DPA

2.5.2025

 

WebPros Terms of Service – Annex 2 – Data Processing Agreement

Between
XOVI GmbH, Hohenzollernring 72, 50672 Cologne / Germany
accordingly (the licensor will hereinafter be referred to as the “Data Processor”), and the customer, entering into a Service relationship on basis of the underlying WebPros Terms of Service (“Customer” or the “Data Controller”)
(each a “Party”, collectively the “Parties” hereto).
By entering into a Service relationship with the Data Processor, this Data Processing Agreement (the “Agreement”), including all exhibits hereto, is made an integral part of the underlying WebPros Terms of Service, being the contractual basis of the commercial relationship.

This Agreement specifies the Parties’ data protection obligations according to Art. 28 General Data Protection Regulation (“GDPR”) in regard to the Processing of personal data by the Data Processor on behalf of the Data Controller, as stipulated or established via the WebPros Terms of Service this DPA is attached to, or any other contractual understanding between the Parties, which involves the processing of personal data on behalf of the Data Controller (collectively the “Base Agreement”). It applies to all activities performed in connection with the Base Agreement in the course of which the Data Processor, or a 3rd party acting on its behalf (the “Sub-Processor”), may come into contact with or process personal data belonging to the Data Controller or its customers on behalf of the Data Controller. The applicability of this Agreement is conditioned upon the existence of a data processing activity performed by the Data Processor on behalf of the Data Controller. In the absence of such processing activity, this Agreement will not apply.

This Data Processing Agreement will come into force and effect on the first date the Customer makes use of a WebPros Service on the basis of the Base Agreement (the “Effective Date”) and will be bound to the term of the Base Agreement, unless terminated by either Party giving the other at least 3 months prior written notice of its intention to terminate. This Agreement will terminate automatically at the termination or expiry of the Base Agreement. All Exhibits hereto form integral parts of this Data Processing Agreement upon signature hereof.

§1 Definitions

(1) “Personal Data”
Personal Data means any information relating to an identified or identifiable natural person (the “Data Subject”).

(2) “Processing”
Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(3) “Instruction”
Instruction means any written instruction, issued by the Data Controller to the Data Processor, and directing the same to perform a specific action with regard to Personal Data (including, but not limited to, de-personalizing, blocking, deletion, making available). Instructions will initially be specified in the Base Agreement and may, from time to time thereafter, be amended, amplified or replaced by Controller in separate written instructions (individual instructions).

(4) “Data Controller”
Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

(5) “Data Processor”
Data Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

(6) “GDPR”
GDPR means the EU General Data Protection Regulation 2016/679.

(7) “EU Standard Contractual Clauses” or “EUSCC” means a set of contractual clauses for data transfers from controllers in the EU to processors established outside the EU or EEA, as issued by the European Commission (Decision C (2021) 3972).

(8) This Agreement applies to the Processing of Personal Data by WebPros on behalf of the Customer in the course of providing Services under the Base Agreement. For the purposes of this Data Processing Agreement:

The Customer may in some cases be considered as a Data Processor for a third-party Data Controller, and WebPros may in such situations be a Sub-Processor to Process Personal Data on the Customer’s behalf. For simplification purposes, WebPros is hereinafter referred to as a Data Processor and the Customer is hereinafter referred to as a Data Controller. Any notifications given by the third-party Data Controller to the Customer will in such cases be conveyed to WebPros insofar as the notifications relate to the Services provided by WebPros. In addition, any instructions given by the Customer to WebPros relating to the Processing of Personal Data should not in such cases contradict or conflict with the instructions given by the third-party Data Controller.

§ 2 Scope and Responsibility

(1) The provisions of this DPA shall apply whenever the Data Processor, in the course of its main contractual services, gains access to personal data (hereinafter referred to as ‘Data’) for which the Data Controller is responsible within the meaning of data protection law. In these cases, the Data Processor processes data on behalf of and in accordance with the instructions of the Data Controller within the meaning of Article 28 GDPR (contract data processing).

