Quanos

General Terms and Conditions

Software as a Service

TABLE OF CONTENTS

  1. Scope of application
  2. Offers; Conclusion of contract; Subcontractors
  3. Making available of software as a service
  4. Availability of Services
  5. Support
  6. IT-Services
  7. Obligations of the Customer
  8. Test system
  9. Fees and terms of payment
  10. Liability
  11. Suspension
  12. Confidentiality; reference Customer; data; data protection
  13. Beta versions
  14. Customer Data on termination of contract
  15. Miscellaneous

1 SCOPE OF APPLICATION

1.1 Subject matter of the contract. These General Terms and Conditions (hereinafter referred to as "GTC") apply to all services of Quanos Solutions GmbH (hereinafter referred to as "Quanos") in connection with the provision of software for access via the Internet as well as related support services and IT services. IT services within the meaning of these GTC are in particular configuration, customizing, and IT consulting.

1.2 Terms and conditions of the Customer. Conflicting or additional terms and conditions of the Customer only apply if Quanos expressly confirms their validity in writing.

1.3 Future transactions. In the case of ongoing business relationships, the following terms and conditions shall also apply to all future mutual transactions between the parties.

1.4 B2B. Quanos offers services exclusively to entrepreneurs within the meaning of § 14 German Civil Code (Bürgerliches Gesetzbuch, BGB).


2 OFFERS; CONCLUSION OF CONTRACT; SUBCONTRACTORS 

2.1 Conclusion of contract. A contract is concluded upon acceptance of the offer submitted by Quanos to the Customer, but at the latest upon acceptance of the delivery or use of the services ("Individual Contract").

2.2 Order of precedence. If these GTC and an Individual Contract contain different provisions on the same subject matter, the provision in the Individual Contract shall take precedence.

2.3 Subcontractors. Quanos is entitled to provide the contractually owed services through qualified subcontractors.


3 MAKING AVAILABLE OF SOFTWARE AS A SERVICE

3.1 Provision of Services. Quanos provides the software to the Customer subject to the availability specified in Section 4 of these General Terms and Conditions on a central data processing system or several data processing systems (hereinafter "Server", also in the case of several servers) for access via an Internet connection (hereinafter, including the storage space in accordance with Section 3.2, "Services"). In no event shall the Customer obtain a copy of the software for on premise use. 

3.2 Provision of storage space. Subject to the availability specified in Section 4 of these GTC, Quanos shall provide storage space on the Server for the data uploaded to the Server by authorized users (hereinafter referred to as "Customer Data") during the term of the contract.

3.3 Term. The Customer's entitlement to use the Services (hereinafter "Service Term") begins when the Services are made available and accessible on the Server. Unless otherwise specified in the Individual Contract, the Service Term ends after one year as of the start of the Service Term (hereinafter "Initial Term"). The Service Term automatically renews by terms of one year each (hereinafter "Renewal Term(s)") if it is not terminated in writing by one of the parties at least 3 months before the end of the respective term. The contractual rights of termination granted to the parties and the right of each party to terminate for good cause remain unaffected.

3.4 Users. Unless otherwise agreed between the parties, the Customer shall be entitled to make the Services available to its own employees and third parties, insofar as they work for and on behalf of the Customer, in accordance with these GTC and the authorization concept agreed in the Individual Contract. The users authorized per authorization concept are determined in accordance with Exhibit 1 to these GTC.

3.5 End users. The Customer is entitled to make the content generated by or on behalf of the Customer on the Server with the software available to employees of the Customer and third parties (hereinafter collectively referred to as "End Users"). If the number of End Users is limited in accordance with the Individual Contract, the number of End Users to whom the content is made available during the Service Term may not exceed the contractually agreed maximum number of End Users.

3.6 Handover. The handover of the Services takes place at the technical point of transmission of the data center where the Server is located. The Customer is responsible for the Internet connection between the Customer and the data center and the hardware and software required for such connection (e.g. PC, network connection) as well as the configuration of the Customer's IT environment required for access to the Services (e.g. firewall settings).

3.7 Customer Data. The Customer grants Quanos the non-exclusive right to use the Customer Data to fulfill Quanos' obligations under this contract, in particular to reproduce such Customer Data itself or through a subcontractor for the purpose of providing the Services on the Server and making the Services accessible to authorized End Users.

