TABLE OF CONTENTS
- Scope of application
- Offers; Conclusion of contract; Subcontractors
- Software license / rights of use
- Maintenance / Support
- IT services
- Hosting
- Remuneration
- Industrial property rights; copyrights
- Liability for defects
- Liability
- Confidentiality; data protection
- Reference
- Final provisions
1 SCOPE OF APPLICATION
1.1 Subject matter of the contract. The following terms and conditions (hereinafter "GTC") apply to the licensing of software, for maintenance and support as well as for IT services of Quanos Solutions GmbH (hereinafter "Quanos"). The provisions contained herein regarding the licensing of software apply to standard software as well as to software that Quanos programs individually for the Customer. IT services within the meaning of these GTC are in particular installation, configuration, customizing, hosting and individual programming of software as well as IT consulting.
1.2 Terms and Conditions of the Customer. Conflicting or additional terms and conditions of the Customer only apply if Quanos expressly confirms their validity in writing.
1.3 Future transactions. In the case of ongoing business relationships, the following terms and conditions shall also apply to all future mutual transactions between the parties.
1.4 B2B. Quanos offers services exclusively to entrepreneurs within the meaning of § 14 German Civil Code (Bürgerliches Gesetzbuch, BGB).
2 OFFERS; CONCLUSION OF CONTRACT; SUBCONTRACTORS
2.1 Conclusion of contract. A contract is concluded upon acceptance of the offer submitted by Quanos to the Customer, but at the latest upon acceptance of the delivery or use of the products and/or services ("Individual Contract").
2.2 Order of precedence. If these GTC and an Individual Contract contain different provisions on the same subject matter, the provision in the Individual Contract shall take precedence.
2.3 Subcontractors. Quanos is entitled to provide the contractually owed services through qualified subcontractors.
3 SOFTWARE LICENSE / RIGHTS OF USE
If the subject of the contract is the licensing of software, the following provisions shall apply to the granting of rights of use to the software:
3.1 Scope of the rights of use. Quanos grants the Customer a non-exclusive right to install and use the software upon delivery of the software and full payment of the respective license fees. The scope of the right of use results from the offer, in particular the type of license specified therein. Unless otherwise specified in the offer, the authorized users per license type are determined in accordance with Exhibit 1 to these GTC.
3.2 Making available of work results to third parties. The Customer is entitled to make the service and information systems and other work results generated with the software available to third parties on data carriers, for download or for access via the Internet using a browser. Any restrictions on the number of third parties to whom the work results may be made available or transmitted, as specified in Quanos' offer, must be complied with. If the permitted number is exceeded, the Customer will inform Quanos immediately. This obligation also applies after the end of the term of the right of use.
3.3 License term. The license term begins with the delivery of the software, unless otherwise specified in the Individual Contract. If Quanos is responsible for the installation of the software, the software is delivered upon installation. If Quanos hosts the software for the Customer in accordance with Section 6 of these GTC, the software is delivered to the Customer when the software is made available and the access data is handed over to the Customer.
If the Customer acquires a temporary license, the license term ends after one year, calculated from the start of the license term, unless otherwise specified in the Individual Contract. The license term shall be automatically extended by terms of one year each if it is not terminated in writing by one of the parties at least 3 months before the end of the respective license term. Notice of termination must be given in writing. Contractual rights of termination granted to the parties and the right to terminate for good cause remain unaffected.
3.4 Transferability. The rights of use granted to the Customer are not transferable. This does not apply to the transfer of rights of use to software programs for which Quanos has granted the Customer a perpetual license in return for a one-off payment (software purchase). If the Customer transfers the right to use the software in the case of a software purchase, the Customer's right of use automatically expires with the transfer. The prohibition of transferring the software to third parties on a rental basis remains unaffected thereby.
3.5 Condition precedent. If the Customer acquires a license for an indefinite period, the granting of rights is subject to the condition precedent of full payment of the purchase price in accordance with Section 7.2. However, Quanos accepts the use of the software in the manner described above until full payment has been made. Such acceptance is revocable if the Customer is in default of payment.
3.6 License key. The license key required for the installation of the software serves to facilitate proof of the Customer's authorization. Its possession or use alone does not grant any right to use the software. Such a right only arises from an agreement with Quanos or a statutory regulation.
