ekey bionyx Service Level Agreement and Data privacy statement

Item of agreement

This contract is formed by ekey biometric systems GmbH, based in Linz, Austria, FN 229357s (hereafter “ekey”), and the respective operator or user of physical (biometric) access control systems (hereafter “operator”).

The item of this agreement is the usage of the software service “ekey bionyx” (hereafter “bionyx”). ekey provides bionyx to the respective operator so that they may administer their access points and respective authorizations on the basis of the conditions of this contract.

Consent to the agreement

This contract is bindingly accepted by the operator, and thus comes into effect, when a new operator logs into the bionyx app by clicking on the button “Consent to contract terms”. The operator thereby declares their consent to the terms of this agreement, in particular the terms of use and service. If the operator does not click on the button “Consent to contract terms”, bionyx cannot be used. The operator receives no access to the account or services.

Contract beginning and duration, cancelation

The agreement for the provision of bionyx begins when the operator creates an account in the bionyx app and upon acceptance of this agreement, and is effective indefinitely.

ekey is authorized to cancel the agreement at any time, with a notice of at least 1 month; ekey may decide whether to announce this cancelation via email or postal mail to the operator, or by displaying a notification of cancellation in the bionyx app. In the latter instance, this announcement is considered to have been made once it would be visible in the bionyx app when the operator opens it. After the cancelation period has expired, the operator’s bionyx account and all data stored therein and access authorizations are automatically deleted; all entered data are thus automatically and irrevocably lost. The operator is thus generally responsible for transferring the saved data and authorizations before the cancelation period has ended, namely to a suitable access control system approved by ekey.

The operator is always authorized to immediately cancel the agreement without abiding by a cancelation period, but this also prevents the operator from using bionyx and accessing the data stored therein. The deletion of the operator’s bionyx account is considered immediate cancelation of the agreement.

If an account is not accessed for more than 5 years (the operator does not log in), and if no connections to devices have been made, this is also considered cancelation at the end of this 5-year period, whereupon the account will automatically be deleted. All entered data are thus automatically and irrevocably lost.

An immediate cancelation of the agreement without notice is also possible in case of compelling cause.

Rights of the operator

For the duration of this agreement, the operator receives the non-exclusive, non-transferable and temporary right to use the functions of bionyx while they are available and to the extent facilitated by ekey.

Blocking operators

ekey is authorized to temporarily or permanently block the user’s access to the cloud services if there are concrete indications that the user is violating or has violated the terms of use in this agreement and/or acted against the law. When deciding whether to block a user, ekey will consider the user’s interests to a reasonable extent.

Compensation, price adjustment

When using the bionyx app, the operator is obligated to pay the usage fee accepted during registration.

The usage fee is index-adjusted. The standard for the index adjustment is the 2020 Consumer Price Index = 100, or a similar index.

The starting basis for this index adjustment calculation is the index disclosed in December of the first full contract year. The usage fee increases and decreases to the extent that the Consumer Price Index has changed compared to the starting basis or the index number underlying the last fee adjustment. The changes to the usage fee caused by index fluctuations are computed in yearly increments on the basis of the disclosed index number for December of the respective year, and the new usage fee is disclosed to the user.

Other applicable terms and declarations

The following additional contracts and declarations, which are available on the ekey homepage, apply in addition to this agreement.

• Data privacy statement
• Privacy policy
• Terms of Business

The scope of service of bionyx for purposes of this agreement is offered at the maturity level of the latest release. ekey reserves the right to alter or discontinue the services at any time. ekey is not liable for any resulting expenses, costs, subsequent costs or damages, provided ekey is not responsible for such damages due to malice or gross negligence. There is no liability for damages caused by ekey or its proxies due to minor negligence.

As part of these services, it cannot be guaranteed that data entered by the customer will be retained. The operator must accept the possibility of loss of data. ekey is thus not liable for expenses, costs, subsequent costs or damages caused by data loss, provided ekey or its proxies are not responsible for these damages due to malice or gross negligence.