3.8 Further development. The software is continuously being developed. However, the basic functions always remain the same. Notwithstanding the above, Quanos is free to add functions to the Services at any time or to remove functions that are no longer useful, taking into account the interests of the Customer.


4 AVAILABILITY OF SERVICES

Quanos provides an availability of the Services of 99.5% per calendar month in relation to the transfer point specified in Section 3.6 of these GTC. Such availability is calculated as follows:

Excluded from availability are the total number of minutes per month attributable to the following ("Excluded Downtime"): (i) announced maintenance work, (ii) downtime due to circumstances for which the Customer is responsible, and (iii) periods of unavailability due to factors beyond Quanos' control, such as unforeseeable events that cannot be prevented even by exercising reasonable care.


5 SUPPORT

During the Service Term, Quanos provides support to rectify errors in the software in accordance with the Quanos Support Policy applicable to the software, which can be viewed at the URL quanos.com/agb.


6 IT SERVICES

6.1 Obligations of Quanos. If the Customer purchases IT services from Quanos, Quanos provides the services specified in the Individual Contract. Quanos does not owe any additional services. Quanos will provide the agreed services according to the assured state of the art and in accordance with the service description and by using professional know-how. Quanos is entitled to replace employees with other qualified employees or service providers at any time. Unless expressly stipulated otherwise in Individual Contracts, Quanos is not obliged to achieve specific results.

6.2 Obligations of the Customer to cooperate. The Customer shall provide the cooperation services agreed in the Individual Contract (e.g. provision of infrastructure, personnel, hardware, documents, organizational support). Unless otherwise stipulated in the Individual Contract, the Customer's personnel will be available to respond to Quanos' inquiries within one working day. Quanos may request the replacement of employees of the Customer who are involved if the employee to be replaced is not qualified or willing to cooperate. The Customer is responsible for the practical implementation of the services owed, even if the Customer and Quanos jointly draw up a plan for the practical implementation of such services.

6.3 Deadlines. If Individual Contracts provide for specific deadlines for the provision of contractually owed services or specific parts thereof (milestones), these deadlines are only estimated dates and are not binding unless they are expressly marked as binding.

6.4 Delivery; acceptance. Work results owed by Quanos are delivered by Quanos in accordance with the contractual service description and, in the case of work results ready for acceptance, are inspected and accepted by the Customer in accordance with the contractually agreed criteria and tests. The Customer shall immediately inform Quanos in writing of any defects discovered in the acceptance test, including a reasonably detailed specification of the nature and conditions of these defects ("Defect Report"). The work results are deemed to have been accepted if no Defect Report is received by Quanos within 4 weeks of delivery.

6.5 Rights to work results. Quanos and its licensors remain the owners of all rights to the work results owed by Quanos as part of the provision of IT services. Unless otherwise agreed in Individual Contracts, the Customer receives a worldwide, non-exclusive right to use the work results in accordance with its intended purpose. If work results are integrated into the Services provided to the Customer, the same rights of use apply to the work results as to the software otherwise made available.  


7 OBLIGATIONS OF THE CUSTOMER

7.1 Compliance with data protection laws. When using the Services, the Customer shall comply with the applicable data protection laws, in particular obtain the necessary consent of the persons concerned, insofar as the Customer collects, processes or uses personal data when using the Service and no other legal basis for processing such data applies.

7.2 Protection of third-party rights. The Customer shall ensure that it observes all third-party rights to the content used by the Customer (e.g. when transmitting third-party texts/data to the Server).

7.3 Virus protection. Before sending Customer Data to the Server, the Customer shall check it for viruses and use state-of-the-art virus protection programs.

7.4 No improper use. The Customer shall not use the Services improperly or allow them to be used improperly, and in particular shall not use on the Server any illegal or immoral content and/or content that serves to incite hatred, incites criminal acts or glorifies or trivializes violence, is sexually offensive or pornographic, is capable of seriously endangering the morals of children or young people or impairing their well-being or can damage the reputation of Quanos, and shall not refer to such content.

