Quanos

Terms and Conditions

Software as a Service | Quanos InfoTwin

Table of contents

  1. Subject Matter
  2. Contract Conclusion
  3. Making Available of the Contractual Software as a Service
  4. Availability of the Services
  5. Support
  6. Subcontractors
  7. The Customer's Obligations
  8. Fees and Payment Terms
  9. Liability
  10. Suspension
  11. Confidentiality; Reference; Customer; Data; Data Protection
  12. Beta Versions
  13. Contractual Term; Termination
  14. Miscellaneous

 


1. Subject Matter

1.1 These Terms and Conditions (hereinafter ’T&Cs’) of Quanos Content Solutions GmbH, Hugo-Junkers-Str. 15-17, 90411 Nuremberg, Germany, apply to all services provided by Quanos Content Solutions GmbH, Hugo-Junkers-Str. 15-17, 90411 Nuremberg, Germany and Quanos Service Solutions GmbH, Landsberger Str. 57, 82266 Inning am Ammersee, Germany in relation to the making available of the contractually agreed version of the software InfoTwin (hereinafter ’Contractual Software’) for access through the internet and support services related thereto, both now and in the future. The contractual partner of the Customer is the company which has submitted an offer to the Customer to conclude the contract (hereinafter ’Quanos’).

1.2 Quanos shall provide the Customer with a technical specification of the Contractual Software prior to conclusion of an agreement. 

1.3 Any deviating or supplementary contractual terms of the Customer shall only apply if expressly agreed to in writing by Quanos. 

 

2. Contract Conclusion

2.1 The agreement shall be concluded upon the Customer's written acceptance of the quote issued by Quanos, but no later than upon the Customer’s use of the Services listed in the quote.

2.2 Quanos solely issues quotes to entrepreneurs as per Section 14 of the German Civil Code [Bürgerliches Gesetzbuch – BGB]. Accordingly, Quanos reserves the right to require the Customer to adequately verify its entrepreneurial activities, e.g. by stating its VAT ID or other relevant documentation, prior to concluding an agreement. All information required to confirm the Customer's status as an entrepreneur must be submitted truthfully and in full by the Customer.

 

3. Making Available of the Contractual Software as a Service

3.1 Subject to the network availability stipulated in Section 4 of these T&Cs, Customer shall have access to the Contractual Software on a server or servers operated by Quanos or a third party authorized by Quanos (hereinafter ‘Server’, also in the case of several servers) to host the Contractual Software (hereinafter ’Services’, including the memory capacity stipulated in Section 3.2 below). In no event shall the Customer obtain a copy of the Contractual Software for on premise use.  

3.2 Subject to the network availability stipulated in Section 4 of these T&Cs, Quanos shall, for the term of the agreement, make available to the Customer memory space for the data uploaded onto the Server by the Customer and its authorised employees (hereinafter ‘Customer Data’). 

3.3 Quanos shall issue a login for the Customer (hereinafter ’Tenant’). To do so, Quanos shall use information provided by the Customer’s identity provider as made available by the Customer to Quanos, and inform the Customer of the URL for its Tenant. Once the Customer has been notified of such Tenant, the Customer shall be able to use the Services.

3.4 The term of Services (hereinafter ’Service Term’) shall begin on the day on which the Services are made accessible to the Customer and the Customer is notified of its Tenant. The Service Term shall end after one year, calculated from the first day of the calendar month following the month in which the Service Term began (hereinafter ’Initial Term’). The Service Term shall automatically renew for additional twelve-month term(s), unless either Party terminates the Services at the end of the then current term by giving two (2) months prior written notice to the other Party (‘Renewal Term(s)’). The termination rights granted to the Parties under these T&Cs and each Party’s right to terminate on legitimate grounds under statutory laws (Kündigung aus wichtigem Grund) shall remain unaffected by the above.

3.5 In the absence of any deviating agreements between the Parties, the Customer reserves the right to grant its employees and third parties that work for or on behalf of the Customer access to the Services in accordance with these T&Cs and the agreement, subject to the proviso that the number of users that use the Services during the Service Term does not exceed the contractually agreed maximum number of users. 

3.6 The Customer may grant its employees and third parties (hereinafter jointly referred to as ’End Users’) access to content it has made available on the Server, provided the number of End Users to whom the content is made available during the Service Term does not exceed the contractually agreed maximum number of End Users.

