Data Processing Agreement between Consenter and Customer (Website Provider)
Law & Innovation Technology GmbH offers a trust platform enabling various stakeholders to exchange consent and/or enable other data protection relevant decisions (hereafter named “Consenter”). This trust platform includes, in particular, the Consenter Banner, which customers can configure via the Consenter Manager and which can communicate with the Consenter Agent via a technical API and the so-called Handover Notice, as well as the Risk Assessment Centre (see the components of the service in detail on the website www.consenter.eu). To this end, Consenter processes, on behalf of the customer (in the following “controller”), personal data of its end-users. This Data Processing Agreement (hereinafter also “DPA”) sets out the conditions under which Consenter may process personal data for the customer.
Effective: December 2025

1. Subject and Duration of the Agreement

1.1. The subject of the agreement is the execution by the processor of the tasks described below, in accordance with the service description in the General Terms & Conditions for Using the Consenter Manager and Consenter Banner (in the following “main agreement”):

1.2. Consenter offers a trustworthy Consent Management Platform (CMP) as a Software as a Service (SaaS) solution. The CMP enables the controller to:

a) select and configure third-party technologies according to the data protection risks they pose, and configure the Consenter Banner accordingly;

b) collect, manage, document and transmit consent decisions, as well as to document, from both Consenter Agent-users and non-users;

c) communicate with the Consenter Agent to collect, manage, document and transmit consent decisions.

The processing activities are described in detail in Annex 1.

1.3. By using the CMP and integrating the codes provided for this purpose, the scripts of the individually implemented technologies are blocked when the website is opened. These technologies are served only after consent has been given. Technologies that are used on the basis of legitimate interest are not blocked and are served automatically. The CMP enables the controller to document the end-user's consent as well as future changes in the decision. Through this, both Consenter Agent-users and non-Consent Agent-users are able to always adjust their decision in subsequent steps.

1.4. Doing so, the processor processes personal data for the controller within the meaning of Art. 4 No. 2 and Art. 28 GDPR on the basis of the main agreement. Definitions in the main agreement shall also apply in this agreement. Definitions in this agreement shall only apply to this agreement.

1.5. The duration of this Agreement (term) corresponds to the duration of the main agreement.

2. Specification of the Agreement Content

2.1. Scope, nature and purpose of the collection, processing and / or use of personal data by the processor for the controller result from the main agreement and the service description in section 1.1.

2.2. The following data are collected and processed on behalf of the controller when using the CMP:

Consenter Manager configuration data

Contact data: Email address, and where applicable, postal address and telephone number.

Access / login data: Account information such as login ID, password (stored in encrypted form), date and time of registration and logins.

Contract and account data: Information relating to the user account (e.g. roles, settings, subscribed services).

Communication data: Content of support requests or other correspondence in connection with registration or use of the account.

Usage and metadata (if applicable): Technical log data such as IP address, timestamps, and device/browser information used during registration.

Payment data

Stripe acts as an independent payment processor for transactions on our platform. When users provide payment details via Stripe's secure interfaces, Stripe tokenizes and processes this data directly, without sharing full card numbers, CVVs, or other sensitive information with us.

Stripe collects necessary personal data such as name, email, billing address, and transaction metadata solely to authorize payments, prevent fraud (via Radar), and settle funds. Stripe may share limited analytics data with us, including non-sensitive transaction metadata like payment amounts, statuses, timestamps, and aggregated insights (e.g., total sales, success rates).

Users retain rights over their data processed by Stripe, including access and deletion requests. For full details, see Stripe's Privacy Policy.

Consent records (data)

purpose-specific consents per third-party service (granted, confirmed, revoked)

consent metadata

ID of the consent per third-party provider (no user ID!)

Timestamp of the consent per third-party provider

CB version per purpose

Website domain

Error logs

Page URL

Error Type

Error Description

Software component, version and environment

Domain Identifier

Date and Time

Analytics events (aggregated and anonymized)

Browser type and version

Screen size and orientation

Domain and domain identifier

Event type

Time stamp

Consent choices

Consent trigger

Agent status

Banner version

2.3. The categories of data subjects affected by the processing of their personal data within the scope of this Agreement include: Website visitors (with and without Consenter Agent).

