
Agreement

on Order Processing in accordance with Art. 28 GDPR

To you, our customer,

– Data Controller –

hereinafter referred to as the Controller

and

ACARiS GmbH

represented by the Managing Director Dr. Arne-Rasmus Dräger

Axel-Springer-Platz 3

20355 Hamburg

Email: info@acaris.net

Tel.: +49 40 – 32597525

– Data Processor –

hereinafter referred to as the Processor

1. Subject and Duration of the Order

(1) Subject

The subject of the order for data processing is the execution of the following tasks by the Processor:

Installation and maintenance of the so-called Horse-Protector units, which contain video cameras.

Collection, storage, and processing/analysis of these film recordings (without sound) from the horse stable through artificial intelligence.

In this context, it may be necessary to use and process personal data, for which the Controller is the responsible entity within the meaning of the EU General Data Protection Regulation [GDPR], before and after the conclusion of a contract.

(2) Duration

The duration of this agreement corresponds to the duration of the business relationship between the parties.

2. Specification of the Order Content

(1) Nature and Purpose of the Intended Data Processing

The Controller instructs the Processor to collect, store, and analyze video recordings (without sound) using Artificial Intelligence. Continuous video recordings enable Artificial Intelligence to monitor the horse(s) in the stable, learn their behavior, analyze their health, and ensure desired security.

Artificial Intelligence relies on continuously recording, learning, and analyzing various behavioral parameters of the horse. It may be necessary to use and process personal data, for which the Controller, as per the EU General Data Protection Regulation [GDPR], is the responsible entity, before and after a contract is concluded.

(2) Type of Data

The processing of personal data includes the following types/categories of data:

Video recordings of a person (without sound)

(3) Categories of Data Subjects

The categories of individuals affected by the processing include:

Employees of the Controller

Customers (owners and caretakers of the horses)

Suppliers

Visitors

and all other individuals present in the horse stable

(4) Balancing of Interests for Video Surveillance and Recording

The creation of video recordings via Horse-Protector units is initially for the analysis of horse behavior, as mentioned above. Without continuous video surveillance, it would not be possible to trigger the alarms promised by the Processor in cases of horse illness or security-related incidents.

Additionally, data collection and processing serve to uphold legitimate interests under Article 6(1)(f) GDPR. According to this provision, a balance of the affected interests is necessary.

Upholding Legitimate Interests

Continuous monitoring of the horse in the stable contributes to the safety and health of the horse. On one hand, it enables artificial intelligence to learn and analyze horse behavior and assess the horse’s health. On the other hand, surveillance serves vandalism prevention, enforcement of house rules, protection of the horse owner’s property, investigation of thefts, and other security-related incidents. Recordings may be used in legal and non-legal proceedings.

Artificial Intelligence relies on continuously recording, learning, and analyzing various behavioral parameters of the horse. Without this, triggering expected alarms for illnesses, births, etc., by Horse-Protector would not be possible. It is possible that video cameras may capture images (without sound) of individuals present in the horse stable. With the help of this data, Artificial Intelligence learns to distinguish between humans and animals.

Necessity

The following examines whether specific video recording is suitable for achieving the purpose and whether alternative measures, less intrusive to the right to protection of personal data, are preferable.

For the reasons outlined, continuous monitoring is necessary. Otherwise, artificial intelligence cannot learn and analyze horse behavior or provide alarm notifications in security-related incidents (illness, births, entry of unauthorized persons, etc.).

Without permanent data storage, the contractual purpose – monitoring and safeguarding the horse’s health – would be jeopardized. A milder measure is not apparent.

However, a biometric analysis of recorded individuals (e.g., through facial recognition software) does not occur. It is also not automatically recorded which person was present in the horse stable at a specific time. Panning of the camera is not possible.

Balancing of Interests

The lawfulness of processing may be justified by the legitimate interests of the Controller (or a third party to whom personal data may be disclosed), provided the interests or fundamental rights and freedoms of the data subject do not prevail. In this context, the reasonable expectations of the affected individuals based on their relationship with the Controller must be considered (see Recital 47 to Article 6(1) lit. f GDPR).

