The following are the updates made to our Data Processing Agreement.
You need to accept this new version of our Data Processing Agreement within the “Account Management” section of your TimeTac account.
Please note that version 1.1 was not publicly released. These updates are based on the changes from version 1.0.
| Section | Previous Text | New Text |
|---|---|---|
| §1. (1) Subject matter and duration of the Agreement | The Subject matter of the Agreement is the transfer of data for the provision of services defined in the General Terms and Conditions, version 2.0, dated as effective of 25.05.2018, which is referred to here (hereinafter referred to as “Service Agreement”). | The subject matter of the Agreement is the transfer of data for the provision of services. These services are set out in the General Terms and Conditions applicable at the time of the confirmation of this agreement, the product description on the website www.timetac.com and, if applicable, a signed quotation (collectively referred to as the “Service Agreement”). |
| § 6. (g) Quality assurance and other duties of the Provider | The Provider shall periodically monitor the internal processes and the Technical and Organizational Measures to ensure that processing within his area of responsibility is in accordance with the requirements of applicable data protection law and the protection of the rights of the data subject. | The Provider shall periodically monitor the internal processes and the Technical and Organizational Measures to ensure that processing within its area of responsibility is in accordance with the requirements of applicable data protection law and the protection of the rights of the data subject. |
| § 7. (2) Subcontracting | | Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland (Payment Processing) |
| § 7. (2) Subcontracting | | GoCardless Ltd., Sutton Yard, Goswell Rd, London EC1V 7EN, United Kingdom (Payment Processing) |
| § 8. (1) Audit rights of the Customer | The Customer has the right, after consultation with the Provider, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. The Customer has the right to convince itself of the compliance with this agreement by the Provider in his business operations by means of random checks, which are ordinarily to be announced in good time. | The Customer has the right, after consultation with the Provider, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. The Customer has the right to convince itself of the compliance with this agreement by the Provider in its business operations by means of random checks, which are to be announced in good time. |
| § 8. (3) Audit rights of the Customer | The Provider may claim remuneration for enabling Customer inspections. | In exercising the rights under this section, the customer must act with consideration to not affect the business operations of the provider, otherwise the customer may be charged reasonable administrative costs. |
| § 13. Effectiveness of Agreement | This Agreement applies upon electronic confirmation. This Agreement orients itself on the GDPR and is therefore effective as of 25th May 2018. | This Agreement applies upon written or electronic confirmation. This Agreement orients itself on the GDPR and is therefore effective as of 25th May 2018. |
| Appendix 2 – Technical and Organisational Measures, 1. Confidentiality (Article 32 Paragraph 1 Point b GDPR) | Access control system | Access control system. Logging of employee arrival and departure. Access only granted to employees; access revoked as part of employee off-boarding process. |
| Appendix 2 – Technical and Organisational Measures, 1. Confidentiality (Article 32 Paragraph 1 Point b GDPR) | Visitor logging, Visitor escorting on premises | Visitor logging; monitored reception area which unregistered visitors may not leave. Visitor escorting on premises; visitors are not left unattended. |
| Appendix 2 – Technical and Organisational Measures, 1. Confidentiality (Article 32 Paragraph 1 Point b GDPR) | Fire detection systems | Fire detection systems in every room; linked to central control panel in building with direct link to fire services |
| Appendix 2 – Technical and Organisational Measures, 1. Confidentiality (Article 32 Paragraph 1 Point b GDPR) | No unauthorised use of the Data Processing and Data Storage Systems | No unauthorised use of the Data Processing and Data Storage Systems; access is restricted by authentication mechanisms. |
| Appendix 2 – Technical and Organisational Measures, 1. Confidentiality (Article 32 Paragraph 1 Point b GDPR) | Password policies | Password policies; minimum length, minimum complexity. |
