General Terms & Conditions

General Terms and Conditions of Business for Augmented Automation (SaaS)
Section 1 Subject matter of contract

(1) Ubimax GmbH, Hoerneckestraße 25-31, D-28217 Bremen (hereinafter: the Licensor) hires out to the Licensee for the term of this agreement the Augmented Portal Software and the Augmented Applications (hereinafter collectively referred to as: the Software).
(2) By way of augmented reality techniques, the Software enables companies to establish a picture and sound connection with a support engineer. The performance description (in accordance with the offer) valid at the time of entering into the contract and which is available to the Licensee is exclusively authoritative for the quality of the Software. The Licensor is not required to provide Software in a condition that extends beyond this. The Licensor cannot derive such an obligation, in particular, from other portrayals of the Software in public expressions or in advertising of the Licensor or its employees or distribution partners unless the Licensor had expressly confirmed in writing that the quality extends beyond that.
(3) The subject matter of this agreement is the surrendering of the Software for a specific period by the Licensor for use by the Licensee for the Licensee’s own purposes via data telecommunication. The Software (portal) shall not be installed on the Licensee’s hardware. The terminals (e.g. data goggles or tablets) supplied as part of the order from the Licensor to the Licensee shall, at the Licensee’s request, be equipped with software clients/Apps for use of the data telecommunication. The Licensee can either install these software clients/Apps itself on its own or supplied terminals (e.g. data goggles or tablets) as part of the delivery scope.
(4) Rendering services such as training or making individual programme adjustments etc. is not the subject matter of this agreement.
(5) The Software is intended merely as a communications platform and aid for the Licensee with its support service providers. Solely the support service provider is responsible for its services that have been and are to be rendered. Solely the respective users of the Software are personally responsible for complying with the occupational safety regulations or the plant protection requirements.

 

Section 2 Software surrender; hardware

(1) The Licensor shall make the Software available to the Licensee from the time at which the contract is entered into at https://www.augmented-portal.com. The Software-Clients/Apps shall be made available in the App store of the respective terminal or have already been pre-installed in the terminal.
(2) The Licensee can use the Software (Portal) via an internet browser (Firefox, Chrome) or use the Software Client/App. The Software (Portal) shall remain on the Licensor’s server, and shall be made available for use at the interface of the data network operated by the Licensor to the internet. The Licensor is not required to establish and maintain the data connection between the Licensee’s IT system and the handover point operated by the Licensor.
(3) The Licensor shall use the respective currently offered version of the Software. The Licensee shall be informed in good time of updating the software or installing Updates or Patches.
(4) As a matter of principle, the Software shall be made available to the Licensee for use in the service time from Mondays to Sundays in the period from 0.00 midnight to 24.00 hours with the exception of maintenance windows harmonised with the Licensee. Maintenance windows shall be announced on the portal log-in page. Following consultation with the Licensee, the Licensor may interrupt the rendering of services for a defined period to perform maintenance. The Licensee shall not unreasonably refuse to grant consent to such interruptions.
(5) The Licensor shall surrender the Software to the Licensee for use at the Delivery point with availability of 99.9%/year. The availability does not include maintenance windows defined in accordance with sub-section 4 during the maintenance time and the downtime as a result of disruptions or in the case of rendering services to eliminate disruptions and perform maintenance, which were not foreseeable for or could be planned by the Licensor provided they are not based on causes that are the responsibility of the Licensor.
(6) The Licensee shall purchase the hardware (e.g. data goggles or tablets) stated in the order. The Licensee shall only acquire ownership in the case of payment in full of the invoice written out in that respect. Solely the Licensee is itself responsible for connecting the hardware to the Licensee’s network and/or the internet and maintaining such a connection.

 

Section 3 Granting of rights

(1) The Software is protected by copyright.
(2) The Licensor grants the Licensee a non-exclusive right to use the Software as follows: The Licensee may use the Software during the term of this contract with the users stated by name for its own business purposes (including for rendering support services for third parties). The Licensee is free to change the named users. A changed user will be unlocked by the Licensee for use after 48 hours.
(3) The remuneration terms are set out in Section 10 of this agreement.
(4) The Licensee’s users shall be connected via data connection to be set up by the Licensee.