The Data Controller remains the controller in the sense of data protection law. The Data Controller is responsible for compliance with all data protection requirements, in particular the GDPR, but also for ensuring that the legal rights of data subjects in connection with personal data are observed.

(2) The data processing by the Data Processor is carried out in the manner, scope and for the purpose specified in Exhibit 1 to this Agreement; the processing concerns the types of personal data and categories of data subjects specified therein. The duration of the processing corresponds to the term of the Base Agreement.

(3) The Data Processor is entitled to anonymise or aggregate the data so that it is no longer possible to draw conclusions about individual data subjects, and to use it in this form for the purposes of designing, developing and optimising it in line with requirements, and for providing the service agreed under the main contract. The Parties agree that data anonymised or aggregated in the manner described above is no longer personal data within the meaning of this contract.

(4) Data processing by the Data Processor shall generally take place within the European Union (EU) or in another country that is a party to the Agreement on the European Economic Area (EEA). Nevertheless, the Data Processor is also permitted to process Data Controller data outside the EEA in compliance with the provisions of this contract, provided that the Data Processor informs the Data Controller in advance of the location of the data processing and the requirements of Articles 44 – 48 GDPR are met or an exception according to Article 49 GDPR applies.

§ 3 Obligations of Processor

(1) The Data Processor will collect, process and use Personal Data only in compliance with and within the scope of the Data Controller’s Instructions or as specified and agreed in the Base Agreement.

(2) Within the Data Processor’s area of responsibility, the Data Processor will structure its internal corporate organization for compliance with the specific requirements of the protection of Personal Data, established by GDPR, local data protection laws or any other applicable privacy and data protection laws and regulations currently in effect (the “Data Protection Laws”). The Data Processor will take the appropriate technical and organizational measures to ensure a level of security appropriate to the risk to the Data Controller’s Personal Data in accordance with the requirements of Article 32 GDPR. The current measures are set forth in Exhibit 2 hereto. Such measures hereunder will include, but not be limited to:

a) the pseudonymization and encryption of personal data where possible;
b) the ability to ensure ongoing confidentiality, integrity, availability and resilience of Processing systems and services (logical, physical access control, transfer control);
c) the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident (availability control);
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

Data security measures referred to in this section above will be supported by the use of state-of-the-art encryption technology. An overview of the technical and organizational measures implemented by the Data Processor will be attached to this Agreement as an Exhibit.

(3) Upon the Data Controller’s request, the Data Processor will provide all information concerning the protection of Personal Data within the Data Processor’s organization in the sense of Article 32 of GDPR and will provide reasonable assistance to the Data Controller in order to allow it to comply with its obligations under the Data Protection Laws.

(4) The Data Processor will ensure that any personnel, entrusted with Processing the Data Controller’s Personal Data have undertaken in writing to comply with the principle of data secrecy in accordance with Article 5(f) GDPR and have committed themselves to confidentiality. The undertaking to secrecy will continue after the termination of the above-entitled activities.

(5) The Data Processor will notify the Data Controller of the contact details of the Data Processor’s data protection Officer (if appointed) or the responsible associate, respectively.

(6) The Data Processor will, without undue delay, inform the Data Controller in case of a Personal Data Breach (as defined under Article 4 (12) GDPR) and will investigate and provide the Data Controller with sufficient information related to the Personal Data Breach and will ensure reasonable cooperation in order to enable the Data Controller to comply with any legal obligation to report the Personal Data Breach and to inform Data Subjects and the supervisory authority within the time frame provided in the Data Protection Laws.

(7) Where applicable, the Data Controller will retain title as to any carrier media provided to the Data Processor as well as any copies or reproductions thereof. The Data Processor will store such media safely and protect them against unauthorized access by third parties. The Data Processor will, upon the Data Controller’s request, provide to the Data Controller all information on the Data Controller’s Personal Data and information. The Data Processor will be obliged to securely delete any test and scrap material, based on an Instruction issued by the Data Controller on a case-by-case basis. Where the Data Controller so decides, the Data Processor will hand over such material to the Data Controller or store it on the Data Controller’s behalf.