| Appendix 2 – Technical and Organisational Measures, 1. Confidentiality (Article 32 Paragraph 1 Point b GDPR) | Two-Factor authorisation | Two-Factor authorisation where available, enforced by management. |
| Appendix 2 – Technical and Organisational Measures, 1. Confidentiality (Article 32 Paragraph 1 Point b GDPR) | Locking mechanisms for workstations | Locking mechanisms for workstations; “Clean desk policy” and automatic locking after periods of inactivity. |
| Appendix 2 – Technical and Organisational Measures, 1. Confidentiality (Article 32 Paragraph 1 Point b GDPR) | Encryption of hard drives | Encryption of hard drives; encryption part of new asset acquisition. Non-encrypted assets may not leave site. |
| Appendix 2 – Technical and Organisational Measures, 1. Confidentiality (Article 32 Paragraph 1 Point b GDPR) | Private/Public keys | Private/Public keys for all server accesses. |
| Appendix 2 – Technical and Organisational Measures, 1. Confidentiality (Article 32 Paragraph 1 Point b GDPR) | No unauthorised Reading, Copying, Changing or Deletion of Data | No unauthorised Reading, Copying, Changing or Deletion of Data; actions are logged and reviewed. Training of employees as to what is permissible. |
| Appendix 2 – Technical and Organisational Measures, 1. Confidentiality (Article 32 Paragraph 1 Point b GDPR) | Rights authorisation concept | Rights authorisation concept. Employees only have granular access for the activities they need to perform. |
| Appendix 2 – Technical and Organisational Measures, 1. Confidentiality (Article 32 Paragraph 1 Point b GDPR) | Access rights granted on a per role and need basis. Periodically reviewed. | Access rights granted on a per role and need basis. Periodically reviewed. Employees only granted access to resources and systems strictly required for their job. |
| Appendix 2 – Technical and Organisational Measures, 1. Confidentiality (Article 32 Paragraph 1 Point b GDPR) | Logging of access and system events | Logging of access and system events, such as connection, disconnection, changes, deletions. |
| Appendix 2 – Technical and Organisational Measures, 2. Integrity (Article 32 Paragraph 1 Point b GDPR) | Data transfers are recorded as per Article 30 GDPR | Data transfers are recorded as per Article 30 GDPR, controlled and audited by the Data Protection Officer |
| Appendix 2 – Technical and Organisational Measures, 2. Integrity (Article 32 Paragraph 1 Point b GDPR) | Removable Media Policy | Removable Media Policy, with logs of employee usage |
| Appendix 2 – Technical and Organisational Measures, 2. Integrity (Article 32 Paragraph 1 Point b GDPR) | Firewall | Firewall on network traffic, as well as a firewall on employee assets |
| Appendix 2 – Technical and Organisational Measures, 2. Integrity (Article 32 Paragraph 1 Point b GDPR) | Protocol of access | Protocol of access attempts, including IP address and username |
| Appendix 2 – Technical and Organisational Measures, 2. Integrity (Article 32 Paragraph 1 Point b GDPR) | User rights and roles within Software of Provider | User rights and roles within Software of Provider, preventing unauthorised manipulation |
| Appendix 2 – Technical and Organisational Measures, 2. Integrity (Article 32 Paragraph 1 Point b GDPR) | Rest * | Rest: Luks Volume Encryption with AES XTS Plain64, with Keysize 512 and SHA512 * |
| Appendix 2 – Technical and Organisational Measures, 2. Integrity (Article 32 Paragraph 1 Point b GDPR) | Transfer | Transfer: Key – RSA 4096 bit. Signature algorithm SHA-256 with RSA Encryption |
| Appendix 2 – Technical and Organisational Measures, 2. Integrity (Article 32 Paragraph 1 Point b GDPR) | Backups * | Backups: AES256-GCM encryption on application server before upload * |
| Appendix 2 – Technical and Organisational Measures, 2. Integrity (Article 32 Paragraph 1 Point b GDPR) | Confidentiality agreements | Confidentiality agreements on handling data and responsibilities associated |
| Appendix 2 – Technical and Organisational Measures, 3. Availability and Resilience (Article 32 Paragraph 1 Point b GDPR) | Multiple data centres * | Multiple data centres, increasing redundancy * |
| Appendix 2 – Technical and Organisational Measures, 3. Availability and Resilience (Article 32 Paragraph 1 Point b GDPR) | Off-site backup policy * | Off-site backup policy, with backups hosted in a different data centre * |
| Appendix 2 – Technical and Organisational Measures, 3. Availability and Resilience (Article 32 Paragraph 1 Point b GDPR) | Status page * | Status page, openly communicating availability of services and components * |