Data Processing Agreement
for LumoDoc by FortoLabs
hereinafter referred to as “DPA”,
between
Customer
as set out in the Order Form
hereinafter also referred to as “Controller” or “Data Exporter”
and
Forto Logistics SE & Co. KG
Schönhauser Allee 9, 10119 Berlin, Germany
hereinafter also referred to as “Forto” or “Processor” or “Data Importer”
collectively referred to as “Parties” and each individually referred to as a “Party”.
§ 1 | Definitions
- GDPR : Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
- Personal Data : intended within the meaning of Art. 4 (1) GDPR;
- Data Subject : intended within the meaning of Art. 4 (1) GDPR;
- Processing : intended within the meaning of Art. 4 (2) GDPR;
- Controller : intended within the meaning of Art. 4 (7) GDPR;
- Processor : intended within the meaning of Art. 4 (8) GDPR;
- Third Party : intended within the meaning of Art. 4 (10) GDPR;
- Breach : intended within the meaning of Art. 4 (12) GDPR.
§ 2 | Subject and duration of processing
The details of the subject matter and duration of Processing are set out in the Agreement. This DPA is legally dependent on the Agreement; termination of the Agreement automatically results in termination of this DPA. The parties acknowledge that no (further) processing may be carried out without a valid data processing agreement. An isolated ordinary termination of this DPA is excluded.
§ 3 | Processing details
(1) Type of processing
In the context of this DPA, Personal Data is:
- collected;
- structured;
- adapted;
- made available to the Controller.
(2) Purpose of Processing
- The purpose of Processing is for the Processor to provide the Services to the Controller.
- Processor may further process Personal Data under this DPA for application security purposes, where such processing is required by applicable law or otherwise agreed to by the parties to the Agreement in writing.
(3) Place of Processing
- For the purposes of this DPA, Personal Data shall be processed in the territories of the European Economic Area or in a third country for which an adequacy decision has been taken by the European Commission pursuant to Art. 45 (3) GDPR, which can be found at the following URL: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en .
- Should the Processing take place in a third country for which there is no adequacy decision by the European Commission, as described in the previous subsection, Processor shall ensure that the transfer of Personal Data is based on one of the transfer mechanisms referred to in Art. 46 (2) GDPR, as further described in Section 6 of this DPA.
(4) Categories of Personal Data processed
The following categories of Personal Data are processed under the Agreement:
- Any information contained in the documents provided by the Controller in the context of the use of Services.
(5) Categories of Data Subjects
The following categories of Data Subjects are affected by the processing activities carried out under the Agreement:
- Any Data Subject identifiable from the content of the documents provided by the Controller in the context of the use of Services.
§ 4 | Technical and Organizational Measures
- The Processor must document the implementation of the technical and organizational measures before the start of Processing on the basis of the Agreement.
- The Processor must implement data security measures and ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability, and resilience of the systems and services in accordance with Art. 28 (3) (c) and (e) and Art. 32 GDPR, in particular in conjunction with Art. 5 (1) and (2) GDPR. The Processor lists the security measures implemented to comply with the aforementioned provisions of the GDPR in Annex I to this DPA.
- The technical and organizational measures are subject to technological progress and further development. In this context, the Processor is permitted to implement alternative and appropriate measures that either ensure the same level of security as the replaced measure or further improve it. Significant changes shall be documented and communicated to the Controller without undue delay.
§ 5 | Obligations of the Processor
- The Processor may only process Personal Data under this DPA upon written instructions from the Controller. Any changes to these instructions shall be communicated to the Processor in writing. The Processor shall duly notify the Controller immediately if it believes that compliance with the Controller’s instructions would violate data protection law or other applicable laws and regulations.
- The Processor shall notify the Controller in writing of any Breach related to Personal Data processed on behalf of the Controller, of which the Processor becomes aware without undue delay and in any event within 48 hours of becoming aware of the Breach. The notification shall include all details of the remedial measures taken by the Processor up to that point to address the effects of the Breach. The Processor shall use reasonable efforts to ensure full cooperation with the Controller in investigating the notified Breach, in taking additional remedial measures where reasonably necessary and in informing the relevant supervisory authority and, where deemed necessary by the Controller, the affected Data Subjects.