3. Controller’s Authority to Issue Instructions / Location of the Data Processing

3.1. The data is handled exclusively within the framework of the agreements made and in accordance with documented instructions from the Controller (cf. Art. 28 Para. 3 lit. a GDPR). The main agreement, this agreement and, if applicable, the settings made by the controller for the use of the processor's service shall constitute the controller's instructions. Within the scope of the description of the data processing mandate in this agreement, the controller reserves the right to issue comprehensive instructions on the type, scope and procedure of data processing, which she can specify in more detail by means of individual instructions. Changes to the object of processing and procedural changes are to be jointly agreed and documented. Oral instructions will be confirmed by the controller immediately in writing or by e-mail (in text form). Any additional expenses incurred are to be remunerated by the controller on a time and material basis.

3.2. The Processor shall not use the data for any other purposes and shall in particular not be entitled to pass them on to third parties. Excluded from this are back-up copies, insofar as they are necessary to ensure proper data processing, as well as data which is necessary to comply with legal obligations under Union law or the law of an EU member state, and to comply with retention obligations.

3.3. The processor must inform the controller without delay in accordance with Art. 28 para. 3 subpara. 2 GDPR if the processor believes that an instruction violates data protection regulations. The processor is entitled to suspend the execution of the corresponding instruction until it is confirmed or amended by the person responsible at the controller’s side.

3.4. The processing of the controller data by the processor takes place, depending on the data, within the EU / EEA and the USA (see Annex 3). The processor shall be obliged to inform the controller prior to the commencement of the processing of the controller's data of a legal obligation of the processor to carry out the processing of the controller's data at another location, unless such notification is prohibited by law. In this context, it should be noted that the processed information relates only very weakly or not at all to individual end-users of the controller (see point 2.2 and Annex 1). However, any transfer, including transfers of sub-operations, to a third country outside the territory of the EU/EEA or to an international organization requires controller’s prior authorization as described below in 6.1.2 and may only take place if the special requirements of Art. 44 et seq. GDPR (e.g., adequacy decision of the Commission, standard contractual clauses and authorized code of conduct) have been fulfilled.

4. Confidentiality
The processor shall ensure that employees involved in the processing of personal data and other persons working for the processor are prohibited from processing the personal data outside the scope of the instruction. Furthermore, the processor shall ensure that the persons authorised to process the personal data have committed themselves to confidentiality or are subject to an appropriate legal obligation of secrecy. The confidentiality / secrecy obligation shall continue to exist after the termination of the agreement.

5. Technical-Organisational Measures

5.1. Within her area of responsibility, the processor shall design the internal organisation in such a way that this meets the legal requirements of data protection. To this aim, she will take appropriate technical and organisational measures to protect the personal data of the controller according to Art. 32 GDPR. In particular, the technical and organisational measures are to be taken in such a way that the confidentiality, integrity, availability and resilience of the systems and services in connection with data processing are permanently guaranteed. These technical and organisational measures are described in Annex 2 of this agreement. The controller is aware of these technical and organisational measures and is responsible for ensuring that they provide an adequate level of protection for the risks of the data to be processed.

5.2. The technical and organisational measures are subject to technical progress and further development. In this respect the processor is permitted to implement alternative adequate measures. In doing so, the safety level of the specified measures may not be undercut. Significant changes must be documented.