3.7 The delivery of the Services takes place at the technical point of transmission at the data centre in which the Server is located. The Customer is responsible for maintaining the internet connection between its premises and the data centre, including all hardware and software (e.g. computers, network connection) required in this regard, in addition to the configuration of its IT environment to facilitate access to the Services (e.g. firewall settings). 

3.8 The Customer may use a subdomain held by Quanos (e.g. companyXYZ.infotwin.eu) via the Tenant or be redirected to its own domain. For such use or redirection, the Customer must provide the necessary information to Quanos upon at least 10 working days’ notice prior to activation.

3.9 The Customer grants Quanos the non-exclusive right to use its Customer Data to fulfil its obligations arising from this agreement, particularly to reproduce such Customer Data itself, or to authorise a subcontractor to do so, in order to perform the Services on the Server, and to grant authorised users access to Customer Data. 

3.10 The Contractual Software is updated on an ongoing basis. However, the basic features shall continue to be available. In addition, Quanos is entitled to add features at any time or remove features if, when taking into account the Customer’s interests, they appear no longer useful. 

 

4. Availability of the Services

4.1 The Services are available 99.5% per annum, based on the transfer point stipulated in Section 3.7 of these T&Cs. Such availability is calculated as follows:

[ (Number of minutes per year-Excluded  Downtimes - Downtimes) / (Number of minutes per year- Excluded Downtimes) ] * 100

4.2 The availability stipulated in Section 4.1 does not include the total number of minutes each year that can be attributed to the following (’Excluded Downtimes’’): (i) previously announced maintenance services, (ii) limitations due to category 2, 3 or 4 errors, as listed under Section 5.3, (iii) in the event of category 1 errors, as listed under Section 5.3, the periods of time prior to the receipt of an error notification during regular business hours, (iv) suspension of Services on grounds for which the Customer is responsible, and (v) periods of unavailability due to factors beyond the control of Quanos, e.g. due to unforeseeable events that cannot be prevented, even when applying adequate due diligence.

 

5. Support

5.1 Quanos shall provide support for fixing of Contractual Software errors for the duration of the Service Term. Support services do not cover the following aspects: 

  • Training
  • Customizing the Contractual Software or Services
  • Data imports

5.2 Quanos shall make available to the Customer a support hotline on a website (ticket system). The Customer shall use such support hotline to report any errors to Quanos and cooperate to limit errors. In particular, the Customer shall provide Quanos with verifiable documentation on the type and occurrence of errors and indicate the nature and impact of the errors, and under which circumstances they occurred.

5.3 Quanos provides support services on the Working Days between 9am and 5pm (hereinafter ’Business Hours’). ’Working Day(s)’ within the meaning of these Ts&Cs are Monday to Friday, except for public holidays in the State of Bavaria and except 24/12 and 31/12. Any queries received shall be managed during Business Hours as follows (response time/error resolution time):

Level

Definition

Quanos support

1

Error that stops operations

  • Response time: On the same Working Day the error notification is received during Business Hours.
  • Error resolution time: Quanos will begin troubleshooting within one Working Day and assign employees to the case until the error has been resolved, or a workaround deemed reasonable for the Customer has been achieved.

2

Error that interferes with operations

  • Response time: By the next Working Day after the error notification is received during Business Hours.
  • Error resolution time: Quanos will begin troubleshooting within two Working Days after receipt of the error notification and assign employees to the case until the error has been resolved, or at least a workaround deemed reasonable for the Customer has been achieved.

3

Error that limits operations

  • Response time: Within five Working Days after receipt of the error notification.
  • Error resolution time: Quanos will provide an initial response to the request for further information or clarification within five Working Days of receiving the error notification and include a workaround and program improvements if necessary as part of a subsequent update.

4

Other errors; insignificant errors; minor

errors

These errors cover issues that do not have a decisive impact on the usability of the Contractual Software. These errors are remedied over the course of standard development of the Contractual Software in one of the upcoming updates.

 

An error that stops operations exists when use of the Services is no longer possible due to malfunctions, incorrect work results, inadequate response times or the unavailability of Services.

An error that interferes with operations exists if use of the Services is only strongly restricted and such restriction cannot be remedied by reasonable organisational measures.

