Version: March 14, 2024
SECJUR GmbH, Steinhöft 9, 20459 Hamburg (hereinafter "SECJUR") offers technical software solutions in the area of compliance by way of a software as a service (hereinafter "Digital Compliance Office" or "DCO"). The contractual partner of SECJUR (hereinafter the "Client") intends to make use of services provided by SECJUR.
1. Applicability
1.1. These General Terms and Conditions, together with the respective offer for the services listed therein (hereinafter the "Offer") and the corresponding Special Terms and Conditions as well as any further contractual understandings, if any, shall constitute the Agreement concluded between SECJUR and the Client (hereinafter the "Agreement").
1.2. The General Terms and Conditions shall also apply to all future services rendered to the Client without the need for a new agreement to such effect.
1.3. Client's or third party's terms and conditions shall not apply, even if SECJUR does not expressly object to their applicability in each individual case. Even if the Client refers to a letter that contains or refers to terms and conditions of the Client or a third party, this shall not constitute an acceptance of the validity of said terms and conditions.
2. Offer and Agreement Conclusion
2.1. Any Offer made by SECJUR shall be subject to changes and non-binding unless it is expressly indicated as binding or contains a specific term for acceptance.
2.2. The Agreement shall be deemed to be concluded by the Client's acceptance of the Offer within a period of five (5) working days.
3. SECJUR Services
3.1. SECJUR shall be entitled to render services by subcontracting them to third parties (hereinafter "Subcontractors").
3.2. The services set forth in the Offer may be substantiated by SECJUR in a description of services. Any such service description shall form an integral part of the Agreement.
3.3. The parties agree that the agreed services may be adapted by SECJUR to the extent necessary due to changes in technical, legal or actual requirements and needs and/or technical progress during the term of the Agreement.
3.4. The exercise of the right to determine services shall only be permissible subject to SECJUR considering the legitimate interests of the Client.
3.5. The exercise of the right to determine services shall not restrict the essence of the service provision to the Client's disadvantage.
3.6. Any services by SECJUR that have not been requested shall expire at the end of the following quarter. In the case of KYC, KYB, PEP and Sanction List scans, these expire at the end of the current contract year.
3.7. Where SECJUR provides digital online trainings, the "General Terms And Conditions for the SECJUR Academy" shall apply.
3.8. Where SECJUR provides a whistleblowing tool, the "General Terms And Conditions for the usage of the Whistleblowing Solution of SECJUR GmbH" shall apply.
3.9. Insofar as the contract includes services under a flat rate without a defined capacity limit, the Client has the right to claim these services. SECJUR can check the services based on the existing capacities. If the existing capacities are exceeded, SECJUR can take measures to control capacity. This includes reducing or deferring the services to be provided in the future.
4. Remuneration and Payment
4.1. The Client shall pay SECJUR the remuneration as stipulated in the Offer. Additional or extra services shall be charged separately.
4.2. The remuneration shall be due immediately and payable without deduction no later than ten (10) days after receipt of the invoice to the account designated by SECJUR. Recurring and one-time payments shall be made annually in advance. Travel costs and expenses as well as any services ordered separately shall be invoiced to the Client in the respective following month.
4.3. All prices are quoted excluding the statutory value added tax.
4.4. If the Client is in default with payments, SECJUR may charge default interest in the amount of nine (9) percentage points above the respective base interest rate p.a. SECJUR reserves the right to claim higher damages for default.
4.5. SECJUR reserves the right to adjust the contractually agreed remuneration annually based on the German Consumer Price Index (CPI). In addition to the adjustment according to the CPI, the remuneration will increase by 2.9% annually. This regulation reflects the continuous added value through the increasing degree of innovation of the software and addresses the inflation risk without nominally favoring SECJUR. The adjustment will be made for the first time one year after the start of the contract term. An adjustment of the remuneration takes place to reflect the development of costs that are significant for price calculation. This includes, among other things, changes in the costs of procuring hardware and software, energy, the use of communication networks, as well as changes in labor costs and other changes in economic or legal conditions.
5. Client Obligation
5.1. The Client warrants that it will perform all required provision and cooperation services in a timely manner and at no cost to SECJUR.
5.2. The Client warrants that it will support staff of SECJUR and of possible Subcontractors to the greatest possible extent in the performance of the services to be rendered. This includes, among other things, the Client providing a qualified staff member for support and coordination and providing SECJUR with all necessary information in a timely manner.
