concluded between licensees as stated in the offer

(hereinafter referred to as the "person responsible")

and in-manas: intelligent management solutions GmbH

FN 456942 z

Bienerstraße 4, 6020 Innsbruck

(hereinafter referred to as "processor")



1.1 This Agreement is the legal basis for the processing of personal data provided by the Controller to the Processor in accordance with Article 28 paragraph 3 of the General Data Protection Regulation ("GDPR").


2.1 The subject of this contract is the execution of the following tasks by the processor on behalf of the responsible party: Licensing and operation of the in-manas software solution in accordance with the licence agreement concluded between the Responsible Party and the order processor.

2.2 This agreement is concluded for the duration of the licence agreement between the parties according to point 2.1. It therefore ends automatically at the point in time at which the licence agreement according to point 2.1 ends.


3.1 The data provided by the Controller is processed automatically and manually. The processing is carried out for the purpose of the technical and content provision by the processor of the services provided for in the licence agreement referred to in point 2.1. Against this background, the purpose and scope of the processing can be summarised as follows:

3.1.1 The purpose of the Software licensed by the Processor is to collect ideas from natural persons (typically employees) and to discuss, summarise and evaluate them. The exact purpose of the software is presented by the responsible person before inviting the first participants in accordance with company agreements and on the platform for all participants to see. For this purpose, conditions of participation which can be edited and are accessible to all participants are available.

3.1.2 The scope of collection and processing is limited to the persons mentioned by name on the closed platform. Processing includes the display of this data on the screen and data exports for the administrator(s) of the platform and the sending of e-mails to users of the platform.

3.2 In principle, the data processing provided for under this agreement shall only be carried out in a member state of the European Union or in a member state of the European Economic Area.

3.3 Any transfer of data to a state that is not a member state of the European Union or the European Economic Area may only be carried out if (i) this has been expressly agreed between the parties or otherwise approved by the person responsible and (ii) the requirements of Art 44 ff GDPR are fulfilled. In this case, the processor will inform the responsible party in writing of how an adequate level of data protection is ensured in the country concerned that enables data to be transferred.


4.1 The Controller shall provide the following personal data for the processing of orders in accordance with this Agreement:

4.1.1 Personal master data and communication data (name, e-mail address).

4.1.2 Data relating to submitted ideas, comments and ratings of ideas; questions and answers from surveys

4.1.3 Contract master data, contract billing and payment data for the responsible person.


5.1 Processing under this Agreement includes the following categories of data subjects:

5.1.1 Employees and staff of the Controller;

5.1.2 customers, interested parties, suppliers, sales representatives, contact persons;

5.1.3 sublicensees of the Controller and the employees and co-workers of such sublicensees;


6.1 The responsible person declares that:

6.1.1 the processing of the personal data provided to the Processor, including the provision of such data to the Processor, has been and shall continue to be carried out in accordance with the relevant provisions of the applicable legal regulations (in particular data protection law and labour law)

6.1.2 he has instructed and will continue to instruct the Processor, throughout the duration of the data processing services, to process the personal data provided only on behalf of the Controller and in compliance with the applicable law;

6.1.3 he will immediately and fully inform the processor if he discovers errors and irregularities in the results of the order with regard to data protection provisions;

6.1.4 he shall fulfil his obligations to the persons concerned in accordance with the applicable legal situation.


7.1 Within his area of responsibility, the Processor shall take and describe technical and organisational measures to ensure a level of protection appropriate to the risk in accordance with Art. 32 GDPR.

7.2 The necessary measures currently implemented by the Seller to ensure the security of processing in accordance with Art. 32 GDPR are described in Annex 1.

7.3 The technical and organisational measures are subject to technical progress and further development. The Seller shall be entitled to implement alternative adequate measures provided that they do not fall below the security level of the specified measures.


8.1 The processor shall process personal data only on documented instructions from the controller, including with regard to the transfer of personal data to a third country or international organisation, unless required to do so by Union or national law to which the processor is subject, in which case the processor shall notify the controller of these legal requirements prior to processing, unless the law concerned prohibits such notification for an important public interest.

8.2 The Processor shall ensure that the persons authorised to process the personal data of the Processor are bound to confidentiality or are subject to an appropriate legal obligation of secrecy and process the personal data in accordance with Article 32, paragraph 4 of the GDPR only on the instructions of the Controller, unless they are obliged to do so under Union or national law.