- The Processor has appointed Giorgio Marradi as Data Protection Officer within the meaning of Articles 37-39 GDPR. Contact details are:
Forto Logistics SE & Co. KG
Schönhauser Allee 9, 10119 Berlin
[email protected]
Any changes to the Data Protection Officer or contact person must be communicated to the Controller without undue delay.
- Pursuant to Art. 28 (3) Sentence 2 (b) GDPR, the Processor ensures that the persons authorized to carry out Processing of Personal Data within the scope of this DPA have committed themselves to confidentiality or are subject to a corresponding statutory duty of confidentiality and have been previously familiarized with the data protection obligations. This confidentiality obligation shall also apply beyond the termination of this DPA.
- Controller and Processor, together with, where applicable, their representatives, shall cooperate and assist each other when necessary to perform tasks related to compliance with Articles 32-36 GDPR, in particular in the event of inquiries from a supervisory authority within the meaning of Article 4 (21) GDPR. Any communication from a supervisory authority received by the Processor concerning Processing on behalf of the Controller shall be communicated to the Controller without undue delay; this also applies if a competent authority conducts investigations in the context of administrative or criminal proceedings.
- The Processor regularly reviews its internal processes and the technical and organizational measures it has implemented to ensure that processing within its area of responsibility complies with the requirements of applicable data protection law and that the rights of Data Subjects are protected. The Processor ensures the verifiability of the technical and organizational measures it has implemented vis-à-vis the Controller within the scope of the Controller’s inspection rights pursuant to § 7 of this DPA.
§ 6 | Subprocessors
- The Processor is hereby generally authorized by the Controller to engage subprocessors to carry out Processing on behalf of the Controller. Subprocessors are Third Parties who provide services to the public and with whom the Processor has concluded a contract for the use of their offered services. An up-to-date list of the appointed subprocessors is set out in Annex II of this DPA.
- The Processor shall notify the Controller in writing of any new subprocessor it intends to engage to carry out Processing under this DPA. The Controller may object to the engagement of the new subprocessor within 15 days of receiving this notification from the Processor. The objection must be communicated to the Processor in writing. Should the Controller fail to object to the engagement of the new subprocessor within this period, the engagement of the new subprocessor shall be deemed to have been agreed by the Controller.
- The Processor shall engage subprocessors by means of a written agreement between the Processor and the subprocessor, in accordance with Art. 28 (4) GDPR.
- If the engagement of a subprocessor for the purposes of the Services involves the transfer of Personal Data to a third country for which no adequacy decision has been adopted by the European Commission pursuant to Art. 45 (3) GDPR, the Processor shall ensure that such transfers are carried out in accordance with Art. 46 (2) GDPR. In particular, if the mechanism set out in Art. 46 (2) (c) GDPR is chosen as an appropriate safeguard for the transfer of Personal Data to third countries, the Processor shall ensure that the standard contractual clauses (EU SCCs) applied are accurate and up to date, in accordance with the latest implementing decision of either the European Commission or the relevant supervisory authority, the latter within the meaning of Art. 4 (22) GDPR.
§ 7 | Rights of the Controller
The Controller has the right to conduct inspections of the Processor’s operational activities involved in the Processing of Personal Data carried out on behalf of the Controller in the context of the provision of Services, either itself or through an appointed third-party auditor. The inspection plan must be submitted by the Controller at least one (1) calendar month prior to the scheduled start of the inspection and must describe the intended scope. Inspections shall be conducted during the Processor’s business hours or, in any event, at times of day that do not disrupt the Processor’s normal business operations. The Processor shall make all reasonable efforts to cooperate with the Controller and any auditors appointed for the inspection; this includes providing all requested documentation, including but not limited to written documents, and making personnel reasonably relevant to the scope of the inspection available for interviews, unless the requested documents are strictly confidential information of the Processor or are reasonably determined to be outside the scope of the inspection. All parties involved in the inspection shall be bound to confidentiality by means of a written agreement.