 

Section 4 Documentation and Hotline

(1) The Licensor shall make documentation (in pdf format) available to the Licensee in respect of using the Software.
(2) With regard to support involving Software matters, the Licensor shall make available to the Licensee for a consideration a Hotline, which can be reached via e-mail, fax or telephone weekdays from 9.00 a.m. to 4.00 p.m. (exception: public holidays at the Licensor’s principal place of business).

Section 5 Data storage by the Licensee

(1) The Licensee has the opportunity to file its data in the Software whereby it can access such data in conjunction with using the surrendered Software. In this respect, the Licensor is merely required to provide storage space for use by the Licensee. The Licensor is not subject to any storage or care obligations in respect of the data forwarded and processed by the Licensor. The Licensee is responsible for complying with the commercial and tax law storage periods.
(2) When placing the order, the Licensee can choose the storage space available to the Licensee (depending on the booked package).

 

Section 6 Processing personal data

(1) If the Licensee processes personal data as part of this contractual relationship, it is responsible for complying with the data protection law requirements. The Annex “Data Processing Agreement in accordance with Art. 28 GDPR” contains a corresponding agreement on data processing on behalf.
(2) Data shall be transferred between the Licensor’s server and the Licensee exclusively in encrypted form (SSL).

 

Section 7 Disclosure and deletion of data

(1) The Licensee may itself download and make corresponding copies at any time of its data filed in the Software. The Licensee undertakes to download the data it has filed or make copies of such data directly prior to the end of the contractual relationship. The Licensee is to ensure that the data it has saved are legible and complete. On request, the Licensor shall offer the Licensee data export subject to payment of costs.
(2) The Lessor does not have a right of retention or the statutory lessor’s lien (Section 562 BGB) with regard to the Licensee’s data.
(3) The Licensor shall ultimately delete the Licensee’s data filed in the Software – i.e. render the data incapable of being restored – on the day on which the contract ends. The Licensor shall delete the data in such a manner irrespective of the quality, condition, impairment or significance of such data for the Licensee. The Licensor reserves the right to delete accounts not used by the Licensee.

 

Section 8 Data security, data storage by the Licensor

(1) The Licensee shall grant the Licensor the right to copy the data to be saved by the Licensor for the Licensee provided this is necessary to render the services required in accordance with this contract (in particular for data security purposes). To eliminate disruptions, the Licensor is also entitled to amend the structure of the data or the data format.

 

Section 9 Collaboration obligations on the part of the Licensee

(1) The Licensee shall assume the task of establishing a data connection between the work stations it has proposed for use and the data delivery point defined by the Licensor. The Licensor is entitled to re-define the data delivery point at any time provided this is necessary to facilitate trouble-free utilisation of the services by the Licensee. In such a case, the Licensee shall establish a connection to the newly defined delivery point.
(2) The utilisation as per agreement of the Licensor’s services is conditional on the fact that the hardware and software used by the Licensee, including workstation computers, routers and data communication equipment etc., comply with the minimum technical requirements for use of the currently offered Software version and that the users authorised to use the Software by the Licensee are familiar with using the Software.
(3) The Licensee shall take the necessary precautions to prevent unauthorised parties from using the Software. The Licensee shall keep secret the use and access authorisations granted to the Licensee or the users, protect these against access by third parties, and not forward these to unauthorised users. The Licensee shall inform the Licensor without delay in the event of suspicion that unauthorised persons could have gained knowledge of the access data and/or IDs.

 

Section 10 Terms and conditions of payment

(1) The Licensee is to pay the remuneration/rent agreed upon by the parties for its use of the Software.
(2) All invoices written out by the Licensor and sent to the Licensee fall due for payment within 14 days following receipt of invoice. Prices are to be understood as net prices plus value added tax at the respective applicable statutory amount.
(3) The Licensee may only set off by way of claims that are undisputed or have become res judicata. The Licensee shall only be entitled to exercise a right of retention regarding counter-claims resulting from this contractual relationship.
(4) The Licensor is entitled to initially increase the rent following expiry of twelve months after entering into the contract by way of a written announcement made with two months’ notice to take effect at the end of a quarter provided and insofar as its costs required to maintain or operate the Software have increased. The Licensee is entitled to terminate the contractual relationship within a period of three weeks following receipt of notice of the increase. In the case of a reduction in the Licensor’s corresponding costs, the Licensee may, following expiry of the period set out in sentence 1, request a corresponding reduction of the rent.