7.5 Protection against unauthorized access. The Customer shall take reasonable precautions to prevent unauthorized access to the Services, in particular to protect the Services from unauthorized use. The Customer is obliged to keep user IDs and passwords secret and not to make them accessible to unauthorized third parties. The Customer must expressly ensure that End Users comply with these conditions.

7.6 Duty to inform in the event of infringement of property rights. The Customer shall inform Quanos immediately as soon as the Customer becomes aware of the infringement of an industrial property right or copyright to the software or the Services or the disclosure of user IDs or passwords to unauthorized users.


8 TEST SYSTEM

In the event that Quanos grants the Customer access to a test system, the Customer is entitled, for the Service Term and in consideration of a separate fee, to access the test system for exclusively non-productive and internal use, and otherwise in accordance with the terms of these GTC.
 

9 FEES AND TERMS OF PAYMENT

9.1 Remuneration for Services and support. The Customer shall pay Quanos the agreed monthly fee for the Services and support. The remuneration for the Initial Term is due for payment in advance within 30 days of receipt of the invoice. The fee for Renewal Terms is due for payment in advance before the start of each contract year.

9.2 Remuneration if usage parameters are exceeded. The remuneration described in Section 9.1 includes the fee in compliance with the usage parameters agreed in the Individual Contract, e.g. a contractually agreed data volume. If the usage parameters are exceeded, the Customer shall pay Quanos the additional fees agreed between the parties. If usage parameters are exceeded, Quanos will invoice the additional fee at the end of the Initial Term or the Renewal Term, as applicable. Quanos will send a list of the calculated usage parameters with the invoice. The additional fee is due for payment within 30 days of receipt of the invoice.   

9.3 Price adjustment. Quanos is entitled to adjust the amount of the fees specified in Sections 9.1 and 9.2 annually. In the event of an adjustment, Quanos will take into account cost changes that have occurred in the meantime in the area of wages and salaries and the costs of purchasing IT services. An adjustment becomes effective on the date specified by Quanos, but at the earliest one month after receipt of the notification of the adjustment to the Customer. In the event of an increase in remuneration of more than 5% in each case, the Customer may terminate the relevant Individual Contract extraordinarily with effect from the date on which the increase takes effect. The termination must be declared in writing immediately after receipt of the notification of the increase.

9.4 Remuneration for IT services. The following conditions apply to the provision of IT services:

9.4.1 If the remuneration is calculated on a time and material basis, Quanos will invoice the Customer at the end of the month for the work performed in the month at the agreed hourly or daily rates. Less than full hours will be invoiced pro rata per 15 minutes or part thereof.   

9.4.2 If the parties agree on a lump sum remuneration, Quanos is entitled to charge the Customer advance payments in the amount of the value of the services rendered by Quanos and owed under the contract.

9.5 Costs (IT Services). Unless otherwise agreed, the Customer shall bear the material costs, travel costs and expenses incurred by Quanos in connection with the provision of IT services. Travel costs and expenses are charged according to actual expenditure and at flat-rate expense rates in accordance with the applicable statutory regulations. Travel time is charged at the same hourly rate as working time. If, in individual cases, services are not charged at hourly rates, an appropriate hourly rate shall apply.

9.6 Net prices. All prices are net prices plus the applicable statutory VAT.

9.7 Offsetting; retention. Offsetting or retention is only permitted on the basis of undisputed or legally established counterclaims of the Customer.


10 LIABILITY 

10.1 Exclusion of strict liability for damages. Quanos' strict liability for damages for defects in the Services already existing at the start of the contract is excluded. Otherwise, Quanos' liability for damages, including liability for defects in the Services, is governed by statutory laws, modified by the following provisions of this Section 10.

10.2 Intent and gross negligence. Quanos is liable without limitation for damage caused intentionally or through gross negligence.

10.3 Slight negligence. In the event of a slightly negligent breach of a primary performance obligation or a secondary obligation, the breach of which jeopardizes the achievement of the purpose of the contract or the fulfilment of which is essential for the proper execution of the contract and on the observance of which the Customer could rely (hereinafter "Essential Secondary Obligation"), the liability of Quanos is limited to damages foreseeable at the time of conclusion of the contract and typical for the contract. Quanos is not liable for slightly negligent breaches of secondary obligations that do not belong to the Essential Secondary Obligations.