3.7 Restrictions and prohibitions of use. The Customer is not authorized to take the following actions:
3.7.1 Modification, adaptation, translation, editing, arrangement or other reworking of the software as well as the reproduction of the results obtained thereby, unless these actions are necessary for the use of the software in accordance with its intended purpose, including the correction of errors by the person authorized to use the software, and Quanos has not offered to remove the obstacle to such use within a reasonable period of time and, if requested to do so, has not done so;
3.7.2 Disassembling, decompiling, reverse-engineering or using any other method to obtain the source code, unless these actions are necessary to establish the interoperability of an independently created computer program with other programs and Quanos has not made the necessary information available within a reasonable period of time;
3.7.3 Reproduction of the software with the following exceptions: Installation and running in accordance with Section 3.1 above, creation of a backup copy, which must be marked as such;
3.7.4 Removal or modification of trademarks, copyright notices or other proprietary notices of the software;
3.7.5 Lending, renting, leasing or other temporary transfer of the software to third parties;
3.7.6 Use of the software on behalf of a third party, e.g. as Software as a Service (SaaS) or as an Application Service Provider (ASP);
3.7.7 When licensing software for the production of service and information systems, the development, processing or redesign of similar systems by analyzing the structures generated with the service and information systems produced.
3.8 Infringement of rights. The Customer shall inform Quanos immediately as soon as the Customer becomes aware of the infringement of an industrial property right or copyright to the software or the disclosure of user IDs or passwords to unauthorized users.
3.9 Audits. Quanos has the right, in consultation with the Customer, to carry out audits or have them carried out by auditors to be named in individual cases in order to check the Customer's compliance with the contractual terms of use. In particular, Quanos is entitled to convince itself of the Customer's compliance with the terms of use in its business operations by means of audits, which are generally to be announced in good time.
3.10 Obligation of users and a purchaser. The Customer shall oblige the authorized users and, in the case of the transfer of the software in accordance with Section 3.4, the purchaser, to comply with the terms of use of these GTC. The declaration of commitment must be in text form and must be sent to Quanos on request.
3.11 Executable version. The object of the software owed is the software as an executable version in object code. The source code of the software is not owed.
4 MAINTENANCE / SUPPORT
4.1 Maintenance. If the Customer purchases software maintenance, the provisions of this Section 4.1 apply. Maintenance includes the delivery of new versions of the software covered by the maintenance, including upgrades and updates as well as patches and bug fixes issued by Quanos. The software supplied as part of maintenance is subject to the terms of use of the originally purchased software. If the Customer acquires maintenance not at the beginning but during the term of a software license, Quanos is entitled, in addition to the recurring maintenance fees owed, to demand payment of a fee which corresponds at least to the amount which the Customer would have had to pay if a maintenance contract had been concluded with a term from the beginning of the license term.
4.2 Support. If the Customer purchases additional support, Quanos will provide the services described in the Quanos Support Policy, which can be viewed at the URL quanos.com/agb.
4.3 Term. If the Customer purchases maintenance and / or support (maintenance and / or support contract) with or prior to the delivery of the software, the term of the maintenance and / or support contract shall commence at the beginning of the license term (Section 3.3). If the Customer acquires maintenance and / or support during the term of the software license, the term shall commence upon conclusion of the relevant contract. Unless otherwise specified in the Individual Contract, the term ends after one year, calculated from the start of the term. The term shall be automatically extended by terms of one year each if it is not terminated in writing by one of the parties at least 3 months before the end of the respective term. Notice of termination must be given in writing. The right to terminate for good cause remains unaffected. Otherwise, the term for maintenance and support ends upon termination or expiration of the software license.
4.4 Congruence. If the Customer acquires maintenance and / or support for software and / or a module used with it, the conclusion of maintenance and / or support contracts for all versions of the same software program and modules used with it licensed by Quanos to the Customer is obligatory. This applies in particular to the purchase of additional modules for software licenses, which the Customer has purchased previously, and which are subject to maintenance.
4.5 Liability for defects. Quanos' liability for defects remains unaffected by maintenance and support.
5 IT SERVICES
5.1 Obligations of Quanos. If the Customer purchases IT services from Quanos, Quanos provides the services specified in the Individual Contract. Quanos does not owe any additional services. Quanos will provide the agreed services according to the assured state of the art and in accordance with the service description and by using professional know-how. Quanos is entitled to replace employees with other qualified employees or service providers at any time. Unless expressly stipulated otherwise in Individual Contracts, Quanos is not obliged to achieve specific results.
5.2 Obligations of the Customer to cooperate. The Customer shall provide the cooperation services agreed in the Individual Contract (e.g. provision of infrastructure, personnel, hardware, documents, organizational support). Unless otherwise stipulated in the Individual Contract, the Customer's personnel will be available to respond to Quanos' inquiries within one working day. Quanos may request the replacement of employees of the Customer who are involved if the employee to be replaced is not qualified or willing to cooperate. The Customer is responsible for the practical implementation of the services owed, even if the Customer and Quanos jointly draw up a plan for the practical implementation of such services.
5.3 Deadlines. If Individual Contracts provide for specific deadlines for the provision of contractually owed services or specific parts thereof (milestones), these deadlines are only estimated dates and are not binding unless they are expressly marked as binding.
