Data privacy

Privacy

The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.

It is generally possible to use our website without providing personal data. If personal data (e.g. name, address or e-mail addresses) is collected on our website, this is always done on a voluntary basis as far as possible. This data will not be passed on to third parties without your express consent.

We would like to point out that data transmission over the Internet (e.g. when communicating by e-mail) may be subject to security vulnerabilities. Complete protection of data against access by third parties is not possible.

Data protection officer: Henning Welz ([email protected]), Gesellschaft für Datenschutz Mittelhessen mbH

Storage of access data

When you access our website, your location is analysed on the basis of your IP address and browser settings. The result is used to direct you to one of our company subpages that is responsible for your country location. The legal basis for this is Art. 6 para. 1 lit f. GDPR. Our overriding legitimate interest lies in targeted customer and prospect support.

Each time a user accesses a page on our server and each time a file is retrieved, access data about this process is also stored in a log file. Such a data record contains

  • the page from which the file was requested
  • the name of the file
  • the date and time of the request
  • the amount of data transferred
  • the access status (file transferred, file not found, etc.)
  • a reference to the web browser used
  • the IP address of the visitor

The stored data is analysed exclusively for statistical purposes. It is not passed on to third parties for commercial or non-commercial purposes.

Where it is possible to enter personal or business data (e-mail addresses, names, addresses), the disclosure of this data by the user is expressly voluntary. In this context, too, all data is treated confidentially and not passed on to third parties.

You have the option of obtaining information about the personal data stored about you free of charge at any time. In addition, you naturally have the right to correct, block and delete this personal data in accordance with the statutory provisions.

Privacy policy for the use of Google Analytics

If you have given your consent, this website uses functions of the web analysis service Google Analytics. The provider is Google Ireland Limited, Gordon House Barrow Street Dublin 4, D04E5W5 Ireland. Google Analytics uses so-called ‘cookies’. These are text files that are stored on your computer and enable your use of the website to be analysed. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there. Google processes the data on the basis of EU standard contractual clauses, which are supplemented by a DPA.

However, if IP anonymisation is activated on this website, your IP address will first be truncated by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. On behalf of the operator of this website, Google will use this information to analyse your use of the website, to compile reports on website activity and to provide other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de

You can prevent Google Analytics from collecting your data by clicking on the following link. An opt-out cookie will be set to prevent the future collection of your data when you visit this website: Deactivate Google Analytics

You can find more information on terms of use and data protection at https://www.google.com/analytics/terms/de.html or at https://policies.google.com/privacy?hl=en. Please note that Google Analytics has been extended on this website by the code ‘anonymizeIp’ in order to ensure anonymised collection of IP addresses (so-called IP masking).

We also use Google Analytics to analyse data from AdWords and the double-click cookie for statistical purposes. If you do not want this, you can deactivate it via the Ads Preferences Manager (https://www.google.com/settings/ads/onweb/?hl=en).

Privacy policy for the use of Google Ads

We use Google Ads, an online advertising service provided by Google Ireland Limited (‘Google’). Google Ads enables us to place targeted adverts in the Google search engine and on third-party websites.

If you access our website via a Google advert, Google Ads will store a cookie on your end device. This cookie contains a unique cookie ID and information about the ad interaction.

Google uses this data to measure the effectiveness of our advertising campaigns and to provide us with analyses. We ourselves do not receive any personal data from Google, only anonymised statistical evaluations.

The use of Google Ads is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG.

You can revoke your consent at any time with effect for the future.

Privacy policy for the use of Microsoft Ads

We use Microsoft Advertising, a service provided by Microsoft Corporation. Microsoft Advertising uses cookies to serve relevant adverts and measure the performance of advertising campaigns. When you click on a Microsoft advert, a cookie is placed on your device. This cookie contains information about your click on the advert, such as the date, time and the advert ID. Microsoft uses this data to analyse the effectiveness of our ads and to provide us with aggregated reports. We do not receive any personal data from Microsoft. The use of Microsoft Advertising is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG.

You can revoke your consent at any time with effect for the future.

Sie können Ihre Einwilligung jederzeit mit Wirkung für die Zukunft widerrufen.

