country of occupation, company type and size.
2.3. The following categories of data subjects will be subject to the processing:
Clients, employees, investment target employees.
2.4. The processing of data by the Processor shall generally take place within the European Union or in another contracting state of the Agreement on the European Economic Area (EEA). The Processor is nevertheless permitted to process data outside the EEA in compliance with the provisions of this Agreement if it informs the Controller in advance of the location of the data processing and the requirements of Articles 44 – 48 of the GDPR are met or an exception pursuant to Article 49 of the GDPR applies. The Controller acknowledges that the Processor may also agree with sub-processors on processing outside the EEA, provided that such processing is carried out under the conditions of Art. 44 – 48 of the GDPR or an exception pursuant to Art. 49 of the GDPR exists.
3. Duration of the Agreement
3.1. The term of this Agreement shall be governed by and shall correspond to the term of the respective main agreement, unless the provisions of this agreement give rise to obligations exceeding the aforesaid term.
4. Duties of the Processor
4.1. Right to issue instructions
The Processor shall not make any decision on its own responsibility regarding the way in which the Controller’s data is used. The Processor shall use data and processing results exclusively within the scope of the Controller’s order and on the basis of documented written instructions and shall return them exclusively to the Controller or shall only carry out transfers on the basis of the Controller’s written order. If, in the opinion of the Processor, a written instruction from the Controller violates data protection law, the Processor shall comply with its legal obligation to warn the Controller. The Controller must have issued a written order to use the data provided for the Controller’s own purposes (see Section 4.10.).
4.2. Official order
If the Processor is requested to release data of the Controller on the basis of an official order, the Processor must – if legally permissible – inform the Controller immediately and refer the authorities to the Controller.
The Processor declares that all persons entrusted with data processing have been obligated to maintain data secrecy and confidentiality or that they are subject to an appropriate legal obligation of confidentiality. In particular, the confidentiality obligation of the person entrusted with the Data Processing shall remain in force even after the termination of his/her activity and leaving the Processor.
The confidentiality obligation shall also apply to legal entities and partnerships.
4.4. Data Security
The Processor shall take sufficient security measures pursuant to Art 28 (3) lit c and Art 32 of the GDPR, in particular in connection with Art 5 (1) of the GDPR, in order to prevent data from being used improperly or made accessible to third parties without authorization. The measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk with regard to confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the type, scope and purposes of the processing shall be taken into account. The Processor shall take all necessary measures to ensure the security of the Processing pursuant to Art 32 (1) of the GDPR. Technical and organizational measures to be taken by the Processor in principle are listed in Appendix 1, for example.
4.5. Data subject rights
The Processor shall implement the technical and organizational measures to enable the Controller to fulfill the rights of the Data Subjects under Chapter III of the GDPR (information, access, rectification and erasure, data portability, objection as well as automated decision-making in individual cases) at any time within the statutory period and shall provide the Controller with all information necessary for this purpose. If a corresponding request is addressed to the Processor and the Processor indicates that the Applicant mistakenly considers it to be the Controller of the data application it operates, the Processor shall forward the request to the Controller without undue delay and notify the Applicant thereof.
The Controller shall have the right to inspect and control at any time, including through third parties commissioned by it, the processing of the data provided by it. This shall also include the right of the Controller to carry out inspections (by the Controller itself or by an auditor appointed by it) at the premises of the Processor. The Processor shall provide the Controller with any information necessary to monitor compliance with this Agreement.
The Processor shall support the Controller by taking appropriate technical or organizational measures to comply with the obligations set out in Art 32 to 36 GDPR (data security measures, notifications of personal data breaches to the supervisory authority, notification of the person affected by a personal data breach, data protection impact assessment, prior consultation).
4.8. Data protection impact assessment
In particular, the Processor shall, upon request of the Controller, assist the Controller in ensuring compliance with all obligations of the Controller in relation to data protection impact assessments and prior consultation, including the obligations of the Controller under Articles 35 and 36 of the GDPR, where the Controller does not otherwise have access to the relevant information and such information is available to the Processor. The Processor shall provide the Controller with appropriate assistance in cooperating with the Supervisory Authority in the performance of its tasks.
4.9. Processing directory
The Processor shall maintain a processing directory for the present commissioned processing in accordance with Art 30 GDPR.
