top of page

Order Processing Agreement

In accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").

This Data Processing Agreement has been concluded between the parties named below in connection with Lemin GmbH and shall enter into force upon signature.

1. Contracting parties

1.1. The responsible party according to Art. 4 (7) of the General Data Protection Regulation ("GDPR") is the ordering party (hereinafter referred to as the "Ordering Party").

1.2. Processing party according to Art. 4 para. 8 General Data Protection Regulation ("GDPR") is: Lemin GmbH, Rochusplatz 1, 50827 Cologne, Germany. (hereinafter "Processor" "Processor" or "Lemin").

2. Definitions

2.1. Unless specified otherwise in this Agreement, the definitions of Art. 4 GDPR shall apply.

2.2. "Applicable Data Protection Law" means the GDPR and other legislation applicable to the processing for the purposes of this Agreement. In addition to the GDPR, the national data protection law of the country in which the controller has its place of business shall also apply.

3. Contractual relationship

3.1. Each Party shall comply with its respective obligations under applicable data protection and/or privacy laws and regulations in or in relation to the countries of the European Union and the United Kingdom, including the General Data Protection Regulation (2016/679) ("GDPR") and local implementing laws or regulations ("Data Protection Laws"). The terms "Processing", "Controller", "Processor", "Personal Data" and "Data Subject" shall have the same meaning as in the applicable Data Protection Legislation.

3.2. The Ordering Party shall be the responsible party within the meaning of Art. 4 No. 7 DSGVO for the processing of data on behalf of Lemin. Lemin shall have the right to inform the client if data processing which it considers to be legally inadmissible is the subject of the order and/or an instruction.

3.3. Subject matter and purpose of the assignment

This Agreement is entered into between the Parties as a result of the processing of personal data under the above contract [as above] (hereinafter "Service Agreement").

3.4. The processing is primarily carried out for the following purposes:

Lemin is a software that aims to identify areas of action for the further development of teams and to promote behavioral changes in the workforce. Lemin focuses on communication, collaboration and leadership behaviors.

Lemin will process employee data and survey responses for the following purposes:

  • Creating reports and analyses, including on personality, action items, and company culture, based on aggregated responses;

  • Sending notifications and feedback, assigning nudges and content to users;

  • Monitoring interactions with the Lemin software;

  • Creation of dashboard tools for managers and recruiters to access thecollected data based on the aggregated responses;

  • Lemin's assessment of change in behavior.


3.5. Nature of personal data

Lemin uses IP address, birthday (optional), name, email addresses, position, department, gender, length of team membership and length of company membership. When using our software, Lemin collects data that employees provide as part of the personality and team analysis, including personal strengths, personality traits, and a work situation survey. This data is then combined to create an individual culture profile.


3.6. Categories or groups of data subjects

The following groups or categories of data subjects are the data subjects in this context: Employees of the Ordering Party


3.7. Duration

This agreement is an integral part of the service agreement. The arrangement shall apply for as long as the Processor processes personal data on behalf of the Ordering Party under the Service Agreement.

The limitation period for claims arising from this Agreement shall commence at the end of the year in which the respective claim arose. The duration of the limitation period shall be governed by general data protection law or the general provisions of the law of the country in which the Controller has its place of business, whichever is longer.


3.8. Termination

Unless further agreed in the Service Agreement, the Ordering Party may terminate the Service Agreement on grounds of good cause with immediate effect if the Processor breaches material provisions of this Agreement or applicable data protection law and it would - rationally - be unreasonable for the Ordering Party to continue to maintain the Service Agreement if the Processor does not remedy the breach within 14 days after discovery of the breach or after notification by the Ordering Party. In particular, it would be unreasonable for the Ordering Party to continue to maintain the Service Agreement if the Processor fails to implement the Ordering Party's instructions after the Processor has attempted to remedy the breach within 14 days, or if the Processor provides insufficient or no assistance in response to requests from data subjects or public authorities, i.e. fails to comply with the terms of the Service Agreement despite having been requested to do so, or if the Processor refuses to allow the Ordering Party to conduct audits.