An error that limits operations exists if use of the Services is restricted although the error can be compensate by the Customer himself; however, the presence of the error limits operations to an extent that the ongoing existence of the error is not acceptable for the Customer over an extended period.

 

6. Subcontractors

Quanos reserves the right to engage qualified subcontractors for the provision of Services and support. The Customer's rights granted under Art. 28(2) GDPR are not affected thereby.

 

7. The Customer's Obligations

7.1    The Customer shall regularly back up the Customer Data according to their significance and create backup copies outside the Server to facilitate the reconstruction of such Customer Data in the event of its loss.

7.2    The Customer shall adhere to the applicable data protection laws when using the Services, particularly those concerning obtaining required consent from the respective data subjects if the Customer collects, processes or uses personal data when using the Services and no other statutory legal bases apply.

7.3    Furthermore, the Customer shall take care to ensure that it observes all third-party rights to the content it uses (e.g. when transferring third-party content/data to the Server). 

7.4    When setting up a subdomain or Customer domain, the Customer shall not use any terms that infringe third-party industrial property rights.

7.5    Before sending any Customer Data to the Server, the Customer must first scan it for viruses and use antivirus software in line with the current state of technology.

7.6    The Customer is not permitted to use, or to permit the use of, the Services in an improper manner, in particular to use or make reference to illegal or improper content on the Server, or information that promotes sedition, leads to criminal offences or glorifies or trivializes violence, is sexually indecent or pornographic, is suitable to endanger or threaten the wellbeing of children or young people, or which could otherwise harm the reputation of Quanos.

7.7    The Customer shall undertake appropriate measures to prevent unauthorised access to the Services, in particular to protect the Services against unauthorised use. The Customer must keep usernames and passwords secret and protect them against unauthorised third-party access. The Customer shall ensure that authorised users comply with these terms and conditions.

7.8    The Customer shall notify Quanos without undue delay if it learns of an infringement of an industrial property right or copyright to the Contractual Software or Services, or the disclosure of usernames or passwords to unauthorised users.

 

8. Fees and Payment Terms

8.1 The Customer shall pay Quanos the agreed monthly fee for the Services and support. Payment for the Initial Term shall be due in full in advance within 30 days of receipt of the invoice. If the Service Term begins at the middle of a calendar month, use of the Services during such calendar month shall not be billed. The fee for Services and support provided during a Renewal Term is due for payment in advance prior to the start of such Renewal Term. 

8.2 The fee listed under Section 8.1 covers the contractually agreed data volume. If the agreed data volume is exceeded, the Customer shall pay Quanos the additional fees as agreed between the Parties. In the event that the data volume is exceeded, Quanos shall bill the Customer the additional fee at the end of the Initial Term or Renewal Term, as applicable. Quanos shall send a calculation of the data volume along with the invoice. The additional fee is due for payment within 30 days of receipt of the invoice.    

8.3 Quanos reserves the right to adjust the fees listed in Sections 8.1 and 8.2 by a reasonable amount each year. With each adjustment, Quanos shall account for any cost developments in terms of salaries, wages and the cost of purchasing IT services that have occurred in the meantime. Fee adjustments shall enter into effect on the date specified by Quanos, however no sooner than one month after the Customer has been notified of the changes. If the fees are increased by over 5%, the Customer has the right to terminate the agreement. A notice of termination must be submitted in writing without undue delay after the notification of the increase with effect from the date on which the increase takes effect. 

8.4 The prices specified by Quanos are subject to statutory VAT.

8.5 In case of delay of payment, the statutory amount of default interest and the statutory lumpsum payment of EUR 40.00 shall be charged. A EUR 15 charge shall be billed for each chargeback of contractual direct debits for which the Customer is responsible; Quanos reserves the right to prove higher costs were incurred, and the Customer to prove lower costs. If payment is overdue for more than 14 days, Quanos shall be entitled to suspend the Customer's access to the Services until the Customer has met its payment obligations. Quanos reserves any other rights and claims arising from late payment.

 

9. Liability

9.1 With the exception of liability according to Product Liability Law and due to death, physical injury or harm to health, Quanos’ liability is limited or excluded as follows. 