10.4 Mandatory statutory liability. The above exclusions and limitations of liability in this Section 10 do not affect Quanos' liability for a guarantee of quality, for fraud, for damages resulting from injury to life, body and health and for product defects in accordance with the Product Liability Act. This does not imply a change in the burden of proof to the detriment of the Customer.

10.5 Beneficiaries. Insofar as liability is excluded or limited in accordance with this Section 10, this also applies to the personal liability of Quanos' employees, staff, representatives and vicarious agents.


11 SUSPENSION

Quanos is entitled to suspend access to the Services temporarily or permanently if there are concrete indications that the Customer is in breach of these GTC, the contract and/or applicable law or if Quanos has another legitimate interest in suspending access. Quanos will take appropriate account of the Customer's legitimate interests when deciding whether to suspend the Service.
 

12 CONFIDENTIALITY; REFERENCE CUSTOMER; DATA; DATA PROTECTION

12.1 Confidentiality. The parties undertake to maintain the strictest confidentiality about all confidential processes, including know-how and trade and business secrets, of the other party that come to their knowledge in the course of the execution of the contract and not to pass them on or use them in any other way. This applies to any unauthorized third parties, unless the disclosure of information is necessary for the proper execution of the contract.

12.2 Reference. However, Quanos is entitled to use the Customer's name and logo on the Quanos website, in financial reports, press releases and brochures and on Customer lists to indicate that the Customer is a customer of Quanos.

12.3 Use of derivative data. Quanos is entitled to use derivative data to expand and improve the functionalities of the Services. For this purpose, Quanos may aggregate Customer Data with data from other Customers, provided that the aggregated data (i) cannot be identified as (part of) the Customer's data; (ii) cannot be used as a source to identify the Customer; and (iii) is not personal data.

12.4 Compliance with data protection. Insofar as the Customer commissions Quanos to collect, process and use personal data or Quanos receives access to personal data used by the Customer on the occasion of the execution of the contract, Quanos undertakes to process and use this data only in accordance with the provisions of data protection law, in particular those of the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) and the General Data Protection Regulation (GDPR).

12.5 Order processing. Quanos processes all personal data transmitted by the Customer to the Server or entered on the Server on behalf of the Customer. The Data Processing Agreement in accordance with Exhibit 2 of these GTC applies between the parties (Art. 28 para. 3 GDPR).


13 BETA VERSIONS

Quanos may, at its own discretion, make "beta features" available to the Customer, i.e. functions within the scope of testing a trial version, "as is". Beta features are not part of the Services and support. The use of beta features is limited to use for test purposes; the use of beta features in productive operation is not permitted. The Customer may decide at its own discretion whether to use beta features made available to the Customer. The use of beta features is free of charge. Liability for beta features is excluded with the exception of liability for intent.


14 CUSTOMER DATA ON TERMINATION OF CONTRACT

Upon termination of the contract, Quanos will store the Customer Data stored on the Server for 14 days from the date of termination of the contract in a standard format and make it available to the Customer for download at the Customer's request. The Customer's request must be made in text form. After this period has expired, Quanos will delete any Customer Data still on the Server. Data protection claims of the Customer remain unaffected by this.


15 MISCELLANEOUS 

15.1 Severability clause. Should individual provisions of the contract be or become invalid in whole or in part, this shall not affect the validity of the remaining provisions. In this case, the parties undertake to replace the invalid provision with a valid provision that comes as close as possible to the economic purpose of the invalid provision. The same applies to any loopholes in the contract.

15.2 Transfer. Quanos is entitled to transfer the contract to a company affiliated with Quanos in accordance with §§ 15 et seq. German Stock Corporation Act (Aktiengesetz, AktG) and to an acquirer of the part of the company relating to the subject matter of the contract. The Customer hereby agrees to such a transfer of the contract.

