Data Processing Agreement for Meister AI
This Data Processing Agreement ("DPA") is entered into by and between:
The User (hereinafter the "Controller")
and
MeisterLabs GmbH, Zugspitzstraße 2, 85591 Vaterstetten, Germany (hereinafter the "Processor")
(individually referred to as a "Party" and jointly referred to as the "Parties")
This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the Meister AI Product.
1. Preamble and Definitions
1.1 Purpose: This DPA forms an integral part of the Meister AI Beta Terms of Service and ensures that personal data processing by the Processor on behalf of the Controller is carried out in compliance with applicable Data Protection Laws, particularly the EU General Data Protection Regulation (EU/2016/679) ("GDPR").
1.2 Definitions: Terms defined in the Meister AI Beta Terms of Service shall have the same meaning in this DPA.
1.2.1 “Data protection laws” include GDPR as well as any national data protection acts and provisions governing the data processing activities under this DPA.
1.2.2 "Personal Customer Data" includes all personal data the Processor, and any sub-processors used by the Processor, process on behalf of the Controller under this DPA.
1.2.3 Terms used in this DPA are to be interpreted within the meaning of the GDPR, unless expressly agreed otherwise.
3. Rights and Obligations of the Controller
3.1 Compliance with Laws: The Controller undertakes to process Personal Customer Data disclosed to the Processor in accordance with relevant and applicable Data Protection Laws and regulations.
3.2 Legality of Processing: It is the Controller's sole responsibility to ensure the legality of the processing of Personal Customer Data, including obtaining any necessary consents or establishing other legal bases for processing, before importing data into the Product.
3.3 Instructions: The Controller’s instructions for all processing steps necessary for the performance of the Product’s functionalities are deemed to have been given upon conclusion of the Beta Terms and use of the Product.
4. Rights and Obligations of the Processor
4.1 Processing on Instruction: The Processor shall process Personal Customer Data only in accordance with the documented instructions of the Controller, this DPA, the Meister AI Beta Terms of Service, and its legal obligations.
4.2 Notification of Legal Violations: The Processor shall notify the Controller without undue delay if, in its opinion, an instruction from the Controller violates applicable Data Protection Laws.
4.3 Confidentiality: The Processor ensures that persons authorized to process Personal Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.4 Assistance to Controller: Taking into account the nature of the processing, the Processor shall assist the Controller to comply with its obligations under the GDPR, including (1) responding to requests from data subjects (e.g., rights of access, rectification, erasure, objection, data portability); (2) ensuring security of processing (Art. 32 GDPR); (3) notifying personal data breaches to supervisory authorities and data subjects (Art. 33, 34 GDPR); and (4) conducting data protection impact assessments (Art. 35 GDPR) and prior consultations (Art. 36 GDPR).
4.5 Data Breach Notification: The Processor shall notify the Controller of any personal data breach that directly affects Personal Customer Data in accordance with legal requirements.
4.6 Data Deletion/Return: Upon termination of the DPA or completion of processing services, the Processor shall, at the Controller's written request, delete or return all Personal Customer Data to the Controller, unless retention is required by law.
5. Sub-processors
5.1 General Authorization: The Controller hereby grants general written authorization to the Processor to engage other processors ("Sub-processors") to process Personal Customer Data under this DPA.
5.2 Notification and Objection: The Processor undertakes to inform the Controller of any change regarding the involvement or replacement of further Sub-processors. The Controller may object to such changes in writing within fourteen (14) days, specifying reasonable grounds relating to data protection. If an objection is valid and commercially reasonable efforts to provide services without the objected-to sub-processor are not feasible, either party may terminate the relevant services.
5.3 Sub-processor Obligations: Where the Processor engages a Sub-processor, it shall ensure, by written agreement, that the Sub-processor is bound by data protection obligations substantially the same as those imposed on the Processor under this DPA. The Processor remains liable to the Controller if a Sub-processor fails to comply with its data protection obligations.
6. International Data Transfers
6.1 Compliance with Chapter V GDPR: The Processor may transfer Personal Customer Data to Sub-processors established in countries outside the European Economic Area (EEA) or countries not deemed to ensure an adequate level of protection by the European Commission, only if such transfers comply with the requirements of Chapter V of the GDPR.
6.2 Appropriate Safeguards: The Processor shall ensure such compliance by implementing appropriate safeguards for the transfer, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). If any safeguard relied upon for the lawful transfer ceases to be valid or is otherwise insufficient, it may be replaced by any other valid safeguard according to Chapter V of the GDPR.