5.3. Where the Client does not provide the required cooperation, does not provide it in time or does not provide it in the agreed manner, the resulting damages and expenses (e.g. delays, any additional expenditure) shall be borne by the Client.
5.4. It shall be the Client's obligation to provide files and data media free of content and technically flawless - in particular free of malware (e.g. "viruses") - and to indemnify SECJUR for any and all damages for possible violations of said obligation as well as to hold SECJUR harmless from any and all claims of third parties.
5.5. It shall be the Client's obligation to back up his data on his own systems on a regular basis, but no later than at the end of the Agreement.
5.6. The Client is obligated to conduct itself in a legally compliant manner, i.e. to comply with its obligations under the Agreement and any applicable statutory provisions, in particular vis-à-vis SECJUR, end customers, interested parties and any other third parties. Insofar as the Client is required by law to provide evidence of compliance with certain requirements, such evidence shall also be provided to SECJUR to the extent permissible. Certificates or test reports shall be sufficient proof, unless there are no stricter legal requirements.
6. Liability
6.1. SECJUR shall be liable within the scope of the statutory provisions for damages and reimbursement of expenses for loss of life, limb, or health as well as for damages which give rise to obligation to pay compensation by the manufacturer pursuant to Section 1 of the German Product Liability Act (ProdHaftG).
6.2. For any other damages, SECJUR shall be liable only as provided in the following provisions. SECJUR shall be liable in accordance with the statutory provisions for damages caused by fraudulent conduct, intent, or gross negligence. In cases of simple negligence, SECJUR shall only be liable insofar as substantial contractual obligations (so-called Kardinalpflichten) are violated. Substantial contractual obligations are obligations the fulfilment of which makes the proper performance of the Agreement possible in the first place and on the fulfilment of which the Client regularly relies on and may rely. In such cases, liability shall be limited to the amount of the foreseeable damage typical for the Agreement.
6.3. In case of liability for simple negligence, SECJUR's liability to pay compensation for consulting errors shall be limited to the maximum amount of the insurance coverage for pecuniary loss in the amount of EUR 10,000,000.00 per claim.
6.4. The above exclusions and limitations of liability equally apply to the benefit of SECJUR's corporate bodies, legal representatives, staff and other vicarious agents.
7. Non-Solicitation
7.1. Client commits not to solicit SECJUR's qualified personnel during the term of the Agreement. The submission of a concrete offer for a different employment relationship shall be deemed to constitute solicitation.
7.2. A person being part of the qualified personnel shall not be employed by the Client for a period of twelve months after the termination - for whatever legal reason - of the employment relationship between SECJUR and such person, unless SECJUR has initiated the termination of the employment relationship or has given its prior written consent to such termination in each individual case (Section 126 para. 1 German Civil Code (BGB)).
8. References
8.1. SECJUR shall be entitled to name the Client as a reference within the scope of the statutory limits (hereinafter "References"). References shall include, but are not limited to: naming of the company and presentation of current and past company logos and brands; description of the content and scope of the services provided. The right to name References includes, but is not limited to: all websites, blogs and social media channels; press releases; interviews; professional articles; print advertisements; company documents; requests for proposals; presentations; webinars; the Digital Compliance Office; company premises; trade fairs.
8.2. The Client grants SECJUR and its affiliates a simple, temporally, and spatially unrestricted, non-transferable right of use with regard to the name and trademark rights required for this purpose.
8.3. The provisions of this section shall continue to apply for a period of four years after termination of the Agreement.
9. Text Form
Amendments and modifications to this Agreement require to be made in text form to be effective (Section 126b of the German Civil Code (BGB)). This shall also apply to any amendments to this text form clause.
10. Notifications
10.1. The contracting parties will mutually agree on any organisational arrangements after the conclusion of the Agreement. The contracting parties agree to record any specific agreements concerning the cooperation - in particular scheduling agreements - in text form (Section 126b of the German Civil Code (BGB)).
10.2. If applicable, the Client shall be obligated to use the ticket system provided by SECJUR for all notifications within the scope of the Agreement.
11. Protection of Personal Data
11.1. Insofar as SECJUR processes personal data on behalf of the Client, the provisions of the Annex Data Processing Agreement shall apply.
11.2. Insofar as SECJUR processes personal data of the Client as a controller, the Client shall support SECJUR in fulfilling the legal information obligations vis-à-vis the data subjects.
12. Term and Termination
12.1. The term of the Agreement shall commence on the first and fifteenth day of the month following the signing of the Agreement (hereinafter "Commencement of contract").