15.3 Reservation of right of amendment. During the term of the contract, Quanos may amend the GTC in order to (1) adapt the GTC to new statutory requirements or a change in higher or supreme court rulings, (2) eliminate doubts as to interpretation or (3) adapt the GTC to changed technological developments or market conditions. Quanos shall inform the Customer of such changes to these GTC in text form at least 4 weeks before the change comes into effect. If the Customer does not object to an amendment within 4 weeks of receipt of the notification, the amendments are deemed to have been effectively agreed. Quanos will inform the Customer separately of the right of objection and the consequences of remaining silent when informing the Customer of the change.

15.4 Place of jurisdiction. The exclusive place of jurisdiction for all disputes arising from or in connection with the contract is Nuremberg. Quanos is also entitled to take legal action at the Customer's place of business or another competent court.

15.5 Applicable law. The law of the Federal Republic of Germany shall apply, with the exception of its provisions on the choice of law, which would lead to the application of another legal system. The application of the CISG ("UN Convention on Contracts for the International Sale of Goods") is excluded.

 

Version July 2024

 

Exhibit 1 - Authorized Users per SaaS Authorization Concept
 

1. Named User

If the Customer acquires a license limited to the number of named users ("Named User"), the Customer is entitled to make the Services available to its employees and third parties, who are each named in an environment technically provided by Quanos for this purpose, in accordance with these GTC and the contract for use for the Customer's purposes, provided that the number of named users accessing the Services at the same time does not exceed the contractually agreed maximum number of users.
 

2. Monthly Active User

If the Customer acquires a license limited to the number of monthly active users ("Monthly Active User"), the Customer is entitled to make the Services accessible to the Customer's employees and third parties, who are each named in an environment technically provided for this purpose by Quanos, in accordance with these GTC and the contract, provided that the number of named users who use the software during a calendar month does not exceed the contractually agreed maximum number of users per calendar month.
 

3. Concurrent User 

If the Customer acquires a license limited to the number of unnamed users ("Concurrent User"), the Customer is entitled to make the Services available to its employees and third parties in accordance with these GTC and the contract for use for the Customer's purposes, provided that the number of users accessing the Services at the same time does not exceed the contractually agreed maximum number of users.

 

Exhibit 2 – Data Processing Agreement (Art. 28 para. 3 GDPR)
 

1 Subject matter of the Agreement and order

1.1 The subject matter of the Agreement results from the agreement concluded between the parties on the making available of software for access via the Internet (SaaS) and the provision of support and/or IT services by Quanos Solutions GmbH (hereinafter "Processor") to the Customer, to which reference is made here (hereinafter "Main Agreement"). This Data Processing Agreement (the "Agreement") applies to all activities related to data processing in the provision of services under the Main Agreement and in which the Processor may come into contact with personal data transmitted or disclosed to the Processor by the Customer.

1.2 The type of data processed, the categories of data subjects and the nature and purpose of the collection, processing and use of personal data by the Processor for the Customer are set out in detail in Annex 1 to this Agreement.

1.3 Unless expressly stipulated otherwise in this Agreement, the provision of the contractually agreed data processing shall take place exclusively in Germany, a member state of the European Union (EU) or in another state party to the Agreement on the European Economic Area (EEA). Any transfer to a third country may only take place if the special requirements of Art. 44 et seq. GDPR are met.


2 Technical and organizational measures

2.1 The Processor must establish security in accordance with Art. 28 para. 3 lit. c, 32 GDPR, in particular in conjunction with Art. 5 para. 1, para. 2 GDPR. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the type, scope and purposes of the processing as well as the different probability of occurrence and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 para. 1 GDPR must be taken into account. The Processor shall document the individual measures in an action plan in Annex 2.

2.2 The technical and organizational measures are subject to technical progress and further development. In this respect, the Processor is permitted to implement alternative adequate measures. In doing so, the security level of the specified measures must not be undercut. Significant changes must be documented.

2.3 The Processor shall regularly monitor the internal processes and the technical and organizational measures to ensure (i) that the processing in its area of responsibility is carried out in accordance with the requirements of the applicable data protection law and (ii) the protection of the rights of the data subject.
 

3 Correction, restriction and deletion of data; rights of data subjects

3.1 The Processor may not rectify, erase or restrict the processing of data processed on behalf of the Customer without authorization, but only in accordance with documented instructions from the Customer. If a data subject contacts the Processor directly in this regard, the Processor shall forward this request to the Customer without delay.