6. Sub-Processors

6.1. The engagement and/or change of sub-processors by the processor is only allowed with the consent of the controller. The controller agrees to the engagement of sub-processors as follows:

6.1.1. The controller hereby agrees to the engagement of the sub-processors listed in Annex 3 to this Agreement.

6.1.2. The Controller agrees to the use or modification of further sub-processors if the processor notifies the controller of the use or change in writing (email sufficient) thirty (30) days before the start of the data processing. The controller may object to the use of a new sub-processor or the change. If no objection is made within the aforementioned period, the approval of the use or change shall be assumed to have been given. The controller acknowledges that in certain cases the service can no longer be provided without the use of a specific sub-processor. In these cases, each party is entitled to terminate the contract without notice. If there is an important data protection reason for the objection and if an acceptable solution between the parties is not possible, the controller is granted a special right of termination. The controller shall declare its intention to terminate the contract in writing to the processor within one week after the failure to reach an agreeable solution. The processor may remedy the objection within two weeks of receipt of the declaration of intent. If the objection is not remedied, the controller can declare the special termination, which becomes effective upon receipt.

6.2. The processor shall design the contractual arrangements with the sub-processor(s) in such a way that they contain the same data protection obligations as defined in this agreement, taking into account the nature and extent of data processing within the scope of the sub-contract. The sub-processor's commitment must be made in writing or in electronic format.

6.3. Sub-contracting relationships within the meaning of this provision do not include services which the processor uses with third parties as ancillary services to support the execution of the agreement. These include, for example, telecommunications services, maintenance, and user service, cleaning staff, inspectors, or the disposal of data media. However, the processor is obliged to make appropriate and legally compliant contractual agreements and to take control measures to ensure the protection and security of the controller's data, even in the case of ancillary services contracted out to third parties.

7. Data Subject Rights

7.1. The processor shall support the controller within the scope of its possibilities in meeting the requests and claims of affected persons in accordance with Chapter III of the GDPR.

7.2. The CMP provided by the processor serves as an automated system to obtain consent from the controller's users (end-user) and to document the measures required for data processing based on the customer's legitimate interests. Within the Consenter Banner, the end-user can accordingly exercise the right to withdraw consent as well as to object to processing based on a legal basis of the controller’s choice. End users also have the option of downloading the Consenter Agent via the Consenter banner using a call-to-action; end users can also view and revoke their consents in the Consenter Agent.

7.3. With regard to other data subject rights, the exercise of which is not (yet) enabled via the functionality of the CMP, the processor shall only provide information on the data processed on behalf of the controller, correct or delete such data or restrict the data processing accordingly upon instruction of the controller. Insofar as a data subject should contact the processor directly for the purpose of information, correction, or deletion of his/her data as well as with regard to the restriction of data processing, the processor shall forward this request to the controller without undue delay.

8. Processor's Obligations to Cooperate

8.1. The processor shall assist the controller in complying with the obligations regarding the security of personal data, reporting obligations in the event of data breaches, data protection impact assessments, and prior consultations as set out in Articles 32 to 36 GDPR.

8.2. With regard to possible notification and reporting obligations of the controller according to Art. 33 and Art. 34 GDPR the following applies: The processor is obliged

a) to inform the Controller without undue delay of any violation of the protection of personal data and

b) in the event of such a violation, to provide the Controller with appropriate support, if necessary, in its obligations under Art. 33 and 34 GDPR (Art. 28 para. 3 sentence 2 lit. f GDPR).

Notifications pursuant to Art. 33 or 34 GDPR (notifications and reports of violations of personal data protection) for the controller may only be carried out by the processor following prior instructions pursuant to Section 3 of this Agreement.

8.3. If the controller has an obligation to notify or report in the event of a security incident, the processor is obliged to support the controller at the controller’s expense.

9. Other Obligations of the Processor

9.1. To the extent required by law, the processor shall appoint a data protection officer, who may resume his activities in accordance with Articles 38 and 39 GDPR, §§ 38, 6 BDSG. Her contact details will be provided to the controller for the purpose of direct contact upon request.

9.2. The processor shall inform the controller immediately of control actions and measures taken by the supervisory authority pursuant to Art. 58 GDPR. This shall also apply if a supervisory authority is investigating the processor in accordance with Art. 83 GDPR.

9.3. The processor shall ensure to execute the control of the proper contract performance and fulfillment by means of regular self-inspections, in particular the adherence to and, if required, the necessary adjustment of regulations and measures for the execution of the contract.