5.4 Delivery; acceptance. Work results owed by Quanos are delivered by Quanos in accordance with the contractual service description and, in the case of work results ready for acceptance, are inspected and accepted by the Customer in accordance with the contractually agreed criteria and tests. The Customer shall immediately inform Quanos in writing of any defects discovered in the acceptance test, including a reasonably detailed specification of the nature and conditions of such defects ("Defect Report"). The work results are deemed to have been accepted if no Defect Report is received by Quanos within 4 weeks of delivery.
5.5 Rights to work results. Quanos and its licensors remain the owners of all rights to the work results owed by Quanos as part of the provision of IT services. Unless otherwise agreed in Individual Contracts, the Customer receives a worldwide, non-exclusive right to use the work results in accordance with its intended purpose.
6 HOSTING
6.1 Provision of Software. If Quanos provides the operation of the software licensed in accordance with Section 3 on a server ("Server") operated by Quanos or by a third party ("Provider") on behalf of Quanos, Quanos shall make the software available to the Customer via the Internet for contractual use during the term of the software license ("Hosting"), subject to the availability specified in Section 6.3 of these GTC.
6.2 No responsibility for the Customer's Internet and environment. The services of Quanos in the transmission of data are limited solely to the data communication between the transfer point to the Internet operated by Quanos or the Provider and the Server. Quanos is not able to influence data traffic outside its own communication network or that of the Provider. In this respect, successful forwarding of information from or to the Customer's computer is not owed.
6.3 Availability. Quanos provides an availability of the Server of 98.5% per calendar month in relation to the transfer point specified in Section 6.2 of these GTC. This availability is calculated as follows:
Excluded from availability are the total number of minutes per month attributable to the following ("Excluded Downtime"): (i) announced maintenance work, (ii) downtime due to a circumstance for which the Customer is responsible, and (iii) periods of unavailability due to factors beyond Quanos' control, such as unforeseeable events that cannot be prevented even by exercising reasonable care.
6.4 Compliance with data protection laws. When using the software, the Customer shall comply with the applicable data protection laws, in particular obtain the necessary consent of the persons concerned, insofar as the Customer collects, processes or uses personal data when using the software and no other legal basis for processing such data applies.
6.5 Protection of third-party rights. The Customer shall ensure that it observes all third-party rights to the content used by the Customer (e.g. when transmitting third-party texts/data to the Server).
6.6 Virus protection. Before sending Customer data to the Server, the Customer shall check it for viruses and use state-of-the-art virus protection programs.
6.7 No improper use. The Customer shall not use the Hosting services improperly or allow them to be used improperly, and in particular shall not use on the Server any illegal or immoral content and/or content that serves to incite hatred, incites criminal acts or glorifies or trivializes violence, is sexually offensive or pornographic, is capable of seriously endangering the morals of children or young people or impairing their well-being or can damage the reputation of Quanos, and shall not refer to such content.
6.8 Protection against unauthorized access. The Customer shall take appropriate precautions to prevent unauthorized access to the Server, in particular to protect the software against unauthorized use. The Customer is obliged to keep user IDs and passwords secret and not to make them accessible to unauthorized third parties. The Customer must expressly ensure that authorized users comply with these conditions.
6.9 Duty to inform in the event of infringement of industrial property rights. The Customer shall inform Quanos immediately as soon as the Customer becomes aware of the infringement of an industrial property right or copyright to the software or the disclosure of user IDs or passwords to unauthorized users.
6.10 Blocking of access. Quanos is entitled to block access to the Hosting services temporarily or permanently if there are concrete indications that the Customer is in breach of these GTC, the contract and/or applicable law or if Quanos has another legitimate interest in blocking access. Quanos will take appropriate account of the Customer's legitimate interests when deciding whether to block the Hosting service.
7 REMUNERATION
7.1 Remuneration provision in the Individual Contract. The amount and type of remuneration are determined in the Individual Contract. In all other respects, the following provisions apply to remuneration.
7.2 One-off payment for perpetual licenses. The remuneration for software licenses granted for an unlimited period of time in return for a one-off payment (software purchase) is due for payment upon conclusion of the contract and receipt of the invoice by the Customer.
7.3 Recurring remuneration. Unless otherwise stipulated in the Individual Contract, recurring remuneration for software licenses granted for a limited period of time as well as maintenance, support and Hosting fees are, for the first annual term, due for payment in advance within 30 days of receipt of the invoice. The fee for renewal terms is due for payment in advance before the start of the renewal term.
7.4 Remuneration for IT services. The following conditions apply to the provision of IT services:
7.4.1 If the remuneration is calculated on a time and material basis, Quanos will invoice the Customer at the end of the month for the work performed in the month at the agreed hourly or daily rates. Less than full hours will be invoiced pro rata per 15 minutes or part thereof.
