Terms and Conditions
Last Updated: January 18, 2024
1. Scope of Application
(1) These Terms and Conditions (referred to as "T&C") provided by Y42-Intelligence GmbH, Charlottenstr. 4, 10969 Berlin (referred to as "Y42") govern the use of the data processing software platform Y42 (referred to as "Software"), all materials provided or developed by Y42 (independently or with customer’s cooperation) in the course of performance under these T&C (hereinafter referred to as “Materials”) by the customer using the Software or its affiliated entities (jointly referred to as "CUSTOMER"). Y42 offers certain service packages (currently: “Developer”, “Business” and “Enterprise”). The range of services provided by Y42 is determined by the service package as individually purchased by CUSTOMER.
The T&C shall only apply if CUSTOMER is an entrepreneur (Section 14 German Civil Code), a legal entity under public law or a special fund under public law.
(2) Subject to the conditions of the respective service package, Y42’ services may include user-specific adjustments ("customizing") training or consulting services. Besides, services of Y42 will not go beyond the mere provision of the Software.
(3) These T&C apply exclusively. Deviating, conflicting or supplementary general terms and conditions of CUSTOMER shall only become part of the contract if and to the extent that Y42 has expressly agreed to their validity. This consent requirement shall apply in any case, even if Y42, being aware of CUSTOMER's general terms and conditions, unconditionally provides the Software to CUSTOMER.
2. License and Y42 Responsibilities
(1) To use the Software, CUSTOMER must complete the registration process by providing Y42 with current, complete and accurate information as requested by Y42.
(2) Subject to CUSTOMER’s registration, timely payment of the subscription fees and subject to these T&C, Y42 hereby
(a) grants CUSTOMER a non-exclusive, non-transferrable, and non-sub-licensable right to use the Software (including related documentation) and all Materials for CUSTOMER’s internal business operations.
(b) grants CUSTOMER access to and CUSTOMER is entitled to grant authorized users (i.e., CUSTOMER’s employee, agent, contractor or representative) access to the Software in its latest version via a user interface provided by Y42 where CUSTOMER and authorized users can upload and store content, materials, data and information (referred to as “Customer Data”) from CUSTOMER’s systems. Customer Data is processed by the Software using various methods and made available to CUSTOMER for further use. A full description of the functionalities of the Software can be made available by Y42.
(3) Y42 will continue to develop the Software at its own discretion and will improve it through updates and upgrades.
(4) Y42 does not warrant permanent and uninterrupted availability of the Software. Notwithstanding that, Y42 warrants the operability and accessibility of the Software of 98% on an annual average. No liability shall be assumed for availability beyond this. The calculation of the quota shall not include announced maintenance time. It is CUSTOMER's responsibility to verify at regular intervals via CUSTOMER’s own access whether the Software can be properly accessed and used.
(5) Y42 will provide support services in accordance with the purchased service package. Support services may include, in particular:
- The provision of the latest versions of the software;
- The update of the software documentation. In case of a significant changes in the functionality or operability of the software, a completely new documentation shall be provided;
- The provision of newly developed functions of the software (that does not encompass the development of specific functionalities);
- The remedy of defects, malfunctions, and irregularities within the program code and the documentation after expiration of the warranty period;
- Written consulting services (also by fax or e-mail) and hotline support for troubleshooting purposes. In case of program error messages or other queries made via e-mail, the reply can also be made via e-mail;
- Support services shall always be performed on the current version of the software.
3. Reservation of Rights and Restrictions of License
(1) Y42 reserves all rights not expressly granted by this T&C and CUSTOMER acknowledges that CUSTOMER shall not acquire any title in or to the Software. CUSTOMER shall not alter or delete any copyright or trademark notice, trade name, or other markings that identify the proprietary rights and interests of the owners or Y42. CUSTOMER is not entitled to make available or sub-license the Software to third parties.