10. Controller's right to information and inspection

10.1. The controller has the right to request the information required under Art. 28 Para. 3 h) GDPR to prove that the processor has complied with the agreed obligations and to carry out inspections in agreement with the processor or to have them carried out by auditors to be appointed in individual cases.

10.2. The parties agree that the processor is entitled to submit convincing documentation to the controller to prove adherence to her obligations and implementation of the technical and organizational measures. Convincing documentation can be provided by presenting a current audit certificate, reports or report extracts from independent institutions (e.g. auditors, auditing, data protection officer), appropriate certification through an IT security or data protection audit (e.g. ISO 27001), or certification approved by the responsible supervisory authorities.

10.3. This shall not affect the right of the controller to conduct on-site visits. However, the controller shall consider whether an on-site inspection is still necessary after submission of meaningful documentation, in particular taking into account the maintenance of the processor's regular business operations.

10.4. The controller has the right to assure himself of the processor's compliance with this agreement in his business operations by means of spot checks, which as a rule must be announced in good time. The processor is committed to provide the controller, upon request, with the information required to comply with his obligation to carry out inspections and to make the relevant documentation available.

11. Deletion of Data and Return of Data Carriers

11.1. In the event of termination of the agreement, the processor shall, at the controller's option and request, hand over to the controller without undue delay, at the latest within 30 days, all documents, processing and utilisation results produced and data files connected with the contractual relationship which have come into the processor's possession within the scope of the implementation of the agreement or destroy them in accordance with data protection law after prior authorization.

11.2. The same shall apply to test and reject material. The protocol of the deletion shall be submitted upon request. By way of derogation, a deletion or surrender period of no longer than 6 months shall apply to back-ups made by the processor.

11.3. Documentation that serves as proof of the orderly and appropriate data processing shall be kept by the processor in accordance with the respective retention periods beyond the end of the contract. She can hand them over to the controller at the end of the contract to exonerate him.

12. Liability
The parties' liability under this agreement shall be governed internally by the liability provisions in the processor's General Terms and Conditions unless otherwise stated in the service description in the offer or in a separate agreement between the parties. For the external legal liability, the regulations according to Art. 82 GDPR apply.

Annex 1 – Description of the Processing Activities

This document describes in detail how Law & Innovation processes personal data of the controller’s employers when configuring the Consenter Banner in the Consenter Manager and of its end-users when these end-users use the Consenter Banner. The data is processed in accordance with the General Data Protection Regulation (GDPR), the German Telecommunications-Digital Services-Data Protection Act (TDDDG) and, amongst others, guidelines from the French data protection authority CNIL.

1. How configuration data in the Consenter Manager is processed
Within the Consenter Manager, controllers can create an account and configure the Consenter banner. In doing so, personal data is collected that is processed exclusively for the purpose of fulfilling the service owed.

1.1 Personal data collected

Consenter Manager configuration data
Contact data: Email address, and where applicable, postal address and telephone number.
Access / login data: Account information such as login ID, password (stored in encrypted form), date and time of registration and logins.
Contract and account data: Information relating to the user account (e.g. roles, settings, subscribed services).
Communication data: Content of support requests or other correspondence in connection with registration or use of the account.
Usage and metadata (if applicable): Configuration data, technical log data such as IP address, timestamps, and device/browser information used during registration.

Payment data

Stripe acts as an independent payment processor for transactions on our platform. When users provide payment details via Stripe's secure interfaces, Stripe tokenizes and processes this data directly, without sharing full card numbers, CVVs, or other sensitive information with us.

Stripe collects necessary personal data such as name, email, billing address, and transaction metadata solely to authorize payments, prevent fraud (via Radar), and settle funds. Stripe may share limited analytics data with us, including non-sensitive transaction metadata like payment amounts, statuses, timestamps, and aggregated insights (e.g., total sales, success rates).

Users retain rights over their data processed by Stripe, including access and deletion requests. For full details, see Stripe's Privacy Policy.