9.2 In the event of negligence, Quanos’ liability is limited to reimbursement of typically foreseeable damages. However, in case of slight negligence (‘einfache Fahrlässigkeit’) Quanos shall only be held liable, if Quanos has breached a duty, the fulfillment of which is necessary to adequately perform this Agreement, and on the fulfillment of which the Customer may rely. 

9.3 Strict liability, regardless of fault, for defects that already existed upon conclusion of the Agreement is excluded, unless such defect constitutes a breach of a guarantee, or Quanos has maliciously concealed the defect.

9.4 The foregoing limitation of liability shall also apply to the personal liability of Quanos’ employees, staff, representatives and vicarious agents.

 

10. Suspension

Quanos is entitled to temporarily or permanently suspend access to the Services if there are legitimate grounds to believe that the Customer has breached these T&Cs, the Agreement and/or the pertinent legislation, or if Quanos has a legitimate interest in suspending the Customer's access. When deciding whether to suspend access, Quanos shall take the Customer’s legitimate interests into consideration.

 

11. Confidentiality; Reference; Customer; Data; Data Protection

11.1 The Parties agree to maintain strict confidentiality on all confidential information, including know how of the other Party, they get to know when performing the agreement, and to neither disclose nor use such confidential information in another manner. This applies towards all unauthorised third parties, provided the disclosure of information is not required for the due performance of the agreement.

11.2 Quanos is nevertheless permitted to use the Customer’s name and logo on its website, in financial reports, press releases, marketing materials and in customer lists to show that the Customer is a customer of Quanos. 

11.3 Furthermore, Quanos reserves the right to use derivative data to expand and improve the functionality of its services. To this end, Quanos may aggregate the Customer Data with data from other Customers subject to the proviso that the aggregated data (i) cannot be identified as (partially) being the Customer’s data, (ii) cannot be used as a source to identify the Customer and (iii) does not involve personal data.

11.4 If the Customer appoints Quanos to collect, process or use personal data, or Quanos is granted access to personal data used by the Customer in order to perform its contractual obligations, Quanos shall be required to solely process and use this data in compliance with data protection regulations, in particular those stipulated in the German Federal Data Protection Act (BDSG) and the General Data Protection Regulation (GDPR).

11.5 The Customer shall provide Quanos with information on all relevant facts Quanos needs to know for reasons of data protection or secrecy.

11.6 Quanos shall process all personal data transmitted by the Customer to the Server or entered on the Server by the Customer on behalf of the Customer. The contractual terms on contracted data processing as per Annex 1 to these T&Cs apply between the Parties (Art. 28(3) GDPR.

 

12. Beta Versions

At its own discretion, Quanos may provide the Customer with access to beta features, i.e. features included to test a test version as is. Beta features are not included in the Services and support. The use of beta features is limited to use for test purposes; the use of beta features in a production environment is not permitted. The Customer may at its own discretion decide whether to use the beta features it has been granted access to. The use of beta features does not incur any fees. Liability for beta features is excluded, with the exception of liability for intent.

 

13. Contractual Term; Termination

13.1 Subject to Section 8.3 and the following terms of this Section 13, termination prior to the end of the Service Term is not permitted. The statutory right of both Parties to terminate without notice in the presence of legitimate grounds (Kündigung aus wichtigem Grund) remains unaffected.

13.2 Subject to Section 112 of the Insolvency Code [Insolvenzordnung – InsO], Quanos may terminate on legitimate grounds without notice, particularly if

13.2.1 the Customer is late in payment amounting to the pro rata fee for two months over a period that exceeds one month;

13.2.2 the Customer's financial situation significantly worsens or may worsen, jeopardising its ability to pay the fee or comply with any other material obligations towards Quanos, in particular if the Customer not only temporarily ceases payment, but is unable to pay, insolvent or enforcement measures are taken against its assets, or;

13.2.3 the Customer fails to immediately cease a violation of essential contractual duties and hereby substantially infringes the rights of Quanos. No written warning is necessary if it is evident it would not result in success, or if certain circumstances exist that justify immediate termination in consideration of the interests of both Parties.

