Within the scope of the Framework Agreement, the Processor (CAOS Ltd.) processes Personal Data on behalf of the Customer (Responsible Party), collectively the "Parties".
This Annex to the Agreement governs the Parties' data protection obligations in addition to the provisions of the Agreement.
Subject matter, duration, nature and purpose of the processing as well as the type of personal data and categories of data subjects
This annex reflects the commitment of both parties to abide by the applicable data protection laws for the processing of Personal Data for the purpose of Processor's execution of the Framework Agreement.
The duration of the Processing shall correspond to the duration of the Agreement, unless otherwise provided for in this Annex or unless individual provisions obviously result in obligations going beyond this.
In particular, the following Personal Data are part of the processing:
|Type of personal data||Examples||Affected data subjects|
|Basic data||All users|
Password: Users who use authentication methods with password.
Public Keys: Users who use an authentication procedure with cryptographic keys.
External login provider identifiers: Users who use an external login provider.
Phone number: Users who use authentication methods with SMS
|Profile data||Users who voluntarily add profile data|
|Communication data||Customers and users who communicate with us directly (e.g. support)|
Customers who use services that require payment
Credit rating information: Only customers who pay by invoice
|Usage meta data||All users|
Scope and responsibility
Under this Agreement, the Processor shall process Personal Data on behalf of the Customer.
This Annex applies to all processing of Customer's data (including data of the users of Customer's organization) with reference to persons ("Personal Data") which is related to the Agreement and which is carried out by the Processor, its employees or agents.
The Customer shall be responsible for compliance with the statutory provisions of the data protection laws, in particular for the lawfulness of the transfer of data to the Processor as well as for the lawfulness of the data processing.
The Processor is responsible for taking appropriate technical and organizational protection measures so that its processing complies with the legal requirements and ensures the protection of the rights of the Data Subjects.
Obligations of the processor
Bound by directions
If the Processor is of the opinion that a direction of the Customer violates the Agreement, the GDPR or other data protection provisions of the EU, EU Member States or Switzerland, it shall inform the Customer thereof and shall be entitled to suspend the Processing until the instruction is withdrawn or confirmed.
Obligation of the processing persons to confidentiality
The Processor shall ensure that the persons authorized to process the Personal Data have committed themselves to confidentiality, unless they are already subject to an appropriate statutory duty of confidentiality.
Technical and organizational measures
The Processor has taken appropriate technical and organizational security measures, maintains them for the duration of the Processing and updates them on an ongoing basis in accordance with the current state of technology.
The technical and organizational security measures are described in more detail in the annex to this appendix.
Involvement of subcontracted processors
A current and complete list of involved and approved sub-processors can be found at https://zitadel.com/trust/.
The Processor is entitled to involve additional sub-processors. In this case, the Processor shall inform the Responsible Party about any intended change regarding sub-processors and update the list at https://zitadel.com/trust. The Customer has the right to object to such changes. If the Parties are unable to reach a mutual agreement within 90 days of receipt of the objection by the Processor, the Customer may terminate the Agreement extraordinarily.
The Processor obligates itself to impose on all sub-processors, by means of a contract (or in another appropriate manner), the same data protection obligations as are imposed on it by this Annex. In particular, sufficient guarantees shall be provided that the appropriate technical and organizational measures are implemented in such a way that the processing by the sub-processor is carried out in accordance with the legal requirements. If the sub-processor fails to comply with its data protection obligations, the processor shall be liable to the customer for this as for its own conduct.
Assistance in responding to requests
The Processor shall support the Customer as far as possible with suitable technical and organizational measures in fulfilling its obligation to respond to requests to exercise the data subject's rights. The parties shall agree separately on the compensation of the Processor for this.
Further support for the customer
The Processor shall, taking into account the nature of the processing and the information available to it, assist the Customer in complying with its obligations in connection with the security of the processing, any notifications of personal data breaches, and any data protection impact assessments.
Deletion or destruction after termination
Upon Customer's request, the Processor shall delete personal data received after the end of the agreement, unless there is a legal obligation for the Processor to store or further process such data.
Information and control rights of the customer
The Processor shall provide the Customer with all information necessary to demonstrate compliance with the obligations set forth in this annex. It shall enable and contribute to audits, including inspections, carried out by the Customer or an auditor appointed by the Customer.
The procedure to be followed in the event of directions that are presumed to be unlawful is governed by the section Bound by directions of this Appendix.
Annex regarding security measures
The Processor has taken the following organizational and technical security measures to ensure a level of protection of the Personal Data processed that is appropriate to the risk:
Pseudonymization / Encryption
The following measures for pseudonymization and encryption exist:
- All communication is encrypted with TLS >1.2 with PFS
- Critical data is exclusively stored in encrypted form
- Storage media that store customer data are always encrypted
- Passwords are irreversibly stored with a hash function (bcrypt)
- Data for web analytics are pseudonymized and do not contain any personal data
Ensuring certain properties of the systems and services
The following confidentiality measures exist:
- Implementation of information security policies
- Implementation of secure authentication policies
The following integrity measures exist:
- Code and container images are automatically checked for vulnerabilities
- An automated system is used to keep dependencies up to date
- Secrets are automatically rotated whenever possible and are short-lived (for example, signing keys)
- Changes to code or infrastructure require mandatory review by at least one other employee
The following measures of availability exist:
- Operation of the systems in combination with a CDN/DDoS mitigation service
- High availability operation
- Geo-redundant operation over at least two data centers
The following measures of availability exist:
- Automatic scaling of resources
- Monitoring, logging, tracing and alerting
Restoring availability and access
The following measures exist to restore availability and access:
- Implementation of a backup concept
- Emergency plan
- Testing of the emergency plan
Regular review, assessment and evaluation of effectiveness
The following measures exist for regular review, assessment and evaluation of effectiveness:
- At least annual audit and evaluation of processes within the framework of an information security management system
- Responsible Disclosure and Bug Bounty policies
- External audit of system security ("penetration testing")
Entry into force
This agreement is valid from 15.07.2022.
Last revised: June 14, 2022