(2) CUSTOMER shall not do or attempt to do any of the following:
(a) copy, modify, translate or create derivative works of the Software, except as expressly permitted in these T&C; For the avoidance of doubt, this includes the installation or storage of the Software on desktops or other data carriers (such as hard disks);
(b) decompile, disassemble or otherwise reverse engineer the Software provided by Y42 to CUSTOMER in object/source code form, or determine or attempt to determine algorithms, methods or techniques embodied in such Software;
(c) distribute, disclose, rent, lease, assign, sublicense, pledge or otherwise transfer the Software (or any modifications thereto), in whole or in part, to any third party;
(d) export the Software (or any modifications thereto);
(e) perform, release the results of benchmark tests or other comparisons of Y42 Software to third parties;
(f) transfer the Software (or any modifications thereto);
(g) permit the Software (or any modifications thereto) to be used in connection with any facility management services or service bureaus or otherwise to be used for processing the data of any third party;
(h) use the Software (or any modifications thereto) for any other purposes that are not expressly permitted under this T&C, if and to the extent accepted by Y42.
(3) Y42 reserves the right to refuse access to the Software if there are indications that technologies used by CUSTOMER impair the functionality or security of the Software or the possibilities of Y42 to monitor and verify the authorization of CUSTOMER or its authorized users to use the Software. In such case Y42 will inform CUSTOMER and give CUSTOMER the opportunity to remedy the situation within a reasonable period of time; this shall not apply in the event of imminent danger requiring Y42 to immediate action.
4. CUSTOMER's Responsibilities
- CUSTOMER is responsible for the Customer Data and entering it into the Cloud Service. Customer grants to Y42 a nonexclusive, royalty-free, non-transferable, and sub-licensable right to process Customer Data solely to provide and support the Software.
- Proper and trouble-free operation of the Software is subject to a specific hardware and software environment (e.g. APIs to pre-existing software, internet-connection, minimum frequency of the processor, memory, operating system). It is CUSTOMER’s own duty to ensure a suitable hardware and software environment in a timely manner. Y42 does not assume any liability for inoperability of the Software due to any deficiency.
- CUSTOMER is obliged to make appropriate arrangements in order to prevent unauthorized access to the Software. CUSTOMER will protect the passwords and take full responsibility for CUSTOMER’s own (including any authorized user’s) and any third party’s use of CUSTOMER’s account. CUSTOMER is solely responsible for any and all activities that occur under CUSTOMER’s account. CUSTOMER will notify Y42 immediately upon obtaining knowledge of any unauthorized use of CUSTOMER’s account or any other security breach.
- CUSTOMER will indemnify and hold Y42 harmless against claims brought against Y42 and subcontractors by any third party related to Customer Data. In relation to Materials, CUSTOMER will indemnify and hold Y42 harmless against all damages resulting from claims of third parties against Y42 due to an infringement of intellectual property rights by CUSTOMER.
5. Prices and Terms of Payment
(1) CUSTOMER will pay the individually agreed subscription fees for the provision of the Software.
(2) Unless otherwise agreed, the subscription fees shall be due and payable in advance at the beginning of the calendar month in which Y42 provides the service.
(3) If CUSTOMER fails to meet the payment deadlines, CUSTOMER shall be in default. During the period of default, interest shall be charged at the statutory default interest rate applicable from time to time. The assertion of further damage caused by default remains unaffected. The claim to the commercial default interest (Section 353 German Commercial Code) remains unaffected. After prior written notice, Y42 may suspend CUSTOMER’s access and use of the Software until payment is made.
(4) A set-off or retention on the part of CUSTOMER is only permissible due to formally accepted or legally established counterclaims of CUSTOMER.
(1) Technical data, specifications and performance data in public statements, in particular in advertising material, do not constitute quality specifications. The functionality of the Software shall be suitable for the use presumed under these T&C and must otherwise have a quality that is customary for solutions of the same type. Under no circumstances shall Y42 assume liability for the economic success assumed and intended to be achieved by CUSTOMER by using the Software.
(2) The statutory provisions shall apply to CUSTOMER's rights in the event of material defects and defects of title.
(3) CUSTOMER shall support Y42 in determining and remedying the defect. CUSTOMER shall describe the symptoms of a defect to Y42 in as much detail as possible and submit to Y42 any documents (e.g., error messages, screenshots) that enable identification of the defect. CUSTOMER shall at all times comply with instructions given by Y42 and allow access to its IT infrastructure, if applicable.