13.3 The right of the Parties to cancel on other legitimate grounds remains unaffected.

13.4 Terminations require the written form.

13.5 If the agreement is terminated by Quanos on legitimate grounds for which the Customer is responsible, Quanos shall be entitled to seek payment of any overdue gross payments and other amounts to cover net payments due for the remainder of the agreed contractual term. The crediting of saved interest, other saved expenses and other benefits gained from termination shall be governed by the respective statutory provisions. All payments due to Quanos shall be payable upon receipt of the notice of termination. Quanos reserves the right to claim any other damages under this agreement and / or applicable laws.

13.6 Upon termination or expiration of the agreement, Quanos shall keep the Customer’s data stored on the Server available for the Customer to download in a standard format (e.g. CSV file) for a 14-day period after the expiration or termination date. Once this period ends, Quanos shall delete all of the Customer Data stored on the Server. Claims to which the Customer is entitled under data protection laws shall remain unaffected hereby.

 

14. Miscellaneous

14.1 Quanos may assign the agreement, including the contract on commissioned processing (Annex 1), to any of its affiliate enterprises as per Section 15 et seq. of the German Stock Corporation Act [Aktiengesetz – AktG] by notifying the Customer of such assignment. The Customer hereby consents to any such assignment. 

14.2 This agreement is governed by the laws of the Federal Republic of Germany to the exclusion of the rules of private international law, which would result in the applicability of another jurisdiction. 

14.3 The legal venue for all disputes arising from or in connection with this agreement is Nuremberg. Quanos also reserves the right to file a lawsuit at the Customer's place of domicile or another competent court.

14.4 There are no verbal ancillary agreements between the Parties. 

14.5 Quanos shall inform the Customer of any changes to these T&Cs in writing upon at least 4 weeks notice prior to them coming into effect. If the Customer fails to object to a change within 4 weeks after receiving the respective notification, the change shall be deemed effectively agreed. Quanos shall inform the Customer of its right to object and the consequences of failing to lodge an objection when it notifies the Customer of such changes.

14.6 In the event that individual clauses are deemed invalid or found to be void after conclusion of the agreement, in full or in part, this shall not affect the validity of the remaining provisions. In this case, the Parties undertake to replace the invalid provision by a valid provision which comes as close as possible to fulfilling the economic purpose of the invalid provision. The same applies to any loopholes found in the agreement.

 

October 2022

Annex 1 - Data Processing Agreement

1. SUBJECT OF THE CONTRACT AND CONTENTS OF THE ORDER

1.1.  The subject matter of the contract is derived from the agreement concluded between the parties on the provision of software for access via the Internet (SaaS) and/or the provision of maintenance, support, and/or IT services by Quanos (hereinafter “Contractor”) to the Client (hereinafter “Client”), to which reference is made herein (hereinafter “Main Contract”). This contract for data processing (the “Contract”) shall apply to all activities related to data processing in the provision of services pursuant to the Main Contract and during which the Contractor may come into contact with personal data transmitted or disclosed to the Contractor by the Client.

1.2. The type of data processed, the categories of data subjects and the type and purpose of the collection, processing, and use of personal data by the Contractor for the Client are specified in detail in Annex 1 to this Contract.

1.3. Unless expressly stated otherwise in this Contract, provision of the contractually agreed data processing takes place exclusively in Germany, a European Union (EU) Member State, or another country party to the Agreement on the European Economic Area (EEA). Any transfer to a third country shall only take place if the special requirements of Art. 44 et seq. GDPR are fulfilled.

2. TECHNICAL AND ORGANIZATIONAL MEASURES

2.1. The Contractor shall establish security in accordance with Art. 28 Para. 3, lit. c, 32 GDPR, in particular in connection with Art. 5 Para. 1 and Para. 2 GDPR. As a whole, the measures to be executed are measures for data protection and measures to guarantee a protection level appropriate to the risk in terms of confidentiality, integrity, availability, and capacity of the systems. The state of the art, the implementation costs, and the type, scope, and purpose of the processing, as well as the varying probability of occurrence and severity of the risk for the rights and freedoms of natural persons within the meaning of Art. 32 Para. 1 GDPR must thereby be considered. The Contractor documents the individual measures in a plan of action in Annex 2.

2.2. The technical and organizational measures are subject to technical progress and development. The Contractor is therefore permitted to implement adequate alternative measures. The security level of the specified measures shall thereby not fall below the minimum requirement. Substantial changes must be documented.