7.4.2 If the parties agree on a lump sum remuneration, Quanos is entitled to charge the Customer advance payments in the amount of the value of the services rendered by Quanos and owed under the contract.
7.5 Costs (IT Services). Unless otherwise agreed, the Customer shall bear the material costs, travel costs and expenses incurred by Quanos in connection with the provision of IT services. Travel costs and expenses are charged according to actual expenditure and at flat-rate expense rates in accordance with the applicable statutory regulations. Travel time is charged at the same hourly rate as working time. If, in individual cases, services are not charged at hourly rates, an appropriate hourly rate shall apply.
7.6 Net prices. All prices are net prices plus the applicable statutory VAT.
7.7 Price adjustment. Quanos is entitled to adjust the amount of the recurring fees for software licenses granted for a limited period of time as well as maintenance, support and hosting fees annually. In the event of an adjustment, Quanos will take into account cost changes that have occurred in the meantime in the area of wages and salaries and the costs of purchasing IT services. An adjustment becomes effective on the date specified by Quanos, but at the earliest one month after receipt of the notification of the adjustment to the Customer. In the event of an increase in remuneration of more than 5% in each case, the Customer may terminate the relevant Individual Contract extraordinarily with effect from the date on which the increase takes effect. The termination must be declared in writing immediately after receipt of the notification of the increase.
7.8 Exceeding agreed usage restrictions. If, in the case of software licensing, the number of third parties to whom work results generated with the software may be made accessible or transmitted is contractually limited and the parties have agreed on additional remuneration if the permitted number is exceeded, the additional fees shall be calculated from the day on which the permitted number was first exceeded.
7.9 Offsetting; retention. Offsetting or retention is only permitted on the basis of undisputed or legally established counterclaims of the Customer.
8 INDUSTRIAL PROPERTY RIGHTS; COPYRIGHTS
Quanos and its licensors are the owners of all copyrights and industrial property rights to the licensed software products. If the Customer becomes aware of infringements of the rights of Quanos and its licensors, the Customer shall inform Quanos thereof immediately.
9 LIABILITY FOR DEFECTS
9.1 Subsequent performance. If, in an individual case, Quanos owes the provision of a software license for an unlimited period (software purchase) or a work product-oriented work contract (Werkvertrag) or work delivery contract (Werklieferungsvertrag) and Quanos has not provided the service free of material defects or defects of title, Quanos is obliged to remedy the defect or make a replacement delivery (collectively "Subsequent Performance") at its own discretion if the Customer requests Subsequent Performance. If the Subsequent Performance fails, the Customer may, at the Customer’s discretion, withdraw from the contract or reduce the remuneration. A failure of remedying a defect is only to be assumed if it is impossible, if it is refused by Quanos or delayed in an unreasonable manner, if after a second attempt at remedying a defect there are reasonable doubts regarding the prospects of success or if for other reasons a further attempt at remedying a defect is unreasonable for the Customer. The provision of a workaround as a temporary solution must be taken into account when weighing up the circumstances. The statutory cases of dispensability of setting a deadline remain unaffected.
9.2 Statute of limitations. Claims for defects under sales law, in particular claims for defects in the purchase of software, shall become time-barred 12 months after delivery, claims for defects under contracts for work and services 12 months after acceptance. Excluded from this are claims for damages and claims for defects in the event of fraudulent concealment of a defect.
9.3 Exclusion of strict liability for damages. If Quanos owes a temporary license and / or hosting in return for a recurring payment, Quanos' liability for damages regardless of fault for defects already existing at the time of conclusion of the contract (§ 536a para. 1 BGB) is excluded.
9.4 De minimis. There are no claims for defects for insignificant deviations from the agreed quality that do not particularly hinder the use of the product or service.
9.5 Compensation for damages. The Customer is only entitled to claims for damages due to defects insofar as the liability of Quanos is not excluded or limited in accordance with Section 10 of these GTC.
10 LIABILITY
10.1 Intent and gross negligence. Quanos is liable without limitation for damage caused intentionally or through gross negligence.
10.2 Slight negligence. In the event of a slightly negligent breach of a primary performance obligation or a secondary obligation, the breach of which jeopardizes the achievement of the purpose of the contract or the fulfilment of which is essential for the proper execution of the contract and on the observance of which the Customer could rely (hereinafter "Essential Secondary Obligation"), the liability of Quanos is limited to damages foreseeable at the time of conclusion of the contract and typical for the contract. Quanos is not liable for slightly negligent breaches of secondary obligations that do not belong to the Essential Secondary Obligations. However, the above limitations and exclusions of liability do not affect the liability of Quanos for a guarantee of quality, for fraud, for damages resulting from injury to life, body and health and for product defects in accordance with the Product Liability Act. This does not imply a change in the burden of proof to the detriment of the Customer.