4. Controller and processor

4.1. Controller and Processor shall fulfill their respective obligations arising from this Agreement and applicable data protection law.

4.2. If the Processor processes Personal Data outside the scope of the mandate as defined in Section 3.1, it shall carry out the processing on its own responsibility as a Responsible Entity pursuant to Article 28(10) of the GDPR; this shall also apply to transfers to third parties (within the meaning of Article 4(10) of the GDPR). In the cases of Art. 28(3), subparagraph 2(a) of the GDPR, the processor must inform the controller.

5. Duties for the Controller

5.1. Within the scope of the assignment, the Controller is obliged to comply with its obligations under the GDPR and the applicable data protection law, in particular with regard to the rights of the data subjects within the meaning of Art. 12 - 22 GDPR.

5.2. Payment obligations of the Controller in connection with the Assignment within the meaning of Section 3.1 as well as the performance of this Assignment shall only arise to the extent that the Service Agreement expressly establishes such a payment obligation.

6. Rights of the Controller to issue instructions


6.1. The Processor acknowledges that the commissioned processing in accordance with the GDPR and applicable data protection laws as well as official orders requires that the Processor is strictly bound by all declarations of the Controller which determine the scope and purpose of the processing of Personal Data and that it must implement these declarations in such a way, such that the decision-making authority of the Controller with respect to the Processing is ensured ("Instructions").


6.2. The Processor shall carry out the Controller's instructions promptly and effectively.


6.3. Instructions must always be issued in writing or in text form (e.g. by e-mail or fax). Verbal instructions are only permitted in urgent exceptional cases; they must be documented by the processor in writing or in text form.


6.4. In addition, Art. 28 and 29 GDPR, in particular Art. 28(3), subparagraph 3 GDPR, apply (regarding: complaint/information about unlawful instructions).

7. Duties of the Processor

7.1. The Processor shall process the Personal Data of the Controller within the scope of the Order as defined in Section 3.1 and in accordance with the applicable data protection law.


7.2. The Processor shall ensure, in accordance with Articles 28(3), second subparagraph(b), 29, 32(4) GDPR, that the natural persons under its responsibility who are involved in the processing under the contract act in accordance with the instructions of the Controller, are bound to secrecy and exercise discretion with regard to the processing. The Processor shall also ensure that its means (in particular programs, databases, technical infrastructure) are used for the processing of Personal Data (Articles 4(1), 4(2) GDPR, in particular for collecting, recording, organizing, separately storing, modifying, retrieving, reading, querying, comparing and erasing), have been designed for and are suitable for the processing of Personal Data and that this state is maintained throughout the term of this Agreement.

7.3. The Processor is obliged to take the necessary measures in its geographical and functional area of responsibility within the meaning of Article 32 GDPR. In particular, the Processor undertakes, taking into account the respective state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the different likely and serious risks to the rights and freedoms of the Data Subjects, to design and update its in-house organization so that it complies with the requirements of applicable data protection law, in particular the GDPR, and thus protects the rights of the Data Subjects. In general, the technical and organizational measures taken must be designed to achieve the following protection goals:


7.3.2. Access control (protection of processing operations against unauthorized use)

7.3.3. Authorization control (assignment-compliant authorization concepts)

7.3.4. Disconnection control (separation of processing according to processing purposes)

7.3.5. Disclosure control (ensuring integrity, e.g. in transfer processes, encryption)

7.3.6. Input control (traceability of data access, as far as possible and permissible)

7.3.7. Availability control (protection against loss/destruction as well as fail-safety of the system)

7.3.8. Assignment control (checking that processing is actually carried out in accordance with the assignment and instructions).

7.3.9. Regular review of the effectiveness of the aforementioned measures and procedures

7.4. If the parties have agreed in writing on supplementary or detailed regulations on technical and organizational measures in accordance with Section 7.3 (in particular, if a need for protection has been identified and agreed, such as "High"), these regulations shall take precedence.


7.5. The Entity responsible for processing shall be entitled to verify compliance with the obligations entered into pursuant to Section 11. Any breaches of obligations ascertained must be remedied. The Controller shall be entitled to exercise the aforementioned right of inspection over the Processor and any subcontractors.