2.3. The Contractor shall regularly monitor the internal processes and the technical and organizational measures to ensure that processing within Contractor's area of responsibility is in accordance with the requirements of applicable data protection law and the protection of the rights of the data subject.

3. RECTIFICATION, RESTRICTION, AND DELETION OF DATA; RIGHTS OF THE DATA SUBJECT

3.1. The Contractor shall not modify or delete data that is processed in the order or restrict its processing on their own authority, and shall only do so after receiving documented instructions from the Client. Should a data subject contact the Contractor directly in this respect, the Contractor will immediately forward this request to the Client.

3.2. The Contractor shall assist the Client with suitable technical and organizational measures to ensure the rights of data subjects with regards to data deletion, rectification, portability, and information. The Contractor may claim compensation for support services that are not owed under the Main Contract.

4. QUALITY ASSURANCE AND OTHER DUTIES OF THE CONTRACTOR

4.1. In performing the work, the Contractor shall only use employees who have been obliged to maintain confidentiality. The Contractor shall only process the data in accordance with the instructions issued by the Client, including the authorizations granted in this Contract and in the Main Contract, unless the Contractor is legally obliged to process the data. The Client shall confirm verbal instructions immediately (in text form as a minimum). The Contractor must inform the Client immediately if the Contractor believes that an instruction violates data protection regulations. The Contractor is entitled to suspend implementation of the corresponding instruction until it is confirmed or modified by the Client.

4.2. The Contractor shall assist the Client in complying with the obligations set out in Art. 32-36 GDPR regarding the security of personal data, reporting obligations in the event of data breaches, data protection impact assessments, and prior consultations. This includes:

4.2.1. The obligation to immediately report breaches of personal data to the Client;

4.2.2. The obligation to support the Client within the scope of their duty to inform data subjects and to make all relevant information available to the data subject in this context without delay;

4.2.3. Supporting the Client in their data protection impact assessment;

4.2.4. Supporting the Client within the framework of prior consultations with the supervisory authority.

4.3. The Contractor may claim compensation for support services that are not included in the service description of the Main Contract, or that cannot be attributed to a failure on the part of the Contractor.

5. SUBCONTRACTING RELATIONSHIPS

5.1. For the purpose of this provision, subcontracting relationships are services that relate directly to the provision of the main service. These do not include secondary services that the Contractor uses. e.g., in the form of telecommunication services, post/transport services, maintenance and user services, or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity, and capacity of the hardware and software of data processing systems. However, the Contractor is obliged to use appropriate and lawful contractual agreements and control measures to guarantee the data protection and data privacy of the Client's data, even in the case of outsourced secondary services.

5.2. The Contractor is entitled to engage subcontractors based within the EU or the EEA, provided that the Contractor concludes a contractual agreement with the subcontractor in accordance with Art. 28 Para. 4 GDPR.

5.3. Subject to the condition specified in clause 5.2, the Client hereby permits the Contractor to engage the companies specified in Annex 3 as subcontractors.

5.4. The Contractor shall inform the Client in advance of any intended change in relation to the addition or replacement of subcontractors. The Client can submit an objection to this change to the Contractor within 14 days of receipt of the information by the Client. If no objection is forthcoming within this period, consent to the change is deemed to have been granted. An objection shall not be made unless an interest of the Client outweighs the interests of the Contractor.

6. CONTROL RIGHTS OF THE CLIENT

6.1. The Client has the right, in consultation with the Contractor, to carry out reviews or have reviews carried out by inspectors named on a case-by-case basis. The Client has the right to satisfy themselves of the Contractor's compliance with this Contract within their business operations by means of random checks, whereby notification of such checks shall be provided in a timely manner.

6.2. The Contractor shall ensure that the Client is able to satisfy themselves of the former's compliance with the obligations in accordance with Art. 28 GDPR. The Contractor is obliged to provide the Client with the necessary information upon request and, in particular, to provide evidence of the implementation of the technical and organizational measures.

6.3. Evidence of such measures, which do not only relate to the specific order, can be provided by:

6.3.1 Compliance with approved rules of conduct in accordance with Art. 40 GDPR;

6.3.2 Certification per an approved certification process in accordance with Art. 42 GDPR;

6.3.3 Current attestations, reports or report extracts from independent entities (e.g., auditors, audits, data protection officers, IT security departments, data protection auditors, quality auditors);

6.3.4 Suitable certification by means of IT security or data protection audits (e.g., in accordance with BSI Baseline Protection or ISO/IEC 27001).