Continuous monitoring of the horse through video cameras in the stable affects the rights of individuals entering this stable, especially their right to their own image. In contrast, the interests of the Controller in monitoring and preserving the health of their horse stand.

Considering these interests, the rights of recorded individuals appear less vulnerable. This is evident from the intensity of the intervention: Clear signs are placed in front of the horse stable – and thus in the monitored area – informing individuals about the video recordings and the responsible party. Hence, there is no covert surveillance.

Furthermore, only a very limited area is monitored – the horse stable – which only a manageable number of individuals may rightfully enter, namely only those caring for the horse. Besides the owner or caretaker of the horse, only employees of the Controller and potentially individuals authorized by the owner to handle the horse are eligible. Unauthorized individuals who enter the horse stable and potentially endanger the horse’s safety are also considered.

Despite the significant infringement on the personal rights of these individuals, it should be noted that no audio recordings are made, and no biometric analysis of individuals (such as through facial recognition software) takes place. The data is not shared and remains with the Processor and Controller. Only in cases of criminal activity and for enforcement in civil and/or criminal proceedings could sharing with authorities or courts be conceivable.

In light of the above, the interests of the affected individuals seem less worthy of protection than those of the Controller.

3. Technical and Organizational Measures

(1) The Processor shall document and submit to the Controller for review the implementation of the technical and organizational measures outlined and necessary before the commencement of processing, especially regarding the specific execution of the order. Upon acceptance by the Controller, the documented measures become the basis of the order. If the Controller’s review indicates a need for adjustment, such adjustments shall be mutually agreed upon.

(2) The Processor shall ensure security in accordance with Art. 28(3)(c), Art. 32 GDPR, particularly in connection with Art. 5(1), (2) GDPR. The measures to be taken collectively are data security measures aimed at ensuring an appropriate level of protection concerning the confidentiality, integrity, availability, and resilience of the systems relative to the risk. The state of the art, implementation costs, the nature, scope, and purposes of processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons under Art. 32(1) GDPR, must be considered [details in Annex 1].

(3) Technical and organizational measures are subject to technological progress and development. In this regard, the Processor is permitted to implement alternative appropriate measures. However, the security level of the defined measures must not be compromised. Significant changes are to be documented.

4. Correction, Restriction, and Deletion of Data

(1) The Processor may not independently correct, delete, or restrict the processing of data processed under the order but only based on documented instructions from the Controller. If an affected person directly contacts the Processor regarding these matters, the Processor shall promptly forward such requests to the Controller.

(2) If included in the scope of services, concepts for deletion, the right to be forgotten, correction, data portability, and information shall be ensured directly by the Processor based on documented instructions from the Controller.

5. Quality Assurance and Other Duties of the Processor

In addition to complying with the provisions of this order, the Processor guarantees compliance with legal obligations pursuant to Art. 28 to 33 GDPR; in this regard, the Processor ensures, in particular, compliance with the following requirements:

(1) The Processor is not obliged to appoint a Data Protection Officer.

(2) Maintaining confidentiality in accordance with Art. 28(3) sentence 2 lit. b, 29, 32(4) GDPR. The Processor only employs individuals in the execution of work who are obligated to confidentiality and have been familiarized with the relevant data protection provisions. The Processor and anyone under the Processor’s authority who has access to personal data may process such data solely in accordance with the instructions of the Controller, including the powers granted in this contract, unless they are legally required to process the data.

(3) Implementation and compliance with all technical and organizational measures required for this order in accordance with Art. 28(3) sentence 2 lit. c, 32 GDPR [details in Annex 1].

(4) Upon request, the Controller and the Processor shall cooperate with the supervisory authority in fulfilling their tasks.

(5) Promptly informing the Controller of control actions and measures of the supervisory authority, to the extent they relate to this order. This also applies if a competent authority investigates the processing of personal data in connection with order processing by the Processor as part of an administrative offense or criminal proceeding.

(6) If the Controller is exposed to a control by the supervisory authority, an administrative offense or criminal proceeding, liability claims of an affected person or a third party, or any other claim related to order processing by the Processor, the Processor shall assist the Controller to the best of its ability.

(7) The Processor regularly monitors internal processes, as well as technical and organizational measures, to ensure that processing within its scope of responsibility complies with the requirements of applicable data protection laws and guarantees the protection of the rights of the data subjects.