7.6. The Processor is obliged to keep the required documentation on the processing within the scope of its responsibility and to make it available to the Controller upon request (pursuant to Art. 28(3) subpara. 2 h GDPR). The content of the documentation must enable the controller to prove the correctness of the data processing (pursuant to Art. 24(1) DSGVO). This applies accordingly to the processing logs to be kept and the data protection impact assessments to be performed and documented.


7.7. The processor is obliged to assist the controller in responding to data subjects' requests and claims (under Chapter 3 GDPR). If the rights are asserted directly against the processor, the processor must forward them to the controller without undue delay. This does not preclude the processor from fulfilling the data subject's right after receiving the relevant instructions from the controller.


7.8. If the Controller has to process official orders or requests relating to the activities of the Processor in connection with the Order, the Processor shall assist the Controller to the extent necessary to comply with the official order or request.


7.9. The Processor shall ensure that the procedures it uses in the context of the assignment and the resources it deploys for the duration of the assignment are and remain designed and maintained to enable effective implementation of the Controller's instructions or of the requirements under applicable data protection law.


7.10. The Processor shall ensure by technical and organizational measures that personal data can be released to the Controller and/or deleted after termination of the contract; the Processor shall confirm the deletion in writing upon request of the Controller. The right of the processor to continue to process personal data for its own purposes and on its own responsibility after termination of the contract shall remain unaffected.

8. Subcontractors

8.1. The Processor may subcontract all or part of the processing if the Controller has given its written consent in the individual case. For the following other Processors, consent to the Processing Activities defined below is already in place:

The complete and detailed list of Lemin's sub-processors can be found here:

Subcontractors (

  • Google LLC (Google Analytics, Google Tag Manager, Google Fonts, Google reCaptcha, Youtube)

  • Zendesk Inc. (Support-Center)

  • Vimeo Inc. (Video-Hosting)

  • Microsoft Corporation (Office)

Subcontractors (

  • Hubspot Inc. (CRM-Tool)

  • Wix Ltd. (Website)

Subcontractors (

  • Amazon Web Services Inc. (Server)

  • MongoDB Inc. (Database)

  • Sendinblue Gmbh (Email-Automation)

  • Datadog Inc. (Application monitoring, error logging)

  • Intuition Machines – hCaptcha, Intuition Machines Inc. (Spam/Bot-Defense)

  • ConfigCat Szolgáltató és Fejlesztő Korlátolt Felelősségű Társaság (Feature-Toggling)

8.2. The Processor shall be responsible for ensuring that subcontractors are subject to at least the same obligations with regard to their Processing under the Assignment as provided for in this Agreement and applicable data protection law; this applies in particular to Section 10.

8.3. In all other respects, the provisions of the GDPR on subcontracting shall apply, in particular Art. 28(4) GDPR.

8.4. Cross-border commissioned processing

Commissioned processing can be carried out in all member states of the European Union as well as in Iceland, Liechtenstein, Norway and Switzerland without the need for any additional regulation.

8.5. Commissioned processing in countries other than those listed in Section 8.4 (hereinafter "Third Country") is permitted, provided that the special requirements of Art. 44 et seq. GDPR (e.g. EU standard contractual clauses, adequacy decision of the EU Commission for the respective third country) for commissioned processing in a third country are met.

8.6. The processor shall inform the controller of the commissioned processing in a third country carried out by itself or by one of its subcontractors.

8.7. Unless otherwise agreed in writing, the Processor must meet the admissibility requirements as defined in Section 9.2.

8.8. The requirement of consent within the meaning of Section 8.1 remains unaffected.

9. Notification of a data breach

9.1. The Processor shall notify the Controller within 24 hours of the discovery of an actual or probable personal data breach within the meaning of Article 4(12) GDPR.

9.2. The notification must contain information that enables the controller to comply with the requirements pursuant to Art. 33, 34 GDPR; in case of deficiencies, additional information must be provided upon request of the controller. The notification must be textual.

9.3. Upon becoming aware of a data protection incident, the Processor shall immediately take the necessary measures to protect the data and mitigate any adverse effects on the Data Subjects.