8.3 At the request of the Controller, the processor shall, in accordance with Art. 28 para. 3 lit f GDPR, assist in the preparation of a data protection impact assessment and, where appropriate, in the prior consultation of the supervisory authorities. At the request of the Controller, the processor shall cooperate in the compilation and updating of the Controller's list of processing activities in so far as the documentation of technical and other measures is concerned.

8.4 The Processor shall ensure that it supports the Responsible Party as far as possible with suitable technical and organisational measures in fulfilling its obligation to respond to requests to exercise the rights of the data subject as specified in Chapter III of the GDPR. If a data subject turns to the processor with the assertion of one of the rights specified in Chapter III GDPR, the processor shall refer the person concerned to the controller, provided that an assignment to the controller is possible according to the data subject's details. The processor shall not be liable if the data subject's request is not answered, or is answered incorrectly or late, by the data controller.

8.5 The processor shall assist the Controller in complying with the obligations set out in Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to him.

8.6 The Processor shall continuously monitor its data processing processes and systems with regard to compliance with data protection regulations and shall document the monitoring. Upon request, the Processor shall provide the Responsible Party with documentation as proof of sufficient guarantees.

8.7 The Processor shall inform the Responsible Party in case of suspicion of a violation of the protection of personal data as well as of control actions and measures taken by the supervisory authority. The Processor is aware that the Responsible Party is obliged to comprehensively document all violations of the protection of personal data and, if necessary, to notify the supervisory authorities or the data subject within 72 hours. In this case, the processor shall support the responsible party in complying with its reporting obligations and, in particular, provide the information specified in Art. 33 para. 3 GDPR.

8.8 The Processor shall - at the option of the Controller - either delete or return the personal data provided and the works developed from it after termination of the contract concluded pursuant to point 2.1, unless there is an obligation to store them under Union law or the law of the Member States.

8.9 If the legal requirements are met, the Processor shall appoint a Data Protection Officer and notify the Controller thereof. Any change of the data protection officer and the contact person for information security matters of the processor shall be notified to the Responsible Party in writing without delay.

8.10 The Processor shall provide the Responsible party with all information necessary to prove compliance with the obligations set forth in this Article and shall enable and contribute to any checks - including inspections - carried out by the Responsible party or by another auditor appointed by the Responsible party.

8.11 The data shall be handled exclusively within the framework of the agreements made and in accordance with the instructions of the Responsible Party. The standards contractually agreed in the context of the assignment, including user documentation and the general terms and conditions of the processor, shall apply to the scope of the instructions. The processor shall inform the controller without delay if it considers that an instruction from the controller is in breach of Union or national data protection legislation. However, the mere acceptance of an instruction by the processor does not constitute an assessment of whether or not it is in breach of data protection rules. The processor is entitled to suspend compliance with instructions until they have been reconfirmed or amended by the controller.


9.1 The Responsible Party shall be entitled to carry out inspections in consultation with the processor or to have them carried out by inspectors to be named in individual cases. If, in individual cases, inspections by the Responsible Party or an inspector appointed by the Responsible Party are necessary, they shall be carried out during normal business hours without disrupting operations after notification, taking into account a reasonable lead time. The Contractor may make such inspections dependent on prior notification with an appropriate lead time and on the signing of a confidentiality agreement with regard to the data of other customers and the technical and organisational measures implemented. If the examiner commissioned by the Responsible Party is in a competitive relationship with the commissioned processor, the commissioned processor shall have the right to object to this.

9.2 The Contractor shall ensure that the Client can satisfy himself that the Contractor complies with his obligations under Art. 28 GDPR. The contractor undertakes to provide the customer with the necessary information on request and in particular to provide evidence of the implementation of the technical and organisational measures.

9.3 The proof of such measures, which do not only concern the specific order, can be provided by:

9.3.1 compliance with approved rules of conduct in accordance with Art. 40 GDPR;

9.3.2 certification in accordance with an approved certification procedure under Art 42 GDPR;

9.3.3 current attestations, reports or report extracts of independent bodies (e.g. auditors, revision, data protection officer, IT security department, data protection auditors, quality auditors);

9.3.4 appropriate certification by IT security or data protection audit.

9.4 The party processing the order may assert a claim for remuneration for enabling controls by the responsible party.


10.1 The Contractor may use subcontractors for the performance of its processing activities, provided that the provisions of the GDPR (in particular Art. 28 Paras. 2 and 4 GDPR) are complied with.

10.2 The same data protection obligations as laid down in this contract shall be imposed on the sub-processor by means of a contract or another legal instrument in accordance with Union law or the law of the Member State concerned, in particular by providing sufficient guarantees that the appropriate technical and organisational measures are implemented in such a way that the processing is carried out in accordance with the requirements of this Regulation.