 

Section 11 Warranty

(1) The Licensee is to provide notification of Software defects without delay. The Licensor undertakes to rectify the Software defects within a reasonable time. For the purpose of rectifying defects, the Licensor is entitled to exchange the faulty software with fault-free Software.
(2) Termination on the part of the Licensee in accordance with Section 543(2) sentence 1 no. 1 BGB regarding the failure to grant use as per agreement shall only be permitted if the Licensor was given ample opportunity to rectify the defect and such rectification of a defect failed.
(3) If third parties assert claims that prevent the Licensee from exercising the use of the Software granted to the Licensee as per agreement, the Licensee shall inform the Licensor without delay in writing and in detail. The Licensee shall authorise the Licensor to pursue the judicial and out of court dispute on its own. If legal action is brought against the Licensee, the Licensee shall harmonise matters with the Licensor and only take legal action, in particular acknowledgement or compositions, following approval by the Licensor.
(4) The warranty regulations set out in the Sales Law apply with regard to hardware (e.g. data goggles and tablets) sold as part of the order. The Licensee undertakes to check the hardware without delay following handover in respect of its proper function and complete nature. The Licensee shall notify the Licensor of defects without delay and where possible in writing. Subsequent performance may be provided at the Licensor’s discretion either by way of subsequent improvement or a new delivery of the hardware. Claims regarding hardware defects shall fall under the warranty period of one year following delivery provided the claims do not involve physical injury, loss of life or detrimental effects on health or intent or gross negligence.

 

Section 12 Limitation on liability

(1) The Licensor shall be liable as part of the statutory provisions for damage
(a) that was caused intentionally or gross negligently by the Licensor,
(b) that is based on basic negligent violation of key obligations (cardinal obligations) by the Licensor. Furthermore, contractual obligations (cardinal obligations) are deemed key if honouring such obligations is required to properly execute the contract, and the contracting party can normally expect such obligations to be honoured.
(2) In other respects, the Licensor’s liability is excluded irrespective of the legal grounds on which it is based apart from cases involving the loss of life, physical injury, detrimental effects on health of a person, the provision of an express guarantee, malicious concealment of a defect or liability in accordance with the German Product Liability Act.
(3) In the event of Section 12(1) (b) (basic negligent violation of key obligations), the Licensor’s liability shall be limited to the foreseeable damage only that is typical for a contract of this kind.
(4) The Lessor’s no-fault liability in accordance with Section 536 a (1), 1st Alternative BGB regarding defects that already existed at the time of entering into the contract is excluded.
(5) Insofar as Software is surrendered gratuitously, contrary to Section 12(1) to (3), the Licensor shall only be liable in the case of intent and gross negligence in line with the statutory regulations set out in the law on donations.
(6) The above provisions also apply by way of analogy to the Licensor’s liability in respect of compensation for expenses incurred in vain and in the case of claims against employees and authorised representatives.

 

Section 13 Force majeure

(1) None of the contracting parties undertakes to honour the contractual obligations in the event and for the duration of force majeure. The following circumstances, in particular, are to be regarded as force majeure in this respect:
(a) Events that are not the responsibility of the contracting party such as earthquakes, fire, explosion and flooding etc.
(b) War, blockages and embargoes etc.
(c) Industrial action lasting for more than 6 weeks which has not been culpably brought about by the contracting party,
(d) Technical internet problems over which the contracting party has no influence;
(2) Each contracting party is to inform the respective other of the occurrence of a case of force majeure without delay and in writing.