4.10. Return of personal data
Within three months after the termination of this Agreement, the Processor shall either hand over to the Controller or destroy on the Controller’s behalf all Processing Results and documents containing Data. The right to choose in this respect shall be incumbent on the Controller. If the Processor processes the data in a special technical format, the Processor is obliged to hand over the data after the termination of this Agreement either in this format or, at the request of the Controller, in the format in which it received the data from the Controller or in another common format. The only exceptions are those personal data that are subject to an obligation to store personal data under Union law or by law.
The processor is entitled, even after termination of the contract, to further process the data in anonymized form for future product developments and product enhancements as well as for the improvement of algorithms and machine learning processes. In the event of further processing by the Processor, all user data shall be anonymized by the Processor to such an extent that it cannot be attributed to either the responsible party or the Users.
5.1. The Controller hereby authorizes in a general manner the use of sub-processors by the Processor. The additional processors currently used by the Processor are listed in Appendix 2. In general, contractual relationships with service providers that have as their object the testing or maintenance of data processing procedures or systems by other bodies or other ancillary services, even if access to data cannot be ruled out in the process, are not subject to approval, as long as the Processor makes appropriate arrangements to protect the confidentiality of the data.
5.2. The Processor shall inform the Controller of any intended changes regarding the involvement or replacement of additional processors. In individual cases, the Controller shall have the right to object to the commissioning of a potential additional processor. An objection may only be raised by the Controller for good cause to be proven to the Processor. If the Controller does not raise an objection within 14 days of receipt of the notification, its right to object with regard to the corresponding commissioning shall expire. If the Controller raises an objection, the Processor shall be entitled to terminate the main agreement and this agreement with a notice period of 3 months.
5.3. If the Processor uses another sub-processor to carry out certain processing activities on behalf of the Controller, the Processor shall impose the same data protection obligations on this sub-processor by way of a contract. The parties agree that this requirement is met if the contract has a level of protection corresponding to this contract or if the additional processor is subject to the obligations set out in Art. 28(3) GDPR.
5.4. Subject to the requirements of Section 2.4 of this agreement, the provisions in this Section 5. shall also apply if an additional processor in a third country is engaged. The Controller hereby authorizes the Processor, on behalf of the Controller, to enter into a contract with the additional processor incorporating the EU Standard Contractual Clauses for the transfer of personal data to processors in third countries of 4.6.2021. The Controller agrees to cooperate to the extent necessary in fulfilling the requirements pursuant to Art. 49 GDPR.
6.1. There are no verbal ancillary agreements to this order processing contract. Amendments or supplements to this contract must be made in writing. This shall also apply to any waiver of the written form requirement.
6.2. Should any provision of this contract be invalid or ineffective, it shall be replaced by a provision that comes as close as possible in its result to the invalid or ineffective provision. The remaining provisions shall remain unaffected.
6.3. This contract shall be governed by Austrian law to the exclusion of its conflict of law rules and the UN Convention on Contracts for the International Sale of Goods. All disputes arising from or in connection with this contract shall be decided exclusively by the Commercial Court of Vienna.
Appendix 1: Technical and organizational measures
Within its area of responsibility, the Processor shall take the following technical and organizational measures when collecting, processing and using Customer Personal Data.
1. Preventive security measures – measures to prevent a successful attack
1.1. Technical measures
Logical access control
Access authorizations are assigned according to the “need-to-know” principle.
All access to personal data is granted only after successful authentication.
If passwords are used for authentication, they are at least eight characters long. Passwords are stored exclusively in encrypted form. Two-factor authentication is used for security-critical applications.
Encryption during transmission
Personal data is encrypted during transmission over the Internet.
Encryption of mobile devices
Mobile devices and mobile data carriers are encrypted, at least to the extent that sensitive data is stored on these devices.
A firewall is used to separate the internal network from the Internet and – as far as possible – block incoming network traffic.
Measures against malware
Anti-virus software is used on all systems wherever possible. All incoming emails are automatically scanned for malware.
Management of security vulnerabilities
As far as possible, automatic installation of security updates is activated on all devices.
1.2. Organizational measures
Internal responsibilities for data security issues are defined.
Obligation of employees to maintain confidentiality
Employees are obligated to maintain confidentiality beyond the duration of their employment. In particular, they are obliged to disclose personal data to third parties only on the express instruction of a superior.