1.2 How the data is processed and stored
The data is stored and processed by AWS.
Payment data from the controller is processed via the payment service provider Stripe.

1.3 How long the data is kept
The data is stored until the controller changes it or deletes their account.

2. How consent records are processed in an end-user’s browser cookie
The storage of consent records in an end-user’s browser cookie serves the purpose of automatically transferring and applying previously granted and denied consents when they visit the controller’s website again.

2.1 Personal data collected
Consent records are personal data insofar as they document an end-user’s consent.
Contains a unique consent ID for the consent record (NO user ID!).
Contains a timestamp of when the consent record was created.
If an existing consent is changed, a new consent record is created, which then contains the ID of a now obsolete previous consent record.
It is weakly identifying, as presenting the same consent record (consent ID or timestamp) twice makes it possible to recognise an end-user between two visits to a website; however, the consent records themselves contain very little insight into their private life.
If all purposes have been refused, the consent record (cookie) does not contain a consent ID or timestamp. In this case, the consent record (cookie) is not identifying. For technical reasons, however, it is protected in the same way as the weakly identifying versions.

2.2 How the data is processed and stored
Consent records (cookies) are stored as cookies in an end-user’s browser.
They are transmitted in encrypted form between the consent banner and the website.
SameSite=strict, i.e. the cookie is not automatically sent to third-party websites.
The cookie is origin-bound, meaning that only the controller’s website can access it.
The cookie is not HttpOnly, meaning that it can be read from JavaScript, which is technically necessary for the service.
However, JavaScript outside the controller’s website does not have access to the cookie. Only the controller’s website can access the cookie.

2.3 How long the data is kept
The cookie is stored for 365 days. An end-user can always delete their consent record cookie by cleaning their browser cache.

3. How an end-user’s consent record is processed in the controller’s consent storage
The controller also needs access to an end-user’s consents to prove the lawfulness of processing their personal data. To this end, L&I Technology collects all consent records (PLEASE NOTE: these consents only contain consent IDs, NO user IDs, and cannot be linked).

3.1 Personal data collected
For information on the nature of consent records as personal data, see the previous point. Please also note the following special features:
It is not possible to derive any user profiles beyond the explicitly (and intentionally) linked consent records (customer store), as NO user IDs are stored.
For reasons of data minimisation, NO refusals of consent are stored either.

3.2 How the data is processed and stored
Consent records (customer store) are currently stored centrally in the cloud at L&I as part of the consent record store (customer store) and are technically and organisationally secured against unauthorised access, minimising the risk of misuse.
Amazon Web Services (AWS) is currently used as the sub-processor for this purpose.

3.3 How the data is kept
The consent records are stored as long as the controller needs them for proving the legality of processing its end-users’ personal data.

4. How the end-user’s consent pre-settings and consents are processed if they are a Consenter Agent-user
If the controller’s end-user is a Consenter Agent-user, they can pre-set, in their consent agent, the purposes for which they allow their data to be processed when visiting the controller’s or any other website. When an end-user visits the controller’s website with their consent agent, their agent will give them the option to adjust their preferences to the data protection level of the controller’s website; if the end-user does nothing, their agent will send their preferences after a short waiting period to the controller’s website. If an end-user gives or changes their consent in the controller’s consent banner, this setting is sent back to the end-user’s consent agent. When an end-user re-visits the controller’s website, the end-user’s consent agent sends their previous consent to the controller’s consent banner again.

4.1 Personal data collected
An end-user’s consent pre-settings are personal insofar as they contain their preferences regarding consent.
However, in the current status quo, they are not identifying (not even weakly identifying), as no unique identifier is contained in the consent pre-setting.
If an end-user gives or changes their consent in the banner, this setting will be sent back to their consent agent. When an end-user re-visits the controller’s website, their consent agent sends their previous consent to the controller’s consent banner again.

4.2 How the data is processed and stored
An end-user’s consent pre-settings are treated similarly to the ‘no photography’ badge at a conference: consent pre-settings are de facto public, but that is in the end-user’s interest: a Consenter Agent-user wants to tell every website that they don't want to be tracked, for example, or that they want to see personalised advertising instead of irrelevant banner ads.
Once the controller receives an end-user’s settings, the controller will treat all settings as described in points 2 and 3 above.