(8) Demonstrability of the implemented technical and organizational measures to the Controller within the framework of its control powers under Section 7 of this contract.

6. Subcontracting Arrangements

(1) Subcontracting arrangements within the scope of this regulation refer to services directly related to the provision of the main service. Excluded from this are ancillary services, such as those the Processor uses for telecommunication services, postal/transport services, maintenance and user services, or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity, and resilience of hardware and software of data processing systems. However, the Processor is obligated to take appropriate and legally compliant contractual agreements as well as control measures to ensure data protection and data security for the Controller’s data, even for outsourced ancillary services.

(2) The Processor may only commission subcontractors (additional data processors) with the prior express written or documented consent of the Controller.

Currently, no subcontracting is in place.

Outsourcing to subcontractors or changing the existing subcontractor is permissible, provided that:

the Processor notifies the Controller in writing or in text form of such outsourcing to subcontractors in advance and

the Controller does not object to the planned outsourcing in writing or in text form by the time of data transfer and

a contractual agreement is based on Art. 28(2-4) GDPR.

(3) The disclosure of personal data of the Controller to the subcontractor and its initial activities are only permitted once all conditions for subcontracting are met.

(4) If the subcontractor provides the agreed-upon service outside the EU/EEA, the Processor ensures the legal permissibility of data protection through appropriate measures. The same applies if service providers within the meaning of paragraph 1 sentence 2 are to be used.

(5) Further subcontracting by the subcontractor is not envisaged. It would require the express prior consent of the main contractor (at least in text form).

All contractual regulations in the contractual chain must also be imposed on any further subcontractor in the event of further outsourcing.

7. Controller’s Inspection Rights

(1) The Controller has the right, in consultation with the Processor, to conduct inspections or have them carried out by auditors to be named in individual cases. The Controller has the right to convince itself of the Processor’s compliance with this agreement in the course of its business operations through random checks, which are generally to be announced in a timely manner.

(2) The Processor ensures that the Controller can verify the compliance with the Processor’s obligations according to Art. 28 GDPR. The Processor undertakes to provide the necessary information to the Controller upon request and, in particular, to demonstrate the implementation of technical and organizational measures.

(3) Evidence of measures that do not only concern the specific order may be provided through compliance with approved codes of conduct under Art. 40 GDPR, certification according to an approved certification procedure under Art. 42 GDPR, current certificates, reports, or excerpts from reports from independent bodies (e.g., auditors, internal audit, data protection officer, IT security department, data protection auditors, quality auditors), or suitable certification through IT security or data protection audits (e.g., according to BSI IT-Grundschutz, the BSI baseline protection standard).

(4) The Processor may claim remuneration for enabling controls by the Controller.

8. Notification of Violations by the Processor

(1) The Processor supports the Controller in complying with the obligations mentioned in Articles 32 to 36 of the GDPR regarding the security of personal data, notification obligations in the event of data breaches, data protection impact assessments, and prior consultations. This includes, among other things:

ensuring an adequate level of protection through technical and organizational measures that take into account the circumstances and purposes of processing, as well as the predicted probability and severity of a potential violation of rights due to security gaps, and enabling the immediate identification of relevant violation events;

obligation to report breaches of personal data to the Controller promptly;

obligation to assist the Controller in fulfilling its information obligations towards the data subject and providing all relevant information immediately in this context;

assisting the Controller in its data protection impact assessment;

assisting the Controller in prior consultations with the supervisory authority.

(2) The Processor may claim compensation for support services that are not included in the service description or not attributable to the Processor’s misconduct.

9. Instruction Authority of the Controller

(1) The Controller promptly confirms oral instructions (at least in text form).

(2) The Processor shall immediately inform the Controller if it believes that an instruction violates data protection regulations. The Processor is entitled to suspend the execution of the corresponding instruction until it is confirmed or modified by the Controller.

10. Deletion and Return of Personal Data

(1) Copies or duplicates of data are not created without the knowledge of the Controller. This excludes backup copies as far as they are necessary to ensure proper data processing, as well as data required to comply with legal retention obligations.