 

Section 14 Term of contract

(1) The contract shall run for 12 months from the time at which it is entered into. It is automatically extended by a further period of 12 months, unless one of the parties terminates the contractual relationship at the end of the period with a minimum term of two months. A notice shall be given in text form (by letter, fax or e-mail).
(2) This does not affect the right to terminate for good cause (in exceptional cases). Good cause that justifies termination in exceptional cases shall be deemed given, in particular, if the Licensee defaults in its payment obligations in accordance with Section 543 (2) Sentence 1 No. 3 BGB.

 

Section 15 Secrecy

(1) The contractual parties undertake to treat any confidential information and company secrets (“Company Secrets”) of the other contractual party acquired within the context of initiating or executing the contract in strict confidence for an unlimited period of time, and use such information for the purpose of honouring this contract only. The Licensor’s Company Secrets also include the Software and the services rendered in accordance with this agreement.
(2) The above-mentioned obligations do not apply to Company Secrets that were already in the public domain at the time of forwarding by the contracting party or were known by the other contracting party; or became generally known after forwarding by the contracting party without culpability on the part of the other contracting party; or after forwarding by the contracting party were made available to the other contracting party by a third party in a manner that is not unlawful and without restrictions in relation to secrecy or utilisation; or which had been independently developed by a contracting party without using the Company Secrets of the contracting party; or which in accordance with the law, an administrative order or court decision must be disclosed – on condition the publishing party informs the contracting party of this without delay and supports the contracting party in warding off such disposals or decisions; or insofar as the contracting party is permitted to use or forward the Company Secrets due to mandatory statutory provisions or as a result of this contract.

 

Section 16 Referencing

(1) The Licensee consents to the incorporation of a brief project profile in the Licensor’s website. This shall entail key factors regarding the project such as the planned targets and the rendered services as well as the name/company name, logo/trademark of the Licensee and a link to its website.
(2) The Licensor grants the Licensee the non-exclusive right that may be required for these purposes. Further-reaching referencing shall only apply following express approval by the Licensor.

 

Section 17 Final provisions

(1) All amendments to, supplementary information regarding and termination of contractual agreements shall be subject to the written form. Similarly, this also applies to this written form requirement.
(2) In the event that individual provisions of the parties’ agreements are or become wholly or partially invalid, this shall not affect the validity of the other provisions. The contracting parties undertake in such a case to replace the invalid provision with a valid provision that comes closest in economic terms to the purpose pursued by way of the invalid provision. The same shall apply to any omissions in these agreements.
(3) Bremen is deemed the exclusive place of jurisdiction for all disputes resulting from this contract.
(4) The law of the Federal Republic of Germany applies.

Annex: Data Processing Agreement in accordance with Art. 28 GDPR

Preamble
When operating the software on the licensor’s servers, it cannot be ruled out that the licensor may come into contact with personal data within the scope of the provision of services for which the licensee acts as the responsible party within the meaning of the data protection regulations. This appendix specifies the rights and obligations under data protection law of the contracting parties in connection with the contractor’s handling of the client’s data.

 

1. Scope, subject matter and duration of the contract

(1) This appendix applies to all activities that relate to Augmented Automation services of the licensor from a corresponding contractual relationship between licensor and licensee including the General Terms and Conditions Augmented Automation (SaaS) (hereinafter referred to collectively as “main contract”) and during which employees of the licensor or third parties commissioned by the licensor may come into contact with personal data of the licensee.
(2) The subject matter and duration of the order as well as the scope, type and purpose of the processing of personal data by the licensor for the licensee result from the main contract. The right to extraordinary termination remains unaffected.
(3) The term and termination of this appendix are governed by the provisions on term and termination of the main contract. Termination of the main contract automatically results in termination of this appendix.
(4) The following data types/categories are the subject of the collection and processing of personal data: Personal data which is stored on the servers operated by the licensor within the scope of the intended use of the software. These are usually access data, name, e-mail address and activity log of the “Augmented Support” service, hardware-related information, contents of video recordings and image data which are uploaded to the Ubimax Portal by the licensee.
(5) The categories of data subject shall include the licensee, his customers and, where applicable, the employees of the licensee and his customers.
(6) The provision of the contractually agreed data processing shall take place exclusively in a member state of the European Union or in another state party to the Agreement on the European Economic Area. Any transfer to a third country requires the prior consent of the principal and may only take place if the special requirements of Art. 44 ff. GDPR (e.g. Commission adequacy decision, standard data protection clauses, approved codes of conduct) are met.