5. How error logs are processed
To maintain functionality and stabilize the CMP system, error logs are collected and analyzed.

5.1. Personal data collected
Page URL
Error Type
Error Description
Software component, version and environment
Domain Identifier
Date and Time

5.2. How the data is processed and stored
The data is stored and analysed in the AWS cloud.

5.3. How long the data is kept
The data will be stored until the analysis of possible errors in functionality, the restoration of functionality and the stabilisation of the system have been completed, and will then be deleted immediately.

6. How anonymous data is processed for analytics
Law & Innovation processes anonymized data for the continuous improvement and further development of the service and for scientific research purposes in the field of effective consent processes and data subject rights. To this end, Law & Innovation uses Matomo and applies the guidelines published by the French data protection authority CNIL (Exemption Audience measurement Configuration guide Matomo Analytics). Identifiers such as IP addresses are only stored in aggregated form.

6.1 Data collected
Browser type and version
Screen size and orientation
Domain and domain identifier
Event type
Time stamp
Consent choices
Consent trigger
Agent status
Banner version

6.2 How the data is processed
To follow the CNIL implementation guide, Matomo is configured as follows:
Data exports are disabled.
An opt-out option has been implemented in the Consenter Banner.
Only anonymised IP addresses are processed.
No third-party or cross-domain cookies are used.
No user ID–based measurement is used.
No e‑commerce tracking is used.
Heatmaps and session recordings are deactivated.

6.3. How long the data is kept
Identifiers are anonymised before storage (especially IP addresses). Other data is not identifying.

Annex 2 - Technical-Organisational Measures
Technical and organizational measures (TOM) within the meaning of Art. 28 para. 3 lit. c, Art. 32 GDPR

Law & Innovation Technology GmbH, Jungstr. 29, 10247 Berlin, Germany (hereinafter "Law & Innovation") processes personal data on behalf of its customers. Law & Innovation is aware of its responsibility as a processor. Accordingly, technical and organizational measures have been taken to significantly reduce risks and potential hazards that arise in connection with the processing of personal data. How a level of security and data protection that complies with the GDPR is achieved can be found in the following technical and organizational measures. These are deemed to be agreed upon with the controller.

Table of contents
1. Measures to ensure confidentiality (Art. 32 para. 1 lit. b GDPR)
2. Measures to ensure integrity (Art. 32 para. 1 lit. b GDPR)
3. Measures to ensure resilience & availability (Art. 32 para. 1 lit. b GDPR)
4. Measures to restore availability (Art. 32 para. 1 lit. c GDPR)
5. Measures for the pseudonymization of personal data (Art. 32 para. 1 lit. a GDPR)
6. Procedures for the regular review, assessment and evaluation of the effectiveness of the technical and organizational measures (Art. 32 para. 1 lit. d GDPR)

1. Ensuring confidentiality (Art. 32 para. 1 lit. b GDPR)
Law & Innovation takes measures to implement the requirement of confidentiality. This includes, among other things, measures for physical access, electronic access control and internal access control. The technical and organizational measures taken in this context are intended to ensure appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.

Physical Access control
Where personal data is the subject of processing, it is stored in systems that are secure.
All systems and devices are updated at regular intervals (software update).
All systems are regularly checked for vulnerabilities.
There is no critical IT infrastructure (server systems) on the premises of Law & Innovation. Nevertheless, physical access to office space is protected with security measures to the greatest possible extent. These include:
Access to the office is only possible for employees and service providers (e.g. cleaning service) with personalized door transponders/locking cylinders and logged key/transponder issue/return.
Visitors must ring the bell, register in person, identify themselves and are not allowed to move freely around the premises.