6.4. The Contractor can assert a claim for compensation for facilitating inspections by the Client.

7. DELETION AND RETURN OF PERSONAL DATA

7.1. Copies or duplicates of data shall not be produced without the knowledge of the Client. Exceptions are backup copies, if these are necessary to guarantee proper data processing, and data that is necessary in terms of compliance with statutory retention obligations.

7.2. Following completion of the contractually agreed work or earlier upon request by the Client (and at the latest upon termination of the Main Contract) the Contractor must hand over all documents, processing and usage results produced, and databases that the Contractor obtains in connection with the contractual relationship with the Client, or destroy these items in accordance with data protection law after obtaining prior permission. The deletion log must be presented on request. The obligations of the Contractor according to this clause 7.2 do not apply if there is an obligation to store the personal data under European Union or Member State law.

7.3. Documentation that serves as proof of the order-related data processing must be retained by the Contractor in accordance with the respective retention periods beyond the end of the Contract. The Contractor can transfer this to the Client for the Contractor’s discharge at the end of the Contract.

8. ORDER PERIOD, TERMINATION

The term of this Contract corresponds to the term of the Main Contract and also includes the period after the end of the Main Contract until complete return or deletion of the data provided to the Contractor by the Client in connection with the execution of the Main Contract. The right of each party to terminate the Contract with good reason shall not be affected.

9. MISCELLANEOUS

9.1. The Contract shall be governed by German law, excluding the provisions of private international law which would lead to the application of a different law.

9.2. The exclusive place of jurisdiction for all disputes arising from or in connection with the Contract is Nuremberg. Quanos is also entitled to take legal action at the Customer's place of business or at any other competent court.

9.3. No verbal agreements have been made.

9.4. Should individual provisions of the Contract be or become totally or partly ineffective, this shall not affect the validity of the remaining provisions. In such cases, both parties undertake to replace any invalid provision with a provision that reflects insofar as possible the commercial purpose of the invalid provision. The same applies to any loopholes in the Contract.

APPENDICES:

Annex 1: Type and purpose of processing, object of processing, type of data, group of data subjects

Annex 2: Technical and organizational measures

Annex 3: Subcontracting relationships

Annex 1: Type and purpose of processing, object of processing, type of data, group of data subjects

Data subjects and data subject groups

In particular:

  • Users of the software (in particular employees of the Client)
  • Employees of the Customer’s business partners

Type of data or categories of data

  • Contact Details
  • Data about the use of the contractual software (log data)

Recipients

Contractors and subcontractors

Type and purpose of processing

  • Provision of software for access via the internet (SaaS)
  • Provision of IT services, in particular support and IT services

Annex 2: Technical and organizational measures

If personal data is processed or used automatically, the internal company organisation must be designed such that it meets the specific data protection requirements. This includes implementing measures that are suitable based on the type of personal data or data categories requiring protection. Quanos Service Solutions GmbH ensures that the following measures are implemented:

 

1 Confidentiality (Article 32(1)(b) GDPR)

1.1 Entry control

Measures that prevent unauthorised access to data processing equipment

  • Key management for employees; controlled entry to offices
  • Defined entry authorisations for the server room
  • Rules for visitors and maintenance personnel

1.2 Access control

Measures that prevent unauthorised persons from being able to use data processing equipment

  • Control of access to data processing systems by means of a user and authorisation concept ("principle of least privilege")
  • Assignment of personalised user accounts with appropriate password guidelines (minimum password length ten characters, complexity requirements, regularly changed)
  • Access blocked after ten unsuccessful log-in attempts
  • Workstations are locked when employees leave the workplace (automatic after 15 minutes or manual lock with reactivation password)
  • Administrator accesses are documented and stored securely
  • Login and logout processes are logged
  • Implementation of a firewall (including an intrusion prevention system), spam filter and anti-virus software
  • Encryption of mobile data carriers/smartphones

1.3 Data access control

Measures that prevent unauthorised reading, copying, modification or deletion within the system