 

2. Definitions

(1) Personal data
Personal data is any information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR).
(2) Data processing by order
Data processing on behalf of the client is the processing of personal data by the contractor on behalf of the client within the meaning of Art. 28 GDPR.
(3) Instruction
An instruction is the written instruction of the client directed to a certain data protection handling (for example anonymization, correction, deletion, publication) of the contractor with personal data. The instructions are initially laid down in the main contract and this agreement and can then be amended, supplemented or replaced by the client in writing by individual instructions (individual instructions).

 

3. Responsibility for data processing

(1) Within the scope of this contract, the licensee is responsible for compliance with the legal provisions of the data protection laws, in particular for the legality of data transfer to the contractor and for the legality of data processing (“responsible person” within the meaning of Art. 4 No. 7 GDPR).
(2) It is the responsibility of the licensee to make the data available to the licensor in good time for the provision of services according to the main contract and he is responsible for the quality of the data. The licensee must inform the licensor immediately and completely if he detects errors or irregularities regarding data protection regulations or his instructions during the examination of the licensor’s order results.
(3) The Software is currently hosted and operated and the personal data is stored on a Microsoft Azure server in Europe. The data center operator has the required special reliability and fulfils the requirements of Art. 28 f. and Art. 32 GDPR. The Licensor is entitled to replace the data center at any time in compliance with Clause 10, provided that the respective data center operator fulfils the required special reliability and the requirements according to Art. 28 f. and Art. 32 GDPR.

 

4. Technical and organisational measures

(1) The Licensor assures the implementation of and compliance with the technical and organisational measures pursuant to Art. 32 GDPR before the start of processing. These are documented by the licensor in the attached appendix “Overview of Technical and Organisational Measures”.
(2) The measures documented in the aforementioned annex form the basis of this agreement. The licensee is aware of these technical and organisational measures and is responsible for ensuring that they offer an appropriate level of protection for the risks of the data to be processed. If the examination / an audit of the licensee reveals a need for adjustment, this must be implemented by mutual agreement.
(3) The technical and organisational measures are subject to technical progress and further development. In this respect, the licensor is permitted to implement alternative adequate measures, provided that the safety level of the defined measures is not undershot.

 

5. Obligations of the Licensor

(1) The Licensor shall only process data in accordance with the instructions of the Licensee and in compliance with Clause 7 of this Agreement. The Licensor shall correct, delete or restrict the processing of the data processed in the order exclusively in accordance with the instructions of the Licensee. If a person concerned contacts the Licensor directly for the purpose of correction or deletion of his data or information about the stored data of the Licensee, the Licensor will promptly forward this request to the Licensee.
(2) The Licensor shall ensure and regularly check that data processing and use within the scope of the main contract within its area of responsibility is in accordance with the provisions of this Annex.
(3) The Licensor supports the Licensee in inspections by the regulatory authority to the extent reasonable and necessary, insofar as these inspections concern data processing by the Licensor against reimbursement of the expenses and costs to be proven to be incurred by the Licensor as a result.
(4) Licensor shall provide Licensee with the contact details of the company data protection officer (if the Licensor is required to appoint one in accordance with statutory provisions) and the contact person for any data protection issues arising within the scope of the agreement.
(5) The Licensor shall oblige the persons employed in the processing of the Licensee’s data to maintain confidentiality in accordance with Art. 28 para. 3 sentence 2 b, 29, 32 para. 4 GDPR.
(6) The Licensor shall inform the Licensee immediately if it determines that he or an employee has violated data protection regulations or the provisions of this Agreement in the processing of Licensee’s data and the requirements of Articles 33, 34 GDPR are met. Insofar as the licensee is subject to statutory duties to provide information due to unlawful knowledge of the licensee’s data (in particular according to Art. 33, 34 GDPR), the licensor must support the licensee in fulfilling the duties to provide information at the licensee’s request to the extent reasonable and necessary against reimbursement of the expenses and costs that can be proven to be incurred by the licensor as a result. Notifications pursuant to Art. 33 or 34 GDPR for the licensee may only be made by the licensor after prior instruction.