Electronic Access control
Access to personal data is restricted to a limited group of employees, requires their designated login credentials (user ID and password) and access is only via encrypted means (HTTPS, TLS/SSL).
Group accounts / system logins only for specific applications.
Separate user IDs for privileged authorizations.
User IDs are deactivated/deleted immediately when employees leave the company.
Passwords are not stored in clear text or transmitted unencrypted.
For user authentication, password requirements are: 8-12 characters long; 3-4 character types are to be used; upper & lower case; no common terms; the password is to be changed immediately if there is a reason/indication of misuse; temporary passwords are to be updated immediately after account activation by the user.
Two-factor authentication is used wherever possible.
Session Management.
Internal IT security policies.
Automatic locking of clients (e.g. employee workstations) after a defined period of time without user activity (also password-protected screen saver or automatic pause).

Internal Access control
Access is in accordance with an authorization concept and crypto concept.
Use of a user and user group management system and access rights management.
SSH is deactivated wherever possible.
Graduated authorizations are assigned depending on the employee's area of activity. The minimum principle is always applied here.

Further measures
Strict separation control: If there are different purposes, data is not processed together. Here, a client separation (logical or physical) / function separation is supported.
If the respective purpose for data processing ceases to exist, the data is deleted. This is done in accordance with the deletion concept.
Encryption of data-at-rest.

2. Ensuring integrity (Art. 32 para. 1 lit. b GDPR)
Measures are taken that serve the requirement of integrity. This includes, among other things, measures to control input, but also those that generally contribute to protection against unauthorized or unlawful processing, destruction or unintentional damage.

Transfer control
Measures to ensure that personal data cannot be read, copied, altered or removed by unauthorized persons during electronic transmission or while being transported or stored on data media, and that it is possible to verify and establish to which bodies personal data is intended to be transmitted by data transmission equipment:
The transmission of data is encrypted.
Data encryption is always used when transferring data over the internet.
Only secure wireless networks (WLAN) are used, all of which are encrypted with WPA-2.
If necessary, VPN technology is used.
If data carriers, data and printouts are no longer used, they are securely deleted or destroyed. This ensures to the greatest possible extent that data cannot be recovered.
If necessary, the data transfer is logged.

Input control
Measures to ensure that it is possible to check and establish retroactively whether, at what time and by whom personal data have been entered, changed or removed in data processing systems:
High standards in the legally compliant drafting of contracts for the processing of personal data with sub-contractors, which contain provisions of control options.
Use of logging and log evaluation systems to document user input. If adjustments are made to systems that process personal data, this is recorded and kept as required (e.g. in the form of log files).
The logic of data input and output is checked (checking file paths, etc.).
Obtain information from service providers regarding the measures taken to implement data protection requirements.
Verbal instructions are confirmed in writing.

3. Ensuring availability (Art. 32 para. 1 lit. b GDPR)
Measures to ensure that personal data are protected against accidental destruction or loss.

Specific measures for our production environment & related systems
Law & Innovation does not operate its own server resources in its own data centers. Where processing is carried out by sub-contractors, the following measures, among others, apply, before and during data processing:
Monitoring/supervision of system activities by our employees.
Our productive environment is backed up at regular intervals or data mirroring procedures are used.
Hardware (especially servers) is decommissioned after a check of the data carriers used in it and, if necessary, after the relevant data records have been backed up.
The systems are protected by an uninterruptible power supply (UPS).
A multi-layer virus protection and firewall architecture is used.
The data centers used have fire/water and temperature early warning systems in the server rooms as well as fire doors.
Regular patch management.
Load balancing.
Data storage is added as part of dynamic processes.
Penetration and load tests are carried out regularly.
The load limit for each data processing system is set above the necessary minimum in advance of data processing.
Regular training of the personnel deployed.
For the production system and related systems, AWS resources are used.

Further measures
If companies are commissioned with the processing of personal data, this is always subject to the condition of an existing order processing contract that complies with the requirements of Article 28 of the GDPR. Corresponding sample contracts are provided for this purpose. These also ensure that Law & Innovation is informed of possible threats to availability at an early stage.
Use of virus software on employee computers.
The storage of data on employee computers is reduced as much as possible. Data is stored on secure cloud systems.
Standard software used is subject to a preliminary check and may only be obtained from limited secure sources.
Emergency plans with concrete instructions for action have been established for security and data protection breaches.