(2) After completing the contractually agreed-upon work – at the latest with the termination of the service agreement – the Processor must hand over all documents, processing and usage results produced, as well as data sets related to the contractual relationship, to the Controller or, with prior approval, destroy them in compliance with data protection standards. The same applies to test and waste material. The deletion protocol must be submitted upon request.

(3) Documentation serving as evidence of proper and lawful data processing is to be retained by the Processor beyond the end of the contract in accordance with the respective retention periods. The Processor may hand it over to the Controller at the end of the contract for its relief.

Technical and Organizational Measures for Data Security

– ACARiS GmbH –

Access Control

The access control aims to prevent unauthorized individuals from accessing processing facilities.

• ACARiS GmbH employees access data from their computers, protected by passwords. These computers temporarily store customer emails, while the actual data and archived emails are stored on external servers of a data processing contractor (cloud service provider).

• Access to the external server requires an additional input of an individual username and password.

• External individuals have no access to the securely locked computers.

• Access to the data stored at the cloud service provider is further protected, particularly through:

Ongoing monitoring of the security infrastructure.

The data centers of the cloud service provider maintain an on-site security service responsible for all physical security functions of the data center 24/7. The on-site security personnel regularly monitors CCTV cameras (Closed Circuit TV) and all alarm systems. They conduct routine internal and external patrols within the data center.

The cloud service provider implements formal access procedures for physical entry into its data centers. These data centers are housed in facilities requiring an electronic card key for access, equipped with alarms connected to the on-site security service. Anyone entering the data center must provide identification and proof of identity to the on-site security personnel. Access to the data centers is restricted to authorized employees, contractors, and visitors. Only authorized employees and contractors are allowed to request access to these facilities using electronic card keys. Otherwise, access is granted only to those who have submitted an application, registered, and provided identification in advance.

The cloud service provider maintains a security policy and conducts security training for its own personnel.

Further details on access and entry controls can be found in the technical and organizational measures (TOMs) of the data processing contractor.

Data Carrier Control

The data storage control measures aim to prevent unauthorized access, copying, alteration, or deletion of data carriers.

ACARiS GmbH fundamentally avoids the use of data carriers, given that the majority of data is stored on the external servers of the data processing contractor.

The cloud service provider has established the following procedures for data carrier control:

Every decommissioned data carrier undergoes a series of data destruction processes before leaving the premises of the cloud service provider for either reuse or destruction.
Decommissioned data carriers are subjected to a multi-stage process of deletion, followed by a completeness check. The results of the deletion process are logged and tracked.
In cases where a decommissioned disk cannot be deleted due to a hardware fault, it is securely stored until it can be safely destroyed.

Further details on access and entry controls can be found in the technical and organizational measures (TOMs) of the data processing contractor.

Storage Control

Storage control aims to prevent unauthorized access to stored personal data, including the ability to view, input, modify, or delete such data.

Data from ACARiS GmbH is secured on the external servers of the cloud service provider.

Access to temporarily stored emails from customers on ACARiS computers is restricted to respective employees, protected by a password.

Access to external servers requires the input of an individual username and password.

At the cloud service provider, storage control is planned as follows:

The cloud service provider stores data in a multi-tenant environment on its own servers.
Unless otherwise instructed by the customer, the cloud service provider replicates customer data across multiple geographically distributed data centers.
Customers have the option to utilize logging functions provided by the cloud service provider.

Further details can be found in the technical and organizational measures (TOMs) of the data processing contractor.

User Control

User control aims to prevent unauthorized individuals from using automated processing systems through data transmission.

  • ACARiS GmbH’s data is secured on the external servers of the cloud service provider.

  • Only authorized employees have access to the data temporarily stored on ACARiS computers. Access to these computers is protected by a password.

  • User control for the servers at the data processors is additionally secured, especially through:

Administrators and end users of customers must authenticate through a central authentication system or a single sign-on system in order to use the cloud services.

Only authorized persons are granted access to the data they are entitled to. It is ensured that personal data cannot be read, copied, altered, or removed without authorization during processing, use, and after recording. The systems are designed so that any unauthorized access is detected.

The cloud service provider uses a centralized access management system to control personnel access to production servers and grants access only to a limited number of authorized personnel.