12.2. The Agreement has a term of two (2) years from the Commencement of contract.
12.3. The Agreement will be extended by two (2) further years at the end of each term if not terminated earlier than the end of the respective term subject to a notice period of three (3) months to the end of the term, except as otherwise provided by law.
12.4. A change in the person of an External Officer shall not affect the validity and existence of the Agreement.
12.5. For SECJUR, good cause justifying extraordinary termination of the Agreement shall in particular be constituted by the Client's failure to perform an act of cooperation required for the performance of the Agreement within a reasonable period of time determined by SECJUR, provided that SECJUR, when determining such period of time, has specifically described the act to be performed and has declared that it will terminate the Agreement extraordinarily if the act is not performed by the end of said period of time.
13. Final Provisions
13.1. In case of contradictions between different parts of this Agreement, the provisions of the Offer shall prevail. The terms and conditions of these General Terms and Conditions and the Annex Data Processing Agreement shall take precedence over the special terms and conditions for other services.
13.2. If any provision of the Agreement and/or its amendments or modifications is or becomes invalid, this shall not affect the validity of the remaining provisions of the Agreement. If a provision is invalid, the parties shall have the obligation to negotiate a valid and reasonable replacement provision that comes as close as possible to the economic purpose pursued by the contracting parties with the invalid provision.
13.3. The Agreement conclusively and completely reflects the understanding between the parties regarding the subject matter of the Agreement and supersedes all previous written, oral, and implied agreements, understandings, or arrangements. No collateral agreements, written, oral or implied, have been made.
13.4. The Agreement and all non-contractual matters or obligations arising from the Agreement, or the services shall be governed by the law of the Federal Republic of Germany, to the exclusion of the United Nations Convention on Contracts for the International Sale of Goods of 11 April 1980 (CISG).
13.5. To the extent permitted by law, the exclusive place of jurisdiction shall be Hamburg, Germany, or, at SECJUR's choice, (i) the court at which the SECJUR branch office primarily involved in the provision of the services has its registered office or (ii) the courts at the place where the Client has its registered office.
Special Terms and Conditions SECJUR GmbH DCO
Version: February 23, 2023
1. Applicability
These Special Terms and Conditions of SECJUR GmbH DCO (hereinafter "GTC DCO") shall apply exclusively to the provision of access to the DCO by SECJUR and in addition to the General Terms and Conditions of SECJUR GmbH.
2. Subject Matter
2.1. SECJUR shall provide the Client with the DCO in the respective current version as a technical resource to support the Client's independent fulfilment of duties and implementation of requirements in the area of compliance for the term of this Agreement via a server that can be accessed by the Client via the Internet using a standard browser in the respective current version and against payment.
2.2. The handover point of the DCO is the router output of the cloud provider of SECJUR.
3. Availability
3.1. The availability of the DCO is specified in the service description.
3.2. The monitoring of the basic functions of the DCO as well as the regular maintenance windows are listed in the service description. As far as possible, SECJUR shall inform the Client immediately about any maintenance work to be carried out.
4. Rights of Use
4.1. The Client shall receive a non-exclusive, non-sublicensable and non-transferable right to use the DCO for its own internal purposes via a browser; this right shall be limited to the duration of this Agreement and shall be spatially unlimited. The granting of rights does not apply to the source code of the DCO. No rights are granted to edit, distribute, or make the DCO publicly available.
4.2. The Client shall only have the right to reproduce to the extent that this is permissible through the intended use of the DCO in accordance with the respective current service description. Permissible reproduction includes loading the DCO into the main memory on SECJUR's server, but not even temporary installation or storage of the DCO on data carriers such as the hard disk of the hardware used by the Client.
4.3. The Client is not permitted to make the DCO available for use by third parties, either for payment or free of charge. The Client is expressly not permitted to sublease the DCO.
4.4. The use of the DCO is only permitted by individuals (hereinafter "Named User") named by the Client.
4.5. Even under consideration of the rights of use granted, all property rights of the DCO shall remain with SECJUR.
5. Client Obligation
5.1. The Client is obligated to use the DCO only within the scope of the rights of use granted for it. In this context, it is the Client's obligation to ensure that the individuals named by the Client are appropriately bound to comply with the rights of use granted to the Client.
5.2. The Client's personnel shall use the DCO after an individual password has been created in advance. The Client shall bind its personnel to keep the individual passwords secret and not to make them accessible to any third party.
5.3. The Client has the obligation to obtain the necessary consents from the data subjects, as far as this is necessary for the usage of the DCO and no other legal basis for processing is applicable.