10.3 Beneficiaries. Insofar as liability is excluded or limited in accordance with this Section 10, this also applies to the personal liability of Quanos' employees, staff, representatives and vicarious agents.
11 CONFIDENTIALITY; DATA PROTECTION
11.1 Confidentiality. The parties undertake to maintain the strictest confidentiality about all confidential processes, including know-how and trade and business secrets, of the other party that come to their knowledge in the course of the execution of the contract and not to pass them on or use them in any other way. This applies to any unauthorized third parties, unless the disclosure of information is necessary for the proper execution of the contract.
11.2 Data protection. Insofar as the Customer commissions Quanos with the collection, processing and use of personal data or Quanos receives access to personal data used by the Customer on the occasion of the execution of the contract (e.g. if Quanos provides hosting and/or support), the conditions of the Data Processing Agreement (Art. 28 para. 3 GDPR) in accordance with Exhibit 2 of these GTC apply between the parties.
12 REFERENCE
Quanos is entitled to use the Customer's name and logo on the Quanos website, in financial reports, press releases and brochures and on Customer lists to indicate that the Customer is a customer of Quanos.
13 FINAL PROVISIONS
13.1 Severability clause. Should individual provisions of the contract be or become invalid in whole or in part, this shall not affect the validity of the remaining provisions. In this case, the parties undertake to replace the invalid provision with a valid provision that comes as close as possible to the economic purpose of the invalid provision. The same applies to any loopholes in the contract.
13.2 Transfer. Quanos is entitled to transfer the contract to a company affiliated with Quanos in accordance with §§ 15 et seq. German Stock Corporation Act (Aktiengesetz, AktG) and to an acquirer of the part of the company relating to the subject matter of the contract. The Customer hereby agrees to such a transfer of the contract.
13.3 Reservation of right of amendment. During the term of the contract, Quanos may amend the GTC in order to (1) adapt the GTC to new legal requirements or a change in higher or supreme court rulings, (2) eliminate doubts of interpretation or (3) adapt the GTC to changed technological developments or market conditions. Quanos shall inform the Customer of such changes to these GTC in text form at least 4 weeks before the change comes into effect. If the Customer does not object to an amendment within 4 weeks of receipt of the notification, the amendments are deemed to have been effectively agreed. Quanos will inform the Customer separately of the right of objection and the consequences of remaining silent when informing the Customer of the changes.
13.4 Place of jurisdiction. The exclusive place of jurisdiction for all disputes arising from or in connection with the contract is Nuremberg. Quanos is also entitled to take legal action at the Customer's place of business or another competent court.
13.5 Applicable law. The law of the Federal Republic of Germany shall apply, with the exception of its provisions on the choice of law, which would lead to the application of another legal system. The application of the CISG ("UN Convention on Contracts for the International Sale of Goods") is excluded.
Version July 2024
Exhibit 1 - Authorized Users per License Type
1. Named User
If the Customer acquires a license limited to the number of named users ("Named User"), the Customer is entitled to install the software on workstations of the Customer’s named employees and third parties, insofar as they work for and on behalf of the Customer, and the named users are entitled to use the software on these workstations for the Customer's purposes.
2. Monthly Active User
If the Customer acquires a license limited to the number of monthly active users ("Monthly Active User"), the Customer is entitled to install the software on workstations of the Customer’s named employees and third parties, insofar as they work for and on behalf of the Customer, and the named users are entitled to use the software on these workstations for the Customer's purposes, insofar as the number of named users who actively use the software during a calendar month does not exceed the contractually agreed maximum number of users per calendar month.
3. Concurrent User
If the Customer acquires a license limited to the number of unnamed users ("Concurrent User"), the Customer is entitled to install the software on hardware or IT infrastructure operated by the Customer or on the Customer’s behalf and to make it accessible to the Customer’s employees and third parties, insofar as they are working for and on behalf of the Customer, for use for the Customer's purposes, provided that the number of users using the software at any one time does not exceed the contractually agreed maximum number of users.
4. Enterprise License
If the Customer acquires a license limited to an enterprise ("Enterprise License"), the Customer is entitled to install the software for the duration of the license term on a server operated by the Customer or on the Customer’s behalf and to make it available to the Customer’s employees at the location named in the Individual Contract as well as to third parties, insofar as they work at this location for and on behalf of the Customer, for use for the purposes of the Customer.