Point of transfer of service

ekey provides bionyx in a Microsoft server center in the EU so that the operator can use and access the services. The point of transfer of service for the bionyx services is the net access point of the server center contracted by ekey (router in the server center). ekey is not responsible for outages or unavailability of hardware or software components, Internet or other networks outside of the server center and beyond this point of transfer of service. The operator is solely responsible for ensuring the connection between the operator’s devices and Internet, the maintenance of the network connection, and the acquisition and provision of the hardware and software by the operator for connecting to the Internet. This also applies to the connection between the operator’s devices (app) and the Internet.

Purpose of use

The functions and services of bionyx must solely be used by operators and other users for the purpose specified by ekey. The following, non-exhaustive uses of bionyx are prohibited, or require special approval from ekey:

• Personal safety (used to protect life and body)
• Medical installations and systems
• Military installations and systems
• Usage in vehicles, ships, airplanes, construction machinery and cargo transportation systems
• Usage in machines
• Usage in critical infrastructures and banks
• Uses that to not comply with legal regulations

Access to services

A username, password and email address are required to access bionyx. The password must meet the minimum security requirements specified by ekey, and which are visible to the operator when setting the password. The operator must ensure safe storage of, and prevention of unauthorized access to the access info. A new password can be requested if the operator has forgotten the password. Access is no longer possible if the operator has forgotten the access info (username and/or email).

Operating devices

The ekey bionyx app (hereafter “app”) is used to operate and administer bionyx. The app can be used with mobile end devices (smartphone, tablet) with Android and iOS operating systems.

If an operating device can no longer be updated due to technical developments of smartphones and their operating systems like Android or iOS, rendering the operation of the app on this device impossible, the operator must find a substitute and modernize or replace the device. ekey is solely responsible for determining which operating system versions the app supports.

The operator is only allowed to make changes and expansions to the app if such is allowed by law or has been agreed upon with ekey. Copyright mentions, serial numbers, version numbers, trademarks or other identifying characteristics in the app must not be altered or removed by the operator. This also applies to the obscuring of such characteristics on the screen display.

Access control devices

The operator is only authorized to connect access control devices approved by ekey, and with approved firmware versions, to bionyx.

The access control devices must be installed according to the operating instructions, and used in the specified area and as intended. The devices must not be used, or must be replaced, in the event of considerable damage (e.g., broken casing). The devices must not be manipulated in any way.

Availability of the bionyx cloud service

ekey provides the operator with bionyx without the assurance of specific availability. A claim to the usage of bionyx is only effective within ekey’s technical and operational capacities, and in accordance with the app provided by ekey for operation.

Unexpected maintenance measures and technical defects (such as power outage, hardware and software errors, technical data line issues) can cause temporary operational disruptions or limitations.

ekey reserves the right to suspend operations of the platform, including the functions and services provided, in the event of technical errors or expected failure to meet product goals, or inefficient operation of bionyx. ekey is not liable for any resulting expenses, costs, subsequent costs and/or damages, provided these damages were not caused by gross negligence or malice by ekey or its proxies.

Change to services

ekey has the right to perform technical updates on bionyx, in particular with regard to new functions and to add extra protection, e.g., due to technical innovations, changes to legislation, changes to judicature or changes to economic conditions, and to alter the technical characteristics and functions of the services or to discontinue functions.

Consent to push notifications

With this agreement the operator consents to receiving push notifications or other notifications in the app. These notifications solely concern information on the operating and maintenance states of bionyx. Furthermore, the user must use a suitable end device with the respective app for using bionyx and for receiving push notifications on their smartphone.

Preventing unauthorized access

The operator is responsible for ensuring no unauthorized parties obtain access to bionyx. If the operator or ekey detects unauthorized access, this must be immediately reported (within 3 business days) to the other party, and precautions must be taken to prevent this from recurring in the future.

Liability limitations

ekey is always only liable for damages incurred by the operator, and/or other persons who are protected in accordance with this agreement, to the extent that ekey caused the damages on the basis of malice or gross negligence.

If the operator or other person protected in accordance with this contract is not a consumer as defined by the Austrian Consumer Protection Act, ekey is only liable for damages caused by malice or severely gross negligence by ekey; there is no liability for loss of profits or other subsequent damages.