Privacy policy for the use of Microsoft Clarity

We use Microsoft Clarity, a web analysis tool from Microsoft Corporation. Clarity helps us to better understand user behaviour on our website. Clarity collects information such as mouse movements, clicks and scrolling behaviour. It also collects technical data such as browser type, operating system and screen resolution. This data is anonymised and analysed in aggregated form. Microsoft Clarity uses cookies to recognise returning visitors and assign sessions. The collected data is stored on Microsoft servers in the USA. Microsoft Clarity is used on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG.

You can revoke your consent at any time with effect for the future.

You can also prevent data collection by Microsoft Clarity by deactivating JavaScript in your browser. Further information on data protection at Microsoft Clarity can be found in Microsoft’s privacy policy.

Privacy policy for the use of HubSpot

We use HubSpot on our website for analysis purposes. HubSpot is a digital marketing tool from the USA with its headquarters in Ireland. Contact: HubSpot, 1 Sir John Rogerson’s Quay, Dublin Docklands, Dublin.

HubSpot enables us to manage existing and potential customer contacts. We can also use the service to record, sort and analyse customer interactions via email, social media and contact forms across different channels.

We have concluded a so-called order processing contract with the service provider in accordance with Art. 28 GDPR.

As part of the optimisation of our marketing measures, the following information may be collected via the service IP address, browser type, duration of your visit, geographical location and the pages accessed. This information is evaluated by HubSpot on our behalf so that we are able to record the user behaviour of our contacts on our website through the evaluation.

HubSpot is used on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR; you can revoke this consent at any time with effect for the future.

Für den Fall, dass personenbezogene Daten in die USA übertragen werden, hat sich HubSpot unter dem EU-U.S. Data Privacy Framework zertifizieren lassen – hierdurch wird das Datenschutzniveau bei der Übermittlung in die USA als angemessen betrachtet. Nähere Informationen zu der Datenverarbeitung durch HubSpot entnehmen Sie bitte der Datenschutzerklärung von HubSpot: HubSpot Privacy Policy.

Cookies

Consent with Usercentrics

We use the Usercentrics consent technology from the German company Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich, to obtain your consent to the storage of certain cookies on your end device or to the use of external services and to document these in compliance with data protection regulations. We have concluded a so-called order processing contract with Usercentrics in accordance with Art. 28 GDPR. The following of your data will be forwarded to the service provider

URL of the page visited, date and time of access, browser type, geographical location and cookie preferences. The service also stores a cookie in your browser in order to be able to assign the consents you have given or revoke them. The data collected is stored until you ask us to delete it, delete the cookie yourself or the purpose for storing the data no longer applies. Mandatory statutory retention periods remain unaffected. For details on data processing by Usercentrics, please refer to the Usercentrics privacy policy: Privacy policy – Usercentrics. Usercentrics is used so that we can obtain the legally required consent for the use of cookies; the legal basis is Art. 6 para. 1 lit. c GDPR.

LinkedIn Insight Tag

The LinkedIn Insight Tag allows us to collect data about visits to our website, including URL, referrer URL, IP address, device and browser characteristics and timestamps. The IP addresses are truncated or hashed. Direct identifiers of LinkedIn members are removed after seven days in order to pseudonymise the data. Using the Insight Tag, we can analyse information about the users of our website, such as demographic data, career level, company size and industry. We can also measure whether visitors perform certain actions on our website (conversion measurement). We use this data to optimise our online offering and our marketing measures. The legal basis for this is Art. 6 para. 1 lit. f GDPR (legitimate interests).

The pseudonymised data is deleted within 180 days. The data is stored on servers in the USA and possibly also in Europe.

Social media plug-ins and third-party sites

Our website contains social media plug-ins from various platforms, some of whose processing location is in the USA. The respective plug-ins can be recognised by the relevant manufacturer logos:

  • Facebook
  • Twitter
  • WordPress
  • YouTube

If we have received your consent and you visit our website, the plug-in establishes a direct connection between your browser and the servers of the respective operator. If you are logged in to the relevant network, information about your visit to our website will be added to your profile.

We are not informed about the content of the transmitted data or the use of the data. The circumstances of this use can be found in the data protection declarations of the respective operators. If you do not want social networks to link data to your profile via our website, please log out before you visit our site.

The processing and use of personal data is also necessary for personal access to the helpdesk, for example to be able to define and change individual user settings. Access to this information is protected by a personal customer login and password.