§ 8 | Processing
- The making of copies and/or duplications of the Personal Data processed under this DPA by the Processor is prohibited, except to the extent necessary to create backup copies of the Personal Data processed, to the extent necessary to comply with the security requirements set out in this DPA or unless otherwise required by applicable law.
- If any of the following conditions apply:
- Termination or withdrawal from the Agreement; or
- the complete fulfilment of the purposes of Processing in accordance with the Agreement,
the Processor shall, at the Controller’s discretion, either return the Personal Data processed under this DPA to the Controller or permanently delete it. The record demonstrating the deletion must be provided upon request.
- If Personal Data processed under this Agreement is retained by the Processor due to security requirements or legal obligations, the Processor shall retain such Personal Data only for as long as necessary to comply with those obligations.
§ 9 | Liability
- Notwithstanding the provisions in § 12 of the Terms and Conditions (https://fortolabs.com/lumodoc-by-fortolabs-terms-and-conditions/), each party to this DPA shall be liable to the other party for any damages it causes to the other party as a result of a violation of any of the clauses contained herein or of data protection law.
- Each party shall be liable to the Data Subject, and the Data Subject shall be entitled to compensation, for any material or non-material damage caused by the party to the Data Subject as a result of the violation of the third-party beneficiary’s rights under this DPA. This shall be without prejudice to the Controller’s liability under the GDPR.
- If more than one party to this DPA is responsible for any damage suffered by the Data Subject as a result of a violation of this DPA or applicable data protection law, all responsible parties shall be jointly and severally liable, and the Data Subject shall have the right to bring legal proceedings against any of those parties.
- The parties agree that if a party to this DPA is found liable under the preceding sub-section, it shall be entitled to recover from the other parties that part of the compensation which corresponds to its responsibility for the damage.
- The Processor cannot rely on the conduct of a sub-processor to avoid its own liability.
§ 10 | Final provisions
- The Processor shall send any communication required under this DPA to the email address provided by the Customer in the Order Form, of which the Agreement is an integral part.
- Should any provision of this DPA conflict in meaning and/or effect with any provision of the Agreement, the provisions of this DPA shall prevail. Should any provision of this DPA conflict in meaning and/or effect with the EU SCC attached to this DPA, the provisions of the EU SCC shall prevail.
- Should individual provisions of this DPA be invalid or unenforceable in whole or in part, or become invalid due to a change in legislation after its conclusion, the remaining provisions and the validity of this DPA as a whole shall remain unaffected. The invalid or unenforceable provision shall be replaced by the applicable statutory provisions or an alternative provision agreed upon by the parties. If the DPA proves to be incomplete, those provisions shall be deemed agreed upon that correspond to its purpose and that would have been agreed upon by the parties had they been considered.
- Any changes to this DPA regarding the Processing must be made in writing and agreed upon by the parties.
- This DPA is governed by the laws of the Federal Republic of Germany. Any disputes arising between the parties in connection with this DPA shall be subject to the jurisdiction of the courts of the Federal Republic of Germany.
