1. General
1.1. Object of the DPA: Wire shall provide the Controller with the service as described in the ToU (“Service”) and shall process personal data as part of the performance of Services on behalf of the Controller.
1.2. Nature, purpose and duration of processing: The data processing shall serve the purpose of providing a software solution for messaging services as described in the ToU being an integral part of the Service. The duration of the processing shall be in line with the duration of the provision of the Service.
1.3. Group of data subjects: Users of the Service whom the Controller enrolls to the Service as well as persons whose personal data is included in the content of the communication between the users.
1.4. Type of personal data processed: Wire processes the following types of personal data on behalf of the Controller:
Metadata of the Service; this, particularly, includes information on the creator of a team, conversation name and pseudonymised participants list as well as the team assignments of the participants;
full name and email address and / or mobile phone number;
temporary traffic data of the Service like log files including user’s type of equipment and IP addresses;
end-to-end encrypted communication data, such as messages and files (Wire only temporarily stores encrypted messages on its servers for the purpose of allowing those messages to later be delivered to offline clients once the clients get back online. Wire does not hold the decryption keys to those messages and therefore cannot access the content);
data separately provided by the user, e.g. profile picture.
1.5. Processor: With respect to the processing of personal data as part of this DPA, Wire is the Processor in the meaning of Art. 4 (8) GDPR.
1.6. Place of Processing: Wire generally performs the contractually agreed processing of personal data on servers within the Member States of the European Union and Switzerland. If the agreed performances are nevertheless provided outside the area of Member States of the European Union or Switzerland on instructions of the Controller, Wire shall ensure that the transfer of personal data is admissible pursuant to Art. 44 et seqq. GDPR by making sure that at least one of the following conditions is met:
There is an adequacy decision by the European Commission for the third country;
appropriate safeguards are put in place (i.e. binding corporate rules (BCR), standard data protection clauses, approved codes of conduct or certification mechanisms);
the data transfer is covered by derogations for specific situations pursuant to Art. 49 GDPR.
1.7. Instructions by the Controller: Wire will process personal data as the Processor as specified in the ToU and the DPA. The ToU and the DPA contain all instructions by the Controller on data processing. Accordingly, Wire will process the data:
Insofar as required with respect to the scope and type for the purpose of providing the Service and for meeting the obligations from the ToU and this DPA;
insofar as Wire is obliged to do so pursuant to the law of the European Union or the law of the Member States to which Wire is subject (in such a case, Wire shall notify the Controller of that legal requirement before processing, unless that law prohibits such notification on important grounds of public interest).
The Controller shall retain the right to issue instructions regarding the data processing according to the provision of the ToU and this DPA. Instructions by the Controller shall be agreed with Wire and documented. Any expenses incurred by Wire for this purpose shall be reimbursed by the Controller.
2. Controller's rights and obligations
2.1. Data responsibility: The Controller shall be responsible for the permissibility of the processing of personal data as well as the protection of the rights of the data subjects.
2.2. Control rights: Wire is obliged to provide the Controller with all information required to demonstrate compliance with Wire’s obligations pursuant to this DPA, in particular, the technical and organizational measures pursuant to §4 of this DPA, before commencement of the data processing and regularly during the data processing. The Controller shall be entitled to inspect compliance with Wire’s obligations under this DPA to an appropriate extent, either personally or by a third party, in particular, by obtaining information on the technical and organizational measures and, in case this information is not sufficient, by on-site inspections (“Inspections”). The Inspections at the Processor shall be carried out without avoidable disruption of the business of the Processor and without violation of the protection of personal data. As a rule, Inspections shall be carried out upon reasonable notice, in urgent cases also without notice, and during the business hours of the Processor, but, as a rule, no more frequently than every 12 months.
3. Processor's rights and obligations
3.1. Rights of the data subject. The Processor shall assist the Controller, if possible, by appropriate technical or organizational measures to enable the Controller to comply with any data subject rights laid down in Chapter III of the GDPR. The Processor shall answer data subject requests only if the Controller instructs the Processor to do so or if the Processor is obliged to do so by law. The assistance by the Processor to the Controller in the context of data subjects’ rights may be subject to a charge.
3.2. Data confidentiality: The Processor shall ensure that all employees who have access to personal data are informed of the confidential nature of the personal data and of any special data protection requirements arising from this commission, in particular, the limitation of data processing to specific purposes as instructed by the Controller and that all such employees have entered into confidentiality agreements with the Processor.
3.3. Further assistance of the Controller, inter alia, with regard to technical and organizational measures. The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to the Processor.
3.4. Information about concerns: The Processor shall inform the Controller without undue delay if the Processor is of the opinion that an instruction of the Controller infringes the GDPR or other data protection provisions of the Union or the Member States. The Processor shall be entitled to suspend the execution of the relevant instruction until the Controller confirms or changes it.
4. Technical and organizational measures
4.1. Technical and organizational measures: The Processor will implement all technical and organizational measures which are necessary pursuant to Art. 32 GDPR and other data protection requirements to ensure a level of security appropriate to the risk associated with its processing activities.
For further information on the technical measures taken by Wire please visit https://wire.com/security.
5. Security incidents
5.1. Security incident notification: In case of security incidents, the Processor is obliged to apply all necessary measures to ensure the integrity and confidentiality of personal data without undue delay. Furthermore, in case of a data breach, the Processor shall notify the Controller without undue delay after becoming aware of such breach. In this case Wire will provide the Controller with all required information enabling the Controller to comply with its statutory obligations.
6. Subcontractors
6.1. Authorized subcontractors: The Processor may contract subcontractors. The involvement of a subcontractor requires that the Processor (a) ensures that the subcontractor fulfils Processor’s duties according to this DPA and (b) assumes liability towards the data subject for actions of the subcontractor concerned, as if these actions were taken by the Processor itself. At the time of the conclusion of this DPA, Wire engages the following subcontractors: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg for the provision of the server infrastructure and Zeta Project Germany GmbH, Rosenthaler Str. 40, 10178 Berlin, for the development of the services. Wire shall inform the Controller about the involvement of any further subcontractor or the replacement of any subcontractor. The Controller shall have the opportunity to object to the involvement within one month after having been informed. In the event of Controller’s objection, Wire shall be entitled to an extraordinary termination right.
6.2. Territorial scope: The Processor may not use any subcontractors located outside the Member States of the European Union, the European Economic Area or Switzerland for processing personal data.
7. Deletion / return of personal data
7.1. Deletion: Upon termination of the DPA or when requested by the Controller, the Processor, at the choice of the Controller, shall return to the Controller all personal data available at the Processor and shall delete copies, if any, provided that no legal obligation to keep the personal data exists pursuant to the law of the Union or the Member States to which Wire is subject.