10. Monitoring and auditing rights of the controller

10.1. For the duration of the commissioning and thereafter until the expiry of the limitation period, the Controller shall be entitled to carry out or have carried out checks (monitoring, audits) in respect of the Processor in order to verify whether and to what extent the processing actually carried out complies with this Agreement and the applicable data protection law. This may be done once every 12 months.

10.2. Such checks shall be announced in due time. In the event of data breaches (processing that violates this Agreement or applicable data protection law) or if there are reasonable grounds to suspect such data breaches, the Processor shall enable, tolerate and support short-term controls.

10.3. The confidentiality agreements made in the service agreement apply to the controls/audits and their results. Confidentiality obligations do not apply insofar as disclosure is necessary to fulfill legal or regulatory requirements. The persons commissioned to carry out the monitoring/audit shall be bound to confidentiality insofar as they are not legally obligated to maintain secrecy.

11. Liability

11.1. Each party's liability to the other party is subject to applicable data protection law.

11.2. The Processor shall not be liable for any damage and loss caused by the execution of unlawful instructions of the Controller; the Controller shall indemnify the Processor for such damage and loss. In the event that a data subject brings a claim against the Controller, the Processor shall indemnify the Controller against such claims to the extent that the Processor is responsible for the circumstances giving rise to the claims.

12. Applicable Law

12.1. The applicable data protection law shall apply to the processing of personal data under this contract; the place of jurisdiction for disputes in this context shall be Cologne, Germany.

12.2. For clarity, the foregoing does not affect disputes between a party to this Agreement and a supervisory authority (e.g., Art. 4(21), 55, 56, 78 GDPR) or disputes between a party to this Agreement and a data subject (e.g., Art. 4(1), 79 GDPR) to which statutory law applies.

12.3. To the extent that any dispute between the Parties does not relate to the processing of Personal Data, this Agreement shall be subject to the jurisdiction and choice of law set forth in the Service Agreement.

12.4. In official and judicial proceedings, the parties shall support each other to the extent possible and necessary to avert unfounded claims or to satisfy justified claims.


12.5. Unless explicitly provided otherwise in this Agreement or in the Service Agreement, the provisions in this Agreement shall take precedence over the provisions in the Service Agreement.

Technical and organizational measures (TOM)

in accordance to Art. 32 GDPR


As a cloud service, data security is our top priority. Below, we explain the most important measures we take to protect data.


1. Introduction

1.1. Responsible party

The responsible party according to Art. 4 No. 7 EU General Data Protection Regulation (DSGVO) is Lemin GmbH, Rochusplatz 1, 50827 Cologne, Germany, e-mail: We are legally represented by Christof Weidl.

1.2. Data protection officer

Our data protection officer is heyData GmbH, Schützenstraße 5, 10117 Berlin,, e-mail:

1.3. Subject of the document

This document summarizes the technical and organizational measures taken by the responsible party within the meaning of Article 32 (1) of the GDPR. These are measures with which the controller protects personal data. The purpose of the document is to support the responsible party in fulfilling its accountability obligation under Article 5 (2) of the GDPR.

2. Confidentiality (Art. 32 Abs. 1 lit. b GDPR)

2.1. Entry control

The following implemented measures prevent unauthorized persons from gaining access to data processing equipment:

  • Alarm system

  • Manual locking system (e.g., key).

  • Doorbell system with camera

  • Working in the home office: instruction to employees, if possible, to work in study rooms separated from living quarters.

2.2. Access control

The following implemented measures prevent unauthorized persons from accessing the data processing systems:

  • Authentication with user and password

  • Use of anti-virus software

  • Use of firewalls

  • Encryption of data carriers

  • Encryption of smartphones

  • Automatic desktop lockdown

  • Encryption of notebooks / tablets

  • Management of user permissions

  • Creation of user profiles

  • Use of 2-factor authentication

  • General company policy on data privacy or security.

  • Company policy on strong passwords

  • Company policy on "delete/destroy"

  • Company "Cleandesk" policy

  • General instruction to manually lock desktop when leaving workstation.