Forms and partner registration

If you send us enquiries using a form and enter data for this purpose or register online as a partner, your details from the relevant form, including the contact details you provide there, will be stored by us for the purpose of processing the enquiry or fulfilling the purpose pursued with the form and in the event of follow-up questions. This concerns

  • Names
  • Contact and address data
  • Company data (area of responsibility)
  • Financial data (in the case of partner registration)
  • Purpose of the enquiry

In principle, it is labelled which data we absolutely require in the form and which information you can provide on a voluntary basis. We use information provided voluntarily on the basis of our legitimate interest in targeted direct marketing. If consent is required for reasons of competition law, we will obtain it. We will not pass on any data to third parties without your consent.

You have the following rights under this agreement:

  • Right to information
  • Right to erasure of data
  • Right to be forgotten
  • Right to data portability
  • Right to rectification of the data category
  • Right to object to the processing activity
  • Right to rectification if data is incorrect
  • Right to lodge a complaint with the supervisory authority

Please note that contact requests for trial versions are forwarded to N-able via elovade.com/manufacturer/n-able/. As a result, the manufacturer’s privacy policy applies to the processing of your enquiry, for which we cannot accept any responsibility.

Use of the ConnectWise operating costs calculator

If you use our operating costs calculator, you can enter all personal data (first name, surname) or business data (e-mail address, name, address) on a voluntary basis. All data entered will be treated confidentially and will not be passed on to third parties. The entries are stored in a necessary cookie and automatically deleted after 4 weeks.

Objection to advertising emails

We hereby object to the use of contact data published as part of our obligation to provide a legal notice for the purpose of sending unsolicited advertising and information material. The operators of the website expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, such as spam e-mails.

Newsletter data

If you would like to receive the newsletter offered on the website, we require an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter. No further data is collected. We use this data exclusively for sending the requested information and do not pass it on to third parties.

As part of sending the newsletter, we can track whether you have opened it and which links you have clicked on. We use this data to tailor future newsletters even more precisely to your interests; it is not passed on to third parties.

You can revoke your consent to the storage of the data, the e-mail address and its use for sending the newsletter at any time, for example via the ‘unsubscribe’ link in the newsletter.

Hosting

The website is hosted by the following service provider

Raidboxes GmbH

When you visit our website, the web host collects various log files including your IP address, which is why we have concluded an order processing contract with the web host in accordance with Art. 28 GDPR. The use of Raidboxes GmbH is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in displaying our website as reliably as possible

Translation

This page has been automatically translated to provide general guidance to international users. Despite careful machine translation, there may be deviations in the wording. In case of doubt, the German version of this content is legally binding.

Order processing (Art. 28 para. 3 GDPR)

You can find everything you need to know about working with us in the context of order processing in our FAQ.

Agreement pursuant to Art. 28 para. 3 of the General Data Protection Regulation (GDPR) between

the contractual partner
(hereinafter referred to as the ‘client’)

and

the
ELOVADE Deutschland GmbH
Garbenheimer Str. 36
35578 Wetzlar
Germany
(hereinafter referred to as ‘Contractor’))

1. Purpose

This agreement governs the processing of personal data on behalf of the Contractor. This agreement applies to all activities in which commissioned processors process personal data for the Client. With this agreement, the responsible processor (client) determines the purpose and means of processing and prescribes the technical and organisational measures (TOMs) to be taken by the contractor to fulfil this purpose. The agreement also establishes a transmission privilege. It is subject to continuous amendment and is available here in its current form.

The exact circumstances of the processing on which the agreement is based are described in the annexes to this agreement.

The following agreements apply to the processing commissioned in this way:

2. Subject matter and duration of the order

The duration of the order is set out in the main contract. The name and date of this main contract can be found in Appendix 1.

Appendix 1 also lists the processing objects on which the order is based and for which the processing is concluded in the order.

3. Specification of the content of the order

The detailed specification of the content of the order is set out in Appendix 2.

3.1 Nature and purpose of the data processing

Die detaillierte Konkretisierung von Art und Zweck der Datenverarbeitung erfolgt in Anlage 2.

3.2 Place of data processing

The provision of the contractually agreed data processing shall take place exclusively in a member state of the European Union or in another state party to the Agreement on the European Economic Area. Any relocation to a third country requires the prior consent of the client and may only take place if the special requirements of Art. 44 f. GDPR are fulfilled.