(4) To the extent that Y42 provides technical information or acts in an advisory capacity and this information or advice is not part of the contractually agreed scope of services to be rendered by Y42, this is done free of charge and to the exclusion of all liability.
(5) Y42 undertakes to remedy malfunctions of the software as follows:
Malfunctions shall generally be allocated to a specific defect class. Y42 will make a provisional assignment at its reasonable discretion, taking into account the legitimate interests of the CUSTOMER. The CUSTOMER may request the conduct of good faith discussions with Y42 aiming at a potential re-classification.
During the warranty period, each malfunction shall be remedied without additional remuneration and within a reasonable period of time, adequately taking into account the relevant defect class. After the warranty period, Y42 may provide its services subject to the conclusion of a separate maintenance agreement.
(5) Y42 reserves the right to maintain the software and its environment at its own discretion. Scheduled maintenance work and data backups will, if possible, be carried out outside normal business hours at night or at weekends. During this time, operation is not possible. New software versions must be downward compatible with each previous version and API with other software. Patches used exclusively for troubleshooting purposes shall be separated from other releases and updates/upgrades.
7. General Liability
(1) In case of intent and gross negligence, Y42 shall be liable without limitation.
(2) In case of simple negligence Y42 shall be liable
(a) for damages resulting from an injury to life, limb or health
(b) for damages resulting from the breach of an essential contractual obligation (i.e. an obligation the fulfillment of which is essential for the proper execution of the contract and the observance of which the contractual partner regularly relies on and may rely on); in this case, however, liability is limited to compensation for the foreseeable, typically occurring damage.
The limitations of liability resulting from the preceding sentence shall not apply if Y42 fraudulently concealed a defect or assumed a guarantee for the quality of the Software. The same shall apply to CUSTOMER's claims under the Product Liability Act.
Any further liability of Y42 is excluded.
(3) When using the Software, special instructions for handling and use must always be observed. Y42 accepts no liability for misuse.
8. Term and Termination
(1) The initial subscription period is a minimum of twelve (12) months. After this initial minimum term, the license renews for further subscription periods of respectively twelve (12) months. The subscription can be terminated by either party with one (1) month's notice to the end of the respective subscription period.
(2) The right to terminate the license for good cause shall remain unaffected.
(3) Upon termination of the subscription, Y42 will stop providing and CUSTOMER will stop accessing the Software and delete any remaining recognizable software residues from CUSTOMER’s IT system. Upon Y42’ request, CUSTOMER shall confirm in writing that the aforementioned obligations have been fulfilled. Before the subscription expires, CUSTOMER may request data export of the Customer’s data. After six months following termination of the subscription, Y42 will delete the Customer’s data remaining on servers unless applicable law requires retention.
9. Force Majeure
Y42 shall not be liable for the inability to provide the Software caused by force majeure or other unforeseeable events (e.g. breakdowns of any kind, difficulties in procuring materials or energy, transport delays, strikes, pandemics, lawful lockouts, shortage of labour, energy or raw materials, difficulties in obtaining necessary official permits, official measures) for which Y42 is not responsible. To the extent that such events make the provision of the Software substantially more difficult or impossible for Y42 and the hindrance is not only of a temporary nature, Y42 shall be entitled a right of withdrawal. In the event of hindrances of a temporary nature, performance deadlines shall be extended by the period of the hindrance plus a reasonable start-up period. To the extent that CUSTOMER cannot reasonably be expected to accept the delay, CUSTOMER may rescind by immediate written declaration to Y42.
- All drafts, offers, specifications, drawings, marketing plans, reports and photographs in connection with the Software or its functionalities, which are not generally known, are confidential information of Y42 and may not be disclosed to third parties or used for other purposes without the prior written consent of Y42. Such information shall remain the sole property of Y42 and shall be returned or destroyed at Y42' request, if applicable. CUSTOMER may not create or publish any press releases or advertising in connection with Y42 or the Software without the express prior consent of Y42.