Access to systems is logged to create an audit trail for traceability. Where passwords are used for authentication (e.g., when logging in to workstations), password policies are implemented that meet at least industry standards. These standards include restrictions on password reuse and sufficient password strength. For access to extremely sensitive information (e.g., credit card data), the cloud service provider uses hardware tokens.

Further details can be found in the technical and organizational measures (TOMs) of the data processing contractor.

Access Control

Access control aims to ensure that those authorized to use an automated processing system have access solely to the personal data covered by their access authorization.

ACARiS GmbH’s data is secured on the external servers of the cloud service provider.

Only authorized employees have access to the data temporarily stored on ACARiS computers. Access to these computers is protected by a password.

To access the external servers, the input of an individual username and password is additionally required.

Access to data on servers at the data processors is separately protected, especially through:

The cloud service provider uses a centralized access management system to control personnel access to production servers, allowing access only to a limited number of authorized personnel.

Access is granted only to authorized individuals for the data they are entitled to. It is ensured that personal data cannot be read, copied, altered, or removed without authorization during processing, usage, and after recording. Systems are designed to detect any unauthorized access.

Administrators and end-users of customers must authenticate themselves through a central authentication system or a single sign-on system to utilize cloud services.

The authentication and authorization systems of the cloud service use SSH certificates and security keys and are designed to provide secure and flexible access mechanisms to the cloud service provider. These mechanisms are designed to grant only approved access rights to website hosts, logs, data, and configuration information.

The cloud service provider requires the use of unique user IDs, strong passwords, two-factor authentication, and carefully monitored access lists to minimize the potential for unauthorized account usage.

System access is logged to create an audit trail for traceability. Where passwords are used for authentication (e.g., logging into workstations), password policies are implemented meeting at least industry standards. These standards include restrictions on password reuse and adequate password strength. For access to extremely sensitive information (e.g., credit card data), the cloud service provider employs hardware tokens.

Further details can be found in the technical and organizational measures (TOMs) of the data processing contractor.

Transmission Control

Transmission control aims to ensure that it can be verified and determined to which locations personal data has been or can be transmitted or made available using data transmission facilities.

Personal data is electronically transmitted only to authorized recipients (e.g., financial institutions for general payment transactions).

Logfiles are used to provide evidence and trace the extent of external access.

Data stored on the processors' servers is additionally protected, especially by:

The cloud service provider offers HTTPS encryption (a TLS connection, formerly known as SSL) and supports ephemeral elliptic curve Diffie-Hellman key exchange, signed with RSA and ECDSA. These Perfect Forward Secrecy (PFS) methods help protect data traffic and minimize the impact of a compromised key or cryptographic breakthrough.

The data centers of the cloud service provider are typically connected via private high-speed links to ensure secure and fast data transfer between data centers. This is to prevent unauthorized reading, copying, altering, or removal of data during electronic transmission, transport, or recording on data storage media. Data transmission is carried out using Internet standard protocols.

Further details can be found in the technical and organizational measures (TOMs) of the data processing contractor.

Transport Control

Transport control aims to ensure the confidentiality and integrity of personal data during transmission and transportation of data carriers.

Since the data is stored and processed on the external servers of the data processors, transportation or transmission is rarely necessary.

Personal data is electronically transmitted only to authorized recipients (e.g., financial institutions for general payment transactions).

Data stored on the data processors' servers is additionally protected, especially by:

The cloud service provider offers HTTPS encryption (a TLS connection, formerly known as SSL) and supports ephemeral elliptic curve Diffie-Hellman key exchange, signed with RSA and ECDSA. These Perfect Forward Secrecy (PFS) methods help protect data traffic and minimize the impact of a compromised key or cryptographic breakthrough.

Further details can be found in the technical and organizational measures (TOMs) of the data processing contractor.

Recoverability

Recoverability aims to ensure that systems can be restored in case of disruptions.

  • All business-critical data of ACARiS GmbH is regularly backed up as part of a structured backup plan. This includes, and is especially focused on, personal data residing on these systems. The proper execution of backup tasks is regularly verified.

  • Restoration of data from security backups is promptly feasible and can be performed by ACARiS GmbH.

  • In addition to daily on-site backups, there is a regular georedundant full backup of all data on physically separate backup systems.