10.3 The Processor currently uses the following subcontractors:













10.4 By entering into this agreement, the Responsible party confirms not to raise any objections against the subcontractors listed in point 10.3.

10.5 In accordance with Art. 28 para. 2 of the GDPR, the responsible party has the right to object to any change regarding the involvement or replacement of subcontractors. For this purpose, the subcontractor shall inform the Responsible party of this fact at least 30 days before a new subcontractor is called upon. An objection must be made within 10 working days.


11.1 The person responsible and the processor shall be liable in the external relationship pursuant to Art 82 para. 1 GDPR for material and immaterial damage suffered by a person on account of a violation of the GDPR. If both the person responsible and the processor are responsible for such damage under Art 82(2) GDPR, the parties are liable for this damage in their internal relationship in proportion to their share of responsibility. If in such a case a person claims damages from one party in whole or in part, that party may demand indemnification from the other party in so far as this corresponds to its share of responsibility.


12.1 This agreement contains all agreements between the parties with regard to the subject matter of the contract. There are no oral or written agreements outside of this agreement. This agreement replaces and cancels all previous oral and written agreements of the parties with regard to the subject matter of the agreement.

12.2 Subsidiary agreements or amendments to this agreement - including this written form clause - must be in writing.

12.3 References to laws, regulations, documents and annexes shall apply to the laws, regulations, documents and annexes as amended from time to time, including any amendments after the date of the Contract, unless expressly provided otherwise.

12.4 This Framework Agreement shall be governed by the law of the Republic of Austria to the exclusion of the UN Convention on Contracts for the International Sale of Goods (CISG). The international place of jurisdiction is Austria. The local place of jurisdiction is the registered office of the processor.

12.5 Should individual provisions of this agreement be or become invalid or impracticable, the validity of the remaining parts shall not be affected. In such a case, the parties undertake to replace the invalid or unenforceable provision with one that comes as close as possible to the intended purpose in a legally permissible manner. The same applies in the event of loopholes in the regulations.


Date and signature according to offer and order confirmation








Date and signature according to offer and order confirmation





Person responsible





The in-manas system itself is developed at IN-MANAS in the company building and after testing with artificially generated data on internal servers it is imported into the environment in the computer centre. Production system (computer centre), test system (computer centre) and development system (IN-MANAS) are operated separately. An update usually takes place step by step.


The virtualised server infrastructure is provided by Configo Systems GmbH (Hilpertstrasse 3, 64295 Darmstadt, Germany).

The data centre complies with the international guidelines for IT security ISO 27001:2005 and quality management ISO 9001:2008. Only Global Switch customers have access to the data centre. During the visit, an official identification document must be deposited at reception.



  • The platform has access safeguards that can be set up by the administrator himself.
  • Password security according to complexity as is common in the industry
  • Session timeout / automatic logout control

Securing data traffic via HTTPS


Only the IN-MANAS system administrators responsible for the project have administrative access to the servers. The access is only possible for the system administrators in the following way:

  • Via the IN-MANAS Intranet: with a 1-factor authentication procedure, only via the SSHv2 protocol
    • Access to the IN-MANAS Intranet is only available from the IN-MANAS office: Schellingstr. 45, 80799 Munich
    • Or via a VPN connection to the IN-MANAS office network, which is reserved for IN-MANAS system administrators
  • Via the Internet: with a 2-factor authentication procedure, using the SSHv2 protocol only
  • Employees of Configo Systems GmbH are only granted access to the serial consoles after consultation with the administrative staff of IN-MANAS. This is additionally limited to the case of disaster recovery.

Database access: access to the MySQL database of the In-manas platform is only provided via the IN-MANAS intranet. Access to this web interface is provided by the IN-MANAS System Administration Team and the responsible developer of the platform.

2.3 IN-MANAS internal systems:

  • Password procedure (with numbers, letters and minimum length)
  • Deactivation of accounts for non-active employees before leaving the company


The following minimum configuration of the authorisation concept and access rights as well as their monitoring and logging is given:

  • Access for the system administration team: The system administration team has full administrative access to the responsible server and the database. After the start of the entry of personal data (simultaneously with the so-called "Go Live" of the In-manas platform), the administrative access to the servers is only permitted for IN-MANAS system administrators in case of emergency and after consultation with the corresponding project manager.
  • Access for the responsible developer: Until the "Go Live" of the platform the responsible developer has access to the files of the web server, which will be withdrawn after the start of the project. Access to the database will continue, but is only permitted in an emergency and after consultation with the relevant project manager.
  • Access for the project manager: the project manager has access to the admin area of the platform during the entire runtime, which can also be deactivated after consultation.