3.2 The Processor shall support the Customer with suitable technical and organizational measures to ensure the rights of data subjects to be forgotten, rectification, data portability and access. The Processor may claim remuneration for support services that are not owed under the Main Agreement.
 

4 Quality assurance and other obligations of the Processor

4.1 When carrying out the work, the Processor shall only use employees who have been bound to confidentiality. The Processor may only process the data in accordance with the Customer's instructions, including the authorizations granted in this Agreement and in the Main Agreement, unless the Processor is legally obliged to a certain processing. The Customer shall confirm verbal instructions without delay (at least in text form). The Processor must inform the Customer immediately if it is of the opinion that an instruction violates data protection laws. The Processor is entitled to suspend the implementation of the corresponding instruction until it is confirmed or amended by the Customer.

4.2 The Processor shall support the Customer in complying with the personal data security obligations set out in Articles 32-36 GDPR, data breach notification obligations, data protection impact assessments and prior consultations. This includes, among other things:

4.2.1 the obligation to report personal data breaches to the Customer without delay,

4.2.2 the obligation to support the Customer in the context of its duty to inform the data subjects and to provide the Customer with all relevant information in this context without delay,

4.2.3 supporting the Customer in its data protection impact assessment,

4.2.4 supporting the Customer in the context of prior consultation with the supervisory authority.

4.3 The Processor may claim remuneration for support services that are not included in the service description of the Main Agreement or are attributable to misconduct on the part of the Customer.
 

5 Subcontracting relationships

5.1 Subcontracting relationships within the meaning of this provision are those services that are directly related to the provision of the main service. This does not include ancillary services which the Processor uses, such as, for example, telecommunications services, postal/transport services, maintenance and user service or the disposal of data carriers as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, the Processor is obliged to enter into appropriate and legally compliant contractual agreements and to take control measures to ensure data protection and the security of the Customer's data, even in the case of outsourced ancillary services.

5.2 The Processor is entitled to engage subcontractors, provided that it concludes an agreement with the subcontractor in accordance with Art. 28 (4) GDPR and, if the subcontractor is located in a third country, the requirements of Art. 44 et seq. GDPR are met.

5.3 Subject to the condition set out in Section 5.2, the Customer hereby authorizes the Processor to engage the companies listed in Annex 3 as subcontractors.

5.4 The Processor shall inform the Customer in advance of any intended change with regard to the involvement or replacement of other processors. The Customer may object to this change vis-à-vis the Processor within 14 days of receipt of the information by the Customer. If no objection is made within this period, consent to the change shall be deemed to have been given. An objection may not be made without the interests of the Customer outweighing those of the Processor.
 

6 Audit rights of the Customer

6.1 The Customer shall have the right to carry out audits in consultation with the Processor or to have them carried out by auditors to be named in each individual case. The Customer shall have the right to convince itself of the Processor's compliance with this Agreement in its business operations by means of spot checks, which must generally be notified in good time.

6.2 The Processor shall ensure that the Customer can convince itself of the Processor's compliance with its obligations under Art. 28 GDPR. The Processor undertakes to provide the Customer with the necessary information upon request and, in particular, to provide evidence of the implementation of the technical and organizational measures.

6.3 Proof of such measures, which do not only concern the specific order, can be provided by

6.3.1 compliance with approved codes of conduct pursuant to Art. 40 GDPR,

6.3.2 certification in accordance with an approved certification procedure pursuant to Art. 42 GDPR,

6.3.3 current certificates, reports or report extracts from independent bodies (e.g. auditors, internal audit, data protection officer, IT security department, data protection auditor, quality audit),

6.3.4 suitable certification through an IT security or data protection audit (e.g. in accordance with BSI basic protection or ISO/IEC 27001).

6.4 The Processor may claim remuneration for enabling the Customer to carry out audits.
 

7 Deletion and return of personal data

7.1 Copies or duplicates of the data shall not be created without the knowledge of the Customer. Excluded from this are backup copies, insofar as they are necessary to ensure proper data processing, as well as the storage of data that is necessary with regard to compliance with statutory retention obligations.