Appendix 2 shows whether data is transferred to a third country and which guarantees the transfer is based on in this case.

3.3 Categories of data

The categories of personal data result from the main contract and are described in Appendix 3 based on the data categories.

The name and date of this main contract can be found in Appendix 1.

3.4 Categories of data subjects

The categories of data subjects result from the main contract and are described in Appendix 4 on the basis of the categories of data subjects. The name and date of this main contract can be found in Appendix 1.

4. Technical and organisational measures

The contractor must document the implementation of the technical and organisational measures set out and required prior to the award of the contract before the start of processing, in particular with regard to the specific execution of the contract, and submit them to the client for review. If accepted by the client, the documented measures shall form the basis of the order. If the inspection/audit by the client reveals a need for adjustment, this must be implemented by mutual agreement.

The Contractor must establish security in accordance with Art. 28 para. 3 lit. c and Art. 32 GDPR, in particular in conjunction with Art. 5 para. 1, para. 2 GDPR. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the nature, scope and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 para. 1 GDPR must be taken into account.

The technical and organisational measures are subject to technical progress and further development. In this respect, the contractor is permitted to implement alternative adequate measures. In doing so, the security level of the specified measures must not be undercut. Significant changes must be documented.

5. Correction, restriction and deletion of data

The contractor may not rectify, erase or restrict the processing of data processed on behalf of the client without authorisation, but only in accordance with documented instructions from the client. If a data subject contacts the Contractor directly in this regard, the Contractor shall forward this request to the Client without delay.

If included in the scope of services, the erasure concept, right to be forgotten, rectification, data portability and information shall be ensured directly by the Contractor in accordance with the Client’s documented instructions.

6. Quality assurance and other obligations of the Contractor

In addition to complying with the provisions of this contract, the Contractor shall have statutory obligations pursuant to Art. 28 to 33 GDPR; in this respect, the Contractor shall in particular ensure compliance with the following requirements:

  1. Written appointment of a data protection officer (DPO) who performs his/her duties in accordance with Art. 38 and 39 GDPR. The contact details of the DPO will be provided to the client for the purpose of direct contact. The client will be informed immediately of any change of DPO. The name and contact details of the DPO can be found in Appendix 5.
  2. If the Contractor is not obliged to appoint a DPO, the contact person at the Contractor shall be named in Appendix 5.
  3. If the Contractor has its registered office outside the Union, it shall appoint representatives in the Union in accordance with Art. 27 para. 1 GDPR. These are listed in Appendix 5.
  4. The maintenance of confidentiality in accordance with Art. 28 para. 3 sentence 2 lit. b and Art. 29 & 32 para. 4 GDPR. When carrying out the work, the Contractor shall only use employees who have been obliged to maintain confidentiality and who have previously been familiarised with the data protection provisions relevant to them. The Contractor and any person subordinate to the Contractor who has access to personal data may only process this data in accordance with the instructions of the Client, including the authorisations granted in this contract, unless they are legally obliged to process it.
  5. The implementation of and compliance with all technical and organisational measures required for this contract in accordance with Art. 28 para. 3 sentence 2 lit. c and Art. 32 GDPR [details in Appendix 7].
  6. The Client and the Contractor shall cooperate with the supervisory authority in the fulfilment of their tasks upon request.
  7. Immediate information of the client about control actions and measures of the supervisory authority, insofar as they relate to this order. This also applies if a competent authority is investigating the processing of personal data in the context of administrative offence or criminal proceedings relating to the processing of personal data by the contractor.
  8. If the Client is subject to an inspection by the supervisory authority, administrative offence or criminal proceedings, a liability claim by a data subject or a third party or any other claim in connection with the commissioned processing at the Contractor, the Contractor shall support the Client to the best of its ability.
  9. The Contractor shall regularly monitor the internal processes and the technical and organisational measures to ensure that the processing in its area of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the protection of the rights of the data subject is guaranteed.
  10. The verifiability of the technical and organisational measures taken vis-à-vis the client within the scope of the client’s control powers in accordance with clause 8 of this contract.

7. Subcontracting relationships

Subcontracting relationships within the meaning of this provision are those services that relate directly to the provision of the main service. This does not include ancillary services which the contractor utilises, e.g. as telecommunication services, postal/transport services, maintenance and user service or the disposal of data carriers as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, the Contractor is obliged to take appropriate and legally compliant contractual agreements and control measures to ensure the data protection and data security of the Client’s data, even in the case of outsourced ancillary services.