2.5 in-manas: Customer platform

  • Personal account for access to the In-manas, no group accounts are allowed.
  • Role system: A distinction is made between normal users, experts, authors and administrators.


  • Demand-oriented, differentiated authorisation concept (profiles, roles), which is centrally controlled and coordinated with the IN-MANAS management
  • Computer centre and server accesses are person-related


The following minimum measures are to be taken during transport, transfer and transmission or storage on data carriers (manual or electronic) and during subsequent inspection:

3.1 in-manas: customer platform

  • SSL encryption of all connections to in-manas, http requests are rewritten to https
  • the export of personal data is only possible for the administrator
  • Logging of all essential behaviour elements (see point 5 "Input control").



Encryption for updates

All data carriers that store personal data, in particular the data of the web server and the databases, are encrypted with AES 256-bit. Backups that are transferred to a third-party system for further protection are encrypted with a separate AES 256-bit key, which is only used for the corresponding in-manas platform, and transferred via a secure SSHv2 connection using SFTP.


The following measures for subsequent verification whether and by whom data have been entered, modified or removed (deleted) are at least given.


  • Logging of all relevant activities with time stamp and author e.g.
    • Login
    • Input, modification of ideas
    • Evaluations (Quick / Detailed evaluation)
    • Visitors of ideas and profiles
    • Communication on the pin board
  • No physical deletion of data, but deletion by "flags"



The following measures (technical/organisational) to delimit the competences between the client and contractor are at least given.

  • IN-MANAS is technically and functionally offered by IN-MANAS as a standard product. All organisational measures within the scope of this standard will be described for the Client within the scope of this Agreement and, upon request, beyond this prior to the conclusion of the Agreement. By placing a written order, the Customer agrees that no customer-specific adaptation of either a technical or data protection nature is provided for in the present model and that the documented requirements are suitable for the intended use.
  • All regulations regarding data protection are made in advance and with all customers to the same extent (standard). The terms and conditions that are defined in the written order by the customer and order confirmation between the customer and IN-MANAS shall apply. If data protection or the General Terms and Conditions are changed due to technical or legal developments, IN-MANAS may provide an updated version. IN-MANAS shall draw the attention of the customer to this and shall indicate the changes. If the customer does not object within a review period of 4 weeks, the new terms and conditions shall be deemed accepted. Otherwise, the existing conditions shall continue to apply.
  • The supplementary agreement on data protection including this appendix shall be deemed to be the contract regarding commissioned data processing.

IN-MANAS will only collect and process personal data to the extent necessary for the order. For control purposes, the customer receives regular reports on the collected data and its processing after consultation. For control by the client there is the possibility to transmit corresponding server logs to the client.


The following minimum measures for data backup (physical / logical) are in place:

  • All hard disks are backed up using RAID procedures
  • Backup - scope:
    • Total server backup (1x daily) (Backup A)
    • A daily full backup (full backups are kept for at least 30 days) (Backup B)
    • Hourly incremental backup (the last 24 hours are kept) (Backup C)
  • Redundant network connection
  • Virus protection
  • Uninterruptible power supply
  • All backups (of backup B and C) except the final backup are deleted after completion. All backups from backup A expire after seven days.
  • The following restore strategy is used in case of failure:
    • Attempt to restore first from the hourly backups (backup C)
    • In case of error: Restoration from daily backups (Backup B)
    • Disaster Recovery: recovery from server backups (Backup A)

Furthermore, in order to protect personal data from being destroyed in any other way, backups are carried out according to the following plan:

  • All backups are stored unencrypted - but on an encrypted file system - on the server responsible for the IN-MANAS platform to ensure the fastest possible restore process.
  • An extra encrypted copy of the backups is located on a storage area separate from the server responsible.
  • The entire server responsible for the IN-MANAS platform is backed up once a day. The technology used for this is so-called ZFS snapshots. (Backup A)

The servers of the In-manas platform are monitored 24/7 by a monitoring system. In the event of a failure, the responsible project manager and the IN-MANAS System Administration Team are informed of the failure by e-mail and SMS. The response times are the working hours of the responsible IN-MANAS System Administration Team (Mon-Fri 9am-6pm), unless otherwise agreed with the project manager.


The following minimum separation measures are in place.

  • Separation into productive, test and development systems
  • Use of test data for the development system