Exhibit 2 - Data Processing Agreement (Art. 28 para. 3 GDPR)
1 Subject matter of the Agreement and order content
1.1 The subject matter of the Contract is set out in the agreement concluded between the parties for the provision of maintenance, support and/or IT services by Quanos Solutions GmbH (hereinafter "Processor") to the Customer, to which reference is made here (hereinafter "Main Agreement"). This Data Processing Agreement (the "Agreement") applies to all activities related to data processing in the provision of services under the Main Agreement and in which the Processor may come into contact with personal data transmitted or disclosed to the Processor by the Customer.
1.2 The type of data processed, the categories of data subjects and the nature and purpose of the collection, processing and use of personal data by the Processor for the Customer are set out in detail in Annex 1 to this Agreement.
1.3 Unless expressly stipulated otherwise in this Agreement, the provision of the contractually agreed data processing shall take place exclusively in Germany, a member state of the European Union (EU) or in another state party to the Agreement on the European Economic Area (EEA). Any transfer to a third country may only take place if the special requirements of Art. 44 et seq. GDPR are met.
2 Technical and organizational measures
2.1 The Processor must establish security in accordance with Art. 28 para. 3 lit. c, 32 GDPR, in particular in conjunction with Art. 5 para. 1, para. 2 GDPR. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the type, scope and purposes of the processing as well as the different probability of occurrence and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 para. 1 GDPR must be taken into account. The Processor shall document the individual measures in an action plan in Annex 2.
2.2 The technical and organizational measures are subject to technical progress and further development. In this respect, the Processor is permitted to implement alternative adequate measures. In doing so, the security level of the specified measures must not be undercut. Significant changes must be documented.
2.3 The Processor shall regularly monitor the internal processes and the technical and organizational measures to ensure (i) that the processing in its area of responsibility is carried out in accordance with the requirements of the applicable data protection law and (ii) the protection of the rights of the data subject.
3 Correction, restriction and deletion of data; rights of data subjects
3.1 The Processor may not rectify, erase or restrict the processing of data processed on behalf of the Customer without authorization, but only in accordance with documented instructions from the Customer. If a data subject contacts the Processor directly in this regard, the Processor shall forward this request to the Customer without delay.
3.2 The Processor shall support the Customer with suitable technical and organizational measures to ensure the rights of data subjects to be forgotten, rectification, data portability and access. The Processor may claim remuneration for support services that are not owed under the Main Agreement.
4 Quality assurance and other obligations of the Processor
4.1 When carrying out the work, the Processor shall only use employees who have been bound to confidentiality. The Processor may only process the data in accordance with the Customer's instructions, including the authorizations granted in this Agreement and in the Main Agreement, unless the Processor is legally obliged to a certain processing. The Customer shall confirm verbal instructions without delay (at least in text form). The Processor must inform the Customer immediately if it is of the opinion that an instruction violates data protection laws. The Processor is entitled to suspend the implementation of the corresponding instruction until it is confirmed or amended by the Customer.
4.2 The Processor shall support the Customer in complying with the personal data security obligations set out in Articles 32-36 GDPR, data breach notification obligations, data protection impact assessments and prior consultations. This includes, among other things:
4.2.1 the obligation to report personal data breaches to the Customer without delay,
4.2.2 the obligation to support the Customer in the context of its duty to inform the data subjects and to provide the Customer with all relevant information in this context without delay,
4.2.3 supporting the Customer in its data protection impact assessment,
4.2.4 supporting the Customer in the context of prior consultation with the supervisory authority.
4.3 The Processor may claim remuneration for support services that are not included in the service description of the Main Agreement or are attributable to misconduct on the part of the Customer.
5 Subcontracting relationships
5.1 Subcontracting relationships within the meaning of this provision are those services that are directly related to the provision of the main service. This does not include ancillary services which the Processor uses, such as, for example, telecommunications services, postal/transport services, maintenance and user service or the disposal of data carriers as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, the Processor is obliged to enter into appropriate and legally compliant contractual agreements and to take control measures to ensure data protection and the security of the Customer's data, even in the case of outsourced ancillary services.
5.2 The Processor is entitled to engage subcontractors, provided that it concludes an agreement with the subcontractor in accordance with Art. 28 (4) GDPR and, if the subcontractor is located in a third country, the requirements of Art. 44 et seq. GDPR are met.
5.3 Subject to the condition set out in Section 5.2, the Customer hereby authorizes the Processor to engage the companies listed in Annex 3 as subcontractors.
5.4 The Processor shall inform the Customer in advance of any intended change with regard to the involvement or replacement of other processors. The Customer may object to this change vis-à-vis the Processor within 14 days of receipt of the information by the Customer. If no objection is made within this period, consent to the change shall be deemed to have been given. An objection may not be made without the interests of the Customer outweighing those of the Processor.
6 Audit rights of the Customer
6.1 The Customer shall have the right to carry out audits in consultation with the Processor or to have them carried out by auditors to be named in each individual case. The Customer shall have the right to convince itself of the Processor's compliance with this Agreement in its business operations by means of spot checks, which must generally be notified in good time.