§ 4 Obligations of Controller

(1) The Data Controller and Data Processor each will be responsible for conforming with such statutory data protection regulations as are applicable to them.

(2) The Data Controller and Processor will be responsible for fulfilling their duties to inform resulting from Article 33 GDPR.

(3) The Data Controller will, upon termination or expiration of the Base Agreement, and, by way of issuing an Instruction, stipulate, within a period of time set by the Data Controller, the measures to return Personal Data on carrier media or to delete stored Personal Data.

(4) The Data Controller shall be solely responsible for the lawfulness of the processing of the data and for safeguarding the rights of the data subjects in relation to each other. Should third parties assert claims against the Data Processor based on the Processing of data in accordance with this contract, the Data Controller shall indemnify the Data Processor against all such claims upon first request.

(5) It is the Data Controller’s responsibility to provide the Data Processor with the data in a timely manner for the provision of services under the main contract and the Data Controller is responsible for the quality of the Data Controller’s data. The Data Controller shall inform the Data Processor immediately and in full if the Data Controller discovers errors or irregularities with regard to data protection provisions or the Data Controller’s instructions when checking the results of the Data Processor’s work.

(6) The Data Controller shall provide the Data Processor, upon request, with the information referred to in Art. 30 (2) GDPR, insofar as it is not already available to the Data Processor.

(7) If the Data Processor is obliged to provide information to a government agency or person regarding the processing of the Data Controller data or to otherwise cooperate with such agencies, Data Controller shall be obliged to assist Data Processor in providing such information or fulfilling such other obligations to cooperate upon first request.

(8) Any additional cost arising in connection with the return or deletion of Personal Data after the termination or expiration of the Base Agreement or arising out of Instructions outside the Base Agreement’s scope shall be borne by the Data Controller.

(9) If applicable, the Data Controller will at all times make sure to have a sufficient legal basis for handing over his own customers’ data to the Data Processor in the event, the processing activities of the Data Processor relate to customers’ data. Such legal basis has to be set forth in writing between the Data Controller and his customer and must be provided to the Data Processor upon request.

§ 5 Enquiries by Data Subjects or Supervisory Authorities

The Data Processor will, without undue delay, inform the Data Controller in case of any request, claim or notice from a Data Subject or any third party and assist and cooperate with the Data Controller in order to ensure compliance with the Data Protection Laws. Where the Data Controller, based upon GDPR or other applicable data protection law, is obliged to provide information to an individual about the collection, Processing or use of its Personal Data, the Data Processor will assist the Data Controller in making this information available, provided that the Data Controller has instructed the Data Processor in writing to do so.

§ 6 Audit Obligations

The Data Controller may, prior to the commencement of Processing, and in regular intervals thereafter, audit the technical and organizational measures taken by the Data Processor, and will document the resulting findings. For such purpose, the Data Controller will collect voluntary disclosures from the Data Processor.

The Data Controller will: (i) ensure that any information request, audit or inspection is undertaken within normal business hours (unless such other time is mandated by a competent data protection regulator) with minimal disruption to Data Processor’s and/or its Sub-Processors’ businesses, and acknowledging that such information request, audit or inspection: (a) will not oblige Data Processor to provide or permit access to information concerning Data Processor’s internal business information or relating to other recipients of services from the Data Processor; and (b) shall be subject to any reasonable policies, procedures or instructions of Data Processor or its Sub-Processors for the purposes of preserving security and confidentiality; and (ii) provide Data Processor at least 30 days’ prior written notice of an information request and/or audit or inspection (unless the competent data protection regulator provides Data Controller with less than 30 days’ notice, in which case Data Controller shall provide Data Processor with as much notice as possible).