 

6. Obligations of the Licensee

(1) The licensee is solely responsible for assessing the admissibility of the commissioned processing and for safeguarding the rights of data subjects.
(2) The licensee must inform the licensor immediately and completely if he detects errors or irregularities regarding data protection regulations during the examination of the order results.
(3) The licensee is responsible for the reporting obligations resulting from Art. 33, 34 GDPR.

 

7. The licensor’s authority to issue instructions

(1) Licensor processes Licensee’s data exclusively in accordance with Licensor’s instructions as conclusively expressed in the provisions of this Agreement and the provisions of the main contract. Licensee’s instructions may not make the contractually agreed performance obligations under the main contract impossible. Individual instructions that deviate from the provisions of this agreement or impose additional requirements require the prior consent of the licensor. If individual instructions entail additional costs, in particular if these exceed the contractually agreed scope of services, these are to be reimbursed to the licensor.
(2) The licensee shall immediately confirm verbal instructions in writing or in text form (e.g. by e-mail).
(3) The licensor shall inform the licensee immediately if he considers that an instruction issued by the licensee violates statutory provisions (Art. 28 para. 3 sentence 3 GDPR). The licensor is entitled to suspend the execution of the corresponding instruction until it is confirmed or changed by the responsible person at the licensee.

 

8. Duties of support

(1) If, pursuant to applicable data protection laws, the licensee is obliged vis-à-vis an individual to provide information or information for the processing of data of this person or to guarantee the rights of data subjects pursuant to Chapter III (Art. 12 to 23) of the GDPR, the licensor shall support the licensee in fulfilling these obligations with appropriate technical and organisational measures in accordance with Art. 28 para. 3 lit. e GDPR, as agreed.
(2) The licensor supports the licensee within the scope of his possibilities according to Art. 28 para. 3 lit. f GDPR in the compliance with the obligations mentioned in Art. 32 to 36 GDPR.
(3) The Licensee shall reimburse the Licensor for any expenses and costs incurred and verifiable in the provision of the support services pursuant to subsections 1 and 2.
(4) In the event of a claim against a Contracting Party by a data subject with regard to any claims under Art. 82 GDPR, the Contracting Party claimed undertakes to inform the other Contracting Party without delay. The contracting parties will support each other in the defense of the claim.

 

9. Control rights of the licensee

(1) With regard to the Licensee’s control obligations pursuant to Art. 28 para. 3 lit. h GDPR, the Licensor shall ensure that the Licensee is satisfied that the technical and organisational measures taken in accordance with the Annex to this Annex have been complied with. Controls on subcontractors/data centers shall be supplemented by their conditions for controls.
(2) The licensor grants the licensee the rights of access, information and inspection necessary for carrying out these controls.
(3) The licensee is entitled to enter the premises of the licensor in which the licensee’s data are processed during normal business hours at his own expense, without interrupting the course of business and under strict confidentiality of the licensor’s trade and business secrets in order to ensure compliance with the technical and organisational measures in accordance with the appendix to this appendix.
(4) At the discretion of the Licensor, proof of compliance with the technical and organisational measures in accordance with the appendix to this Annex may also be provided by the submission of a suitable, up-to-date certificate, reports or report extracts from independent bodies (e.g. auditors, data protection officers, IT security department, data protection auditors or quality auditors) or a suitable certification by an IT security or data protection audit (e.g. BSI-Grundschutz), a confirmation of compliance with approved rules of conduct according to Art. 40 GDPR or certification according to an approved certification procedure according to Art. 42 GDPR, if these test reports enable the licensee to adequately satisfy himself of the compliance with the technical and organisational measures according to the Annex to this Annex.
(5) The licensee shall inform the licensor in good time (usually at least two weeks in advance) of all circumstances connected with the performance of the inspection. As a rule, the licensee may carry out one check per calendar year. This does not affect the right of the licensee to carry out further checks in the event of serious incidents.
(6) The costs of carrying out the inspection shall be borne by the licensee.