The Client consents to the commissioning of the subcontractors named in Annex 6 on the condition of a contractual agreement in accordance with Art. 28 para. 2-4 GDPR. Outsourcing to subcontractors or changing the existing subcontractor is permitted insofar as

  • the Contractor notifies the Client of such outsourcing to subcontractors a reasonable time in advance in writing or in text form and
  • the client does not object to the planned outsourcing in writing or in text form to the contractor by the time the data is handed over and
  • a contractual agreement in accordance with Art. 28 para. 2-4 GDPR is used as a basis.

The transfer of the client’s personal data to the subcontractor and the subcontractor’s initial activities are only permitted once all requirements for subcontracting have been met. If the subcontractor provides the agreed service outside the EU/EEA, the subcontractor shall take appropriate measures to ensure compliance with data protection law. The same applies if service providers within the meaning of para. 1 sentence 2 are to be used.

Any further outsourcing by the subcontractor requires the express consent of the main contractor (at least in text form).

All contractual provisions in the contractual chain must also be imposed on the additional subcontractor.

8. Control rights of the client

The client has the right to carry out inspections in consultation with the contractor or to have them carried out by inspectors to be named in individual cases. It shall have the right to satisfy itself of the Contractor’s compliance with this Agreement in its business operations by means of spot checks, which must generally be notified in good time.

The Contractor shall ensure that the Client can satisfy itself of the Contractor’s compliance with its obligations under Art. 28 GDPR. The Contractor undertakes to provide the Client with the necessary information upon request and, in particular, to provide evidence of the implementation of the technical and organisational measures.

Proof of such measures, which do not only relate to the specific order, can be provided by current certificates, reports or report extracts from independent bodies (e.g. auditors, internal audit, data protection officer, IT security department, data protection auditors, quality auditors).

The Contractor may claim remuneration for enabling the Client to carry out inspections.

9. Notification of violations by the contractor

The Contractor shall support the Client in complying with the obligations set out in Articles 32 to 36 of the GDPR regarding the security of personal data, reporting obligations in the event of data breaches, data protection impact assessments and prior consultations. This includes, among other things

  1. ensuring an adequate level of protection through technical and organisational measures that take into account the circumstances and purposes of the processing as well as the predicted probability and severity of a possible breach of rights through security gaps and enable the immediate detection of relevant breach events
  2. the obligation to report personal data breaches to the client without delay
  3. the obligation to support the client in the context of its duty to inform the data subjects and to provide it with all relevant information in this context without delay
  4. the support of the client for its data protection impact assessment
  5. supporting the client in the context of prior consultations with the supervisory authority

The Contractor may claim remuneration for support services that are not included in the service description or are attributable to misconduct on the part of the Client.

10. Authority of the client to issue instructions

The Client shall confirm verbal instructions without delay (at least in text form).

The Contractor must inform the Client immediately if it is of the opinion that an instruction violates data protection regulations. The Contractor shall be entitled to suspend the implementation of the corresponding instruction until it is confirmed or amended by the Client.

11. Deletion and return of personal data

Copies or duplicates of the data will not be created without the knowledge of the client. Excluded from this are backup copies, insofar as they are necessary to ensure proper data processing, as well as data that is required in order to comply with statutory retention obligations.

After completion of the contractually agreed work or earlier at the request of the Client – at the latest upon termination of the service agreement – the Contractor shall hand over to the Client all documents, processing and utilisation results and data stocks that have come into its possession in connection with the contractual relationship or, with prior consent, destroy them in accordance with data protection regulations. The same applies to test and scrap material. The deletion log must be submitted on request.

Documentation that serves as proof of proper data processing in accordance with the order shall be retained by the Contractor beyond the end of the contract in accordance with the respective retention periods. The Contractor may hand them over to the Client at the end of the contract in order to discharge the Client.

12. Obligation pursuant to § 203 para. 4 no. 2 StGB (applies to persons subject to professional secrecy)

The Contractor is obliged to maintain confidentiality, even after completion of the contract. This obligation applies to everything that becomes known to the Contractor in the course of its work for the Client. This shall not apply to facts that are obvious or that do not require confidentiality due to their significance.