If any information request, audit or inspection relates to systems provided by or on the premises of Data Processor’s Sub-Processors, the scope of such information request, audit and/or inspection will be as permitted under the relevant agreement in place between Data Processor and the Sub-Processor.

A maximum of one information request, audit and/or inspection may be requested by Data Controller in any twelve (12) month period unless an additional information request, audit and/or inspection is mandated by a competent data protection regulator in writing.

The Data Processor will cooperate with the Controller in the sense of Art. 28 III h GDPR in the facilitation of any audit or inspection or other work undertaken pursuant to Data Processor’s obligations under this Agreement.

§ 7 Sub-Processors, Subcontractors

(1) The Data Controller generally agrees that the Data Processor may subcontract parts of its contractual obligations hereunder to the Data Processor’s affiliated companies and/or third parties (Sub-Processors) within or outside the EEA. Sub-Processors will only act on the Data Processor’s Instructions when Processing Personal Data and will abide by any applicable data protection laws in effect. The Data Processor agrees and warrants to remain liable to the Data Controller for any acts or omissions of its Sub-Processors related to the subcontracted Processing by them under this Agreement.

(2) Where the Data Processor engages Sub-Processors, the Data Processor will be obliged to pass on the Data Processor’s contractual obligations hereunder as required by the GDPR to such Sub-Processors and will restrict the Sub-Processor’s access to data only to what is necessary to maintain the subcontracted services. Sentence 1 of this paragraph 2 will apply in particular, but will not be limited to, the contractual requirements for confidentiality, data protection and data security stipulated between the parties of the Base Agreement. Furthermore, the Data Processor is responsible for setting-up and maintaining appropriate safeguards between it and the Sub-Processors as stipulated in Article 46 GDPR.

(3) The list of Sub-Processors in Exhibit 3 hereto lists all Sub-Processors that are currently authorized by WebPros entities for specific purposes. Depending on the Service requested, only specific Sub-Processors may be involved in the Processing of certain data. WebPros will periodically update the applicable list of Sub-Processors on its websites. The Data Controller may subscribe to the update service in order to remain informed about any changes to this list. Alternatively, the Data Controller hereby commits to periodically check such website for changes in the list of WebPros Sub-Processors and acknowledges that this satisfies its needs in regard to Sub-Processor information by the Data Processor.

If the Data Controller does not approve a newly added Sub-Processor, then without prejudice to any termination rights under the Base Agreement and subject to the applicable terms and conditions, either Party shall have the right to either terminate this Agreement, its Instruction to Process data in writing or reject a specific form of data Processing in writing towards the Data Processor in order to avoid processing by such new Sub-Processor.

§ 8 International Data Transfers

The Data Controller acknowledges that the Data Processor’s Sub-Processors may maintain data processing operations in countries outside the EEA or in countries without an adequate level of data protection, if it is required for the fulfillment of the Data Controller’s Instructions or the underlying agreement. In such case, the Data Processor warrants that such Processing outside the EEA is protected by appropriate safeguards as requested by Article 46 of GDPR. Specifically, the Data Processor will only transfer Personal Data to entities outside the EEA if such entities are bound by EU Standard Contractual Clauses adopted by the EU Commission, Binding Corporate Rules, the EU/Swiss-US Privacy Framework(s) or such other appropriate safeguard to make sure that the foreign entity will have established an adequate level of data protection within its organization by taking the appropriate technical and organizational measures in accordance with GDPR and local data protection laws in effect.

§ 9 Duties to Inform

Where the Data Controller’s Personal Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties, public authority or government body, while being Processed, the Data Processor will inform the Data Controller without undue delay. The Data Processor will, without undue delay, notify all pertinent parties in such action that any Personal Data affected thereby is the Data Controller’s sole property and in its area of responsibility, that Personal Data is at the Data Controller’s sole disposition, and that the Data Controller is the responsible body in the sense of the GDPR and, if possible, the Data Processor will not disclose any Personal Data of the Customer to the extent allowed by the applicable laws.