 

10. Subcontractor (further processor according to Art. 28 para. 2 and 4 GDPR)

(1) The passing on of orders by the contractor to subcontractors or subcontractors (hereinafter uniformly referred to as subcontractors) within the scope of the activities specified in the main contract requires the prior written consent of the customer. The same applies to the replacement of an existing subcontractor.
(2) Such prior consent may only be refused by the principal for important reasons provable to the contractor. The subcontractors used by the contractor are listed in Annex 2. For the subcontractors referred to in Appendix 2, approval shall be deemed to have been granted upon signature of this agreement. The contractor shall inform the contracting authority in advance of any intended change in relation to the involvement or substitution of subcontractors, giving the contracting authority the possibility to object to this change (Article 28(2) GDPR). If no objection is raised within 14 days of notification, consent to the change shall be deemed given.
(3) If the Contractor places orders with subcontractors in compliance with para. 1, the Contractor shall be responsible for transferring its obligations under this contract to the subcontractor.
(4) If the subcontractor provides the agreed service outside the EU/EEA, the contractor shall ensure the admissibility under data protection law through appropriate measures in accordance with Art. 44 ff. GDPR.
(5) The involvement of subcontractors for whom the subcontractor merely uses an ancillary service to support the provision of services under the main contract, even if access to the customer’s data cannot be excluded; this includes in particular telecommunications services, postal or transport services, maintenance and user services or the disposal of data carriers as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. The contractor shall enter into customary confidentiality agreements with such subcontractors.

 

11. Deletion of data and return of data carriers

Upon completion of the contractual work or earlier upon request by the Licensee – at the latest upon termination of the main contract – the Licensor shall delete all data of the Licensee which have come into its possession and which are the subject matter of this Annex and hand over to the Licensee data carriers received from the Licensee which at that time still contain the Licensee’s data.

 

12. Liability

A liability provision agreed between the contracting parties in the main contract shall also apply to order processing, unless the contracting parties have expressly agreed otherwise.

 

13. Final provisions

 

(1) Insofar as no special provisions are contained in this Annex, the provisions of the main contract shall apply.
(2) Amendments and supplements to this Annex and all its components require a written annex. This also applies to the waiver of this formal requirement.
(3) The exclusive place of jurisdiction for all disputes arising from this Annex shall be the registered office of the Licensor, provided that the Licensee is a registered merchant, a legal entity under public law or a special fund under public law.
(4) German law applies.

Appendix: Overview of Technical and Organisational Measures
The Licensor stores personal data within the scope of the service provision, among other things in a data center. The following describes the technical and organisational measures taken by the Licensor and the data center operator to adequately protect the Licensee’s data against misuse and loss, which comply with the requirements of the General Data Protection Regulation (GDPR):

I. Confidentiality (Art. 32 para. 1 lit. b GDPR)

1. Entrance control
Unauthorized persons must be denied access to data processing systems with which the personal data are processed and used.

Measures taken by the Licensor:
• Determination of the persons entitled to access
• Access regulations for external persons
• Use of an access control system, key regulation and current key list
• Security also outside working hours by alarm system

Measures taken by Data Center:
• Determination of the persons entitled to access
• Closed shop operation (only authorized persons have access)
• Revision capability of access authorizations
• Creation of security zones
• Threat analysis
• Identification by means of ID cards
• Use of an access control system, key regulation and current key list
• Access regulations for external persons
• Measures to secure the inner and outer shell of the building
• Logging of entries and exits
• Reception / Doorman
• Security also outside working hours by alarm system

2. Admission control
Data processing systems must be prevented from being used by unauthorized persons.

Measures taken by the Licensor:
• Determination of the persons entitled to use the building
• Identification and authentication of users
• Encryption of the data to be transmitted
• Logging of users and their activities
• Access data to systems via certificates and passwords
• Access data are changed at regular intervals

Measures taken by Data Center:
• Determination of the persons entitled to use the building
• Identification and authentication of users
• Encryption of the data to be transmitted
• Logging of users and their activities
• Password policy
• Regulations on telework

3. Access control
It must be ensured that those authorized to use a data processing system can only access the data subject to their access authorization and that personal data cannot be read, copied, modified or removed without authorization during processing, use and after storage.