The Contractor shall impose a written confidentiality obligation on its employees or subcontractors or other persons it engages to fulfil its order, insofar as they work for the Client in fulfilment of this agreement, and shall draw attention to the consequences under criminal law of a breach of the confidentiality obligation, in particular Section 203 of the German Criminal Code (StGB). The Contractor shall require subcontractors to obligate their employees to maintain confidentiality in writing and to inform them of the consequences under criminal law of a breach of the duty of confidentiality, in particular of Section 203 of the German Criminal Code (StGB). The Contractor shall obtain copies of the relevant declarations from the subcontractor.

The Contractor confirms that it has been informed by the Client of the consequences under criminal law of a breach of the duty of confidentiality, in particular of Section 203 of the German Criminal Code (StGB). The Contractor undertakes to obtain knowledge of third party secrets only to the extent that this is necessary for the fulfilment of the contract.

The Contractor undertakes to provide the Client with a copy of the written confidentiality declarations of its employees without further request.

Appendix 1

Object of the agreement

Main contract:
Service agreement

Purpose of processing:
IT maintenance and service in accordance with the order specified in the service agreement

Duration of processing:
In accordance with the service agreement

Main contract:
Contract relating to the EL control panel

Purpose of processing:
Operation and maintenance of the cloud management console

Duration of processing:
In accordance with the contract

Main contract:
Contract relating to EL mailarchive

Purpose of processing:
Operation and maintenance of email archiving in the cloud

Duration of processing:
In accordance with the contract

Main contract:
Contract relating to EL storage

Purpose of processing:
Provision of online storage space

Duration of processing:
In accordance with the contract

Main contract:
Contract relating to EL cloud2cloud

Purpose of processing: operation and maintenance of a cloud backup management console, including the interface with OpenText CloudAlly Backup, as well as the provision of assessments and provisioning methods.

Duration of processing:
In accordance with the contract.

Appendix 2

Specific description of the processing activity, taking into account the nature and purpose of the processing and any data transfers to third countries:

Textual description of the processing activity:
The Contractor processes personal data of the Client in the context of supporting work on and with software products covered by the service contract. The processing of personal data is neither the rule nor the main purpose, but cannot be ruled out in the context of the provision of services.

If the service to be provided requires the transfer of data to a subcontractor located in a third country in accordance with Annex 6, this transfer shall take place on the basis of the EU standard contractual clauses in their current form, supplemented by additional guarantees as required by ‘Schrems II’.

List of the type and purpose of individual processing activities:

Relevant processing activities within the processing:
Remote maintenance, troubleshooting and analysis of technical questions and problems

Type of activity:
Maintenance of software products

Purpose of the activity:
Assistance with problems

Appendix 3

List of data categories:

Presumably all data available in the system to be maintained can be affected.

Appendix 4

List of categories of data subjects:

Presumably all data available in the system to be maintained can be affected.

Appendix 5

Data protection officer of the contractor

Name: Henning Welz
Organisation: gds Gesellschaft für Datenschutz Mittelhessen mbH
Adress: Auf der Appeling 8, 35043 Marburg, Allemagne
Telephone: +49 (0)6421 / 80413-10
Email: [email protected]

Representative outside the EU
Not applicable

Appendix 6

Annexe 7

Authorised subcontractors / other processors at Elovade in accordance with Art. 32 GDPR - Annex 6 to the agreement on order processing

Amazon Web Services Inc.
410 Terry Avenue North, Seattle, WA 98109-5210
Web hosting of dedicated web servers and related services

Asana, Inc
1550 Bryant Street, Suite 200, San Francisco, CA 94103
Internal project management

Campaign Monitor Pty Ltd
201 Elizabeth Street, Sydney NSW 2000
Tool for targeted and evaluable newsletter campaigns

Captcha GmbH
Muthgasse 2, 1190 Wien
GDPR-compliant bot protection on our website

Carbonite, Inc.
2 Avenue de Lafayette Boston, MA 02111
Cloud services, backup

Google Ireland Limited
Google Building Gordon House, 4 Barrow St. Dublin,
D04 E5W5 Google Analytics

HaloITSM
Halo House, Gipping Way, Stowmarket, IP14 1GJ, UK
Service desk solution in technical support

Hetzner Online GmbH
Industriestr. 25, 91710 Gunzenhausen
Web hosting of dedicated web servers and related services

