optilyz Partners

optilyz GmbH (“optilyz”) uses certain subprocessors (including third parties, as listed below) to assist it in providing the optilyz service as described in the Terms & Conditions (“T&Cs”). Defined terms used herein shall have the same meaning as defined in the T&Cs.


What is a Subprocessor

A subprocessor is a third party data processor engaged by optilyz, who has or potentially will have access to or process Service Data (which may contain Personal Data). optilyz engages different types of subprocessors to perform various functions as explained in the tables below.


Due Diligence

optilyz undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed subprocessors that will or may have access to or process Service Data.


Process to Engage New Subprocessors

For all Customers who have executed optilyz’s standard DPA, optilyz will provide notice via this policy of updates to the list of subprocessors that are utilized or which optilyz proposes to utilize to deliver its services. optilz undertakes to keep this list updated regularly to enable its Customers to stay informed of the scope of subprocessing associated with the optilyz services.

Pursuant to the DPA, a Customer can object in writing to the processing of its Personal Data by a new subprocessor within thirty (30) days after updating of this policy and shall describe its legitimate reasons to object. If Customer does not object during such time period the new subprocessor(s) shall be deemed accepted.

If a Customer objects to the use of a subprocessor pursuant to the process provided under the DPA, optilyz shall have the right to cure the objection through one of the following options (to be selected at optilyz’s sole discretion):

  1. optilyz will cease to use the subprocessor with regard to Personal Data;

  2. optilyz will take the corrective steps requested by Customer in its objection (which remove Customers’s objection) and proceed to use the subprocessor to process Personal Data; or

  3. optilyz may cease to provide or Customer may agree not to use (temporarily or permanently) the particular aspect of an optilyz Service that would involve use of the subprocessor to process Personal Data.

Termination rights, as applicable and agreed, are set forth exclusively in the DPA.

The following is an up-to-date list (as of the date of this policy) of the names and locations of optilyz subprocessors and content delivery networks (including third parties):


Infrastructure Subprocessors – Service Data Storage

optilyz owns or controls access to the infrastructure that optilyz uses to host Service Data submitted to the Services, other than as set forth below. Currently, the optilyz production systems for the Services are located in co-location facilities in Europe. The Customer’s Service Data subsequently remains in that region unless agreed between Customer and optilyz, but may be shifted among data centers within a region to ensure performance and availability of the Services. The following table describes the countries and legal entities engaged in the storage of Service Data by optilyz.


Entity nameEntity typeCountryAddress
Amazon Web Services EMEA Sárl*Cloud Service ProviderLuxembourg5 rue Plaetis, 2338 Luxembourg
MongoDB, Inc.**Database ProviderUSA229 W. 43rd Street, New York, NY 10036


*) The data is hosted on servers at Amazon Web Services in Frankfurt am Main (Germany). There is no transfer of data to servers outside Germany. However, the legal contractual partner is the company in Luxembourg

**) There is no transfer of data to the USA. The database is hosted on servers at Amazon Web Services in Frankfurt am Main (Germany) using MongoDB technology. There is no transfer of data to servers outside Germany. However, the legal contract partner is the company in New York

 


Data flow and encryption at optilyz


We work with both AWS and MongoDB on the basis of SCC (standard contractual clauses):

  • Virtual Private Cloud (VPC) – Logically isolated area of the AWS cloud where AWS resources can run on a virtual network defined by optilyz. See also https://aws.amazon.com/de/vpc/
  • Isolated and fully self-managed virtual environment – Virtualized server environment running an operating system installed by optilyz. Appropriate configuration of this system ensures that no third party can gain access to this server and that the processing operations on this system cannot be overheard (not even AWS).
  • Document-based encryption using account-specific secrets – All data (files or database entries) are encrypted (when writing) or decrypted (when reading) using a symmetric procedure. This encryption and decryption is done within the virtualized server environment and the required key is different for each optilyz customer and only known to the customer and optilyz. The customer-specific keys used are also stored encrypted in the VPC.

 


Print and postal service Subprocessors

optilyz works with certain third parties to provide printing and postal services. These providers are the Subprocessors set forth below. In order to provide the relevant functionality these Subprocessors access Personal Data.


Entity NameTypeCountryAddress
Asendia Germany GmbHPostal Service ProviderGermanyRedcarstraße 3, 53842 Troisdorf
Borek media GmbHPrinter and LettershopGermanyLüttgenröder Str. 4, 38835 Osterwieck
Central Mailing Services Ltd.*Printer and LettershopUnited KingdomUnit 59-60, Gravelly Industrial Park Tyburn Rd, Birmingham B24 8TQ, UK
dataform dialogservices GmbHPrinter and LettershopGermany

Wiesenstraße 1, 90614 Ammerndorf

direct services Gütersloh GmbHPrinter and LettershopGermanyAn der Autobahn 300, 33333 Gütersloh
Deutsche Post Direkt GmbH Address Service ProviderGermanyJunkersring 57, 53844 Troisdorf
Funke Lettershop AGPrinter and LettershopSwitzerlandBernstrasse 217/223, 3052 Zollikofen
G.A. Service GmbHPrinter and LettershopAustriaSiezenheimer Straße 39, 5020 Salzburg
Jetmail BVPrinter and LettershopNetherlandsAmperestraat 5, 2181 HB Hillegom
MMS Melter Mail Service GmbHPrinter and LettershopGermanyLugwaldstraße 10, 75417 Mühlacker
NOVO-Organisationsmittel GmbHPrinter and LettershopGermanyLievelingsweg 102-104, 53119 Bonn
OMS Online Mailing Service GmbHPrinter and LettershopGermanyKeplerstraße 5A, 41564 Kaarst
Ottweiler Druckerei und Verlag GmbHPrinter and LettershopGermanyJohannes-Gutenberg-Straße 14, 66564 Ottweiler
QUBUS media GmbHPrinter and LettershopGermanyBeckstraße 10, 30457 Hannover
Sattler Direct Mail GmbH & Co. KGPrinter and LettershopGermanyDaimlerring 2, 31135 Hildesheim
United Products GmbHPrinter and LettershopGermanySchmidmühlener Str. 53, 93133 Burglengenfeld
WIRmachenDRUCK GmbHPrinter and LettershopGermany

Mühlbachstr. 7, 71522 Backnang


*) A transfer of data to the UK will only occur if the customer explicitly books a campaign for printing & shipping in the UK. In no other case will optilyz transfer personal data of any kind to the UK without the prior consent of the customer.


Content Delivery Networks

As explained above, optilyz’s services may use content delivery networks (“CDNs”) to provide the services, for security purposes, and to optimize content delivery. CDNs do not have access to Service Data but are commonly used systems of distributed services that deliver content based on the geographic location of the individual accessing the content and the origin of the content provider. Website content served to website visitors and domain name information may be stored with a CDN to expedite transmission, and information transmitted across a CDN may be accessed by that CDN to enable its functions. The following describes use of CDNs by optilyz’s Services.

CDN ProviderServices using CDNCDN locationDescription of CDN Services
Amazon Web Services, Inc.All optilyz ServicesGlobalPublic website content served to website visitors may be stored with Amazon Web Services, Inc., and transmitted by Amazon Web Services, Inc., to website visitors, to expedite transmission.