Annex I
Technical and organizational measures (TOMs)
1. Office premise access controls
| Technical measures | Organizational measures |
|---|---|
| ☒ Chip cards / transponder systems | ☒ Key regulation / list |
| ☒ Manual locking system | ☒ Reception / Receptionist / Porter |
| ☒ Doors with knob outside | ☒ Visitor book / visitor log |
| ☒ Secure server rooms | ☒ Visitors accompanied by staff |
| ☒ Video surveillance of office entrances | ☒ Access authorization |
| ☒ Remote control and access options for office access | |
2. Device access controls
| Technical measures | Organizational measures |
|---|---|
| ☒ Login with SSO + MFA | ☒ Manage user permissions |
| ☒ Anti-virus software servers | ☒ Mobile Device Management policy |
| ☒ Anti-virus software clients | ☒ Secure password policy |
| ☒ Mobile Device Management | ☒ Deletion / Destruction policy |
| ☒ Firewall | ☒ Clean desk policy |
| ☒ Encryption of notebook hard drives / mobile phones | ☒ General data protection and information security policies |
| ☒ Automatic desktop lock | |
| ☒ Use of VPN for remote access | |
| ☒ Intrusion detection system for data processing systems | |
3. Data access controls
| Technical measures | Organizational measures |
|---|---|
| ☒ Physical deletion / destruction of data carriers | ☒ Use of authorization concepts |
| ☒ Automated and logged user access management system | ☒ Management of user rights by Administrators |
4. Data segregation controls
| Technical measures | Organizational measures |
|---|---|
| ☒ Separation of production and test environments | ☒ Control via authorization concept |
| ☒ Physical separation (systems / databases / data storage devices) | ☒ Defining database rights |
| ☒ Logical separation of databases containing data of the Controller from data processed in the commercial interest of the Processor | |
| ☒ Logical separation of data processed for each customer | |
5. Distribution controls
| Technical measures | Organizational measures |
|---|---|
| ☒ SSL/TLS certificates | ☒ Security guidelines for data processing |
| ☒ Provision via encrypted connections – https | ☒ Deletion concept for deletion of data and destruction of data carriers |
6. Input controls
| Technical measures | Organizational measures |
|---|---|
| ☒ No input rights for processors | |
| ☒ Recording of activity logs | |
7. Availability controls
| Technical measures | Organizational measures |
|---|---|
| ☒ Fire and smoke alarm systems | ☒ Backup & Recovery concept |
| ☒ Fire extinguisher server room | ☒ Control of the backup process |
| ☒ Server room monitoring temperature and humidity | ☒ No sanitary connections in or above the server room |
| ☒ Air-conditioned server room | ☒ Existence of an emergency plan |
| ☒ UPS | |
| ☒ Protective power strips server room | |
| ☒ RAID system / hard disk mirroring | |
| ☒ Alarm message in case of unauthorized access to the server room | |
8. Disaster recovery
| Technical measures | Organizational measures |
|---|---|
| ☒ Recurring data backups (daily / weekly / monthly) | ☒ Recovery concept, including the emergency contact telephone numbers needed in case of an incident |
9. Data protection management
| Technical measures | Organizational measures |
|---|---|
| ☒ Central documentation of all data protection procedures and regulations with access for employees as required / authorized (e.g. Wiki, Intranet, etc.) | ☒ Data Protection Officer |
| ☒ Employees trained and committed to confidentiality | |
| ☒ Regular training of staff on data protection and security obligations | |
| ☒ The Data Protection Impact Assessment (DPIA) is carried out if necessary | |
| ☒ Formalised procedure for processing information requests from data subjects is in place | |
10. Incident response management
| Technical measures | Organizational measures |
|---|---|
| ☒ Use of firewall and regular updates | ☒ Documented process for detecting and reporting security incidents / data breaches (also with regard to reporting obligations to supervisory authorities) |
| ☒ Use of spam filters and regular updates | ☒ Documented procedures for dealing with security incidents |
| ☒ Use of virus scanners and regular updates | ☒ Involvement of ☒ DPOs and ☐ ISOs in security incidents and data breaches |
11. Privacy by Design and by Default
| Technical measures | Organizational measures |
|---|---|
| ☒ Except for the information recognized by the service’s software, the content of the documents processed by the service is not recorded or stored | ☒ Strict access rights policy for information processed on behalf of Controllers, based on the need-to-know principle |
| ☒ Use of LLM processing via API connection | |
| ☒ Data minimisation ensured by carrying out processing solely on the basis of API calls | |
12. Sub-processing (outsourcing to third parties)
| Technical measures | Organizational measures |
|---|---|
| ☒ Use of LLM processing via API connection | ☒ Selection of the contractor under due diligence (especially with regard to data protection and data security) |
| ☒ Conclusion of the necessary agreement for order processing or EU standard contractual clauses | |
Annex II
List of subprocessors
| Company | Processing locations | Processing carried out |
|---|---|---|
| Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Dublin, Ireland | Ireland, Belgium, United States | Data cloud storage; AI functionality (Gemini AI) |
| Datadog, Inc., 620 8th Ave., 45th Fl., New York, NY 10018, United States | Germany, United States | Security event logging |
| Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, United States of America | Germany, United States | Rate limitation, DDoS mitigation. No access to any information contained in either input documents or output data. |