optilyz GmbH (“optilyz”) uses certain subprocessors (including third parties, as listed below) to assist it in providing the optilyz service as described in the Terms & Conditions (“T&Cs”). Defined terms used herein shall have the same meaning as defined in the T&Cs.
What is a Subprocessor
A subprocessor is a third-party data processor engaged by optilyz that has or potentially will have access to, or processes, Service Data (which may contain Personal Data). optilyz engages different types of subprocessors to perform various functions as explained in the tables below.
optilyz undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed subprocessors that will or may have access to or process Service Data.
Process to Engage New Subprocessors
For all Customers who have executed optilyz’s standard DPA, optilyz will provide notice via this policy of updates to the list of subprocessors that are utilized or which optilyz proposes to utilize to deliver its services. optilyz undertakes to keep this list updated regularly to enable its Customers to stay informed of the scope of subprocessing associated with the optilyz services.
Pursuant to the DPA, a Customer can object in writing to the processing of its Personal Data by a new subprocessor within thirty (30) days after this policy is updated and shall describe its legitimate reasons to object. If Customer does not object during such time period, the new subprocessor(s) shall be deemed accepted.
If a Customer objects to the use of a subprocessor pursuant to the process provided under the DPA, optilyz shall have the right to cure the objection through one of the following options (to be selected at optilyz’s sole discretion):
- optilyz will cease to use the subprocessor with regard to Personal Data;
- optilyz will take the corrective steps requested by Customer in its objection (which remove Customer’s objection) and proceed to use the subprocessor to process Personal Data; or
- optilyz may cease to provide or Customer may agree not to use (temporarily or permanently) the particular aspect of an optilyz Service that would involve use of the subprocessor to process Personal Data.
Termination rights, as applicable and agreed, are set forth exclusively in the DPA.
The following is an up-to-date list (as of the date of this policy) of the names and locations of optilyz subprocessors and content delivery networks (including third parties):
Infrastructure Subprocessors – Service Data Storage
optilyz owns or controls access to the infrastructure that optilyz uses to host Service Data submitted to the Services, other than as set forth below. Currently, the optilyz production systems for the Services are located in co-location facilities in Europe. The Customer’s Service Data subsequently remains in that region unless agreed between Customer and optilyz, but may be shifted among data centers within a region to ensure performance and availability of the Services. The following table describes the countries and legal entities engaged in the storage of Service Data by optilyz.
| Entity name | Entity type | Country | Address |
|---|---|---|---|
| Amazon Web Services EMEA Sárl* | Cloud Service Provider | Luxembourg | 5 rue Plaetis, 2338 Luxembourg |
| MongoDB, Inc.** | Database Provider | USA | 229 W. 43rd Street, New York, NY 10036 |
*) The data is hosted on servers at Amazon Web Services in Frankfurt am Main (Germany). There is no transfer of data to servers outside Germany. However, the legal contractual partner is the company in Luxembourg.
**) There is no transfer of data to the USA. The database is hosted on servers at Amazon Web Services in Frankfurt am Main (Germany) using MongoDB technology. There is no transfer of data to servers outside Germany. However, the legal contractual partner is the company in New York.
Data flow and encryption at optilyz
We work with both AWS and MongoDB on the basis of SCC (standard contractual clauses):
- Virtual Private Cloud (VPC) – Logically isolated area of the AWS cloud where AWS resources can run on a virtual network defined by optilyz. See also https://aws.amazon.com/de/vpc/
- Isolated and fully self-managed virtual environment – Virtualized server environment running an operating system installed by optilyz. Appropriate configuration of this system ensures that no third party (not even AWS) can gain access to this server and that the processing operations on this system cannot be intercepted.
- Document-based encryption using account-specific secrets – All data (files or database entries) are encrypted (when writing) or decrypted (when reading) using a symmetric procedure. This encryption and decryption is done within the virtualized server environment and the required key is different for each optilyz customer and only known to the customer and optilyz. The customer-specific keys used are also stored encrypted in the VPC.
Print and postal service Subprocessors
optilyz works with certain third parties to provide printing and postal services. These providers are the Subprocessors set forth below. In order to provide the relevant functionality these Subprocessors access Personal Data.
| Entity name | Entity type | Country | Address |
|---|---|---|---|
| Asendia Germany GmbH | Postal Service Provider | Germany | Redcarstraße 3, 53842 Troisdorf |
| Borek media GmbH | Printer and Lettershop | Germany | Lüttgenröder Str. 4, 38835 Osterwieck |
| Central Mailing Services Ltd.* | Printer and Lettershop | United Kingdom | Unit 59-60, Gravelly Industrial Park Tyburn Rd, Birmingham B24 8TQ, UK |
| dataform dialogservices GmbH | Printer and Lettershop | Germany | Wiesenstraße 1, 90614 Ammerndorf |
| direct services Gütersloh GmbH | Printer and Lettershop | Germany | An der Autobahn 300, 33333 Gütersloh |
| Deutsche Post Direkt GmbH | Address Service Provider | Germany | Junkersring 57, 53844 Troisdorf |
| Funke Lettershop AG | Printer and Lettershop | Switzerland | Bernstrasse 217/223, 3052 Zollikofen |
| G.A. Service GmbH | Printer and Lettershop | Austria | Siezenheimer Straße 39, 5020 Salzburg |
| Jetmail BV | Printer and Lettershop | Netherlands | Amperestraat 5, 2181 HB Hillegom |
| MMS Melter Mail Service GmbH | Printer and Lettershop | Germany | Lugwaldstraße 10, 75417 Mühlacker |
| NOVO-Organisationsmittel GmbH | Printer and Lettershop | Germany | Lievelingsweg 102-104, 53119 Bonn |
| OMS Online Mailing Service GmbH | Printer and Lettershop | Germany | Keplerstraße 5A, 41564 Kaarst |
| Ottweiler Druckerei und Verlag GmbH | Printer and Lettershop | Germany | Johannes-Gutenberg-Straße 14, 66564 Ottweiler |
| QUBUS media GmbH | Printer and Lettershop | Germany | Beckstraße 10, 30457 Hannover |
| Sattler Direct Mail GmbH & Co. KG | Printer and Lettershop | Germany | Daimlerring 2, 31135 Hildesheim |
| United Products GmbH | Printer and Lettershop | Germany | Schmidmühlener Str. 53, 93133 Burglengenfeld |
| WIRmachenDRUCK GmbH | Printer and Lettershop | Germany | Mühlbachstr. 7, 71522 Backnang |
*) A transfer of data to the UK will only occur if the customer explicitly books a campaign for printing & shipping in the UK. In no other case will optilyz transfer personal data of any kind to the UK without the prior consent of the customer.
Content Delivery Networks
As explained above, optilyz’s services may use content delivery networks (“CDNs”) to provide the services, for security purposes, and to optimize content delivery. CDNs do not have access to Service Data but are commonly used systems of distributed services that deliver content based on the geographic location of the individual accessing the content and the origin of the content provider. Website content served to website visitors and domain name information may be stored with a CDN to expedite transmission, and information transmitted across a CDN may be accessed by that CDN to enable its functions. The following describes use of CDNs by optilyz’s Services.
| CDN Provider | Services using CDN | CDN location | Description of CDN Services |
|---|---|---|---|
| Amazon Web Services, Inc. | All optilyz Services | Global | Public website content served to website visitors may be stored with Amazon Web Services, Inc., and transmitted by Amazon Web Services, Inc., to website visitors, to expedite transmission. |