Copyright

The operator acknowledges that ekey is the sole holder of all usufructuary rights to bionyx. Any violation of these usufructuary rights, in particular use of bionyx beyond the usufruct approval granted through this agreement, is prohibited and constitutes an illegal infringement of ekey’s protected rights.

Applicable law

This contract is subject to Austrian material law, to the exclusion of conflicts of laws and UN CISG.

The following data privacy statement applies to the usage of the cloud service ekey bionyx (hereafter “bionyx”) as well as the app “ekey bionyx app” (hereafter “app”) and associated devices (hereafter “devices”).

ekey biometric systems GmbH (hereafter “ekey”) takes the protection of your personal data very seriously. We solely process your data on the basis of the legal provisions within the EU General Data Protection Regulation (hereafter “GDPR”) and the Austrian Law to Protect Natural Persons during the Processing of Personal Data (hereafter “DSG”). In this data protection statement, we would like to inform you of the key aspects of the data processing carried out at our company and during the usage of our products.

Personal data are all information that pertains to an identified or identifiable natural person. A natural person is considered identifiable if they can be identified directly or indirectly through association with a characteristic such as a name, identifier number, location data, online identifier or one or more special characteristics indicating the physical, physiological, genetic, mental, financial, cultural or social identity of this natural person.

Legal basis and purposes of processes

The processing of your personal data by ekey for contract initiation or fulfillment is justified by Article 6 paragraph 1 letter b GDPR, and is necessary to fulfill the contract. We also process your personal data on the basis of our justified interest in ensuring the security of our IT systems and, if applicable, to uncover and prevent criminal threats and actions (Article 6 paragraph 1 letter f GDPR). We solely process your biometric data (fingerprints) on the basis of your explicit consent as per Article 9 paragraph 2 a) GDPR.

Every instance of consent to data processing can be revoked at any time, independently of one another. Revocation results in us no longer being able to process your data upon the moment of revocation, meaning that the respective rights, benefits, etc., can no longer be claimed. Please contact the following e-mail address if you wish to revoke your consent: datenschutz@ekey.net.

Revocation does not affect the legality of the processing conducted before revocation.

ekey bionyx system

The system uses biometric data obtained from fingerprints (referred to as templates) to offer opening and closing functions. Below we inform you of the retrieval and processing of personal data during your use of our system.

Processing of personal data while using the ekey bionyx system

Personal data are required and processed when using the specific product as intended. The processing of the following personal data is required in order to ensure comfortable, comprehensible use of the system:

Profile data of end users:

• ID
• Biometric data (fingerprint)

Usage data:

Access logs and log data (person, place, time, function) – encrypted
(purpose: comprehensibility and forwarding of information to other users via the respective app)

The data are stored directly in the system’s memory storage, as well as in a cloud service (ekey bionyx cloud) provided by the order processor. All data in the cloud service are encrypted and can only be viewed by ekey with the customer-specific system key that is only known to the user of the system.

In the event of a support case, the necessary data can only be processed together with the user, as the user must provide their explicit consent and the required data (such as log data).

ekey bionyx app

The following information and declarations also apply to the product “ekey bionyx app”.

We provide you with a mobile app that you can download onto your mobile device. Below we inform you of the retrieval and processing of personal data during your use of our mobile app.

Processing of personal data while using our mobile app

When downloading the mobile app, the necessary information is sent to the App Store or Google Play, namely the username, e-mail address and customer number of your account, time of the download, payment information and individual device identifier. We have no influence over this retrieval of data and are not responsible for it. We only process the data to the extent required for you to download the mobile app on your mobile device.

While you use the mobile app we process the following personal data in order to facilitate convenient use of the functions. If you would like to use our mobile app, we retrieve the following, technically required data so that we can offer you the functions of our mobile app and to ensure stability and security:

Device data of end users

• Device number/ID
• Browser agent
• Browser settings and operating system

Profile data of end users

• Name
• E-mail address
• Password (encrypted)
• Profile picture (optional profile addition)
• Registration data of end users
• Username
• Date of registration

Hosting data

• IP address
• Browser type and settings
• IP location
• Time of app download
• Time and scope of server requests

Diagnostics data

You can send data from the app to ekey support for analysis after granting your explicit consent as per Article 6 paragraph 1 letter a GDPR. In this case, diagnostic data relating to your ekey system are sent to ekey biometric systems GmbH along with contact details such as your name and email address and, optionally, your address and/or telephone number so that ekey can contact you. This transfer must be triggered by the user. The contact and analysis data for the respective support case can only be accessed by the support employee and is stored until the support case is closed. The diagnostic data is transferred to an ekey server in Linz/Austria via an encrypted connection (HTTPS). The data sent will only be used to contact you, as well as for analysis and error detection and will not be forwarded to third parties.

