Data Processing Agreement for Resellers and Partners

Non-binding translation
This is an informational English translation. The legally binding version is the German original.

DATA PROCESSING AGREEMENT (DPA) – RESELLER AGREEMENT

pursuant to Art. 28 GDPR

between

meisterwork GmbH
Rosentaler Straße 1
9020 Klagenfurt am Wörthersee
Austria
(hereinafter referred to as the "Main Processor")

and

[Reseller Name]
[Address]
[Postal Code City]
[Country]
(hereinafter referred to as the "Sub-Processor / Reseller")

Preamble

The reseller distributes the bessa software of the Main Processor to end customers (operators). In the course of this activity, the reseller obtains access to personal data stored in the Main Processor's systems in order to provide support services. This agreement governs the data protection obligations of the reseller as a sub-processor.

1. Subject and Duration

1.1 Subject

As a sub-processor, the reseller processes personal data on behalf of the operators (controllers); access is provided through the Main Processor's systems. Processing is carried out exclusively for the purpose of:

  • Providing first-level support to operators

  • Assisting with system setup and configuration

  • Conducting training sessions

  • Troubleshooting and technical support

1.2 Duration

This agreement applies for the term of the reseller agreement between the parties.

2. Nature of Data Processing and Data Subjects

2.1 Nature of Processing

  • Inspection of customer data for support purposes

  • Configuration of system settings

  • Assistance with data entry

  • Error analysis and troubleshooting

  • Conducting system tests

2.2 Data Categories

In the course of providing support, the reseller may obtain insight into the following data categories:

  • Master data of end customers

  • Transaction data (orders, invoices)

  • System configuration data

  • Customer loyalty data

  • Hospitality/Accommodation: Billing data for additional services, room numbers for internal billing

Note: ID and registration data is NOT processed in bessa.

2.3 Data Subjects

  • End customers of operators

  • Hotel guests (only with regard to additional services)

  • Employees of operators

  • Business partners of operators

3. Obligations of the Reseller

3.1 Purpose Limitation and Obligation to Follow Instructions

The reseller:

  • Processes data exclusively for the agreed support purposes

  • Follows the instructions of the Main Processor and the respective operators

  • Does not use the data for its own purposes or for the purposes of third parties

  • Does not store local copies of customer data

3.2 Confidentiality

The reseller undertakes to:

  • Place all employees under an obligation of confidentiality

  • Ensure that only authorised employees obtain access

  • Conclude a confidentiality agreement with all persons authorised to access

3.3 Data Security

The reseller implements appropriate technical and organisational measures:

  • Secure authentication for system access

  • Use of secure connections

  • Protection of access credentials

  • Clean desk policy

  • Secure deletion/destruction of printouts or temporary files

3.4 No Further Sub-processing

The reseller may not engage any further sub-processors without prior written approval.

3.5 Duty to Provide Support

The reseller supports:

  • The handling of data subject requests

  • The reporting of personal data breaches

  • Audits by supervisory authorities

3.6 Documentation

The reseller maintains a record of all processing activities pursuant to Art. 30 GDPR.

4. Audit Rights

4.1 Audits

The Main Processor and the respective operators have the right to:

  • Verify compliance with this agreement

  • Inspect relevant documentation

  • Conduct audits (with reasonable prior notice)

4.2 Duty to Provide Information

Upon request, the reseller shall provide information about:

  • Employees authorised to access

  • Support activities performed

  • Implemented security measures

5. Notification Obligations

The reseller shall inform the Main Processor without undue delay about:

  • Personal data breaches or suspected cases

  • Requests from data subjects

  • Audits by supervisory authorities

  • Instructions which the reseller considers unlawful

Personal data breaches must be reported within 24 hours of becoming aware of them.

6. Access Logging

The reseller documents all access to customer data:

  • Date and time of access

  • Affected operator/customer

  • Reason for access (ticket number, support request)

  • Activities performed

  • Name of the accessing employee

7. Training and Awareness

The reseller undertakes to:

  • Train all employees in data protection

  • Carry out regular refresher training

  • Document the training sessions

8. Termination

Upon termination of the agreement:

  • All access rights are withdrawn without undue delay

  • All local data must be deleted

  • Deletion must be confirmed in writing

9. Liability

9.1 Liability of the Reseller

The reseller is liable for breaches of data protection regulations in accordance with the statutory provisions of the GDPR.

9.2 Indemnification

The reseller shall indemnify the Main Processor against all third-party claims based on a culpable breach of this agreement by the reseller.

10. Remuneration

The rights and obligations under this agreement are settled by the reseller agreement. No separate remuneration is paid.

11. Final Provisions

11.1 Written Form

Amendments and supplements must be made in writing.

11.2 Severability Clause

Should individual provisions be invalid, the validity of the remaining provisions remains unaffected.

11.3 Governing Law

Austrian law applies. Place of jurisdiction is Klagenfurt am Wörthersee.


Annex: Technical and Organisational Measures of the Reseller

Minimum Requirements for Security Measures

1. Physical Access Control

  • Business premises are secured against unauthorised entry

  • Server rooms / IT rooms are specially protected

2. System Access Control

  • Use of individual, strong passwords

  • Activation of two-factor authentication

  • Screen lock during absence

  • No sharing of access credentials

3. Data Access Control

  • Access only to necessary customer data

  • Principle of least privilege

  • Regular review of authorisations

4. Transfer Control

  • No disclosure of customer data to third parties

  • Encrypted communication

  • Secure deletion of data carriers

5. Input Control

  • Documentation of all support activities

  • Traceability of changes

6. Availability Control

  • Protection against malware

  • Regular security updates

  • Backup of own systems

7. Separation Requirement

  • Separation of customer data of different operators

  • No mixing with own business data


Contact details for data protection matters:

Main Processor:
meisterwork GmbH
E-mail: support@bessa.app
Tel: +43 720 317 836

Reseller:
[Name of the data protection officer]
[E-mail]
[Telephone]


Place, date: _______________________

For the Main Processor (meisterwork GmbH):


Name, position
Signature

For the Sub-Processor (Reseller):


Name, position
Signature