6.2 The Processor shall ensure that the Customer can convince itself of the Processor's compliance with its obligations under Art. 28 GDPR. The Processor undertakes to provide the Customer with the necessary information upon request and, in particular, to provide evidence of the implementation of the technical and organizational measures.
6.3 Proof of such measures, which do not only concern the specific order, can be provided by
6.3.1 compliance with approved codes of conduct pursuant to Art. 40 GDPR,
6.3.2 certification in accordance with an approved certification procedure pursuant to Art. 42 GDPR,
6.3.3 current certificates, reports or report extracts from independent bodies (e.g. auditors, internal audit, data protection officer, IT security department, data protection auditor, quality audit),
6.3.4 suitable certification through an IT security or data protection audit (e.g. in accordance with BSI basic protection or ISO/IEC 27001).
6.4 The Processor may claim remuneration for enabling the Customer to carry out audits.
7 Deletion and return of personal data
7.1 Copies or duplicates of the data shall not be created without the knowledge of the Customer. Excluded from this are backup copies, insofar as they are necessary to ensure proper data processing, as well as the storage of data that is necessary with regard to compliance with statutory retention obligations.
7.2 After completion of the contractually agreed activities or earlier at the request of the Customer - at the latest upon termination of the Main Agreement - the Processor shall hand over to the Customer all documents, processing and usage results and data pertaining to the contractual relationship that have come into its possession or, with prior consent, destroy them in accordance with data protection regulations. The deletion log shall be presented upon request. The obligations of the Processor under this Section 7.2 shall not apply if there is an obligation to store the personal data under Union law or the law of the Member States of the EU.
7.3 Documentation that serves as proof of data processing in accordance with the Agreement shall be retained by the Processor beyond the end of the Agreement in accordance with the respective retention periods. The Processor may hand them over to the Customer at the end of the Agreement in order to discharge the Processor.
8 Order duration, termination
The term of this Agreement corresponds to the term of the Main Agreement and also includes the period after the end of the Main Agreement until the complete return or deletion of the data provided to the Processor by the Customer in connection with the performance of the Main Agreement. The right of either party to terminate the Agreement for good cause remains unaffected.
9 Miscellaneous
9.1 The Agreement shall be governed by German law to the exclusion of the rules of private international law which would lead to the application of a different law.
9.2 The exclusive place of jurisdiction for all disputes arising from or in connection with the Agreement is Nuremberg. The Processor shall also be entitled to take legal action at the Customer's registered office or any other competent court.
9.3 No verbal collateral agreements have been made.
9.4 Should individual provisions of the Agreement be or become invalid in whole or in part, this shall not affect the validity of the remaining provisions. In this case, the parties undertake to replace the invalid provision with a valid provision that comes as close as possible to the economic purpose of the invalid provision. The same applies to any loopholes in the Agreement.
Attachments:
Annex 1: Nature and purpose of the processing, subject matter of the processing, type of data, categories of data subjects
Annex 2: Technical and organizational measures
Annex 3: Subcontracting relationships
Annex 1 - Nature and purpose of the processing, subject matter of the processing, type of data, categories of data subjects
Data subjects and categories of data subjects | In particular: |
Type of data or data categories | |
Recipient of data | Processor and subprocessors |
Nature and purpose of processing | Provision of IT services, in particular support and hosting services |
Annex 2 - Technical and organizational measures
If personal data is processed by automated means or used, the internal organization must be designed in such a way that it meets the specific requirements of data protection. In particular, measures shall be taken that are suitable depending on the type of personal data or data categories to be protected. The Processor shall ensure that the following measures are implemented:
1 CONFIDENTIALITY (ART. 32 PARA. 1 LIT. B GDPR)
1.1 Physical access control
Measures to prevent unauthorized access to data processing systems
- Key management for employees; regulated access to offices
- Defined access authorizations for the server room
- Regulations for visitors and maintenance personnel
1.2 System access control
Measures that prevent data processing systems from being used by unauthorized persons
- Regulation of access to the data processing systems via a user and authorization concept ("least privilege principle")
- Assignment of personalized user accounts with corresponding password guidelines (minimum password length 10 characters, complexity requirements, regular changes)
- Blocking access after ten incorrect login attempts