5.4. At the end of the Agreement, the Client's access to the DCO shall be deactivated. It is the Client's duty to save relevant data on its systems prior to the end of the Agreement.
Annex 1: Purpose, Nature and Scope of Data Processing, Type of Data and Categories of Data Subjects
Categories of data subjects: customers; suppliers; employees; interested parties; other contractual partners and third parties whose personal data are processed in the Digital Compliance Office. Purposes, nature and scope of processing: fulfilment of legal obligations; creation and filing/storage of documents; communication between the contracting parties. Type of data: master data; contact data; content data; usage data; other personal data defined in Art. 4 No. 1 GDPR that are transmitted or stored by the Client in the course of using the Digital Compliance Office; special categories of personal data, if applicable.
6. Warranty
SECJUR's warranty is governed by Sections 536 et seq. German Civil Code (BGB), unless the parties have expressly agreed otherwise.
Annex 1: Data Processing Agreement
To the extent that processing activities of SECJUR qualify as processing on behalf of the Client, the following Data Processing Agreement shall apply to the parties:
§ 1 Subject Matter of the Agreement
Within the scope of the provision of services under the Agreement (hereinafter "Main Agreement"), it is necessary for SECJUR (hereinafter "Processor") to handle personal data for which the Client acts as the controller within the meaning of the data protection provisions (hereinafter "Client Data"). This Data Processing Agreement (hereinafter "DPA") specifies the rights and obligations of the contracting parties under data protection law in connection with the Processor's handling of Client Data for the purpose of implementing the Main Agreement.
§ 2 Scope of the Assignment
2.1 The Processor shall process the Client Data on behalf of and according to the instructions of the Client within the meaning of Art. 28 GDPR (data processing on behalf). The Client shall remain the controller in the sense of data protection law.
2.2 The processing of Client Data by the Processor shall be carried out in the manner, to the extent and for the purpose as specified in Annex 1 to this DPA; the processing concerns the types of personal data and categories of data subjects designated therein. The duration of the processing shall correspond to the term of the Main Agreement.
2.3 The Processor reserves the right to anonymize or aggregate Client Data so that it is no longer possible to identify individual data subjects and to use it in this form for the purpose of demand-oriented design, further development and optimization as well as the provision of the service agreed upon in accordance with the Main Agreement. The Parties agree that anonymized Client Data or Client Data aggregated in accordance with the above provision shall no longer be deemed Client Data within the meaning of this DPA.
2.4 The Processor may process and use the Client Data for its own purposes and on its own responsibility within the scope of what is permissible under data protection law if a statutory permission provision or a declaration of consent by the data subject permits to do so. This DPA does not apply to such data processing.
2.5 The processing of Client Data by the Processor shall generally take place within the European Union or in another state being part of the Agreement on the European Economic Area (EEA). However, the Processor shall be permitted to process Client Data outside the EEA in compliance with the provisions of this DPA if the Processor informs the Client in advance of the location of the data processing and the requirements of Art. 44-48 of the GDPR are met or an exception pursuant to Art. 49 of the GDPR applies.
§ 3 Client's Right to Instructions
3.1 The Processor shall process Client Data in accordance with the Client's instructions, unless the Processor is required by law to process them otherwise. In the latter case, the Processor shall notify the Client of such legal requirements prior to processing, unless the relevant law prohibits such notification due to an important reason of public interest.
3.2 The instructions of the Client are generally conclusively defined and documented by the provisions of this DPA. Individual instructions deviating from the stipulations of this DPA or imposing additional requirements are subject to the prior approval of the Processor and shall be carried out in accordance with the amendment procedure stipulated in the Main Agreement, where the instruction shall be documented and the assumption of any resulting additional costs incurred by the Processor shall be borne by the Client.
3.3 The Processor warrants to process Client Data in accordance with Client's instructions. If the Processor is of the opinion that an instruction of the Client violates this DPA or the applicable data protection law, it shall be entitled, following a corresponding notification to the Client, to suspend the execution of the instruction until the Client confirms the instruction. The Parties agree that the sole responsibility for the processing of Client Data in accordance with the instructions lies with the Client.
§ 4 Client Responsibility
4.1 The Client shall be solely responsible for legal compliance of the processing of Client Data as well as for the protection of the rights of the data subjects regarding the contractual relationship between the parties. To the extent that third parties assert claims against the Processor based on the processing of Client Data in accordance with this DPA, the Client shall indemnify the Processor against, and hold it harmless from, all such claims upon first request.