§10 Indemnity and Limitation of Liability

Unless expressly stipulated differently in this Agreement, the Base Agreement or the applicable law, the Data Processor is solely liable and responsible for its gross negligence and willful misconduct. This limitation of liability also applies to its assigned agents and proxies. In cases of simple negligence, the Data Processor shall only be liable for typical and foreseeable damages, caused by a violation of a cardinal contractual obligation. In this case, however, the Data Processor’s, its affiliates’, officers’, directors’, employees’, agents’, service providers’, suppliers’ or licensors’ liability for indirect damages, business interruption, loss of goodwill or for any type of incidental, special, exemplary, consequential or punitive loss or damages is excluded, regardless of whether such Party has been advised of the possibility of such damages.

Notwithstanding the foregoing, in the event the Data Controller forwards his own customers’ data to the Data Processor for further processing under this Agreement, the Data Controller will indemnify and hold harmless the Data Processor against all claims made by third parties, cost (including legal costs) and fines relating to the legal basis of such data forwarding. In this respect, the Data Controller has the sole and exclusive responsibility of making sure to have sufficient permission by the Data Subject or his customers and a legal basis to forward data to WebPros for processing. WebPros strictly disclaims all associated liability towards Data Subjects or Data Controller customers, respectively.

Notwithstanding anything to the contrary in this Agreement or the Base Agreement, the Data Processor’s aggregate liability to the Data Controller or any 3rd party arising out of this Agreement or any data Processing services performed hereunder shall in no event exceed the limitations set forth in the Base Agreement. For the avoidance of doubt, this section shall not be construed as limiting the liability of either party with respect to claims brought by Data Subjects. The Data Controller and the Data Processor act as joint debtors in respect to such claims.

The Data Processor shall be entitled to disclose details of the Data Controller’s instructions and the data Processing carried out for the purpose of exempting itself from liability pursuant to Art. 82 (3) GDPR. The Data Controller shall do everything necessary to enable the Data Processor to release itself from liability to third parties in this context.

§11 General, Choice of Law

(1) No change of or amendment to this Agreement and all of its components, including any commitment issued by the Data Processor, will be valid and binding unless made in writing and signed by either Party and unless they make express reference to being a change or amendment to these regulations. The foregoing will also apply to the waiver of this mandatory written form.

(2) If any provision (or part thereof) of this Agreement is held invalid by a court with jurisdiction over the Parties, such provision (or part thereof) will be deemed to be restated to reflect as far as possible the Parties’ original intentions in accordance with applicable law, and the remainder of the Agreement or provision will remain in full force and effect as if the Agreement had been entered into without the invalid provision (or part thereof).

(3) This Agreement is governed by the laws of Switzerland. The courts located in Zürich / Switzerland will have the exclusive jurisdiction over the parties in regards to this Agreement. Notwithstanding the foregoing choice of law, the Parties expressly agree to make the terms of GDPR applicable to this Agreement.

(4) Name of the WebPros External Data Protection Officer: RM Privacy GmbH ([email protected])

Exhibit 1

A description of Personal Data elements and the purpose of their Processing by the Data Processor on behalf of the Data Controller. The description will state the extent, the nature and purpose of contemplated collection, Processing and use of data, the type of data, and the circle of data subjects.

  • The Data Controller may store names and email addresses of certain of its key employees or end-customers in the Data Processor’s Services systems for purposes of account creation or maintenance in order to gain access to use such system for the purposes these Services are offering.
  • For Service data, the Processing of data is limited to the timeframe of the underlying Service / subscription relationship.
  • Every Data Processor employee or subcontractor is bound by a comprehensive WebPros Data Protection Policy. Where access to data is required to be granted from outside the EEA, such access is protected by the appropriate safeguards and guarantees (e.g. by EU Standard Contractual Clauses, EU-US Privacy Framework), required under the applicable Data privacy laws like GDPR or local data protection laws.