Use of cookies

Cookies are small text components saved on the user’s device by a website. Many cookies contain a cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a sequence of characters that allow websites and servers to identify the browser in which the cookie has been saved. This allows the websites and servers that the user visits to differentiate the respective browser from other browsers that contain other cookies. A specific browser can be recognized and identified with the unique cookie ID.

The mobile app uses the following types of cookies, the scope and function of which are explained below:

• Technically required cookies:

These are required to use basic functions and to ensure the security of the app and data; they neither collect nor store information on your for marketing purposes.

Data processing outside of the EU/EEA

Data are processed in a sever center located in Europe. There is no processing of data outside of the EU/EEA.

Forwarding of data to contracted data processors

ekey relies on assistants, in particular in the field of IT, to process personal data. These parties process the data as contracted processors, i.e., on the basis of a written contract as per Article 28 GDPR in which the details of the data processing ordered by ekey are regulated and in which the contracted processor is obligated to process the data with care. For example, this type of processing occurs when ekey stores data in an external server center. ekey commissions contracted processors in the following areas, among others:

• IT services
• Telecommunications
• Cloud service providers

The contracted processors are carefully selected by ekey, with special consideration of the suitability of their technical and organizational measures, and inspected for their abidance to them. ekey only processes the data in Austria and within the European Union.

Forwarding of data to third parties

We do not disclose any personal data to third parties, unless this is required for our organizational and company purposes, and/or if this is allowed or required on the basis of law or occupational standards.

Maximum duration of permissible data storage

We only store our customers’ data as long as is required to fulfill the contract. Then the data are deleted. Legal retention obligations are in place, e.g., according to the Austrian Commercial Code (UGB) and Austrian Federal Tax Code (BAO). After the legal retention periods have ended, we will immediately delete your personal data from our databases (both digitally and physically).

Our customers’ personal data, including log data, are deleted when their respective account is deleted or if it is inactive for 5 years (no user activities in the app).

When the app is active, the user’s profile data, excluding the password, are stored in the RAM cache of the mobile end device. Based on the storage characteristics, these data may remain in the device memory for an indefinite period after the app has closed.

Security of data processing

To ensure data security, ekey has taken the necessary technical and organizational measures, under consideration of the state of technology. These precautions chiefly serve to prevent unauthorized, illegal or accidental access, processing, loss, use and manipulation. A process is also in place to regularly assess and evaluate the effectiveness of the technical and organizational measures.

Please note that we do not accept any liability whatsoever for the disclosure of information on the basis of errors during the data processing not committed by us, and/or unauthorized access by third parties (e.g., hacker attacks).

Automated decision-making

As a responsible company, we hereby inform you that there is no automated decision-making on the basis of your personal data that we obtain.

Your rights

You have the following rights concerning your personal data:

• Right to disclosure,
• Right to correction or deletion,
• Right to limitation of processing,
• Right to object to processing,
• Right to data portability

You also have the right to file a complaint with the responsible supervisory authority (in Austria this is the data protection authority in Vienna). The data protection authority can be reached at the following address:

Österreichische Datenschutzbehörde
Barichgasse 40-42
A-1030 Vienna, Austria
Telephone: +43 1 52 152 – 0

The data processor as per Article 4 paragraph 7 EU General Data Protection Regulation (GDPR) is

ekey biometric systems GmbH
Lunzerstraße 89
A-4030 Linz, Austria

If you have any questions concerning the processing of your personal data as well as your rights, please contact us at: datenschutz@ekey.at

Updates to the data privacy statement

We reserve the right to update this data privacy statement at any time. The data privacy statement is regularly updated, and all changes are automatically published on www.ekey.net.