As ACARiS GmbH’s data is stored and processed on the external servers of the data processors, their concept of recoverability is decisive. Accordingly, recoverability is specifically ensured through:

Programs for maintaining business operations and for recovery in case of a disaster, which are regularly planned and tested.

Further details can be found in the technical and organizational measures (TOMs) of the data processing contractor.

Reliability

Reliability is intended to ensure that all functions of the system are available, and any malfunctions that occur are reported.

• Antivirus protection and firewall

Since the data of ACARiS GmbH is primarily stored and processed on the external servers of the data processing contractor, their concept of reliability/resilience is crucial. Accordingly, reliability is particularly ensured through:

The cloud service provider employs multiple layers of network devices and intrusion detection to protect against external attacks, utilizing specialized technologies developed for this purpose.

There are specific systems designed to detect intrusions into the cloud service provider’s systems, including preventive measures with strict control over potential attack points, the use of intelligent detection controls at data entry points, and the deployment of technologies that automatically address certain critical situations.

Redundant circuits, switches, networks, or other necessary devices contribute to ensuring the required redundancy. Services are designed to allow the cloud service provider to perform certain types of preventive and corrective maintenance without interruption. Documented procedures for preventive maintenance exist for all business-critical devices and facilities, detailing the process and frequency of execution in accordance with manufacturer specifications or internal specifications.

Preventive and corrective maintenance on data center equipment is planned through a standard change process according to documented procedures.

The power supply systems of the data center are designed to be redundant and can be maintained 24/7 without affecting continuous operation. In most cases, critical infrastructure components in the data center have both a primary and an alternative power source, each with equal capacity. Backup power is provided through various mechanisms, such as uninterruptible power supplies (UPS), which offer consistent and reliable power protection during power outages, blackouts, over- and under-voltages, and frequency excursions. In the event of a power outage, the emergency power supply is designed to provide the data center with full power for up to 10 minutes until the diesel generator systems take over. The diesel generators can automatically start within seconds and provide enough emergency power to typically operate the data center at full capacity for several days.

Further details can be found in the technical and organizational measures (TOMs) of the data processing contractor.

Data Integrity

Data integrity aims to ensure that stored personal data cannot be damaged by system malfunctions.

  • The measures outlined through access, entry, and user controls ensure that data cannot be altered, damaged, or deleted by unauthorized individuals.

  • All business-relevant data of ACARiS GmbH is regularly backed up as part of a structured backup plan. This applies especially to personal data stored on these computers. The proper execution of backup tasks is regularly monitored.

  • Data restoration from security backups can be done quickly and is manageable by ACARiS GmbH itself.

  • In addition to daily on-site backups, there is a regular georedundant full backup of all data to physically separate backup systems.

  • As the essential data of ACARiS GmbH is stored and processed on the external servers of the data processing contractor, their concept for recoverability is crucial. Therefore, data integrity is particularly secured through:

The cloud service provider employs multiple layers of network devices and intrusion detection to protect against external attacks, utilizing specialized technologies developed for this purpose.

There are specific systems designed to detect intrusions into the cloud service provider’s systems, including preventive measures with strict control over potential attack points, the use of intelligent detection controls at data entry points, and the deployment of technologies that automatically address certain critical situations.

Further details can be found in the technical and organizational measures (TOMs) of the data processing contractor.

Availability Control

Availability control aims to ensure that personal data is protected against destruction or loss.

• As the data of ACARiS GmbH is stored and processed on the external servers of the data processing contractor, their concept for availability control is crucial. Therefore, availability is particularly secured through:

Programs for maintaining business operations and for recovery in case of a disaster, which are regularly planned and tested.

There are redundant circuits, switches, networks, or other necessary devices that contribute to ensuring the required redundancy. The services are designed so that the cloud service provider can perform certain types of preventive and corrective maintenance without interruption. For all business-relevant devices and facilities, there are documented procedures for preventive maintenance, detailing the process and frequency of execution according to manufacturer specifications or internal specifications. Preventive and corrective maintenance on data center equipment is planned through a standard change process according to documented procedures.

Further details can be found in the technical and organizational measures (TOMs) of the data processing contractor.