Hornetsecurity GmbH
Am Listholze 78, 30177 Hannover
Email Security And Compliance – Maximum protection for email traffic

HubSpot
1 Sir John Rogerson’s Quay, Dublin Docklands, Dublin
Cloud services, tracking

Infiterra Ltd.
25 Martiou 19, Suite 301, 2408 Egkomi, Cyprus
Cloud-Dienstleistungen, Subscription Commerce Platform

KnowBe4, Inc.
33 N Garden Avenue, Suite 1200
Clearwater, FL 33755, USA

Microsoft Ireland Operations, Ltd.
One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521
Web hosting of dedicated web servers and related services, mail traffic and document storage

Raidboxes GmbH
Hafenstraße 32, 48153 Münster
Web hosting of dedicated web servers and related services

Open Text Software GmbH
Werner-von-Siemens-Ring 20, 85630 Grasbrunn
Cloud services, Backup

Skyfillers GmbH
Schiffbrücke 66, 24939 Flensburg
Cloud services, backup

STRATO GmbH
Pascalstraße 10, 10587 Berlin
Cloud services, hosting, backup

Susell GmbH
Rosenthaler Str. 38, 10178 Berlin
Introduction of a digital learning platform called reteach

T3CH.com LLC
12 S. Main St. #412, Allentown, NJ 08501
Notification of planned maintenance and outages of cloud services (optional opt-in service)

TeamViewer GmbH
Jahnstraße 30, 73037 Göppingen
Carrying out remote maintenance and file transfers

Wasabi Technologies LLC
111 Huntington Avenue Boston, MA 02199
Web hosting of dedicated cloud storage and related services

Zoho Corporation GmbH
II. Hagen 7, 45127 Essen
Cloud-Dienstleistungen (CRM-Software, Helpdesk)

Technical and organisational security measures in accordance with Art. 32 GDPR - Annex 7 to the agreement on commissioned processing

1. Confidentiality (Art. 32 para. 1 lit. b GDPR)

1.1 Access control

The following measures prevent unauthorised access to data processing systems (servers)

  • Determination of authorised persons
  • Management of personal access authorisations
  • Accompaniment of external personnel
  • Access protection through alarm systems

1.2 Access control

The following measures prevent unauthorised use of the system (server & clients):

  • Access protection
  • Implementation of secure access procedures, strong authentication (2FA)
  • Implementation of simple authentication via username and password
  • Logging of access
  • Monitoring of critical IT systems
  • Secure (encrypted) transmission of authentication secrets

1.3 Access control

The following measures prevent unauthorised reading, copying, modification or removal of data within the system:

  • ‘Need to know’ principle
  • Assignment of minimum authorisations
  • Logging of access

1.4 Separation control

The following options exist for processing data collected for different purposes independently of each other:

  • Data minimisation when handling personal data
  • Separate processing of different data sets
  • Regular monitoring of intended use and deletion
  • Separation of test and development environment

2. Integrity (Art. 32 para. 1 lit. b GDPR)

2.1 Transfer control

These measures prevent unauthorised reading, copying, modification or removal during electronic transmission or transport:

  • Secure data transmission between server and client (VPN)
  • Secure transmission to external systems
  • Risk minimisation through network separation

2.2 Input control

This makes it possible to determine whether and by whom personal data has been entered into, changed or removed from data processing systems:

  • Logging of input within the software

3. Availability, resilience, disaster recovery

Protection against accidental or wilful destruction or loss

3.1 Availability and resilience (Art. 32 para. 1 lit. b GDPR)

  • Redundancy of the communication connections
  • monitoring
  • Resource planning and provision
  • Defence against system-impacting misuse (firewall, antivirus)
  • Data backup concepts and implementation

3.2 Disaster recovery – rapid recovery after an incident (Art. 32 para. 1 lit. c GDPR)

  • Emergency plans
  • Data backup concepts and implementation

4. Procedures for regular review, assessment and evaluation (Art. 32 para. 1 lit. d GDPR; Art. 25 para. 1 GDPR)

  • Process for the evaluation of technical and organisational measures
  • Data protection management process
  • Incident response management process
  • Implementation of technical reviews

You can download our data protection certificate as a PDF here.

The website does not match your location

Based on your IP address, a different language version of the Elovade website may be more appropriate. There you will find all relevant content for your region. If you would prefer to continue here, simply close the pop-up.