§ 1 Subject and duration
(1) The subject of this agreement is the processing of personal data by the processor (Odenwald IT Service UG, hereinafter “Processor”) on behalf of the controller (the merchant using Now2Wallet, hereinafter “Controller”) within the Now2Wallet service.
(2) The term of this agreement corresponds to the term of the main contract (Now2Wallet subscription). It ends automatically when the main contract ends.
§ 2 Nature and purpose of the processing
(1) The Processor processes personal data on behalf of the Controller solely for the purpose of providing the Now2Wallet service:
- Generating signed Apple Wallet and Google Wallet passes from the ticket data transmitted by the Controller’s shop
- Creating and updating the corresponding wallet pass classes / objects
- Delivering the “Add to wallet” links / passes to the ticket holder
- Audit logging of the actions performed
(2) Processing for any other purpose (e.g. profiling, advertising, sale to third parties) does not take place.
§ 3 Type of personal data and categories of data subjects
(1) The following categories of data are processed:
- Controller / account data: name, e-mail, company, billing address, IP address, user agent
- Ticket-holder data: attendee name, ticket / order number, event data (name, date, venue, seat / section) and the QR / barcode value
- Audit data: timestamps of pass generation, IP addresses for security-relevant actions
(2) The following are not processed: the full contents of the Controller’s WooCommerce database (articles, payment data, customer passwords) and FTP / SSH / database credentials. Communication takes place exclusively via the Now2Wallet plugin over a signed HTTPS API.
(3) Categories of data subjects: the Controller and its staff (account users) as well as the ticket holders whose passes are generated.
§ 4 Obligations of the Processor
The Processor undertakes to:
- process personal data only on the documented instructions of the Controller
- ensure the confidentiality of all persons authorised to process the data
- take appropriate technical and organisational measures (TOMs) pursuant to Art. 32 GDPR (see § 7)
- inform the Controller without undue delay of any personal data breach
- delete or return all personal data after the end of the engagement (except for statutory retention obligations, e.g. invoices under GoBD / AO for 10 years)
- provide the Controller with all information necessary to demonstrate compliance with GDPR obligations
§ 5 Sub-processors
(1) The Processor is entitled to engage the following sub-processors:
| Provider | Purpose | Location |
|---|---|---|
| Mittwald CM Service GmbH & Co. KG | Hosting of the Now2Wallet platform | Espelkamp, Germany |
| Apple Inc. | Apple Wallet pass delivery | USA (EU SCC) |
| Google Ireland Ltd. | Google Wallet pass delivery | Ireland, EU |
| PayPal (Europe) S.à r.l. et Cie, S.C.A. | Payment processing (billing) | Luxembourg |
(2) The Controller consents to the engagement of these sub-processors. Changes are announced at least 30 days in advance; the Controller has a right to object.
§ 6 Rights of data subjects
(1) Insofar as the Controller is legally obliged to do so, the Processor supports the Controller in fulfilling data-subject rights (access, rectification, erasure, portability, objection).
(2) The Processor forwards any such requests received directly to the Controller without undue delay.
§ 7 Technical and organisational measures (TOMs)
The Processor implements the following measures pursuant to Art. 32 GDPR:
Confidentiality
- Physical access control: servers in a certified data centre (Mittwald, ISO 27001)
- System access control: mandatory login, two-factor authentication, password hashing (bcrypt)
- Data access control: role-based permission system (admin / customer)
- Separation control: multi-tenancy, account-scoped filtering on all database queries
Integrity
- Transfer control: HTTPS with HSTS for all connections; HMAC-SHA256-signed API calls to the plugin
- Input control: audit logging of security-relevant actions
Availability & resilience
- Regular backups; encryption of secrets at rest
- Stateless pass generation where possible to minimise stored personal data
§ 8 Deletion and return
After the end of the engagement, the Processor deletes or returns all personal data processed on behalf of the Controller, unless statutory retention obligations require further storage.