4.2 The Client shall be responsible for providing the Processor with Client Data in due time for the performance of services under the Main Agreement and shall be responsible for the quality of the Client Data. The Client shall inform the Processor immediately and in full if he discovers errors or irregularities with regard to data protection provisions or its instructions when checking the Processor's order results.
4.3 Upon request, the Client shall provide the Processor with the information referred to in Article 30 (2) of the GDPR, unless the Processor is in possession of such information itself.
4.4 If the Processor is obligated vis-à-vis a government agency or individual to provide information on the processing of Client Data or to otherwise cooperate with such agencies, the Client shall be obligated to support the Processor upon first request in providing such information or in fulfilling other obligations to cooperate.
§ 5 Requirements for Personnel
The Processor shall oblige all persons who process Client Data to maintain confidentiality regarding the processing of Client Data.
§ 6 Security of Processing
6.1 In accordance with Article 32 of the GDPR, the Processor shall take the necessary, appropriate technical and organisational measures, taking into account the state of the art, the implementation costs and the nature, scope, context and purposes of the processing of Client Data as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in order to ensure a level of protection for the Client Data appropriate to the risk. A specification of the technical and organisational measures implemented is included in Annex 3.
6.2 The Processor shall be permitted to modify or adapt technical and organisational measures during the term of the DPA as long as they continue to meet the legal requirements.
§ 7 Use of Subprocessors
7.1 The Client hereby grants the Processor general approval to involve other processors with regard to the processing of Client Data (hereinafter "Subprocessor"). All Subprocessors engaged at the time of conclusion of this DPA are listed in Annex 2. No approval shall generally be required for contractual relationships with service providers that involve the testing or maintenance of data processing procedures or systems by other bodies or other ancillary services, even if access to Client Data cannot be excluded in the process, as long as the Contractor makes appropriate arrangements to protect the confidentiality of such Client Data.
7.2 The Processor shall inform the Client of any intended changes regarding the involvement or replacement of Subprocessors. In individual cases, the Client shall have the right to object to the engagement of a potential Subprocessor. Such objection may only be raised by the Client for good cause to be proven to the Processor. If the Client does not raise an objection within fourteen (14) days after receipt of the notification, its right to object concerning the corresponding engagement shall expire. If the Client raises an objection, the Processor shall be entitled to terminate the Main Agreement and this DPA with a notice period of three (3) months.
7.3 The Agreement between the Processor and any Subprocessor shall impose the same obligations on the latter as are imposed on the Processor by virtue of this DPA. The parties agree that this requirement is met if the Agreement has a level of protection corresponding to this DPA or if the obligations set out in Article 28 (3) GDPR are imposed on the Subprocessor.
§ 8 Rights of the Data Subjects
8.1 The Processor shall support the Client with technical and organisational measures within reasonable limits in fulfilling its obligation to respond to requests to exercise the rights of data subjects to which they are entitled.
8.2 Insofar as a data subject asserts a request to exercise the rights to which it is entitled directly against the Processor, the Processor shall promptly forward this request to the Client.
8.3 The Processor shall provide the Client with information about the stored Client Data, the recipients to which the Processor transfers Client Data in accordance with the order, and the purpose of the storage, unless the Client has access to said information himself or can obtain it on his own.
8.4 The Processor shall enable the Client to correct, delete or restrict the further processing of Client Data within the scope of what is reasonable and necessary against reimbursement of the expenses and costs to be proven incurred by the Processor as a result thereof or, at the request of the Client, to rectify, block or restrict further processing itself if and to the extent this cannot be done by the Client on his own.
8.5 Insofar as the data subject has a right to data portability vis-à-vis the Client with regard to Client Data pursuant to Art. 20 GDPR, the Processor shall support the Client within the scope of what is reasonable and necessary in providing the Client Data in a common and machine-readable format against reimbursement of the resulting expenses and costs to be proven incurred by the Processor, if the Client cannot procure the data otherwise.
§ 9 Notification and Support Obligations of the Processor
9.1 Insofar as the Client is subject to a legal obligation to report or notify a breach of the protection of Client Data (in particular pursuant to Art. 33, 34 GDPR), the Processor shall inform the Client in due time about any reportable events in his area of responsibility. The Processor shall support the Client in fulfilling the reporting and notification obligations at the Client's request within the scope of what is reasonable and necessary against reimbursement of the resulting expenses and costs to be proven incurred by the Processor.