Training and information measures
Employees are trained on data security issues (internally or externally) and appropriately informed about data security issues (e.g. password security).
Orderly termination of employment
Upon termination of employment, all accounts of the departing employee shall be blocked immediately and all keys of the departing employee shall be removed.
Management of computer hardware
Records are kept of which employees have been assigned which terminal devices (e.g. PC, laptop, cell phone).
Procedures are in place to control the accuracy of personal data entered.
No duplication of user accounts
Each user has his or her own user account. Sharing of user accounts is prohibited.
No unnecessary use of administrative accounts
User accounts with administrative rights are used only in exceptional cases – regular use of IT systems is done without administrative rights.
Selection of service providers
When selecting service providers, the level of data security offered by the service provider is taken into account. The use of a service provider that is to be classified as a processor is only carried out after the conclusion of a processing contract.
Secure data disposal
Paper containing personal data is always shredded or handed over to an external service provider for secure destruction. Data carriers are completely overwritten or physically destroyed before disposal so that the data stored on them cannot be recovered.
1.3. Physical measures
Physical access control
Persons from outside the company are only allowed to enter the company premises if accompanied by a person from the company.
Keys that allow access to the company premises or parts thereof are only issued to particularly trustworthy persons and only to the extent that and for as long as these persons actually require their own key.
2. Detectives security measures – measures to detect an attack
2.1. Technical measures
Scans for malware
Regular scans for malware (anti-virus scans) are performed to identify malware that has already compromised an IT system.
Automatic checking of log files
Insofar as the security log files of several systems are collected centrally on one system, an automated evaluation of the log files is performed in order to identify possible security breaches.
2.2. Organizational measures
Detection of security breaches by employees
All employees are instructed on how to recognize and report security breaches (e.g., computer hardware that can no longer be found, reports from anti-virus software).
Technical procedures are in place to enable employees to report anomalies and irregularities in technical systems to the appropriate persons.
Regular audits are carried out (e.g., checking whether all critical security updates have been installed). In particular, regular audits are carried out of the access and access authorizations granted (which employee is assigned which user account with which access rights; which persons have which keys).
Manual checking of log files
If log files are kept (e.g., of unsuccessful authentication attempts), they are checked at regular intervals.
3. Reactive security measures – measures to respond to an attack
3.1. Technical measures
Data backups are made regularly and stored securely.
Data recovery concept
A concept for the rapid recovery of data backups has been developed in order to restore regular operations promptly after a security breach.
Automatic removal of malware
The anti-virus software used has the function of automatically removing malware.
3.2. Organizational measures
Obligation to notify employees
All employees are instructed to report security breaches immediately to a previously defined internal office or person.
Reporting obligation for external service providers
All service providers are provided with contact information for reporting security breaches.
Reporting obligation for responding to security breaches
An appropriate process shall be in place to ensure that security breaches can be reported to the Data Protection Authority within 72 hours of becoming aware of the security breach. In particular, all employees shall be provided with the emergency telephone numbers of the persons to be involved (e.g., emergency telephone number for IT support).
4. Deterrent security measures – measures to mitigate attacker motivation
4.1. Technical measures
Users receive automatic warnings in case of risky IT usage (e.g. by the web browser if an encrypted website does not use a correct SSL/TLS certificate).
4.2. Organizational measures
Sanctions in case of attacks by own employees
All employees are informed that attacks on the company’s own IT systems will not be tolerated and may have serious consequences under labor law.
Logging of accesses
Access to applications, in particular the entry, deletion and modification of data, is logged.
Appendix 2: List of Sub-Processors
|Sub-Processor||Product||Use / Service||Data Center Location|
|Google (US)||Google Cloud Platform||Hosting infrastructure||EU (NL)|
|Google (US)||Google reCAPTCHA||Spam protection for form entries||USA|
|Hotjar (MLT)||Hotjar||Online behavior analysis||EU|
|Hubspot (US)||Hubspot||CRM, marketing||EU|
|Microsoft (US)||Microsoft 365||Documentation, collaboration||EU|
|Mailjet (F)||Mailjet||Mail infrastructure||EU|
|Stripe, Inc. (US)||Stripe||Payment processing||IRL / USA|
|Typeform, S.L. (ES)||Typeform||Online surveys||EU|