7.2 After completion of the contractually agreed activities or earlier at the request of the Customer - at the latest upon termination of the Main Agreement - the Processor shall hand over to the Customer all documents, processing and usage results and data pertaining to the contractual relationship that have come into its possession or, with prior consent, destroy them in accordance with data protection regulations. The deletion log shall be presented upon request. The obligations of the Processor under this Section 7.2 shall not apply if there is an obligation to store the personal data under Union law or the law of the Member States of the EU.

7.3 Documentation that serves as proof of data processing in accordance with the Agreement shall be retained by the Processor beyond the end of the Agreement in accordance with the respective retention periods. The Processor may hand them over to the Customer at the end of the Agreement in order to discharge the Processor.
 

8 Order duration, termination

8.1 The term of this Agreement corresponds to the term of the Main Agreement and also includes the period after the end of the Main Agreement until the complete return or deletion of the data provided to the Processor by the Customer in connection with the performance of the Main Agreement. The right of either party to terminate the Agreement for good cause remains unaffected.
 

9 Miscellaneous

9.1 The Agreement shall be governed by German law to the exclusion of the rules of private international law which would lead to the application of a different law.

9.2 The exclusive place of jurisdiction for all disputes arising from or in connection with the Agreement is Nuremberg. The Processor shall also be entitled to take legal action at the Customer's registered office or any other competent court.

9.3 No verbal collateral agreements have been made.

9.4 Should individual provisions of the Agreement be or become invalid in whole or in part, this shall not affect the validity of the remaining provisions. In this case, the parties undertake to replace the invalid provision with a valid provision that comes as close as possible to the economic purpose of the invalid provision. The same applies to any gaps in the Agreement.

 

Attachments:

Annex 1: Nature and purpose of the processing, subject matter of the processing, type of data, categories of data subjects 

Annex 2: Technical and organizational measures

Annex 3: Subcontracting relationships

Annex 1 - Nature and purpose of the processing, subject matter of the processing, type of data, categories of data subjects
 

Data subjects and categories of data subjects

In particular:

  • Users of the service (in particular employees of the Customer)
  • Employees of the Customer's business partners

Type of data or data categories

  • Contact details
  • Data on the use of the software (log data)

Recipient of data

Processor and subprocessors

Nature and purpose of processing

Provision of software for access via the Internet (SaaS); IT services, support services

Annex 2 - Technical and organizational measures
 

If personal data is processed by automated means or used, the internal organization must be designed in such a way that it meets the specific requirements of data protection. In particular, measures shall be taken that are suitable depending on the type of personal data or data categories to be protected. The Processor shall ensure that the following measures are implemented:

1 CONFIDENTIALITY (ART. 32 PARA. 1 LIT. B GDPR)

1.1 Physical access control (Zutrittskontrolle)

Measures to prevent unauthorized persons from gaining physical access to data processing systems

  • Key management for employees; regulated access to offices
  • Defined access authorizations for the server room
  • Regulations for visitors and maintenance personnel

1.2 System access control (Zugangskontrolle)

Measures to prevent data processing systems from being used by unauthorized persons

  • Regulation of access to the data processing systems via a user and authorization concept ("least privilege principle")
  • Assignment of personalized user accounts subject to a password policy (minimum length 10 characters, complexity requirements, regular changes)
  • Account lockout after ten incorrect login attempts
  • Locking of workstations when the user leaves (automatically after 15 minutes of inactivity or manually; a password is required to unlock)
  • Documentation and secure storage of administrator accesses
  • Logging of log-on and log-off processes
  • Use of firewall (incl. intrusion prevention system), spam filter and antivirus software
  • Encryption of mobile data carriers/smartphones
  • Multi-factor authentication

1.3 Data access control (Zugriffskontrolle)

Measures to prevent unauthorized reading, copying, modification or removal of data within the system

  • Assignment of access rights according to user groups
  • Authorization concepts and needs-based access rights ("least privilege principle")
  • Annual review of access controls
  • Destruction of written documents that are no longer required in accordance with DIN 66399 security level P3 (paper)
  • Non-reversible deletion/destruction of electronic data carriers after decommissioning

1.4 Separation control

Measures for the separate processing of data collected for different purposes

  • Multi-Customer capable IT systems
  • Separation of development and production environment
  • Access authorizations according to functional responsibility

1.5 Pseudonymization (Art. 32 para. 1 lit. a GDPR; Art. 25 para. 1 GDPR)

The processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures.