4. Ensuring recoverability (Art. 32 para. 1 lit. b GDPR)
In the event of a physical or technical incident, measures are in place to ensure rapid availability and, as part of a plan of action, go beyond mere data backup. To be able to restore ongoing operations in these disaster scenarios, the following is undertaken:

Specific measures for our production environment (CMP) & related systems
Daily backup of all server resources by the hosting provider (AWS).
Disaster recovery.
Conclusion of service level agreements (SLAs) with service providers.
Multi-level backup procedures.
Redundant storage (cluster setups / geo-redundancy) of data (e.g. hard disk mirroring).
Use of firewall, IDS/IPS.
Fire and extinguishing water protection.
Alarm monitoring.
Failure, disaster and recovery plans and scenarios.

5. Measures for pseudonymization of personal data
Pseudonymization is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. The following measures are taken for this purpose:
Establish a strict privacy-by-design approach.
Establish a pseudonymization concept (including definition of the data to be replaced; pseudonymization rules, description of procedure).

6. Procedures for the regular review, assessment and evaluation of the effectiveness of technical and organizational measures
A regular review, assessment and evaluation of the effectiveness of the technical and organizational measures to ensure the secure processing of personal data is carried out through the following measures:

Data protection management system
All procedures, any requests from authorities, contracts and directories are kept for documentation and transparency purposes. Changes are also documented.

Information Security Management System
All concepts, processes and risk analyses are kept in an internal ISMS.

Processing of data on behalf of Law & Innovation or by subcontractors
Commissioning is always preceded by an extensive selection process and a PreCheck. We check whether our high standards described here are also met by potential processors. Only when this has been done and a processing contract that complies with the requirements of Article 28 GDPR has been concluded may processing take place. In addition to the PreChecks, we also carry out recurring audits in order to permanently maintain the required level. The agreed-upon services are specifically set out in the order processing contracts in order to clearly delineate the scope of the order.

Training and employee awareness
At the start of their employment with Law & Innovation, all employees receive all important information on the topic of data protection and information security and are obligated to maintain confidentiality. With regular (refresher) training and selective provision of information (articles, cases, etc.), we ensure a constantly high level of employee awareness.

Up-to-dateness of the security concept
The security concept is subject to regular revision and adapted as necessary.

Responsibilities
Responsibility for the implementation of the measures and processes described here lies within the responsible departments or specialist areas. Regular monitoring is carried out in part by the Data Protection Officer and the Information Security Officer.

Further measures
Reviewing information on newly emerging vulnerabilities and other risk factors, including revision of the risk analysis and assessment, if necessary.

Annex 3 to the Data Processing Agreement

Authorised subprocessor
| # | Name | Operating company | Address of the Subcontractor | Place of data processing | Scope of Application under the Contract | Data Subject | Service |
|---|------|-------------------|------------------------------|--------------------------|------------------------------------------|--------------|---------|
| 1 | AWS | Amazon Web Services EMEA SARL | 38 Avenue John F. Kennedy, L-1855 Luxembourg | EU | Data bases, file storages and identity management, encryption, CRM | Controller itself and her users (esp. consent records) | CMP |
| 2 | Stripe | Stripe Technology Company Limited (STC) | One Wilton Park, Wilton Place, Dublin 2, D02 FX04, Ireland | EU | Payment data | Controller itself | CMP (billing) |
| 3 | Cloudfront AWS | Amazon Web Services EMEA SARL | 38 Avenue John F. Kennedy, L-1855 Luxembourg | Global | Content Delivery Network (CDN) | only controller itself | CMP |
| 4 | Matomo Cloud | InnoCraft Ltd. | 7 Waterloo Quay, PO625, 6140 Wellington, New Zealand | EU | Anonymous analytics | Controller itself; wrt her users only in anonymized form | CMP |