Exhibit 2

List of technical and organizational measures taken by WebPros as the Data Processor

1.1 Confidentiality guarantee
1.1.1 Access control
Measures designed to prevent unauthorized persons from gaining access to data processing equipment that processes or uses personal data.
Measures:
2FA login to all projects
Visitors only accompanied by employees
Office is subject to the exclusive use
Chip cards / transponder systems
Electric door locks
Reception with reception
Building is purely an office building
Bell system without camera
Security locks
Key regulation with a list
Doors with knob on the outside
Monitored entrance area

1.1.2 Physical access control
Measures designed to prevent data processing systems (computers) from being used by unauthorized persons.
Measures:
General policy data protection and / or security
Anti-virus software
Anti-Virus Clients
Application of 2-factor authentication
Assignment of user profiles to IT systems
Use of VPN for remote access
Use of a software firewall
Login with username and password
Mobile Device Management
Encryption of data carriers
Encryption of notebooks / tablet
Smartphone encryption
Manage user permissions
Management of rights by a system administrator
Assignment of user rights

1.1.3 Data access control
Measures to ensure that persons authorized to use a data processing system have access only to data subject to their right of access and that personal data cannot be read, copied, altered or removed without authorization during processing, use and after storage.
Measures:
Document shredder
Differentiated authorizations (applications)
Use of program-technical authorization concepts
Logging of the output of data carriers
Logging of access to applications (when entering data)
Management of user rights by administrators

1.1.4 Separation control
Measures to ensure that data collected for different purposes can be processed separately. This can be ensured, for example, by logical and physical separation of data.
Measures:
Setting database rights
Physical separation of systems
Control via an authorization concept

1.2 Ensuring integrity
1.2.1 Handover control
Measures to ensure that personal data cannot be read, copied, altered or removed without authorization during their electronic transmission or during their transport or storage on data carriers and that it is possible to verify and establish the points to which personal data are to be transmitted by data transmission facilities.
Measures:
Provisioning over encrypted connections such as sftp, https
Documentation of the deletion periods
Use of VPN technology
Functional responsibilities

1.2.2 Input control
Measures to ensure that it can be subsequently verified and established whether and by whom personal data have been entered, modified or removed in data processing systems.
Measures:
Clear responsibilities for the deletion of data
Traceability of data processing through individual user names
Use of access rights

1.3 Pseudonymization
Measures that guarantee the pseudonymization of data.
Measures:
Internal instruction to pseudonymize personal data after expiry of the deletion period

1.4 Ensuring availability, resilience and recoverability
1.4.1 Availability (of data)
Measures to ensure that personal data are protected against accidental destruction or loss – ensuring the availability of data.
Measures:
99.99% server hardware availability
Backup & recovery concept
Data backup concept available
RAID system / hard disk mirroring
SLA with hosting service provider

1.4.2 Load capacity (of the systems)
Measures to ensure that personal data are protected against accidental destruction or loss – Ensure the resilience of systems.
Measures:
Use of intrusion detection systems
Use of software firewalls
Installation of current security updates on all application servers

1.4.3 Recoverability (of data / systems)
Measures to ensure that personal data are protected against accidental destruction or loss – Ensure the recoverability of data and systems.
Measures:
Fire and smoke detection systems
Fire extinguisher in server room
No sanitary connections in or above the server room
Protective socket strips in the server room
Server room has no windows
Server room is separated from workstations
Server room monitoring (humidity)
Server room monitoring (temperature)
Server room is air conditioned
Surge protection devices

1.5 Procedures for periodic review, assessment and evaluation
1.5.1 Order control
Measures to ensure that personal data processed on behalf of the customer can only be processed in accordance with the instructions of the customer.
Measures:
Conclusion of the necessary order data agreements
Conclusion of the necessary standard contractual clauses
Regulation on the use of subcontractors
Review of the level of protection of the contractor (initial)
Agreement on effective control rights vis-à-vis the contractor
Obligation of the contractor’s employees to maintain data secrecy