9.2 The Processor shall support the Client within the scope of what is reasonable and necessary against reimbursement of the resulting expenses and costs to be proven incurred by the Processor in connection with any data protection impact assessments to be carried out by the Client and any subsequent consultations with the supervisory authorities pursuant to Art. 35, 36 GDPR.
§ 10 Data Deletion
10.1 The Processor shall delete Client Data after termination of this DPA, unless there is a legal obligation for the Processor to retain the Client Data.
10.2 Documentation which serves as evidence of the proper processing of Client Data in accordance with the order may be retained by the Processor even after the end of this DPA.
§ 11 Verifications and Audit Rights
11.1 The Processor shall provide the Client at the latter's request with all information required and available at the Processor to prove compliance with its obligations under this DPA.
11.2 The Client shall be entitled to verify the Processor with regard to compliance with the provisions of this DPA, in particular the implementation of the technical and organisational measures; including by means of audits.
11.3 In order to carry out any audits in accordance with Section 11.2, the Client shall be entitled to enter the Processor's business premises where Client Data are processed during normal business hours (Monday to Friday from 10 a.m. to 6 p.m.) at its own expense and after giving due notice in accordance with Section 11.5, without disrupting operations and subject to strict confidentiality of Processor's trade and business secrets.
11.4 The Processor shall be entitled, at its own discretion, considering the Client's legal obligations, not to disclose information which is sensitive with regard to the Processor's business or if the Processor would violate legal or other contractual regulations by disclosing such information. The Client shall not be entitled to have access to data or information concerning other Clients of the Processor, to information regarding costs, to quality review and Agreement management reports and to any other confidential data of the Processor which is not directly relevant for the agreed review purposes.
11.5 The Client shall inform the Processor in due time (as a rule at least two (2) weeks in advance) about all circumstances related to the performance of the audit. The Client may carry out one audit per calendar year. Further inspections shall be carried out against reimbursement of costs and after coordination with the Processor.
11.6 If the Client engages a third party to carry out the audit, the Client shall obligate the third party in writing in the same way as the Client is obligated to the Processor pursuant to Section 11 of this DPA. In addition, the Client shall bind the third party to maintain secrecy and confidentiality, unless the third party is subject to a professional confidentiality obligation. Upon request of the Processor, the Client shall immediately submit the obligation Agreements with the third party to the Processor. The Client may not engage any competitor of the Processor to carry out the audit.
11.7 At the Processor's sole discretion, proof of compliance with the obligations under this DPA may, instead of an audit, also be provided by the submission of a suitable, up-to-date attestation or report by an independent body (e.g., auditor, audit, data protection officer, IT security department, data protection auditors or quality auditors) or a suitable certification by IT security or data protection audit - e.g., in accordance with BSI-Grundschutz - (hereinafter "Audit Report") if such Audit Report reasonably enables the Client to assure himself of compliance with the obligations under this DPA.
§ 12 Term and Termination
The term and termination of this DPA shall be governed by the provisions governing the term and termination of the Main Agreement. Termination of the Main Agreement automatically results in termination of this DPA. An isolated termination of this DPA is excluded.
§ 13 Final Provisions
13.1 If individual provisions of this DPA are or become invalid or contain omissions, this shall not affect the remaining provisions. The parties undertake to replace the invalid provision with a legally permissible provision that comes as close as possible to the purpose of the invalid provision and meets the requirements of Article 28 GDPR.
13.2 In case of contradictions between this DPA and other Agreements between the Parties, in particular the Main Agreement, the provisions of this DPA shall prevail.
Annex 1: Purpose, Nature and Scope Of Data Processing, Type of Data and Categories of Data Subjects
Categories of data subjects: Clients; suppliers; employees; interested parties; other contractual partners and third parties whose personal data are processed in the Digital Compliance Office. Purposes, nature and scope of processing: fulfilment of legal obligations; creation and filing/storage of documents; communication between the contracting parties. Type of data: master data; contact data; content data; usage data; other personal data defined in Art. 4 No. 1 GDPR and transmitted or stored by the Client while using the Digital Compliance Office; special categories of personal data, if applicable.
Annex 2: Subprocessors
Annex 3: Technical and Organisational Measures
The following measures provide an overview of the implemented technical and organisational measures pursuant to Art. 32 GDPR to protect the integrity, confidentiality, and availability of personal data at SECJUR GmbH. The measures are always selected considering the existing risk of unauthorised disclosure, unauthorised modification or loss of personal data and are regularly reviewed for their effectiveness. The current state of the art is considered in the regular review so that no outdated protection mechanisms are implemented.