  • Not relevant to the order


2 INTEGRITY (ART. 32 PARA. 1 LIT. B GDPR)

2.1 Transfer control

Measures to prevent unauthorized reading, copying, modification or removal during electronic transmission or transport

  • Electronic transfer of data using the means available to the Customer
  • Remote maintenance concept
  • Logging of data transmission or data transport
  • Encrypted data connections (VPN, SFTP, HTTPS)

2.2 Input control

Determining whether and by whom personal data has been entered, modified or removed from data processing systems

  • Regulation of organizational responsibilities
  • System logging
  • Regulation of access authorizations to log data


3 AVAILABILITY AND RESILIENCE (ART. 32 PARA. 1 LIT. B GDPR)

3.1 Availability control

Measures to protect against accidental or willful destruction or loss

  • Redundant data storage (e.g. RAID)
  • Backup Internet connection
  • Uninterruptible power supply (UPS)
  • Fire extinguishers/fire alarms
  • Backup strategy
  • Secure storage for backup media (e.g. fireproof/burglar-proof safe)
  • Regular installation of security updates
  • Air-conditioned server room
  • Reporting channels and emergency plans
  • Rapid recoverability (Art. 32 para. 1 lit. c GDPR)
  • Cloud services


4 PROCEDURES FOR REGULAR REVIEW, ASSESSMENT AND EVALUATION (ART. 32 PARA. 1 LIT. D GDPR; ART. 25 PARA. 1 GDPR)

4.1 Data protection management

Measures to ensure that an organization is in place that meets the basic requirements of data protection law

  • Guidelines/instructions to ensure technical and organizational measures for data security
  • Appointment of a data protection officer
  • Obligation to maintain employee confidentiality (data secrecy)
  • Adequate training of employees in data protection matters
  • Maintaining an overview of processing activities (Art. 30 GDPR)
  • Carrying out data protection impact assessments, where necessary (Art. 35 GDPR)
  • Periodic review by data protection officer

4.2 Incident response management

Measures to ensure that a reporting process is triggered in the event of data protection breaches

  • Reporting process for contract and data protection breaches to the Customer in accordance with Art. 28 para. 3 sentence 3 and Art. 33 and Art. 34 GDPR
  • Reporting process for personal data breaches (Art. 4 No. 12 GDPR) to the supervisory authorities
  • Support for Customers in reporting personal data breaches (Art. 4 No. 12 GDPR) to the supervisory authorities (Art. 33 GDPR)

4.3 Privacy-friendly default settings

Measures to ensure that as little data as possible is collected, stored and shared from the outset

  • Data protection-friendly technology design ("privacy by design")
  • Data protection-friendly default settings ("privacy by default")

4.4 Order control

Measures to ensure that personal data is only processed in accordance with the Customer's instructions

  • Sub-processors with written data protection agreements in accordance with Art. 28 GDPR
  • Agreement on order processing with regulations on the rights and obligations of the Processor and Customer
  • Designation of contact persons and/or responsible employees
  • Obligation of employees to maintain data secrecy
  • Formalized order management
  • Standardized contract management for monitoring service providers

 

Annex 3 - Subcontracting relationships

Subcontractor incl. address, followed by the service description:

  • PlusServer GmbH, Hohenzollernring 72, 50672 Cologne, Germany: server hosting
  • Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany: server hosting
  • IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany: server hosting
  • noris network AG, Thomas-Mann-Straße 16-20, 90471 Nuremberg, Germany: server hosting
  • TeamViewer AG, Bahnhofsplatz 2, 73033 Göppingen, Germany: software for remote maintenance
  • Host Europe GmbH, Hansestrasse 111, 51149 Cologne, Germany: hosting of prototype catalogs, hosting of the partner portal, hosting of the FTP server
  • Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg: server hosting
  • Okta, Inc (Auth0), 100 First Street, San Francisco, CA 94105, USA: identity management
  • Atlassian Pty Ltd, Level 6, 341 George Street, Sydney, NSW 2000, Australia: support portal, project management