- Locking the workstations when leaving the workstation (automatically after 15 minutes or manually with reactivation password)
- Documentation and secure storage of administrator accesses
- Logging of log-on and log-off processes
- Use of firewall (incl. intrusion prevention system), spam filter and antivirus software
- Encryption of mobile data carriers/smartphones
- Multi-factor authentication
1.3 Data access control
Measures to prevent unauthorized reading, copying, modification or removal within the system
- Assignment of access rights according to user groups
- Authorization concepts and needs-based access rights ("least privilege principle")
- Annual review of access controls
- Destruction of written documents that are no longer required in accordance with DIN 66399 security level P3 (paper)
- Non-reversible deletion/destruction of electronic data carriers after decommissioning
1.4 Separation control
Measures for the separate processing of data collected for different purposes
- Multi-tenant capable IT systems
- Separation of development and production environment
- Access authorizations according to functional responsibility
1.5 Pseudonymization (Art. 32 para. 1 lit. a GDPR; Art. 25 para. 1 GDPR)
The processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures
- Not relevant to the order
2 INTEGRITY (ART. 32 PARA. 1 LIT. B GDPR)
2.1 Transfer control
Measures to prevent unauthorized reading, copying, modification or removal during electronic transmission or transport
- Forwarding of data by electronic means in accordance with the Customer's possibilities
- Remote maintenance concept
- Logging of data transmission or data transport
- Encrypted data connections (VPN, SFTP, HTTPS)
2.2 Input control
Determining whether and by whom personal data has been entered, modified or removed from data processing systems
- Regulation of organizational responsibilities
- System logging
- Regulation of access authorizations to log data
3 AVAILABILITY AND RESILIENCE (ART. 32 PARA. 1 LIT. B GDPR)
3.1 Availability control
Measures to protect against accidental or willful destruction or loss
- Redundant data storage (e.g. RAID)
- Backup Internet connection
- Uninterruptible power supply (UPS)
- Fire extinguishers/fire alarms
- Backup strategy
- Secure storage for backup media (e.g. fireproof/burglar-proof safe)
- Regular installation of security updates
- Air-conditioned server room
- Reporting channels and emergency plans
- Rapid recoverability (Art. 32 para. 1 lit. c GDPR)
- Cloud services
4 PROCEDURES FOR REGULAR REVIEW, ASSESSMENT AND EVALUATION (ART. 32 PARA. 1 LIT. D GDPR; ART. 25 PARA. 1 GDPR)
4.1 Data protection management
Measures to ensure that an organization is in place that meets the basic requirements of data protection law
- Guidelines/instructions to ensure technical and organizational measures for data security
- Appointment of a data protection officer
- Obligation to maintain employee confidentiality (data secrecy)
- Adequate training of employees in data protection matters
- Maintaining an overview of processing activities (Art. 30 GDPR)
- Carrying out data protection impact assessments, where necessary (Art. 35 GDPR)
- Periodic review by data protection officer
4.2 Incident response management
Measures to ensure that a reporting process is triggered in the event of data protection breaches
- Reporting process for contract and data protection breaches to the Customer in accordance with Art. 28 para. 3 sentence 3 and Art. 33 and Art. 34 GDPR
- Reporting process for data breaches to the supervisory authorities in accordance with Art. 4 (12) GDPR
- Support for Customers in the reporting process for data protection violations in accordance with Art. 4 No. 12 GDPR to the supervisory authorities (Art. 33 GDPR)
4.3 Privacy-friendly default settings
Measures to ensure that as little data as possible is collected, stored and shared from the outset
- Data protection-friendly technology design ("privacy by design")
- Data protection-friendly default settings ("privacy by default")
4.4 Order control
Measures to ensure that personal data is only processed in accordance with the Customer's instructions
- Sub-processors with written data protection agreements in accordance with Art. 28 GDPR
- Agreement on order processing with regulations on the rights and obligations of the Processor and Customer
- Designation of contact persons and/or responsible employees
- Obligation of employees to maintain data secrecy
- Formalized order management
- Standardized contract management for monitoring service providers
Annex 3 - Subcontracting relationships
Subcontractor incl. address | Service description |
PlusServer GmbH Hohenzollernring 72, 50672 Cologne Germany | Server hosting |
Hetzner Online GmbH Industriestr. 25, 91710 Gunzenhausen Germany | Server hosting |
IONOS SE Elgendorfer Str. 57, 56410 Montabaur Germany | Server hosting |
noris network AG Thomas-Mann-Straße 16-20, 90471 Nuremberg Germany | Server hosting |
TeamViewer AG Bahnhofsplatz 2, 73033 Göppingen Germany | Software for remote maintenance |
Host Europe GmbH Hansestrasse 111, 51149 Cologne Germany | Hosting prototype catalogs, hosting partner portal, hosting FTP server |
Amazon Web Services EMEA SARL 38 Avenue John F. Kennedy, L-1855 Luxembourg | Server hosting |
Okta, Inc (Auth0) 100 First Street, San Francisco, CA 94105 USA | Identity Management |
Atlassian Pty Ltd Level 6, 341 George Street, | Support portal, project management |