- CUSTOMER agrees to maintain confidential all information obtained from Y42 in the course of performance of the contractual relationship and to use the same exclusively for the contractually agreed purposes. CUSTOMER agrees to implement adequate control mechanisms to ensure confidentiality and security. This Section imposes no confidentiality obligation upon CUSTOMER with respect to any information which CUSTOMER can demonstrate that
(a) it was in the possession of or was known by CUSTOMER without any confidentiality obligation towards Y42;
(b) it is or becomes generally known to the public without violation of the confidentiality obligations;
(c) it is obtained by CUSTOMER from a third party having no obligation of confidentiality;
(d) it is developed by CUSTOMER independently from Y42;
(e) CUSTOMER is legally obliged to disclose pursuant to judicial action or government regulation or requirement provided CUSTOMER promptly informs Y42 of the disclosure obligation; in case, Y42 decides to challenge the disclosure, CUSTOMER shall provide all reasonable co-operation to Y42 in challenging the disclosure, at Y42’s expense;
(f) it is necessarily disclosed by the sale by CUSTOMER.
- Without limiting the generality of this section, CUSTOMER shall not disclose to any third parties any information regarding the Software and documentation, or CUSTOMER‘s result of evaluation or testing thereof, including, without limitation, any test results, observations, data or other information regarding the quality, reliability or performance of the Software, or the applicability of the Software to any markets or sectors.
- This section shall survive the termination of the contractual obligations.
11. Press Releases
The CUSTOMER consents to the publication of the conclusion of a software or service agreement with Y42 or of a project handled by Y42, in a customary manner (e.g., in press releases, marketing or similar publications). Without prior consent of the CUSTOMER, such publication shall only name the CUSTOMER and describe the agreement/ the project in general terms, without the disclosure of specific details. The CUSTOMER may withdraw its consent in writing at any time with effect for future publication.
12. Data Protection and Data Security
Y42 processes personal data according to CUSTOMER’s specific instructions and subject to a data processing addendum (“DPA”) attached to these T&C as Exhibit A. Y42 processes data in full compliance with all applicable data protection regulations and ensures an appropriate level of data security.
The processing of special categories of personal data within the meaning of Article 9 of the GDPR shall be excluded and CUSTOMER shall not be entitled to use the Software for the purpose of processing such data.
13. Final Provisions
(1) CUSTOMER shall provide timely responses to Y42’s inquiries and requests for information. CUSTOMER acknowledges and agrees that Y42’s performance is dependent upon the completeness and accuracy of information provided by CUSTOMER.
(2) In case of any doubt, the provisions of these T&C shall remain binding in their remaining parts even if individual provisions are legally invalid. Y42 and CUSTOMER undertake to replace ineffective provisions with provisions that come as close as possible to the intended economic success. The same shall apply to any loopholes in the contract.
(3) Amendments or supplements to these T&C must be made in writing. This also applies to any changes to the written form requirement. Individual agreements always have priority.
(4) The contract concluded between the Parties is subject exclusively to the law of the Federal Republic of Germany to the exclusion of the UN Convention on Contracts for the International Sale (CISG).
(5) In case of disputes in connection with these T&C, Berlin shall be an exclusive venue. Irrespective of this, Y42 remains entitled to bring an action at the general place of jurisdiction of CUSTOMER.
Exhibit A: Data Processing Addendum (“DPA”)
Any processing of personal data by Y42 on behalf of CUSTOMER within the framework of the use of the Software shall be governed by the following terms:
1. Purpose and Application
(1) The provision of the Software by Y42 requires Y42 to have access to Customer Data which may also include personal data within the meaning of applicable data protection laws, in particular the General Data Protection Regulation (GDPR). Y42 will process such personal data on behalf of and in accordance with the instructions of CUSTOMER. Y42 provides data processing services according to Article 28 GDPR. The present DPA substantiates the Parties’ rights and obligations under data protection law aspects in connection with the handling of Customer Data by Y42.
(2) With regard to the terms used in this Agreement, the definitions of the GDPR and in particular of Article 4 GDPR shall apply.