Measures taken by the Licensor:
• Identification and authentication of users
• Central allocation office for user rights
• Introduction of measures restricting access (read-only)
• Automatic check of authorizations
• Access data to systems via certificates and passwords
• Access data are changed at regular intervals

Measures taken by Data Center:
• Creation of revisable user profiles
• Identification and authentication of users
• Automatic check of authorizations
• Introduction of measures restricting access (read-only)
• Temporal limitation of access options
• Restriction of the free query options of databases
• User-related logging
• Use of encryption methods
• Central allocation office for user rights
• Intrusion detection system

4. Separation control
It must be ensured that data collected for different purposes can be processed separately.

Measures taken by the Licensor:
• Data storage is provided with the purpose of data collection (by file name)
• Client separation – Logical separation of data (through different file directories)
• Client separation at user administration level

Measures taken by Data Center:
• Client separation – Logical separation of data (different file directories)
• Use of encryption
• Execution and documentation of the separation of functions
• Implementation of an internal control system

II. Integrity (Art. 32 para. 1 lit. b GDPR)

1. Handover control
It must be ensured that personal data cannot be read, copied, altered or removed without authorization during electronic transmission or during transport or storage on data carriers, and that it is possible to check and determine to which points personal data is to be transmitted by data transmission devices.

Measures taken by the Licensor:
• Encryption of data
• Checking all data and data carriers for viruses
• Logging of data transmission
• Duplication of the data carriers
• Use of a VPN
• Remote maintenance concept

Measures taken by Data Center:
• Logging of data transmission
• Evaluation options for the transmission logs in order to be able to determine the recipients or callers in a targeted manner
• Determination of the persons entitled to transfer or transport
• Duplication of the data carriers
• Encryption of data
• Checking all data and data carriers for viruses
• Completeness and accuracy check (after transmission)
• Remote maintenance concept
• Use of a VPN

2. Input control
It must be ensured that it can be subsequently checked and established whether and by whom personal data have been entered, changed or removed in data processing systems.

Measures taken by the Licensor:
• Definition of input powers
• Logging of entries, changes and deletions

Measures taken by Data Center:
• Definition of input powers
• Logging of entries, changes and deletions
• Storage of the initiator
• Complete process logging for each individual case

III. Availability, resilience (Art. 32 para. 1 lit. b GDPR) and rapid recoverability (Art. 32 para. 1 lit. c GDPR)

Personal data must be protected against accidental destruction or loss.

Measures taken by the Licensor:
• Backup systems for the recovery of lost data
• Object security, especially of server rooms
• Air conditioning
• Virus protection concept
• Fire detector

Measures taken by Data Center:
• Backup systems for the recovery of lost data
• Testing the recovery
• Emergency concept with restart plan
• UPS (uninterruptible power supply)
• Redundant line supply
• Emergency power generator
• Fire detector
• Fire protection and disaster regulations
• Documented data backup concept
• Central data backup
• Spatially separate storage of the data backups created
• Object security, especially of server rooms
• Virus protection concept
• Air conditioning
• Geo-redundancy on server and application level

IV. Procedure for regular review, assessment and evaluation (Art. 32 para. 1 lit. d GDPR; Art. 25 para. 1 GDPR)

1. Order control
Data processing in accordance with the order and instructions must be guaranteed.

Measures taken by the Licensor:
• Delimitation of competences and duties between Licensor and Licensee
• Clear drafting and execution of contracts
• Formalization of order placement
• Sanctions for breach of contract

Measures taken by Data Center:
• Clear drafting and execution of contracts
• Delimitation of competences and duties between Licensor and Licensee
• Careful selection of the Licensor
• Formalization of order placement
• Logging and control of the proper execution of the contract
• Sanctions for breach of contract

2. External tests, audits, certifications
The contractor regularly carries out the following tests/audits with regard to the technical and organisational measures or is certified as follows:

Measures taken by the Licensor:
• Data protection officer regularly carries out audits and/or spot checks

Measures taken by Data Center:
• Certification according to ISO 27001 or comparable standard