  • Assignment of access rights according to user group
  • Authorisation concepts and needs-based access rights ("principle of least privilege")
  • Annual review of access controls
  • Destruction of written documents no longer required, in accordance with DIN 66399 security level P3 (paper)
  • Irreversible erasure/destruction of electronic data carriers once out of service

1.4 Separation control

Measures to separate processing of data that has been collected for different purposes

  • IT systems with multi-client capability
  • Separation of development environment and production environment
  • Access authorisations in accordance with functional responsibility

1.5 Pseudonymisation (Article 32(1)(a) GDPR; Article 25(1) GDPR)

The processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without referring to additional information, provided that this additional information is stored separately and is subject to adequate technical and organisational measures

  • Not relevant to the contract

 

2 Integrity (Article 32(1)(b) GDPR)

2.1 Transfer control

Measures that prevent unauthorised reading, copying, modification or deletion during electronic transfer or transport

  • Transfer of data by electronic means in accordance with the capabilities of the Customer
  • Remote maintenance concept
  • Logging of data transmission or data transport
  • Encrypted data connections (VPN, SFTP, HTTPS)

2.2 Data entry control

Determination of whether personal data has been entered, modified or deleted in the data processing systems, and by whom

  • Control of organisational responsibilities
  • System-based logging
  • Control of access authorisations to log data

 

3 Availability and resilience (Article 32(1)(b) GDPR)

3.1 Availability control

Measures to protect against accidental or malicious loss or destruction

  • Redundant data storage (e.g. RAID)
  • Backup Internet connection
  • Uninterruptible power supply (UPS)
  • Fire extinguishers/fire alarms
  • Backup strategy
  • Secure storage of backup media (e.g. fire-proof/anti-theft safe)
  • Regular installation of security updates
  • Temperature-controlled server room
  • Reporting channels and disaster recovery plans
  • Rapid recoverability (Article 32(1)(c) GDPR)
  • Cloud services

 

4 Process for regular testing, assessment and evaluation (Article 32(1)(d) GDPR; Article 25(1) GDPR)

4.1 Data protection management

Measures that ensure a structure is in place that satisfies the fundamental legal data protection requirements

  • Guidelines/instructions to ensure the implementation of technical and organisational data security measures
  • Appointment of a data protection officer
  • Obligating employees to maintain confidentiality (data secrecy)
  • Providing adequate training on data protection matters to employees
  • Maintaining an overview of processing activities (Article 30 GDPR)
  • Performing data protection impact assessments where required (Article 35 GDPR)
  • Periodic review by data protection officer

4.2 Incident response management

Measures that ensure a reporting process is triggered in the event of data protection breaches

  • Reporting process for breaches of contract and data protection with respect to the Customer in accordance with Article 28(3)(3), Article 33 and Article 34 GDPR
  • Reporting process for data protection breaches in accordance with Article 4(12) GDPR with respect to the supervisory authorities
  • Support for the Customer during the reporting process for data protection breaches in accordance with Article 4(12) GDPR with respect to the supervisory authorities (Article 33 GDPR)

4.3 Default privacy settings

Measures that ensure that as a default the minimum possible data is collected, saved and shared

  • Privacy by design
  • Privacy by default

4.4 Contract control

Measures that ensure personal data is only processed in accordance with the Customer's instructions

  • Sub-contractors with written data protection agreements in accordance with Article 28 GDPR
  • Agreement on Commissioned Processing with provisions on the rights and obligations of the Contractor and Customer
  • Appointment of contact persons and/or responsible employees
  • Obligating employees to maintain data secrecy
  • Formal contract management system
  • Standardised contract management system to control service providers

Annex 3 – Subcontracting relationships

Subcontractor including address

Service description

PlusServer GmbH

Hohenzollernring 72

50672 Cologne

Germany

Server hosting

Hetzner Online GmbH

Industriestr. 25

91710 Gunzenhausen

Germany

Server hosting

IONOS SE

Elgendorfer Str. 57

56410 Montabaur

Germany

Server hosting

noris network AG

Thomas-Mann-Straße 16-20

90471 Nürnberg

Germany

Server hosting

TeamViewer AG

Bahnhofsplatz 2

73033 Göppingen

Germany

Software for remote maintenance

Host Europe GmbH

Hansestraße 111

51149 Cologne

Germany

Hosting prototype catalogs, hosting partner portal, hosting FTP server