2. Type, Scope and Purpose of Data Processing
- Y42 and any person acting under the authority of Y42, who has access to the Customer Data, shall not process the Customer Data except on instructions from CUSTOMER, unless they are required to data processing by Union or Member State law (Article 29 of the GDPR). Y42 shall be obliged to impose the data secrecy obligation in writing to any and all persons involved in the processing of Customer Data.
- Y42 shall be entitled to collect, process, and use the Customer Data exclusively for the purpose of providing the Software as contractually agreed and for the following type of data and data subjects:
- Type of data: Names, e-mail addresses, postal addresses, purchase/customer history, customer interactions/correspondence/feedback with CUSTOMER
- Data subjects: Customers of CUSTOMER, Authorized users of CUSTOMER
Any processing activity relating to Customer Data deviating or exceeding such scope is prohibited; in particular, Y42 shall not be entitled to use Customer Data for own purposes.
The processing of special categories of personal data within the meaning of Article 9 of the GDPR shall be excluded and CUSTOMER shall not be entitled to use the Software for the purpose of processing such data.
(3) The processing of Customer Data by Y42 shall exclusively take place in the territory of the European Economic Area (EEA) or in third countries providing an adequate data protection level, either through an adequacy decision by the EU Commission or through other appropriate safeguards within the meaning of Article 46 GDPR.
3. Technical and Organizational Measures
Y42 shall undertake to implement all appropriate technical and organizational measures considering the state of the art, the implementation costs and the nature, extent, circumstances and purposes of the processing of Customer Data as well as the different probability of occurrence and the severity of the risk to the rights and freedoms of natural persons. In compliance with this obligation, Y42 warrants that it has implemented the technical and organizational measures specified in the Annex to this DPA and will maintain them during the contractual term.
4. Sub Processors
(1) Y42 is granted a general authorization to subcontract the processing of Personal Data to subprocessors; provided, that Y42 notifies CUSTOMER of any intended changes concerning the addition or replacement of sub processors and giving CUSTOMER the opportunity to object on reasonable grounds relating to the protection of Customer Data. In that case, the Parties will enter good faith negotiations on the replacement of such a subprocessor. Y42 shall impose data protection terms on any subprocessor equally to the standard required by this DPA and applicable data protection law.
(2) Y42 shall agree with the respective sub processors that CUSTOMER shall have the same rights towards the subprocessor as towards Y42.
(3) If Y42 wants to involve a subprocessor in a third country, section 2 (3) shall apply mutatis mutandis.
5. Rights of the Data Subjects
(1) Y42 shall support CUSTOMER with reasonable technical and organizational measures to meet its obligation to respond to: (i) requests concerning the scope of data processing and (ii) any other correspondence, enquiry or complaint received from a data subject, authority or other third party in connection with the processing of Customer Data.
(2) Y42 shall immediately inform CUSTOMER in case a data subject directly addresses Y42 in terms of rights conferred from applicable data protection law and support CUSTOMER to comply with the request.
6. Other Obligations to Support, Security Incidents
(1) If it becomes aware of a security incident, Y42 shall inform CUSTOMER without undue delay and shall provide reasonable information and cooperation to CUSTOMER, taking into account the nature of the processing and the information available to Y42, so that CUSTOMER can fulfil any data breach reporting obligations it may have under applicable data protection law. The notification shall contain:
- a description of the nature of the security incident towards Customer Data indicating, where possible, the categories and approximate number of data subjects, the categories and approximate number of data records concerned;
- a description of the foreseeable consequences of the security incident;
- a description of the measures taken or proposed by Y42 to remedy the security incident and, where appropriate, measures to mitigate the possible negative effects.
(2) Y42 shall assist CUSTOMER in complying with the obligations referred to in Articles 32 to 36 GDPR, considering the nature of the processing and the information available to it.
7. Deletion and Return of Data
Upon request of CUSTOMER, or at the latest upon termination of this Agreement, Y42 shall, at the choice of CUSTOMER, either delete or return to CUSTOMER all Customer Data in its possession or control, including all existing copies of such Customer Data, unless Y42 is required by applicable law to retain some or all of Customer Data, or such Customer Data is archived on back-up systems, which Y42 shall protect from any further processing except to the extent required by such law.