2.3. Authorization control

The following implemented measures ensure that unauthorized persons do not have access to personal data:

  • Use of an authorization concept

  • Number of administrators is kept as small as possible

  • Secure storage of data media

  • Management of user rights by system administrators

  • Instructing employees that only absolutely necessary data is printed out.

2.4. Separation control

The following measures ensure that personal data collected for different purposes are processed separately:

  • Physically separate storage on separate systems or data carriers

  • Separation of productive and test systems

  • Encryption of data records processed for the same purpose

  • Logical client separation (on the software side)

  • Creation of an authorization concept

  • Determination of database rights

  • Internal instruction to anonymize/pseudonymize personal data in the event of disclosure or after expiry of the statutory deletion period, if possible.

3. Integrity (Art. 32 Abs. 1 lit. b GDPR)

3.1. Transfer control

It is ensured that personal data cannot be read, copied, changed or removed without authorization during transfer or storage on data carriers and that it is possible to check which persons or bodies have received personal data. The following measures are implemented to ensure this:

  • WLAN encryption (WPA2 with strong password)

  • Logging of accesses and retrievals

  • Provision of data via encrypted connections such as SFTP or HTTPS.

3.2. Input control

The following measures ensure that it is possible to check who has processed personal data in data processing systems and at what time:

  • Allocation of rights to enter, change and delete data on the basis of an authorization concept.

4. Availability and Protection (Art. 32 Abs. 1 lit. b GDPR)

The following measures ensure that personal data is protected against accidental destruction or loss and is always available to the client:

  • Fire extinguishers in server rooms

  • Fire and smoke detection systems

  • Devices for monitoring temperature and humidity in server rooms

  • Air conditioning in server rooms

  • Protective power strips in server rooms

  • Uninterruptible power supply (UPS) system.

  • RAID system / hard disk mirroring

  • Video monitoring in server rooms

  • Alarm notification in case of unauthorized access to server rooms

  • Regular backups

  • Creation of a backup & recovery concept

  • Control of the backup process

  • Storage of data backup in a secure, off-site location

  • Regular data recovery testing and logging of results.

  • Hosting (at least of the most important data) with a professional hoster.

5. Procedures for regular review, assessment and evaluation (Art. 32 Abs. 1 lit. d GDPR; Art. 25 Abs. 1 GDPR)


5.1. Data protection Management

The following measures are intended to ensure that an organization that meets the basic requirements of data protection law is in place:

  • Use of the heyData platform for data protection management.

  • Appointment of the data protection officer heyData

  • Obligation of employees to maintain data secrecy

  • Regular training of employees in data protection

  • Keeping an overview of processing activities (Art. 30 GDPR).


5.2. Incident-Response-Management

The following measures are intended to ensure that notification processes are triggered in the event of data protection breaches:

  • Notification process for data protection breaches pursuant to Art. 4 No. 12 GDPR vis-à-vis the supervisory authorities (Art. 33 GDPR).

  • Notification process for data protection breaches pursuant to Art. 4 No. 12 GDPR vis-à-vis the data subjects (Art. 34 GDPR)

  • Involvement of the data protection officer in security incidents and data breaches.

  • Use of anti-virus software

  • Use of firewalls.

5.3. Privacy-friendly Default settings (Art. 25 Abs. 2 GDPR)

The following implemented measures take into account the requirements of the principles "Privacy by design" and "Privacy by default":

  • Training of employees in "Privacy by design" and "Privacy by default"

  • No more personal data is collected than is necessary for the respective purpose.


5.4. Order control

The following measures ensure that personal data can only be processed in accordance with the instructions:

  • Written instructions to the contractor or instructions in text form (e.g., by order processing contract)

  • Ensuring that data is destroyed after termination of the order, e.g., by requesting corresponding confirmations

  • Confirming contractors that they commit their own employees to data secrecy (typically in the order processing contract)

  • Careful selection of contractors (especially with regard to data security)

  • Ongoing review of contractors and their activities.

  • Ensuring the destruction of data after completion of the order, e.g., by requesting appropriate confirmations.

If there are any questions, please contact us!

Lemin GmbH

Rochusplatz 1, 50827 Cologne

bottom of page