1.5.2 Privacy management
Measures that ensure that methods have been evaluated to systematically plan, organize, manage and control the legal and operational requirements of data protection.
Measures:
Safety concept documented elsewhere
Appointment of an internal data protection officer
Documentation of all data protection procedures and regulations
Carrying out data protection impact assessments (if required)
Compliance with the information requirements according to Art. 13 GDPR
Use of software solutions for data protection management
Evaluate a formalized process for handling requests for information.
Implementation of suggestions for improvement
Regular sensitization of employees to data protection
Employee training on data protection
Obligation of employees to data secrecy
Access options for employees to the regulations on data protection (Wiki / Intranet)

1.5.3 Incident response management
Measures to ensure that security incidents can be prevented or, in the case of security incidents that have already occurred, that data and systems can be protected and that a rapid analysis and resolution of the security incident can be carried out.
Measures:
Documentation of security incidents
Involvement of data protection officers in security incidents
Documented process for reporting security incidents
Use of firewall and its regular updating
Use of spam filters and their regular updating
Use of virus scanners and their regular updating
Clear process for regulating responsibilities in the event of security incidents

1.5.4 Privacy friendly presets
Measures that ensure that a certain level of data protection already exists in advance through the corresponding technology design (privacy by design) and factory settings (privacy by default) of a software.
Measures:
Ensuring easy exercise of the right of withdrawal of a data subject
Personal data is only collected for the purpose for which it is required

Exhibit 3

List of XOVI Sub-Processors

 

| Name of Subcontractor | Location / Location of Processing | Service Type and utilizing entities / products | Safeguards (Art. 46 GDPR) |
|---|---|---|---|
| WIIT AG (Myloc) | Joachim-Erwin-Platz 3 – 40212 Düsseldorf, Germany | Datacenter / Colocation | EU, DPA |
| Amazon Web Services, Inc | 410 Terry Avenue North, Seattle WA 98109, USA | Environment provider | DPA, EUSCC |
| Google Inc. | 1600 Amphitheatre Parkway, Mountain View, CA, 94043, USA | Environment and Data Analysis provider | DPA, EUSCC |
| Microsoft Corporation | One Microsoft Way, Redmond, WA 98052-6399, USA | Environment (Email / Office) and Online Storage provider | Data Privacy Framework, DPA |
| HubSpot Inc. | 25 First Street, 2nd Floor, Cambridge, MA 02141, USA | CRM and Marketing Software and Services | DPA, EUSCC |
| Typeform | Carrer Bac de Roda, 163, 08018 Barcelona | Contact Form engine | EU, DPA |
| AEB SE | Sigmaringer Straße 109, 70567 Stuttgart / Germany | Export Control Screening Service | EU, DPA |
| SparkLIT Networks Inc. (AdButler) | 201 – 1001 Wharf Street, Victoria, BC, Canada | Banner Advertising Provider | Adequacy Decision, DPA |
| Slack Technologies, Inc. | 500 Howard Street, San Francisco, CA 94105, USA | Internal Messaging Service | Data Privacy Framework, DPA |
| PayPal (Europe) S.à r.l. et Cie, S.C.A. | 22-24 Boulevard Royal L-2449 Luxembourg | Payment Processor | DPA, EUSCC |
| Cloudflare, Inc. | 101 Townsend Street, San Francisco, CA 94107, USA | Website Bot Protection | Data Privacy Framework, DPA |
| Usercentrics GmbH | Sendlinger Str. 7, 80331 München | Consent Management Platform | EU, DPA |
| Atlassian (Confluence / Jira) | 350 Bush Street Floor 13, San Francisco, CA 94104 United States | Collaboration / Project Management Tools | Data Privacy Framework, DPA |