8. Verification of Y42 Compliance, Inspection
(1) CUSTOMER shall ensure and regularly verify that the processing of Customer Data is in accordance with this Agreement and with the instructions of CUSTOMER. Y42 shall enable and contribute to such inspections by all appropriate and reasonable means, including, but not limited to, by
- granting the necessary access, and
- providing the necessary information.
(2) Y42 shall document the implementation of the obligations under this Agreement in an appropriate manner and shall provide CUSTOMER with appropriate evidence upon request. In particular, Y42 shall document:
- all confidentiality obligations of persons processing Customer Data;
- all infringements to Customer Data occurring within its sphere of influence, including all related facts, their impact and any taken rectifications;
- all contracts relating to the use of sub processors and all audits of sub processors;
- all individual instructions of CUSTOMER in accordance with this Agreement.
9. Final Provisions
(1) The final provisions of the T&C shall apply to this DPA mutatis mutandis.
(2) In case of contradictions between this DPA and any other agreement between the Parties in terms of data processing, the provisions of the present Agreement shall prevail.
Annex: Technical and Organisational Measures (“TOM”)
Technical and Organisational Measures with respect to Confidentiality (Article 32 (1)(b) GDPR)
(1) Physical Access Control
Unauthorised entry to premises is to be prevented.
Technical and/or organisational measures for entry control, in particular also for authentication of authorised persons:
Implementation at the Processor:
The company premises are protected by electronic access control using the membership card of Factory Works GmbH. In case of loss of this, a report must be made immediately to the property management.
Sensitive and business-critical information, e.g. on paper or electronic storage media, should be kept under lock and key when it is not needed, especially when the office is not occupied.
Computers and devices should be left only after logging off or protected with an access lock when unattended. Paper containing sensitive or classified information should be removed from the printer immediately.
The Y42 data centre is located in protected German data centres and is physically separated from the offices.
(2) Electronic Access Control
Authentication information must be kept strictly confidential by the user and protected from access by third parties (including superiors). Electronic storage is therefore only permitted if a secure password management system, which in turn requires a password, is used. Writing down the access data is excluded in any case. If there is any indication of a possible compromise of the secret authentication information, it must be changed immediately.
Passwords must be at least 8 characters long and contain letters, numbers and other special They must not be easy to guess, must not be inferences from personal information, must not be dictionary terms and must not be sequences.
Access to Y42 systems is protected by Multi-Factor Authentication and/or Single-Sign-On (SSO). All is encrypted at rest with the Advanced Encryption Standard (AES) when saved in the data warehouse. In addition, data that passes over the internet during read and write operations is encrypted using Transport Layer Security (TLS).
(3) Control Access
The company implemented a system providing layered access control that define the level of authorization.
Access to the Y42 operating environment represents a privileged access authorization. Access can only be established with the server using an individual key pair (RSA 2048). Access to the operating environment must be enabled by the management.
Access to the test environment is sufficient for developing and testing the software, therefore it should be individually assessed who requires access to the operating environment.
In the case of privileged accesses, the check by the direct superior must be carried out every two weeks and logged in the document "Privileged Access Authorizations".
(4) Separation control
Two levels of operating environments are used for development at Y42:
- development - This server environment is intended for testing if local testing is not possible. This environment is used for internal and testing.
- production - This environment is the operating environment and may only be updated for new releases.
Both environments are aligned with Google Cloud and the General Data Protection Regulation (https://cloud.google.com/security/gdpr/).
Cloud Security ISO 27017 is an international standard of practice for information security controls based on ISO/IEC 27002, specifically for Cloud Services. Google has been certified compliant with ISO 27017 for G Suite and Google Cloud Platform. Cloud Privacy- ISO 27018 is an international standard of practice for protection of personally identifiable information (PII) in Public Cloud Services. Google has been certified compliant with ISO 27018 for G Suite and Google Cloud Platform.