7. Technical and Organizational Measures (TOMs)
7.1 Security Measures: The Processor undertakes to implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Personal Customer Data, in accordance with Art. 32 GDPR. These measures are designed to protect data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. An overview of technical and organizational measures taken by the Processor is included in Annex 2. The Controller confirms that the technical and organizational measures provided in Annex 2 are adequate.
7.2 Security Measure Updates: The Data Processor is obliged to notify the Data Controller of any significant changes to the technical or organizational measures, provided such change does not result in an improved overall security of the services provided by the Data Processor. The Processor will ensure that such changes will not result in a lower level of protection.
8. Audit
8.1 Compliance Verification: The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA. The Processor may demonstrate compliance by providing appropriate documentation regarding its security measures and relevant current certifications.
8.2 On-site Audits: To the extent that documentation does not appropriately verify compliance and the Controller provides documented evidence of reasonable suspicion of a material breach or an audit is explicitly required by a supervisory authority, the Processor shall permit an on-site audit by the Controller or an approved independent third-party auditor, subject to reasonable procedures agreed upon by both parties.
9. Term and Termination
9.1 Term: This DPA will enter into force upon your acceptance of the Meister AI Beta Terms of Service and will remain in effect for as long as the Processor processes Personal Customer Data on behalf of the Controller in connection with the provision of the Product.
9.2 Termination: This DPA terminates automatically upon the termination of the Meister AI Beta Terms of Service, or earlier if mutually agreed by the Parties.
10. General Provisions
10.1 Severability: Should individual provisions of this DPA be or become wholly or partially invalid, the validity of the remaining provisions shall not be affected thereby. An effective provision shall be deemed agreed which comes closest economically to what the Parties intended.
10.2 Governing Law and Jurisdiction: This DPA shall be governed by German law. The exclusive place of jurisdiction for all disputes arising from or in connection with this DPA shall be Munich, Germany.
If the Controller wishes to engage the Data Processor with the processing of personal data in addition to the personal data mentioned below, it is the responsibility of the Data Controller to notify the Data Processor. The Data Processor will then review the request and, if possible, confirm the changes.
Data subjects
The personal data processed depend on the data provided by or on behalf of the Controller and may relate to the following categories of data subjects:
Controller’s customers
Customers of the Controller’s customers
Controller’s employees
Employees of the Controller’s customers
Contact persons at Controller’s suppliers
Contact persons at suppliers to the Controller’s customers
Controller’s prospective customers
Prospective customers of the Controller’s customers
Categories of data
The categories of personal data processed depend on the data provided by or on behalf of the Controller and may include the following data categories:
Personnel master data (e.g. salutation, last name, first name, address, title, position)
Communication data (e.g. communication content)
Planning and control data
Data from third-party resources, including but not limited to calendar entries and emails.
Special data categories
No. The use of special category data is prohibited by the applicable terms of service.
Scope, nature and purpose of the Data Processing, nature of the personal data and data subjects
Personal Customer Data is processed under the DPA for the purpose of the provision of the services and to fulfill the Processor's obligations under applicable law, the Meister AI Beta Terms and this DPA.
The nature of the processing depends on the Controller's use of the Product and may include storing, altering, displaying, structuring, organizing and combining.
The Processor may update these technical and organizational measures from time to time, provided that such update does not reduce the overall security of the services provided by the Processor.
Privacy Policy / Security Concept
The Data Controller’s and Processor’s privacy policies (including any relevant security policies) address the security of personal data.
Organizational security measures
The internal organization is appropriately designed to meet the specific requirements of data protection.
Policies and procedures are in place and are checked regularly.
Risks are evaluated and documented.
Information is classified according to a policy.
A security manager has been appointed.
Appropriate measurements for the performance and effectiveness of security management are in place.
Security measures for changes in service
The change management process includes a data protection impact analysis and information security risk evaluation.
Personal data may only be utilized for process or system development activities and the testing associated therewith if they have been anonymised prior to their utilization or otherwise protected.
Security measures in user management
Measures prevent data processing systems from being used by unauthorized persons.
Passwords are managed with a password manager.
A password policy is in place and enforced through the password manager and a Unified Endpoint Management system.
Two-factor authentication is enforced where required by our policy.
Security measures for logical access
Logical access to personal data is restricted.
Measures ensure that persons authorized to use the data processing systems may only access data for which they are authorized.
Access is granted based upon the need-to-know principle (Principle of Least Privilege).
Access is granted/revoked upon request. Revocation may also happen automatically after a set timeframe, or manually after a review was conducted.
We have an authorization request process in place, with documentation of the user that needs access, the system, the requested permissions, the requester and the authorizer.
As part of the HR onboarding and offboarding processes, access rights are granted and revoked as well.
We conduct regular reviews of logical access on all our systems, depending on the classification of information and document those reviews.
