General Terms and Conditions Service of SECJUR GmbH

Version: February 26, 2025

secjur GmbH, Falkensteiner Ufer 40, 22587 Hamburg (hereinafter "SECJUR") offers technological software solutions in the field of compliance through a Software-as-a-Service model (hereinafter "Digital Compliance Office" or "DCO"). The contractual partner of SECJUR (hereinafter "Client") intends to use the DCO provided by SECJUR for a fee.

1. Applicability

1.1. These General Terms and Conditions of Service (hereinafter “GTC Service”) apply to supporting and supplementary services (hereinafter “Services”) provided by SECJUR to the contractual partner of SECJUR (hereinafter “Client”). Examples of such services are consulting and training services, support in configuring and setting up the DCO, data migration services or the provision of external information security and data protection officers.

1.2. The contractual terms for the use of the DCO are regulated in the separate General Terms and Conditions for Software (hereinafter "GTC Software"). These are available here. In the event of a conflict, the GTC Service shall take precedence over the GTC Software with regard to the provision of Services.

1.3. The GTC Service, together with the respective offer detailing the provided services (hereinafter “Offer”), the associated Special Terms, the GTC Software, and any additional contractual agreements, constitute the contract (hereinafter “Contract”) between SECJUR and the Client.

1.4. The GTC Service shall also apply to all future services provided to the Client without the need for a renewed agreement.

1.5. The Client’s terms and conditions shall not apply, even if SECJUR does not expressly object to their validity in individual cases. Even if the Client refers to a document that contains or references the Client’s terms and conditions, SECJUR’s unconditional provision of services shall not be deemed as acceptance of those terms and conditions. Any deviating, conflicting, or supplementary terms and conditions of the Client shall only become part of the Contract if the parties have expressly agreed to their validity in writing.


2. Offer and Conclusion of Contract

SECJUR's offer is non-binding and without obligation unless it is expressly designated as binding or includes a specific acceptance period.

3. General Terms of Service

3.1. Unless otherwise agreed, SECJUR provides its Services as service contract obligations. Therefore, SECJUR does not owe a specific outcome (e.g., certification according to ISO 27001). By way of exception, the parties may separately agree on the applicability of contract-for-work provisions.

3.2. SECJUR is entitled to provide services through subcontracting to third parties (hereinafter “Subcontractors”).

3.3. SECJUR may specify the services listed in the Offer in a service description. The service description is an integral part of the Contract.

3.4. The parties agree that the agreed-upon services may be adjusted by SECJUR as necessary during the term of the Contract to account for changes in technical, legal, or factual requirements and needs and/or due to technological advancements.

3.5. The exercise of the right to determine the scope of services is only permissible insofar as SECJUR takes the legitimate interests of the Client into account.

3.6. The exercise of the right to determine the scope of services must not restrict the core service provision to the detriment of the Client.

3.7. If SECJUR is unable to provide its services due to the Client’s failure to accept performance or for any other reason attributable to the Client’s operational sphere, the provisions of § 615 of the German Civil Code (BGB) shall apply.

3.8. If the Contract includes services under a fixed price without a defined capacity limit, these shall be provided subject to reasonable use (hereinafter "Fair Use Principle"). The Fair Use Principle is applied by SECJUR to ensure the availability of the respective services for all users. SECJUR may review the services utilized based on the available capacities. If the available capacities are exceeded, SECJUR may, after prior notice, implement capacity control measures. This includes reducing or postponing future services to be provided.

4. Expert Support

4.1. If included in the individual Offer, SECJUR provides expert support to the extent specified in the Offer. Depending on the individual Offer, expert support may include, among other things, professional guidance, instruction, and supervision in the development, implementation, and management of a compliance management system.

4.2. If the Offer refers to unlimited support, the service shall be provided subject to fair use (Fair Use Principle as per Clause 3.8.).

4.3. Depending on the individual Offer, expert support includes access to certified information security and/or data protection experts via a ticketing system.

5. Annual Audits

5.1. If included in the individual Offer, SECJUR conducts an annual internal information security and/or data protection audit. The information security audit is carried out by a certified information security expert, while the data protection audit is conducted by a certified data protection expert. The audit is performed through a document review (e.g., examination of policies and evidence). Additionally, employees of the Client may be interviewed. An on-site audit does not take place.

5.2. The result of the audit is an audit report. The report includes the audit scope, a description of the methodology, and a list of findings (e.g., identified vulnerabilities and recommendations for improvement).

6. External Officers

6.1. SECJUR provides, to the extent specified in the Offer, natural persons for the appointment as an external officer (e.g., Data Protection Officer, Information Security Officer, or Compliance Officer) for the Client. These individuals (hereinafter “External Officers”) possess the necessary expertise and reliability required to perform the respective duties.

6.2. Before commencing their duties, SECJUR will contact a designated representative of the Client (hereinafter "Onboarding"). Onboarding generally takes place within 7-14 days after the conclusion of the Contract, but not before the start date of the contractual term.

6.3. External Officers are entitled to be supported by trained auxiliary personnel and subcontractors in the performance of their assigned duties. The Client has no right to be served by a specific External Officer.

6.4. If SECJUR becomes aware that an External Officer will no longer be able to continue their duties or will be prevented from providing services to the Client for an extended period, SECJUR will inform the Client accordingly. The parties agree that in such a case, a replacement of the External Officer is necessary. The Client shall, if required, revoke the appointment of the previous External Officer on the date of their departure or the start of their unavailability and appoint the new External Officer designated by SECJUR.

6.5. Clause 6.4. shall apply accordingly if the External Officer resigns from their position with the Client. If the resignation takes effect immediately, Clause 6.4. shall apply with the provision that the replacement of the External Officer must be carried out without delay.

6.6. External Officers report to the highest management level of the Client. The External Officer is obligated to maintain strict confidentiality regarding any matters and trade secrets they become aware of, unless they are released from this obligation by the affected party.

6.7. The Client is obligated to support SECJUR and External Officers in fulfilling legal requirements, particularly by providing all necessary information.

6.8. The Client shall have no right to issue instructions to External Officers or their auxiliary personnel. The Client shall refrain from integrating External Officers into its organization beyond what is necessary for the performance of their contractual or legal duties, with respect to all individuals working on behalf of SECJUR.

6.9. SECJUR and External Officers shall have no right to issue instructions to the Client’s employees and no authority to represent the Client.

6.10. SECJUR assures the Client that it will not issue any instructions to External Officers or their auxiliary personnel regarding the exercise of their respective expertise (e.g., in the field of data protection or IT security).

6.11. External Officers may fulfill their cooperation obligations with government authorities (e.g., data protection supervisory authorities) and comply with reporting obligations within their area of responsibility (e.g., pursuant to Article 33 GDPR) at any time.

7. Remuneration and Payment

7.1. The Client is obligated to pay SECJUR the remuneration specified in the Offer. Any additional or special services will be charged separately.

7.2. The remuneration is due immediately and must be paid in full, without any deductions, no later than fourteen (14) days after receipt of the invoice to the account specified by SECJUR. Recurring and one-time payments are to be made annually in advance. Travel expenses and other costs, as well as separately commissioned services, will be invoiced to the Client in the following month.

7.3. All prices are exclusive of applicable statutory VAT.

7.4. If the Client is in default of payment, SECJUR may charge default interest at a rate of nine (9) percentage points above the applicable base interest rate per annum. The right to claim further damages due to delay remains reserved.

7.5. SECJUR is entitled to adjust the contractually agreed remuneration annually based on the German Consumer Price Index (Verbraucherpreisindex, VPI). The first adjustment shall take place one year after the start of the contractual term. The remuneration adjustment reflects changes in the costs relevant to price calculation, including but not limited to fluctuations in the costs of procuring hardware and software, energy, the use of communication networks, labor costs, and other changes in economic or legal conditions.

7.6. The Client is only entitled to offset claims to the extent that their counterclaim has been legally established or is undisputed. The Client is only entitled to assert a right of retention due to counterclaims arising from this contractual relationship.

8. Obligations of the Client

8.1. The Client ensures that all necessary provisions and cooperation services are provided in a timely manner and at no cost to SECJUR.

8.2. The Client ensures that SECJUR employees and any subcontractors receive the greatest possible support in performing the required services. This includes, among other things, providing a qualified employee for support and coordination and ensuring that SECJUR receives all necessary information in a timely manner.

8.3. If the Client fails to provide a required cooperation service, fails to provide it on time, or does not fulfill it in the agreed manner, the Client shall bear the resulting damages and expenses (e.g., delays, additional costs). As long as the Client’s cooperation services are not provided in accordance with the contract, SECJUR shall be wholly or partially released from its corresponding performance obligations to the extent that SECJUR depends on such cooperation or provision. SECJUR is not responsible for service disruptions caused by the Client’s failure to provide contractual cooperation services.

8.4. The Client is obligated to provide files and data carriers that are free from defects both in content and technical integrity, particularly free of malware (e.g., "viruses"). In the event of a violation of this obligation, the Client shall compensate SECJUR for any resulting damages and indemnify SECJUR against all third-party claims.

8.5. The Client is obligated to regularly back up their data, at the latest by the end of the contract term, on their own systems.

8.6. The Client is obligated to act in compliance with the law, meaning they must fulfill their contractual obligations and adhere to all applicable legal regulations, particularly concerning SECJUR, end customers, prospects, and other third parties. If the Client is legally required to provide proof of compliance with certain requirements, they shall also provide this proof to SECJUR, where permissible. Certificates or audit reports shall suffice as proof, provided that no stricter legal requirements apply.

8.7. In the event of defects or other disruptions, the Client is obligated to report them to SECJUR without delay and provide all necessary information available to them for troubleshooting.

8.8. The Client must submit defect complaints with a comprehensible description of the error symptoms in writing and, where possible, provide supporting written records (such as screenshots), hard copies, or other documentation illustrating the defects.

9. Liability

9.1. SECJUR shall be liable for damages and compensation for expenses in accordance with statutory provisions in cases of injury to life, body, or health, as well as for damages that give rise to a manufacturer’s liability under § 1 of the German Product Liability Act (Produkthaftungsgesetz, ProdHaftG).

9.2. For other damages, SECJUR shall be liable exclusively in accordance with the following provisions. SECJUR shall be liable under statutory provisions for damages caused by fraudulent conduct, intent, or gross negligence. In cases of simple negligence, SECJUR shall only be liable if essential contractual obligations (so-called cardinal obligations) are violated. Essential contractual obligations are those whose fulfillment is necessary for the proper execution of the Contract and on which the Client regularly relies and may rely. In such cases, liability is limited to the amount of the typical, foreseeable damage under the Contract.

9.3. In the event of liability for simple negligence, SECJUR’s obligation to compensate for advisory errors is limited to the maximum coverage amount of its financial loss liability insurance, which is EUR 10,000,000.00 per claim.

9.4. The above exclusions and limitations of liability shall apply to the same extent in favor of SECJUR’s corporate bodies, legal representatives, employees, and other agents.

10. Competition

10.1. The Client undertakes not to solicit SECJUR’s qualified personnel during the term of the Contract. Solicitation is deemed to include the submission of a concrete offer for alternative employment.

10.2. The Client shall not employ any person belonging to SECJUR’s qualified personnel for a period of twelve months after the termination of their employment relationship with SECJUR, regardless of the legal reason for termination, unless SECJUR has initiated the termination or has given prior written consent (§ 126 I BGB) in the specific case.

11. Reference

11.1. SECJUR is entitled to name the Client as a reference within the legal limits (hereinafter “Reference Mention”). The Reference Mention includes, among other things: the mention of the company name and the display of current and past company logos and trademarks, as well as a description of the content and scope of the services provided. The right to Reference Mention extends to, among others: all websites, blogs, and social media channels; press releases; interviews; professional articles; print advertisements; internal company documents; tenders; presentations; webinars; the Digital Compliance Office; company premises; and trade fairs.

11.2. The Client grants SECJUR and its affiliated companies a simple, non-transferable, unlimited right in terms of time and geography to use the necessary name and trademark rights for the purpose of the Reference Mention.

11.3. The provisions of this section shall remain in effect for a period of four years after the termination of the Contract.

12. Text Form

Amendments and modifications to the agreements made shall only be effective if provided in text form (§ 126b BGB). This also applies to changes to this text form clause.

13. Notifications

13.1. The contractual parties shall mutually agree on organizational arrangements after the conclusion of the Contract. The parties agree to record specific agreements concerning cooperation – particularly scheduling arrangements – in text form (§ 126b BGB).

13.2. Where applicable, the Client is obligated to use the ticketing system provided by SECJUR for all communications related to the Contract.

13.3. § 312i I Nr. 1, 2, and 3 BGB as well as § 312i I 2 BGB, which impose certain obligations on businesses in contracts concluded via electronic commerce, shall not apply.

14. Protection of Personal Data

14.1. If SECJUR processes personal data on behalf of the Client, the provisions of the Data Processing Agreement between the parties shall apply (see Annex Data Processing Agreement).

14.2. If SECJUR processes the Client’s personal data as a data controller, the Client shall support SECJUR in fulfilling its legal information obligations toward the affected individuals.

15. Confidentiality

15.1. "Confidential Information" includes all information, regardless of whether it is disclosed in writing, orally, or in any other form, that (i) is inherently confidential or requires confidentiality, or (ii) should be recognized as confidential by the receiving party under the given circumstances. This includes, but is not limited to, technical data, trade secrets, software, product descriptions, pricing structures, and other business-related information.

15.2. The parties agree to: (i) not disclose confidential information of the other party to third parties without prior express written consent, unless necessary to fulfill the contractual obligations; (ii) use confidential information solely for the purposes specified in the contract; (iii) take appropriate security measures to maintain the confidentiality of the information, at least to the same extent as they protect their own confidential information; (iv) promptly inform the other party in writing of any misuse or suspected misuse of confidential information.

15.3. The confidentiality obligation does not apply to information that: (i) was already known to the receiving party prior to receipt and was not subject to any existing confidentiality obligation; (ii) was disclosed by a third party who is not bound by a confidentiality obligation; (iii) is publicly known or becomes publicly known without fault of the receiving party; (iv) was independently developed by the receiving party without relying on confidential information of the disclosing party; (v) must be disclosed due to legal requirements or governmental orders, provided that the disclosing party is informed in a timely manner about the request to take legal protective measures.

15.4. The confidentiality obligation remains in effect for a period of five years after the termination of this Contract or until the confidential information no longer retains its confidential nature, whichever occurs first.

15.5. Both parties are entitled to disclose confidential information to subcontractors, provided that the subcontractors are obligated to comply with confidentiality obligations to an extent that aligns with these provisions.

16. Duration, Termination

16.1. The term of the Contract begins on the 1st and 15th of the month following the contract signing (hereinafter "Contract Start").

16.2. The term is determined by the individual Offer.

16.3. The Contract for the Services will be extended by its original term unless terminated with a notice period of three (3) months before the end of the respective term, except in the case of statutory special provisions. Example for clarification: If the expert support as per the Offer has a term of one (1) year, it will be extended for another (1) year unless terminated within the notice period.

16.4. A change in the person of the External Officer shall have no impact on the validity of the Contract.

16.5. The right of both parties to terminate the Contract for good cause remains unaffected by the preceding clauses. If the good cause is a breach of a contractual obligation, termination is only permitted after the unsuccessful expiration of a set deadline for remedy or after an unsuccessful warning, unless a deadline is unnecessary due to mandatory legal provisions.

16.6. A significant cause justifying SECJUR's right to extraordinary termination of the Contract is, in particular, if the Client has not performed a required cooperation action to fulfill the Contract within a reasonable deadline set by SECJUR, provided SECJUR has specifically identified the action to be taken and declared that the Contract will be terminated extraordinarily if the action is not performed by the end of the deadline.

16.7. A significant cause justifying SECJUR's right to extraordinary termination of the Contract also exists if the Client is in default of payment for at least two (2) monthly invoices.

17. Right to Amend

SECJUR reserves the right to amend these GTC Service to accommodate legal, technical, or business changes. Any amendments to the GTC Service will be communicated to the Client in text form (e.g., by email) at least four (4) weeks before the planned effective date. If the amendment is disadvantageous to the Client, the Client has the right to object in writing within two (2) weeks after receiving the notice. The notice of amendment will include information on the change, the right to object, the objection period, the requirement for text form, and the consequences of the objection. If the Client does not object within the specified period, the changes will be deemed accepted. In the case of a timely objection, the Contract will continue under the previous terms, with SECJUR reserving the right to terminate the Contract extraordinarily with one (1) month's notice.


18. Final Provisions

18.1. In the case of conflicts between different parts of this Contract, the provisions of the Offer shall take precedence. Contractual provisions of these GTC Service and the annexed Data Processing Agreement shall take precedence over the special conditions for additional services.

18.2. Should any provision of the Contract and/or its amendments or supplements be or become invalid, the validity of the remaining provisions of the Contract shall not be affected. The parties are obligated, in the event of invalidity of a provision, to negotiate a valid and reasonable replacement provision that comes as close as possible to the economic purpose pursued by the parties with the invalid provision.

18.3. The Contract represents the complete and final agreement between the parties with regard to the subject matter of the Contract and supersedes all prior written, oral, and implied agreements, understandings, or arrangements. No side agreements, whether written, oral, or implied, have been made.

18.4. The Contract and all non-contractual matters or obligations arising from the Contract or the services provided shall be governed by the law of the Federal Republic of Germany, excluding the United Nations Convention on Contracts for the International Sale of Goods of April 11, 1980 (CISG).

18.5. The exclusive place of jurisdiction, to the extent permitted by law, is Hamburg, Germany, or, at SECJUR's discretion, (i) the court where the SECJUR branch primarily responsible for providing the services is located, or (ii) the courts at the location where the Client is domiciled.


Annex 1:

Purpose, Nature and Scope of Data Processing, Type of Data and Categories of Data Subjects

Categories of data subjects: Clients; suppliers; employees; interested parties; other contractual partners and third parties whose personal data are processed in the Digital Compliance Office.

Purposes, nature and scope of processing: fulfilment of legal obligations; creation and filing/storage of documents; communication between the contracting parties.

Type of data: master data; contact data; content data; usage data; other personal data defined in Art. 4 No. 1 GDPR and transmitted or stored by the Client while using the Digital Compliance Office; special categories of personal data, if applicable.

Annex 2: Subcontractors

| Subprocessor | Location | Server location | Transfer mechanism (Art. 44 ff GDPR) | Provided Service |
|---|---|---|---|---|
| Decareto GmbH | Germany | Germany | | Website scans incl. cookie scans |
| Eagle lsp Rechtsanwaltsgesellschaft mbH | Germany | Germany | | Support for DCO |
| Hubspot Inc. (third-country transfer) | USA | Germany | Data Privacy Framework | Customer relationship management system, ticketing system, chatbot |
| Kombo Technologies GmbH | Germany | Germany | | Integrator for DCO APIs |
| Microsoft Inc. | USA | Germany | Data Privacy Framework | Hosting |
| Sentry.io / Functional Software, Inc. | USA | USA | Data Privacy Framework | Error detection and correction |
| Syngenity GmbH | Germany | Germany | | Support for DCO |


Annex 3: Technical and Organisational Measures
The following measures provide an overview of the implemented technical and organisational measures pursuant to Art. 32 GDPR to protect the integrity, confidentiality, and availability of personal data at SECJUR GmbH. The measures are always selected considering the existing risk of unauthorised disclosure, unauthorised modification or loss of personal data and are regularly reviewed for their effectiveness. The current state of the art is considered in the regular review so that no outdated protection mechanisms are implemented.

1. Confidentiality
1.1 Physical Access Control
The following measures are implemented to prevent unauthorized access to personal data:
☒ Electronic locking system
☒ Security locks
☒ Lockable server cabinets
☒ Visitor badge
☒ Key control
☒ Access concept
☒ Alarm system
☒ Reception
☒ Accompanying guests
1.2 System Access Control
The following measures are implemented to prevent unauthorized access to IT systems and storage media:
☒ End-device encryption
☒ Data carrier encryption
☒ Password policy
☒ Blocking of unused accounts
☒ At least 8 characters length
☒ Minimum complexity
☒ Regular change periods
☒ Single passwords
☒ Antivirus software
Regular updating of antivirus software
☒ Firewall
Regular updating of the firewall
☒ Automatic screen lock
☒ Intrusion detection system
☒ Locking external interfaces
1.3 Data Access Control
The following measures are implemented to prevent unauthorized access to personal data in IT systems:
Authorization concept
Review granting and withdrawal of the authorizations
Differentiated assignment of rights
Definition of user groups
Deletion of personal data after the purpose has been achieved or the legal retention period has expired
Secure overwriting of disks after hard disk formatting
Regular evaluation of the protocols
Logging accesses
Minimum number of administrator accesses
1.4 Separation Control
The following measures are implemented to separate personal data processed for different purposes:
☒ Client separation
☒ Various databases
☒ Development, test, and production system
☒ System-side separation
☒ Logical separation
1.5 Pseudonymization
Measures are implemented that enable the pseudonymization of personal data, if necessary. This is done, for example, by using hash values or Client numbers and restricting the allocation table.
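The pseudonymization measure above names two techniques: hash values and client numbers, with the allocation table kept under restricted access. The following Python module is an added illustration written for this page, not SECJUR's own code, of how both fit together: a keyed hash (HMAC-SHA256) produces stable pseudonyms that only the key holder can reproduce, and an allocation table hands out sequential client numbers and is the only component able to map a number back to a person, gated by role. The sample records, the role name "dpo" and the in-memory table are constructed assumptions.

```python
"""Added example: pseudonymizing personal identifiers with a keyed hash and
a separately held allocation table. Hypothetical code, not SECJUR's own."""
import hashlib
import hmac
import secrets

# Constructed sample records (not real data); the same person appears twice.
SAMPLE_RECORDS = [
    {"email": "anna@example.org", "plan": "pro"},
    {"email": "ben@example.org", "plan": "basic"},
    {"email": "anna@example.org", "plan": "pro"},
]


def pseudonymize(identifier: str, key: bytes) -> str:
    """Stable pseudonym for `identifier` under `key` (HMAC-SHA256, hex).

    A keyed hash is used instead of a bare SHA-256: a bare hash of a
    guessable identifier such as an e-mail address can be recomputed by
    anyone, so on its own it does not hide the identity.  The HMAC output
    can only be reproduced by whoever holds the key, and the key stays with
    the allocation table, not with the pseudonymized data set.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


class AllocationTable:
    """Maps identifiers to client numbers and back.

    This table is the only place where a client number can be resolved to a
    person, so resolution is restricted to the listed roles (assumed role
    names; a real deployment would tie this to its access-control system).
    """

    def __init__(self, allowed_roles=("dpo",)):
        self._key = secrets.token_bytes(32)  # key for the hash variant
        self._number_by_id: dict[str, int] = {}
        self._id_by_number: dict[int, str] = {}
        self._allowed_roles = set(allowed_roles)

    def client_number(self, identifier: str) -> int:
        """Return the existing client number for `identifier`, or allocate one."""
        if identifier not in self._number_by_id:
            number = len(self._number_by_id) + 1
            self._number_by_id[identifier] = number
            self._id_by_number[number] = identifier
        return self._number_by_id[identifier]

    def hashed_pseudonym(self, identifier: str) -> str:
        """Pseudonym via the keyed hash, using the key kept in this table."""
        return pseudonymize(identifier, self._key)

    def resolve(self, client_number: int, caller_role: str) -> str:
        """Re-identify a client number; only permitted roles may do this."""
        if caller_role not in self._allowed_roles:
            raise PermissionError(f"role {caller_role!r} may not re-identify")
        return self._id_by_number[client_number]


def pseudonymize_records(records, table: AllocationTable) -> list:
    """Replace the e-mail in each record with a client number.

    The returned records carry no direct identifier; linking them back to a
    person requires the allocation table.
    """
    return [
        {"client_no": table.client_number(r["email"]), "plan": r["plan"]}
        for r in records
    ]


def can_resolve(table: AllocationTable, client_number: int, role: str) -> bool:
    """True if `role` is allowed to re-identify `client_number`."""
    try:
        table.resolve(client_number, role)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    table = AllocationTable(allowed_roles=("dpo",))
    for rec in pseudonymize_records(SAMPLE_RECORDS, table):
        print(rec)
    print(table.hashed_pseudonym("anna@example.org"))
    print(can_resolve(table, 1, "analyst"), can_resolve(table, 1, "dpo"))
```

Two properties matter for the measure as described: records of the same person stay linkable (the same identifier always yields the same client number or hash, so analysis remains possible), while re-identification is only possible through the table, whose key and mapping are the items to keep under restricted access and separate from the pseudonymized data.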
2. Integrity
2.1 Transfer Control
The following measures have been implemented to ensure confidentiality and integrity when personal data is transferred:
☒ Documentation of data transfers
☒ Anonymization
☒ TLS 1.2 Encryption
☒ Regulation during physical transport
2.2 Input Control
The following measures are implemented to ensure the integrity of data during capture:
☒ Logging of inputs
☒ Protection of log data against manipulation
☒ Protection of log data against unauthorized viewing
3. Confidentiality And Resilience
3.1 Availability Control
The following measures are implemented to ensure the availability of personal data:
☒ Data backup concept
☒ Recovery concept
☒ Testing the recovery
☒ Emergency plan/emergency concept
☒ Encryption of the data backups
☒ Backup intervals: Daily
☒ UPS
☒ Air conditioners
☒ Fire alarm system
☒ Smoke detection system
☒ RAID system
☒ Backup strategy
☒ Hard disk mirroring
☒ Moisture detector
☒ Twin system
☒ Spam filter
4. Procedures for Regular Review, Assessment and Evaluation
4.1 Data Protection Management
The following organizational measures exist to ensure that personal data is handled in accordance with data protection requirements:
☒ Employees: Confidentiality obligation
☒ Employee training on data protection
☒ Data breach notification process
☒ Data processing in EU or EEA
☒ Compliance with Art. 28 and Art. 44 et seq. GDPR
☒ Designated Data Protection Officer
☒ Processes for exercising data subject rights
4.2 Incident Response Management
Incident response management is implemented on the process side.
4.3 Privacy-Friendly Default Settings
SECJUR GmbH systems are selected and developed in such a way that the default settings comply with the principles of Article 5 of the GDPR, in particular purpose limitation.
5. Data Processing on Behalf Control
The following measures are implemented for the processing of personal data on behalf of third parties that is permissible under data protection law:
Procedure for the selection of Subprocessors
☒ Written Agreements (DPAs)
☒ Checks and controls
6. Other Measures
☒ Regular execution of updates
☒ Deletion concept
☒ Remote maintenance


Annex 4: Data Processing Agreement

To the extent that processing activities of SECJUR qualify as processing on behalf of the Client, the following Data Processing Agreement shall apply to the parties:

§ 1 Subject Matter of the Agreement

Within the scope of the provision of services under the Agreement (hereinafter "Main Agreement"), it is necessary for SECJUR (hereinafter "Processor") to handle personal data for which the Client acts as the controller within the meaning of the data protection provisions (hereinafter "Client Data"). This Data Processing Agreement (hereinafter “DPA”) specifies the rights and obligations of the contracting parties under data protection law in connection with the Processor's handling of Client Data for the purpose of implementing the Main Agreement.

§ 2 Scope of the Assignment

2.1 The Processor shall process the Client Data on behalf of and according to the instructions of the Client within the meaning of Art. 28 GDPR (data processing on behalf). The Client shall remain the controller in the sense of data protection law.

2.2 The processing of Client Data by the Processor shall be carried out in the manner, to the extent and for the purpose as specified in Annex 1 to this DPA; the processing concerns the types of personal data and categories of data subjects designated therein. The duration of the processing shall correspond to the term of the Main Agreement.

2.3 The Processor reserves the right to anonymize or aggregate Client Data so that it is no longer possible to identify individual data subjects and to use it in this form for the purpose of demand-oriented design, further development and optimization as well as the provision of the service agreed upon in accordance with the Main Agreement. The Parties agree that anonymized Client Data or Client Data aggregated in accordance with the above provision shall no longer be deemed Client Data within the meaning of this DPA.

2.4 The Processor may process and use the Client Data for its own purposes and on its own responsibility within the scope of what is permissible under data protection law if a statutory permission provision or a declaration of consent by the data subject permits this. This DPA does not apply to such data processing.

2.5 The processing of Client Data by the Processor shall generally take place within the European Union or in another state party to the Agreement on the European Economic Area (EEA). However, the Processor shall be permitted to process Client Data outside the EEA in compliance with the provisions of this DPA if the Processor informs the Client in advance of the location of the data processing and the requirements of Art. 44-48 of the GDPR are met or an exception pursuant to Art. 49 of the GDPR applies.

§ 3 Client's Right to Instructions

3.1 The Processor shall process Client Data in accordance with the Client's instructions, unless the Processor is required by law to process them otherwise. In the latter case, the Processor shall notify the Client of such legal requirements prior to processing, unless the relevant law prohibits such notification due to an important reason of public interest.

3.2 The instructions of the Client are generally conclusively defined and documented by the provisions of this DPA. Individual instructions deviating from the stipulations of this DPA or imposing additional requirements are subject to the prior approval of the Processor and shall be carried out in accordance with the amendment procedure stipulated in the Main Agreement, whereby the instruction shall be documented and any resulting additional costs incurred by the Processor shall be borne by the Client.

3.3 The Processor warrants to process Client Data in accordance with Client's instructions. If the Processor is of the opinion that an instruction of the Client violates this DPA or the applicable data protection law, it shall be entitled, following a corresponding notification to the Client, to suspend the execution of the instruction until the Client confirms the instruction. The Parties agree that the sole responsibility for the processing of Client Data in accordance with the instructions lies with the Client.

§ 4 Client Responsibility

4.1 The Client shall be solely responsible for the legal compliance of the processing of Client Data as well as for the protection of the rights of the data subjects regarding the contractual relationship between the parties. To the extent that third parties assert claims against the Processor based on the processing of Client Data in accordance with this DPA, the Client shall indemnify the Processor against and hold it harmless from all such claims upon first request.

4.2 The Client shall be responsible for providing the Processor with Client Data in due time for the performance of services under the Main Agreement and shall be responsible for the quality of the Client Data. The Client shall inform the Processor immediately and in full if he discovers errors or irregularities with regard to data protection provisions or its instructions when checking the Processor's order results.

4.3 Upon request, the Client shall provide the Processor with the information referred to in Article 30 (2) of the GDPR, unless the Processor is in possession of such information itself.

4.4 If the Processor is obligated vis-à-vis a government agency or individual to provide information on the processing of Client Data or to otherwise cooperate with such agencies, the Client shall be obligated to support the Processor upon first request in providing such information or in fulfilling other obligations to cooperate.

§ 5 Requirements for Personnel

The Processor shall oblige all persons who process Client Data to maintain confidentiality regarding the processing of Client Data.

§ 6 Security of Processing

6.1 In accordance with Article 32 of the GDPR, the Processor shall take the necessary, appropriate technical and organisational measures, taking into account the state of the art, the implementation costs and the nature, scope, context and purposes of the processing of Client Data as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in order to ensure a level of protection for the Client Data appropriate to the risk. A specification of the technical and organisational measures implemented is included in Annex 3.

6.2 The Processor shall be permitted to modify or adapt technical and organisational measures during the term of the DPA as long as they continue to meet the legal requirements.

§ 7 Use of Subprocessors

7.1 The Client hereby grants the Processor general approval to involve other processors with regard to the processing of Client Data (hereinafter “Subprocessor”). All Subprocessors engaged at the time of conclusion of this DPA are listed in Annex 2. No approval shall generally be required for contractual relationships with service providers that involve the testing or maintenance of data processing procedures or systems by other bodies or other ancillary services, even if access to Client Data cannot be excluded in the process, as long as the Contractor makes appropriate arrangements to protect the confidentiality of such Client Data.

7.2 The Processor shall inform the Client of any intended changes regarding the involvement or replacement of Subprocessors. In individual cases, the Client shall have the right to object to the engagement of a potential Subprocessor. Such objection may only be raised by the Client for good cause to be proven to the Processor. If the Client does not raise an objection within fourteen (14) days after receipt of the notification, its right to object concerning the corresponding engagement shall expire. If the Client raises an objection, the Processor shall be entitled to terminate the Main Agreement and this DPA with a notice period of three (3) months.

7.3 The Agreement between the Processor and any Subprocessor shall impose the same obligations on the latter as are imposed on the Processor by virtue of this DPA. The parties agree that this requirement is met if the Agreement has a level of protection corresponding to this DPA or if the obligations set out in Article 28 (3) GDPR are imposed on the Subprocessor.

§ 8 Rights of the Data Subjects

8.1 The Processor shall support the Client with technical and organisational measures within reasonable limits in fulfilling its obligation to respond to requests to exercise the rights of data subjects to which they are entitled.

8.2 Insofar as a data subject asserts a request to exercise the rights to which it is entitled directly against the Processor, the Processor shall promptly forward this request to the Client.

8.3 The Processor shall provide the Client with information about the stored Client Data, the recipients to which the Processor transfers Client Data in accordance with the order, and the purpose of the storage, unless the Client has access to said information himself or can obtain it on his own.

8.4 The Processor shall enable the Client to correct, delete or restrict the further processing of Client Data within the scope of what is reasonable and necessary against reimbursement of the expenses and costs to be proven incurred by the Processor as a result thereof or, at the request of the Client, to rectify, block or restrict further processing itself if and to the extent this cannot be done by the Client on his own.

8.5 Insofar as the data subject has a right to data portability vis-à-vis the Client with regard to Client Data pursuant to Art. 20 GDPR, the Processor shall support the Client within the scope of what is reasonable and necessary in providing the Client Data in a common and machine-readable format against reimbursement of the resulting expenses and costs to be proven incurred by the Processor, if the Client cannot procure the data otherwise.


§ 9 Notification and Support Obligations of the Processor

9.1 Insofar as the Client is subject to a legal obligation to report or notify a breach of the protection of Client Data (in particular pursuant to Art. 33, 34 GDPR), the Processor shall inform the Client in due time about any reportable events in his area of responsibility. The Processor shall support the Client in fulfilling the reporting and notification obligations at the Client's request within the scope of what is reasonable and necessary against reimbursement of the resulting expenses and costs to be proven incurred by the Processor.

9.2 The Processor shall support the Client within the scope of what is reasonable and necessary against reimbursement of the resulting expenses and costs to be proven incurred by the Processor in connection with any data protection impact assessments to be carried out by the Client and any subsequent consultations with the supervisory authorities pursuant to Art. 35, 36 GDPR.


§ 10 Data Deletion

10.1 The Processor shall delete Client Data after termination of this DPA, unless there is a legal obligation for the Processor to retain the Client Data.

10.2 Documentation which serves as evidence of the proper processing of Client Data in accordance with the order may be retained by the Processor even after the end of this DPA.


§ 11 Verifications and Audit Rights

11.1 The Processor shall provide the Client at the latter's request with all information required and available at the Processor to prove compliance with its obligations under this DPA.

11.2 The Client shall be entitled to verify the Processor with regard to compliance with the provisions of this DPA, in particular the implementation of the technical and organisational measures; including by means of audits.

11.3 In order to carry out any audits in accordance with Section 11.2, the Client shall be entitled to enter the Processor's business premises where Client Data are processed during normal business hours (Monday to Friday from 10 a.m. to 6 p.m.) at its own expense and after giving due notice in accordance with Section 11.5, without disrupting operations and subject to strict confidentiality of Processor's trade and business secrets.

11.4 The Processor shall be entitled, at its own discretion, considering the Client's legal obligations, not to disclose information which is sensitive with regard to the Processor's business or if the Processor would violate legal or other contractual regulations by disclosing such information. The Client shall not be entitled to have access to data or information concerning other Clients of the Processor, to information regarding costs, to quality review and Agreement management reports and to any other confidential data of the Processor which is not directly relevant for the agreed review purposes.

11.5 The Client shall inform the Processor in due time (as a rule at least two (2) weeks in advance) about all circumstances related to the performance of the audit. The Client may carry out one audit per calendar year. Further inspections shall be carried out against reimbursement of costs and after coordination with the Processor.

11.6 If the Client engages a third party to carry out the audit, the Client shall obligate the third party in writing in the same way as the Client is obligated to the Processor pursuant to Section 11 of this DPA. In addition, the Client shall bind the third party to maintain secrecy and confidentiality, unless the third party is subject to a professional confidentiality obligation. Upon request of the Processor, the Client shall immediately submit the obligation agreements with the third party to the Processor. The Client may not engage any competitor of the Processor to carry out the audit.

11.7 At the Processor's sole discretion, proof of compliance with the obligations under this DPA may, instead of an audit, also be provided by the submission of a suitable, up-to-date attestation or report by an independent body (e.g., auditor, audit, data protection officer, IT security department, data protection auditors or quality auditors) or a suitable certification by IT security or data protection audit - e.g., in accordance with BSI-Grundschutz - (hereinafter "Audit Report") if such Audit Report reasonably enables the Client to assure himself of compliance with the obligations under this DPA.

§ 12 Term and Termination

The term and termination of this DPA shall be governed by the provisions governing the term and termination of the Main Agreement. Termination of the Main Agreement automatically results in termination of this DPA. An isolated termination of this DPA is excluded.

§ 13 Final Provisions

13.1 If individual provisions of this DPA are or become invalid or contain omissions, this shall not affect the remaining provisions. The parties undertake to replace the invalid provision with a legally permissible provision that comes as close as possible to the purpose of the invalid provision and meets the requirements of Article 28 GDPR.

13.2 In case of contradictions between this DPA and other Agreements between the Parties, in particular the Main Agreement, the provisions of this DPA shall prevail.