(5) Pseudonymisation (Article 32 (1)(a) GDPR; Article 25 (1) GDPR)
The processing of personal data in such a method/way, that the data cannot be associated with a specific Data Subject without the assistance of additional Information, provided that this additional information is stored separately, and is subject to appropriate technical and organisational measures.
Technical and Organisational Measures with respect to Integrity (Article 32 (1)(b) GDPR)
(1) Separation control
Information should be classified according to legal requirements, its value, criticality and sensitivity to unauthorised disclosure or modification.
The company uses the following classification levels for this purpose:
- Public - values which are publicly accessible or may be made publicly accessible. Any copyrights are held by the company or have been licensed.
- Restricted - values that may only be shared with certain partners or organisations. Also values that are copyrighted by third parties. This label contains an additional note about the user group if it is not obvious.
- Internal - values that may only be used internally and may not be passed on to external ones. All values without an indicator belong to this class.
- Confidential - Sensitive values that require special care and are highly restricted in their use and distribution.
Technical and Organisational Measures with respect to Availability and Recovery (Article 32 (1)(b) and (c) GDPR)
The company uses Google Cloud and G Suite as central data storage. Local copies of values should only be created if they are absolutely necessary. If necessary, they should be synchronized with Google Cloud or G Suite as quickly as possible and securely deleted on the local device.
Data from Y42 software and the associated databases are stored exclusively on the Google Cloud. Backups may only be stored locally in encrypted form. As soon as the data is anonymised, it may also be processed locally in accordance with its authorisation. Learn more about cloud compliance on Google Cloud Platform and in G Suite Data Protection Implementation Guide.
Procedures for regular testing, assessment, and evaluation (Articles 32 (1)(d) and 25 (1) GDPR)
Data Breach Procedure
Y42 follows this procedure to provide a standardised response to any reported data breach incident, and ensure that data breaches are appropriately logged and managed in accordance with the law and best practice.
The GDPR defines a “personal data breach” in Article 4(12) as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
These include, but are not limited to, events such as ineffective security measures, breaches of expected integrity, confidentiality or availability of information, human error, non-compliance with policies or guidelines, breaches of physical security measures, uncontrolled system changes, malfunctions of software or hardware or access violations.
Every employee has the duty to report information security incidents to a member of management immediately. In the event of onboarding, employees are made aware of this responsibility by the human resources department and informed of the procedure to be followed in the event of a data breach incident.
- Y42 will firstly determine if the breach is still occurring. If so, the appropriate steps will be taken immediately to minimise the effect of the damage.
- An initial assessment will be made by Y42 in liaison with the Data Protection Officer to establish the severity of the breach and who will take the lead investigating the breach. The whole procedure is explained in the Evaluation of the risks associated with the breach document.
- An investigation will be undertaken immediately and wherever possible within 24 hours of the breach being discovered/reported.
- Y42 investigate the risks associated with the breach, for example, the potential adverse consequences for individuals, how serious or substantial those are.
- Y42 will then establish whether there is anything that can be done to recover any losses and limit the damage.
- The incident must be recorded in the Data Breach Notification document, regardless of whether damage was caused or not. This includes time, potentially affected values, known and possible damage, immediate measures taken and affected persons. This document is also the basis for a possible report to customers and data protection authorities.
- If an immediate remedy of the data gap is not possible or the cause is unknown, the affected system must be disconnected from the network and the status must be saved. If possible, a backup of the system should be created for documentation purposes of the cause
After each information security incident, the cause must be investigated and, if necessary, future countermeasures must be developed and implemented. The DPO (WeData GmbH, Schellingstr. 126, 80798 München, firstname.lastname@example.org) is responsible for the follow-up and mediate the process with the data controller, supervisory authority and data subjects.
The content of the Data Security Breach Notice Letter is drafted and saved on the Akarion App platform. In case of data breach DPO will edit it in line with our procedures and in conjunction with consulting the management if considered necessary. We will notify individuals in clear and plain language and in a transparent manner (for example by email, SMS or letter). In some circumstances, we may not need to notify the affected individuals. Our DPO will decide whether this is the case.