Separation of mandates
Customer data is logically separated, with the data of different customers kept apart from each other by security mechanisms.
In addition, there are test and staging systems that are completely separate from the production system.
Security measures for physical access
Physical access to personal data in any format is restricted.
Personal data, in any format, is protected against accidental disclosure due to natural disasters and environmental hazards.
Personal data on portable media or devices is protected against unauthorized access. Storage media security measures prevent unauthorized reading, copying, modification, or removal of storage media.
Google data center (Frankfurt, Germany)
See the encryption measures and certificates of the data center: https://cloud.google.com/docs/security/encryption/default-encryption and https://cloud.google.com/security/compliance/iso-27001/
MeisterLabs GmbH office (Munich, Germany)
The MeisterLabs GmbH office in Munich is located at Zugspitzstraße 2, 85591 Vaterstetten.
Access to the office building is secured via an external door with a lock.
Access to the MeisterLabs GmbH office is additionally secured with a lock and only possible with the appropriate keys, which are only in the hands of MeisterLabs GmbH employees. The landlord does not have a key to these premises. The keys are handed out to employees of MeisterLabs GmbH when the contract is signed, the key is withdrawn when the employment relationship is terminated, and there is corresponding documentation on keys in circulation.
Guests or visitors are not received in the office of MeisterLabs GmbH.
The company network in the above-mentioned premises of MeisterLabs GmbH in Munich is protected by a state-of-the-art firewall.
Security measures for storage
There are measures in place to prevent unauthorized input and unauthorized evaluation, modification or deletion of stored personal data. These also include protection against malware.
Cloud Storage
Data is encrypted at block-level, see “Security measures for physical access”.
Access to personal data is thoroughly managed, see “Security measures for logical access”.
Computer resources in the cloud are automatically checked for vulnerabilities.
A Host Intrusion Detection System (HIDS) is in place to detect unusual behavior on the machines.
Daily backups are kept for 14 days, after which they are deleted.
Employee devices
All employee devices are full-disk encrypted. A firewall and antivirus protection are present. Automatic screen locks are activated. Asset management processes are implemented. All devices are enrolled in a Unified Endpoint Management solution to automatically enforce policies.
Stolen or lost devices can be remotely locked or wiped.
Only authorized repair shops can be used to repair company owned devices. Computers are only bought at authorized resellers.
Storage of data on removable media is discouraged. Policies for disposal are in place.
Secure Development
A secure development policy is in place to make sure insecure code is not introduced, and existing code and third-party libraries are regularly checked for vulnerabilities.
Measures are in place to detect insecure code (static code analysis).
Development needs to adhere to our secure development policy.
All application code is peer reviewed.
Used libraries are automatically scanned for known vulnerabilities.
Security measures for data input
There are measures in place to ensure that it can be verified what personal data has been entered into data processing systems, by whom and when.
Control over processed information
The data subject has the possibility to obtain information on the processing of his/her personal data, to have such data corrected and deleted.
Data is deleted online directly in the database or in the online storage, and then disappears from the backups after 2 weeks, once those backups have been rotated.
Security measures during processing
There are measures in place to ensure that, in the case of commissioned processing of personal data, the data is processed strictly in compliance with the Data Controller’s instructions.
Security measures for transfer of data
There are measures in place to prevent unauthorized reading, copying, modification or deletion of personal data during the transmission or transport of storage media.
All connections to our data centers are encrypted in transit with state-of-the-art TLS. Supported cipher suites are regularly checked for deprecation.
Third parties that process personal data have appropriate security controls in place.
Unencrypted email attachments do not include confidential or sensitive information.
Availability and Resilience
Business continuity and disaster recovery plans are in place, tested, and updated regularly.
See certificates of the data center: https://cloud.google.com/security/compliance/iso-27001/
Cloudflare is used as a service provider for DDoS protection.
Measures in the event of security incidents
A documented procedure for the management of data protection incidents and violations has been implemented.
Employees are regularly trained on preventing security incidents but also on how to react to such incidents, including the possible need to quickly report incidents to authorities and inform users.
An internal hotline for security and data privacy incidents has been established and employees are encouraged to report incidents.
Assessment of security measures
Assessments and tests of the effectiveness of the key organizational, technical, and physical safeguards protecting personal data are conducted according to our policies, including but not limited to:
External vulnerability scans and penetration tests are conducted at least once a year.
External code audits are conducted when deemed necessary.
Internal infrastructure audits are conducted at least once a year.
Internal architecture and security audits are conducted at least once a year.
The results of the analyses are documented.
Upon conclusion of this DPA, the Controller approves of the engagement of the sub-processors listed below: