SERVICE PROVIDER - MASTER SERVICE AGREEMENT

THIS MASTER SUBSCRIPTION AGREEMENT GOVERNS CUSTOMER’S ACQUISITION AND USE OF SERVICE PROVIDER SERVICES. CAPITALIZED TERMS HAVE THE DEFINITIONS SET FORTH HEREIN. BY ACCEPTING THIS AGREEMENT, BY (1) CLICKING A BOX INDICATING ACCEPTANCE, (2) EXECUTING AN ORDER FORM THAT REFERENCES THIS AGREEMENT, OR (3) USING FREE SERVICES, CUSTOMER AGREES TO THE TERMS OF THIS AGREEMENT. IF THE INDIVIDUAL ACCEPTING THIS AGREEMENT IS ACCEPTING ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, SUCH INDIVIDUAL REPRESENTS THAT THEY HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERM “CUSTOMER” SHALL REFER TO SUCH ENTITY AND ITS AFFILIATES. IF THE INDIVIDUAL ACCEPTING THIS AGREEMENT DOES NOT HAVE SUCH AUTHORITY, OR DOES NOT AGREE WITH THESE TERMS AND CONDITIONS, SUCH INDIVIDUAL MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE SERVICES.

The Services may not be accessed for purposes of monitoring their availability, performance or functionality, or for any other benchmarking or competitive purposes.

Service Provider’s direct competitors are prohibited from accessing the Services, except with Service Provider’s prior written consent.

This Agreement was last updated on 01.04.2021. It is effective between Customer and Service Provider as of the date of Customer’s accepting this Agreement.

1. Definitions

1.1

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Agreement” means this Master Subscription Agreement.

“Beta Services” means Service Provider services or functionality that may be made available to Customer to try at its option at no additional charge which is clearly designated as beta, pilot, limited release, developer preview, non-production, evaluation, or by a similar description.

“Content” means information obtained by Service Provider from publicly available sources or its third party content providers and made available to Customer through the Services, Beta Services or pursuant to an Order Form, as more fully described in the Documentation.

“Customer” means in the case of an individual accepting this Agreement on his or her own behalf, such individual, or in the case of an individual accepting this Agreement on behalf of a company or other legal entity, the company or other legal entity for which such individual is accepting this Agreement, and Affiliates of that company or entity (for so long as they remain Affiliates) which have entered into Order Forms.

“Customer Data” means electronic data and information submitted by or for Customer to the Services, excluding Content and Non-Service Provider Applications.

“Documentation” means the applicable Service’s Trust and Compliance documentation and its usage guides and policies, as updated from time to time.

“Free Services” means Services that Service Provider makes available to Customer free of charge. Free Services exclude Services offered as a free trial and Purchased Services.

“Malicious Code” means code, files, scripts, agents or programs intended to do harm, including, for example, viruses, worms, time bombs and Trojan horses.

“Non-Service Provider Application” means a Web-based, mobile, offline or other software application functionality that interoperates with a Service, that is provided by Customer or a third party and/or listed on a Marketplace. Non-Service Provider Applications, other than those obtained or provided by Customer, will be identifiable as such.

“Order Form” means an ordering document or online order specifying the Services to be provided hereunder that is entered into between Customer and Service Provider or any of their Affiliates, including any addenda and supplements thereto. By entering into an Order Form hereunder, an Affiliate agrees to be bound by the terms of this Agreement as if it were an original party hereto.

“Purchased Services” means Services that Customer or Customer’s Affiliate purchases under an Order Form or online purchasing portal, as distinguished from Free Services or those provided pursuant to a free trial.

“Services” means the products and services that are ordered by Customer under an Order Form or online purchasing portal, or provided to Customer free of charge (as applicable) or under a free trial, and made available online by Service Provider, including associated Service Provider offline or mobile components, as described in the Documentation. “Services” exclude Content and Non-Service Provider Applications.

“Service Provider” means the Fellow Consulting AG company described in the “Service Provider Contracting Entity, Notices, Governing Law, and Venue” section below.

“User” means, in the case of an individual accepting these terms on his or her own behalf, such individual, or, in the case of an individual accepting this Agreement on behalf of a company or other legal entity, an individual who is authorized by Customer to use a Service, for whom Customer has purchased a subscription (or in the case of any Services provided by Service Provider without charge, for whom a Service has been provisioned), and to whom Customer (or, when applicable, Service Provider at Customer’s request) has supplied a user identification and password (for Services utilizing authentication). Users may include, for example, employees, consultants, contractors and agents of Customer, and third parties with which Customer transacts business.

2. Service Provider RESPONSIBILITIES

2.1 Provision of Purchased Services

Service Provider will (a) make the Services and Content available to Customer pursuant to this Agreement, and the applicable Order Forms and Documentation, (b) provide applicable Service Provider standard support for the Purchased Services to Customer at no additional charge, and/or upgraded support if purchased, (c) use commercially reasonable efforts to make the online Purchased Services available 24 hours a day, 7 days a week, except for: (i) planned downtime (of which Service Provider shall give advance electronic notice), and (ii) any unavailability caused by circumstances beyond Service Provider’s reasonable control, including, for example, an act of God, act of government, flood, fire, earthquake, civil unrest, act of terror, strike or other labor problem (other than one involving Service Provider employees), Internet Service Provider failure or delay, Non-Service Provider Application, or denial of service attack, and (d) provide the Services in accordance with laws and government regulations applicable to Service Provider’s provision of its Services to its customers generally (i.e., without regard for Customer’s particular use of the Services), and subject to Customer’s use of the Services in accordance with this Agreement, the Documentation and the applicable Order Form.

2.2 Protection of Customer Data

Service Provider will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Data, as described in the Documentation and in the Data Protection Act template at the bottom of this document. Those safeguards will include, but will not be limited to, measures for preventing access, use, modification or disclosure of Customer Data by Service Provider personnel except (a) to provide the Purchased Services and prevent or address service or technical problems, (b) as compelled by law in accordance with Section 7.3 (Compelled Disclosure) below. For the purposes of the Standard Contractual Clauses, Customer and its applicable Affiliates are each the data exporter, and Customer's acceptance of this Agreement, and an applicable Affiliate's execution of an Order Form, shall be treated as its execution of the Standard Contractual Clauses and Appendices. Upon request by Customer made within 30 days after the effective date of termination or expiration of this Agreement, SERVICE PROVIDER will make Customer Data available to Customer for export or download as provided in the Documentation. After such 30-day period, SERVICE PROVIDER will have no obligation to maintain or provide any Customer Data, and as provided in the Documentation will thereafter delete or destroy all copies of Customer Data in its systems or otherwise in its possession or control, unless legally prohibited. Free trial: Except with respect to a free trial, the terms of the data processing addendum (“DPA”) are hereby incorporated at the bottom of this document and shall apply to the extent Customer Data includes Personal Data, as defined in the DPA.

2.3 SERVICE PROVIDER Personnel

SERVICE PROVIDER will be responsible for the performance of its personnel (including its employees and contractors) and their compliance with SERVICE PROVIDER’s obligations under this Agreement, except as otherwise specified in this Agreement.

2.4 Beta Services

From time to time, SERVICE PROVIDER may make Beta Services available to Customer at no charge. Customer may choose to try such Beta Services or not in Customer’s sole discretion. Beta Services are intended for evaluation purposes and not for production use, are not supported, and may be subject to additional terms. Beta Services are not considered “Services” under this Agreement, however, all restrictions, SERVICE PROVIDER’s reservation of rights and Customer obligations concerning the Services and use of any related Non-SERVICE PROVIDER Applications and Content, shall apply equally to Customer’s use of Beta Services. Unless otherwise stated, any Beta Services trial period will expire upon the earlier of one year from the trial start date or the date that a version of the Beta Services becomes generally available without the applicable Beta Services designation. SERVICE PROVIDER may discontinue Beta Services at any time in SERVICE PROVIDER’s sole discretion and may never make them generally available. SERVICE PROVIDER will have no liability for any harm or damage arising out of or in connection with a Beta Service.

2.5 Free Trial

If Customer registers on SERVICE PROVIDER’s or an Affiliate’s website for a free trial, SERVICE PROVIDER will make the applicable Service(s) available to Customer on a trial basis free of charge until the earlier of (a) the end of the free trial period for which Customer registered to use the applicable Service(s), or (b) the start date of any Purchased Service subscriptions ordered by Customer for such Service(s), or (c) termination by SERVICE PROVIDER in its sole discretion. Additional trial terms and conditions may appear on the trial registration web page. Any such additional terms and conditions are incorporated into this Agreement by reference and are legally binding. ANY DATA CUSTOMER ENTERS INTO THE SERVICES, AND ANY CUSTOMIZATIONS MADE TO THE SERVICES BY OR FOR CUSTOMER, DURING CUSTOMER’S FREE TRIAL WILL BE PERMANENTLY LOST UNLESS CUSTOMER PURCHASES A SUBSCRIPTION TO THE SAME SERVICES AS THOSE COVERED BY THE TRIAL, PURCHASES APPLICABLE UPGRADED SERVICES, OR EXPORTS SUCH DATA, BEFORE THE END OF THE TRIAL PERIOD. CUSTOMER CANNOT TRANSFER DATA ENTERED OR CUSTOMIZATIONS MADE DURING THE FREE TRIAL TO A SERVICE THAT WOULD BE A DOWNGRADE FROM THAT COVERED BY THE TRIAL (E.G., FROM ENTERPRISE EDITION TO PROFESSIONAL EDITION); THEREFORE, IF CUSTOMER PURCHASES A SERVICE THAT WOULD BE A DOWNGRADE FROM THAT COVERED BY THE TRIAL, CUSTOMER MUST EXPORT CUSTOMER DATA BEFORE THE END OF THE TRIAL PERIOD OR CUSTOMER DATA WILL BE PERMANENTLY LOST. 
NOTWITHSTANDING THE “REPRESENTATIONS, WARRANTIES, EXCLUSIVE REMEDIES AND DISCLAIMERS” SECTION AND “INDEMNIFICATION BY SERVICE PROVIDER” SECTION BELOW, DURING THE FREE TRIAL THE SERVICES ARE PROVIDED “AS-IS” WITHOUT ANY WARRANTY AND SERVICE PROVIDER SHALL HAVE NO INDEMNIFICATION OBLIGATIONS NOR LIABILITY OF ANY TYPE WITH RESPECT TO THE SERVICES FOR THE FREE TRIAL PERIOD UNLESS SUCH EXCLUSION OF LIABILITY IS NOT ENFORCEABLE UNDER APPLICABLE LAW IN WHICH CASE SERVICE PROVIDER’S LIABILITY WITH RESPECT TO THE SERVICES PROVIDED DURING THE FREE TRIAL SHALL NOT EXCEED €1,000.00. WITHOUT LIMITING THE FOREGOING, SERVICE PROVIDER AND ITS AFFILIATES AND ITS LICENSORS DO NOT REPRESENT OR WARRANT TO CUSTOMER THAT: (A) CUSTOMER’S USE OF THE SERVICES DURING THE FREE TRIAL PERIOD WILL MEET CUSTOMER’S REQUIREMENTS, (B) CUSTOMER’S USE OF THE SERVICES DURING THE FREE TRIAL PERIOD WILL BE UNINTERRUPTED, TIMELY, SECURE OR FREE FROM ERROR, AND (C) USAGE DATA PROVIDED DURING THE FREE TRIAL PERIOD WILL BE ACCURATE. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THE “LIMITATION OF LIABILITY” SECTION BELOW, CUSTOMER SHALL BE FULLY LIABLE UNDER THIS AGREEMENT TO SERVICE PROVIDER AND ITS AFFILIATES FOR ANY DAMAGES ARISING OUT OF CUSTOMER’S USE OF THE SERVICES DURING THE FREE TRIAL PERIOD, ANY BREACH BY CUSTOMER OF THIS AGREEMENT AND ANY OF CUSTOMER’S INDEMNIFICATION OBLIGATIONS HEREUNDER. CUSTOMER SHALL REVIEW THE APPLICABLE SERVICE’S DOCUMENTATION DURING THE TRIAL PERIOD TO BECOME FAMILIAR WITH THE FEATURES AND FUNCTIONS OF THE SERVICES BEFORE MAKING A PURCHASE.

2.6 Free Services

SERVICE PROVIDER may make Free Services available to Customer. Use of Free Services is subject to the terms and conditions of this Agreement. In the event of a conflict between this section and any other portion of this Agreement, this section shall control. Free Services are provided to Customer without charge up to certain limits as described in the Documentation. Usage over these limits requires Customer’s purchase of additional resources or services. Customer agrees that SERVICE PROVIDER, in its sole discretion and for any or no reason, may terminate Customer’s access to the Free Services or any part thereof. Customer agrees that any termination of Customer’s access to the Free Services may be without prior notice, and Customer agrees that SERVICE PROVIDER will not be liable to Customer or any third party for such termination. Customer is solely responsible for exporting Customer Data from the Free Services prior to termination of Customer’s access to the Free Services for any reason, provided that if SERVICE PROVIDER terminates Customer’s account, except as required by law SERVICE PROVIDER will provide Customer a reasonable opportunity to retrieve its Customer Data. NOTWITHSTANDING THE “REPRESENTATIONS, WARRANTIES, EXCLUSIVE REMEDIES AND DISCLAIMERS” SECTION AND “INDEMNIFICATION BY SERVICE PROVIDER” SECTION BELOW, THE FREE SERVICES ARE PROVIDED “AS-IS” WITHOUT ANY WARRANTY AND SERVICE PROVIDER SHALL HAVE NO INDEMNIFICATION OBLIGATIONS NOR LIABILITY OF ANY TYPE WITH RESPECT TO THE FREE SERVICES UNLESS SUCH EXCLUSION OF LIABILITY IS NOT ENFORCEABLE UNDER APPLICABLE LAW IN WHICH CASE SERVICE PROVIDER’S LIABILITY WITH RESPECT TO THE FREE SERVICES SHALL NOT EXCEED €1,000.00. 
WITHOUT LIMITING THE FOREGOING, SERVICE PROVIDER AND ITS AFFILIATES AND ITS LICENSORS DO NOT REPRESENT OR WARRANT TO CUSTOMER THAT: (A) CUSTOMER’S USE OF THE FREE SERVICES WILL MEET CUSTOMER’S REQUIREMENTS, (B) CUSTOMER’S USE OF THE FREE SERVICES WILL BE UNINTERRUPTED, TIMELY, SECURE OR FREE FROM ERROR, AND (C) USAGE DATA PROVIDED THROUGH THE FREE SERVICES WILL BE ACCURATE. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THE “LIMITATION OF LIABILITY” SECTION BELOW, CUSTOMER SHALL BE FULLY LIABLE UNDER THIS AGREEMENT TO SERVICE PROVIDER AND ITS AFFILIATES FOR ANY DAMAGES ARISING OUT OF CUSTOMER’S USE OF THE FREE SERVICES, ANY BREACH BY CUSTOMER OF THIS AGREEMENT AND ANY OF CUSTOMER’S INDEMNIFICATION OBLIGATIONS HEREUNDER.

3. USE OF SERVICES AND CONTENT

3.1 Subscription

Unless otherwise provided in the applicable Order Form or Documentation, (a) Purchased Services and access to Content are purchased as subscriptions for the term stated in the applicable Order Form or in the applicable online purchasing portal, (b) subscriptions for Purchased Services may be added during a subscription term at the same pricing as the underlying subscription pricing, prorated for the portion of that subscription term remaining at the time the subscriptions are added, and (c) any added subscriptions will terminate on the same date as the underlying subscriptions. Customer agrees that its purchases are not contingent on the delivery of any future functionality or features, or dependent on any oral or written public comments made by SERVICE PROVIDER regarding future functionality or features.

3.2 Usage Limits

Services and Content are subject to usage limits specified in Order Forms and Documentation. If Customer exceeds a contractual usage limit, SERVICE PROVIDER may work with Customer to seek to reduce Customer’s usage so that it conforms to that limit. If, notwithstanding SERVICE PROVIDER’s efforts, Customer is unable or unwilling to abide by a contractual usage limit, Customer will execute an Order Form for additional quantities of the applicable Services or Content promptly upon SERVICE PROVIDER’s request, and/or pay any invoice for excess usage in accordance with the “Invoicing and Payment” section below.

3.3 Customer Responsibilities

Customer will (a) be responsible for Users’ compliance with this Agreement, Documentation and Order Forms, (b) be responsible for the accuracy, quality and legality of Customer Data, the means by which Customer acquired Customer Data, Customer’s use of Customer Data with the Services, and the interoperation of any Non-SERVICE PROVIDER Applications with which Customer uses Services or Content, (c) use commercially reasonable efforts to prevent unauthorized access to or use of Services and Content, and notify SERVICE PROVIDER promptly of any such unauthorized access or use, (d) use Services and Content only in accordance with this Agreement, Documentation, Order Forms and applicable laws and government regulations, and (e) comply with terms of service of any Non-SERVICE PROVIDER Applications with which Customer uses Services or Content. Any use of the Services in breach of the foregoing by Customer or Users that in SERVICE PROVIDER’s judgment threatens the security, integrity or availability of SERVICE PROVIDER’s services, may result in SERVICE PROVIDER’s immediate suspension of the Services, however SERVICE PROVIDER will use commercially reasonable efforts under the circumstances to provide Customer with notice and an opportunity to remedy such violation or threat prior to any such suspension.

3.4 Usage Restrictions

Customer will not (a) make any Service or Content available to anyone other than Customer or Users, or use any Service or Content for the benefit of anyone other than Customer or its Affiliates, unless expressly stated otherwise in an Order Form or the Documentation, (b) sell, resell, license, sublicense, distribute, make available, rent or lease any Service or Content, or include any Service or Content in a service bureau or outsourcing offering, (c) use a Service or Non-SERVICE PROVIDER Application to store or transmit infringing, libelous, or otherwise unlawful or tortious material, or to store or transmit material in violation of third-party privacy rights, (d) use a Service or Non-SERVICE PROVIDER Application to store or transmit Malicious Code, (e) interfere with or disrupt the integrity or performance of any Service or third-party data contained therein, (f) attempt to gain unauthorized access to any Service or Content or its related systems or networks, (g) permit direct or indirect access to or use of any Services or Content in a way that circumvents a contractual usage limit, or use any Services to access or use any of SERVICE PROVIDER’s intellectual property except as permitted under this Agreement, an Order Form, or the Documentation, (h) modify, copy, or create derivative works based on a Service or any part, feature, function or user interface thereof, (i) copy Content except as permitted herein or in an Order Form or the Documentation, (j) frame or mirror any part of any Service or Content, other than framing on Customer's own intranets or otherwise for its own internal business purposes or as permitted in the Documentation, (k) except to the extent permitted by applicable law, disassemble, reverse engineer, or decompile a Service or Content or access it to (1) build a competitive product or service, (2) build a product or service using similar ideas, features, functions or graphics of the Service, (3) copy any ideas, features, functions or graphics of the Service, or (4) determine whether the Services are within the scope of any patent.

3.5 Removal of Content and Non-SERVICE PROVIDER Applications

If Customer receives notice that Content or a Non-SERVICE PROVIDER Application must be removed, modified and/or disabled to avoid violating applicable law, third-party rights, or the Acceptable Use and External Facing Services Policy, Customer will promptly do so. If Customer does not take required action in accordance with the above, or if in SERVICE PROVIDER’s judgment continued violation is likely to reoccur, SERVICE PROVIDER may disable the applicable Content, Service and/or Non-SERVICE PROVIDER Application. If requested by SERVICE PROVIDER, Customer shall confirm such deletion and discontinuance of use in writing and SERVICE PROVIDER shall be authorized to provide a copy of such confirmation to any such third party claimant or governmental authority, as applicable. In addition, if SERVICE PROVIDER is required by any third party rights holder to remove Content, or receives information that Content provided to Customer may violate applicable law or third-party rights, SERVICE PROVIDER may discontinue Customer’s access to Content through the Services.

4. NON-SERVICE PROVIDER PRODUCTS AND SERVICES

4.1 Non-SERVICE PROVIDER Products and Services

SERVICE PROVIDER or third parties may make available (for example, through a Marketplace or otherwise) third-party products or services, including, for example, Non-SERVICE PROVIDER Applications and implementation and other consulting services. Any acquisition by Customer of such products or services, and any exchange of data between Customer and any Non-SERVICE PROVIDER, product or service is solely between Customer and the applicable Non-SERVICE PROVIDER. SERVICE PROVIDER does not warrant or support Non-SERVICE PROVIDER Applications or other Non-SERVICE PROVIDER products or services, whether or not they are designated by SERVICE PROVIDER as “certified” or otherwise, unless expressly provided otherwise in an Order Form. SERVICE PROVIDER is not responsible for any disclosure, modification or deletion of Customer Data resulting from access by such Non-SERVICE PROVIDER Application or its provider.

4.2 Integration with Non-SERVICE PROVIDER Applications

The Services may contain features designed to interoperate with Non-SERVICE PROVIDER Applications. SERVICE PROVIDER cannot guarantee the continued availability of such Service features, and may cease providing them without entitling Customer to any refund, credit, or other compensation, if for example and without limitation, the provider of a Non-SERVICE PROVIDER Application ceases to make the Non-SERVICE PROVIDER Application available for interoperation with the corresponding Service features in a manner acceptable to SERVICE PROVIDER.

5. Fees and Payment

5.1 Fees

Customer will pay all fees specified in Order Forms. Except as otherwise specified herein or in an Order Form, (i) fees are based on Services and Content subscriptions purchased and not actual usage, (ii) payment obligations are non-cancelable and fees paid are non-refundable, and (iii) quantities purchased cannot be decreased during the relevant subscription term.

5.2 Invoicing and Payment

Customer will provide SERVICE PROVIDER with valid and updated credit card information, or with a valid purchase order or alternative document reasonably acceptable to SERVICE PROVIDER. If Customer provides credit card information to SERVICE PROVIDER, Customer authorizes SERVICE PROVIDER to charge such credit card for all Purchased Services listed in the Order Form for the initial subscription term and any renewal subscription term(s) as set forth in the “Term of Purchased Subscriptions” section below. Such charges shall be made in advance, either annually or in accordance with any different billing frequency stated in the applicable Order Form. If the Order Form specifies that payment will be by a method other than a credit card, SERVICE PROVIDER will invoice Customer in advance and otherwise in accordance with the relevant Order Form. Unless otherwise stated in the Order Form, invoiced fees are due net 30 days from the invoice date. Customer is responsible for providing complete and accurate billing and contact information to SERVICE PROVIDER and notifying SERVICE PROVIDER of any changes to such information.

5.3 Overdue Charges

If any invoiced amount is not received by SERVICE PROVIDER by the due date, then without limiting SERVICE PROVIDER’s rights or remedies, (a) those charges may accrue late interest at the rate of 1.5% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower, and/or (b) SERVICE PROVIDER may condition future subscription renewals and Order Forms on payment terms shorter than those specified in the “Invoicing and Payment” section above.

5.4 Suspension of Service and Acceleration

If any charge owing by Customer under this or any other agreement for services is 30 days or more overdue, (or 10 or more days overdue in the case of amounts Customer has authorized SERVICE PROVIDER to charge to Customer’s credit card), SERVICE PROVIDER may, without limiting its other rights and remedies, accelerate Customer’s unpaid fee obligations under such agreements so that all such obligations become immediately due and payable, and suspend Services until such amounts are paid in full, provided that, other than for customers paying by credit card or direct debit whose payment has been declined, SERVICE PROVIDER will give Customer at least 10 days’ prior notice that its account is overdue, in accordance with the “Manner of Giving Notice” section below for billing notices, before suspending services to Customer.

5.5 Payment Disputes

SERVICE PROVIDER will not exercise its rights under the “Overdue Charges” or “Suspension of Service and Acceleration” section above if Customer is disputing the applicable charges reasonably and in good faith and is cooperating diligently to resolve the dispute.

5.6 Taxes

SERVICE PROVIDER's fees do not include any taxes, levies, duties or similar governmental assessments of any nature, including, for example, value-added, sales, use or withholding taxes, assessable by any jurisdiction whatsoever (collectively, “Taxes”). Customer is responsible for paying all Taxes associated with its purchases hereunder. If SERVICE PROVIDER has the legal obligation to pay or collect Taxes for which Customer is responsible under this section, SERVICE PROVIDER will invoice Customer and Customer will pay that amount unless Customer provides SERVICE PROVIDER with a valid tax exemption certificate authorized by the appropriate taxing authority. For clarity, SERVICE PROVIDER is solely responsible for taxes assessable against it based on its income, property and employees.

6. PROPRIETARY RIGHTS AND LICENSES

6.1 Reservation of Rights

Subject to the limited rights expressly granted hereunder, SERVICE PROVIDER, its Affiliates, its licensors and Content Providers reserve all of their right, title and interest in and to the Services and Content, including all of their related intellectual property rights. No rights are granted to Customer hereunder other than as expressly set forth herein.

6.2 Access to and Use of Content

Customer has the right to access and use applicable Content subject to the terms of applicable Order Forms, this Agreement and the Documentation.

6.3 License by Customer to SERVICE PROVIDER

Customer grants SERVICE PROVIDER, its Affiliates and applicable contractors a worldwide, limited-term license to host, copy, use, transmit, and display any Non-SERVICE PROVIDER Applications and program code created by or for Customer using a Service or for use by Customer with the Services, and Customer Data, each as appropriate for SERVICE PROVIDER to provide and ensure proper operation of the Services and associated systems in accordance with this Agreement. If Customer chooses to use a Non-SERVICE PROVIDER Application with a Service, Customer grants SERVICE PROVIDER permission to allow the Non-SERVICE PROVIDER Application and its provider to access Customer Data and information about Customer’s usage of the Non-SERVICE PROVIDER Application as appropriate for the interoperation of that Non-SERVICE PROVIDER Application with the Service. Subject to the limited licenses granted herein, SERVICE PROVIDER acquires no right, title or interest from Customer or its licensors under this Agreement in or to any Customer Data, Non-SERVICE PROVIDER Application or such program code.

7. CONFIDENTIALITY

7.1 Definition of Confidential Information

“Confidential Information” means all information disclosed by a party (“Disclosing Party”) to the other party (“Receiving Party”), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Confidential Information of Customer includes Customer Data; Confidential Information of SERVICE PROVIDER includes the Services and Content, and the terms and conditions of this Agreement and all Order Forms (including pricing). Confidential Information of each party includes business and marketing plans, technology and technical information, product plans and designs, and business processes disclosed by such party. However, Confidential Information does not include any information that (i) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party, (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party, (iii) is received from a third party without breach of any obligation owed to the Disclosing Party, or (iv) was independently developed by the Receiving Party. For the avoidance of doubt, the non-disclosure obligations set forth in this “Confidentiality” section apply to Confidential Information exchanged between the parties in connection with the evaluation of additional SERVICE PROVIDER services.

7.2 Protection of Confidential Information

As between the parties, each party retains all ownership rights in and to its Confidential Information. The Receiving Party will use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but not less than reasonable care) to (i) not use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement and (ii) except as otherwise authorized by the Disclosing Party in writing, limit access to Confidential Information of the Disclosing Party to those of its and its Affiliates’ employees and contractors who need that access for purposes consistent with this Agreement and who have signed confidentiality agreements with the Receiving Party containing protections not materially less protective of the Confidential Information than those herein. Neither party will disclose the terms of this Agreement or any Order Form to any third party other than its Affiliates, legal counsel and accountants without the other party’s prior written consent, provided that a party that makes any such disclosure to its Affiliate, legal counsel or accountants will remain responsible for such Affiliate’s, legal counsel’s or accountant’s compliance with this “Confidentiality” section. Notwithstanding the foregoing, SERVICE PROVIDER may disclose the terms of this Agreement and any applicable Order Form to a subcontractor or Non-SERVICE PROVIDER Application Provider to the extent necessary to perform SERVICE PROVIDER’s obligations under this Agreement, under terms of confidentiality materially as protective as set forth herein.

7.3 Compelled Disclosure

The Receiving Party may disclose Confidential Information of the Disclosing Party to the extent compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of the compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure. If the Receiving Party is compelled by law to disclose the Disclosing Party’s Confidential Information as part of a civil proceeding to which the Disclosing Party is a party, and the Disclosing Party is not contesting the disclosure, the Disclosing Party will reimburse the Receiving Party for its reasonable cost of compiling and providing secure access to that Confidential Information.

8. REPRESENTATIONS, WARRANTIES, EXCLUSIVE REMEDIES AND DISCLAIMERS

8.1 Representations

Each party represents that it has validly entered into this Agreement and has the legal power to do so.

8.2 Agreed Quality of the Services

SERVICE PROVIDER warrants that during an applicable subscription term (a) this Agreement, the Order Forms and the Documentation will accurately describe the applicable administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Data, (b) SERVICE PROVIDER will not materially decrease the overall security of the Services, (c) the Services will perform materially in accordance with the applicable Documentation, and (d) subject to the “Integration with Non-SERVICE PROVIDER Applications” section above, SERVICE PROVIDER will not materially decrease the overall functionality of the Services.

8.3 Content

SERVICE PROVIDER is not designating or adopting Content as its own and assumes no warranty or liability for Content. The parties agree that the “Reporting of Defects”, “Remedies resulting from Defects” and “Exclusions” sections shall apply accordingly to SERVICE PROVIDER’s responsibility in the event SERVICE PROVIDER is deemed responsible for Content by a court of competent jurisdiction.

8.4 Reporting of Defects

Customer shall report any deviation of the Services from the “Agreed Quality of the Services” section (“Defect”) to SERVICE PROVIDER in writing without undue delay and shall submit a detailed description of the Defect or, if not possible, of the symptoms of the Defect. Customer shall forward to SERVICE PROVIDER any useful information available to Customer for rectification of the Defect.

8.5 Remedies resulting from Defects

SERVICE PROVIDER shall rectify any Defect within a reasonable period of time. If such rectification fails, Customer may terminate the respective Order Form provided that SERVICE PROVIDER had enough time for curing the Defect. The “Refund or Payment upon Termination” section, sentence 1 and sentence 3 shall apply accordingly. If SERVICE PROVIDER is responsible for the Defect or if SERVICE PROVIDER is in default with the rectification, Customer may assert claims for the damage caused in the scope specified in the “Limitation of Liability” section below.

8.6 Defects in Title

Defects in title of the Services shall be handled in accordance with the provisions of Clause 9 “Mutual Indemnification”.

8.7 Exclusions

Customer shall have no claims under this Clause 8 “Warranty” if a Defect was caused by the Services not being used by Customer in accordance with the provisions of this Agreement, the Documentation and the applicable Order Forms.

8.8 Disclaimers

EXCEPT AS EXPRESSLY PROVIDED HEREIN, NEITHER PARTY MAKES ANY WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AND EACH PARTY SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. CONTENT AND BETA SERVICES ARE PROVIDED “AS IS,” AND AS AVAILABLE EXCLUSIVE OF ANY WARRANTY WHATSOEVER.

9. MUTUAL INDEMNIFICATION

9.1 Indemnification by SERVICE PROVIDER

SERVICE PROVIDER will defend Customer against any claim, demand, suit or proceeding made or brought against Customer by a third party alleging that any Purchased Service infringes or misappropriates such third party’s intellectual property rights (a “Claim Against Customer”), and will indemnify Customer from any damages, attorney fees and costs finally awarded against Customer as a result of, or for amounts paid by Customer under a settlement approved by SERVICE PROVIDER in writing of, a Claim Against Customer, provided Customer (a) promptly gives SERVICE PROVIDER written notice of the Claim Against Customer, (b) gives SERVICE PROVIDER sole control of the defense and settlement of the Claim Against Customer (except that SERVICE PROVIDER may not settle any Claim Against Customer unless it unconditionally releases Customer of all liability), and (c) gives SERVICE PROVIDER all reasonable assistance, at SERVICE PROVIDER’s expense. If SERVICE PROVIDER receives information about an infringement or misappropriation claim related to a Service, SERVICE PROVIDER may in its discretion and at no cost to Customer (i) modify the Services so that they are no longer claimed to infringe or misappropriate, without breaching SERVICE PROVIDER’s warranties under “SERVICE PROVIDER Warranties” above, (ii) obtain a license for Customer’s continued use of that Service in accordance with this Agreement, or (iii) terminate Customer’s subscriptions for that Service upon 30 days’ written notice and refund Customer any prepaid fees covering the remainder of the term of the terminated subscriptions. 
The above defense and indemnification obligations do not apply if (1) the allegation does not state with specificity that the Services are the basis of the Claim Against Customer; (2) a Claim Against Customer arises from the use or combination of the Services or any part thereof with software, hardware, data, or processes not provided by SERVICE PROVIDER, if the Services or use thereof would not infringe without such combination; (3) a Claim Against Customer arises from Services under an Order Form for which there is no charge; or (4) a Claim against Customer arises from Content, a Non-SERVICE PROVIDER Application or Customer’s breach of this Agreement, the Documentation or applicable Order Forms.

9.2 Indemnification by Customer

Customer will defend SERVICE PROVIDER and its Affiliates against any claim, demand, suit or proceeding made or brought against SERVICE PROVIDER by a third party alleging (a) that any Customer Data or Customer’s use of Customer Data with the Services, (b) a Non-SERVICE PROVIDER Application provided by Customer, or (c) the combination of a Non-SERVICE PROVIDER Application provided by Customer and used with the Services, infringes or misappropriates such third party’s intellectual property rights, or arising from Customer’s use of the Services or Content in an unlawful manner or in violation of the Agreement, the Documentation, or Order Form (each a “Claim Against SERVICE PROVIDER”), and will indemnify SERVICE PROVIDER from any damages, attorney fees and costs finally awarded against SERVICE PROVIDER as a result of, or for any amounts paid by SERVICE PROVIDER under a settlement approved by Customer in writing of, a Claim Against SERVICE PROVIDER, provided SERVICE PROVIDER (a) promptly gives Customer written notice of the Claim Against SERVICE PROVIDER, (b) gives Customer sole control of the defense and settlement of the Claim Against SERVICE PROVIDER (except that Customer may not settle any Claim Against SERVICE PROVIDER unless it unconditionally releases SERVICE PROVIDER of all liability), and (c) gives Customer all reasonable assistance, at Customer’s expense. The above defense and indemnification obligations do not apply if a Claim Against SERVICE PROVIDER arises from SERVICE PROVIDER’s breach of this Agreement, the Documentation or applicable Order Forms.

9.3 Exclusive Remedy

The below “Limitation of Liability” section shall apply to any claims resulting from this “Mutual Indemnification” section.

This “Mutual Indemnification” section states the indemnifying party’s sole liability to, and the indemnified party’s exclusive remedy against, the other party for any third party claim described in this section.

10. LIMITATION OF LIABILITY

10.1 Unlimited Liability

The Parties shall be mutually liable without limitation (a) in the event of willful misconduct or gross negligence, (b) within the scope of a guarantee taken over by the respective party, (c) in the event that a defect is maliciously concealed, (d) in case of an injury to life, body or health, (e) according to the German Product Liability Law.

10.2 Liability for Breach of Cardinal Duties

If cardinal duties are infringed due to slight negligence and if, as a consequence, the achievement of the objective of this Agreement including any applicable Order Form is endangered, or in the case of a slightly negligent failure to comply with duties, the very discharge of which is an essential prerequisite for the proper performance of this Agreement (including any applicable Order Form), the parties’ liability shall be limited to foreseeable damage typical for the contract. In all other respects, any liability for damage caused by slight negligence shall be excluded.

10.3 Liability Cap

Unless the parties are liable in accordance with the “Unlimited Liability” section above, in no event shall the aggregate liability of each party together with all of its Affiliates arising out of or related to this Agreement exceed the total amount paid by Customer and its Affiliates hereunder for the Services giving rise to the liability in the 12 months preceding the first incident out of which the liability arose. The foregoing limitation will not limit Customer’s and its Affiliates’ payment obligations under the “Fees and Payment” section above.

10.4 Scope

With the exception of liability in accordance with the “Unlimited Liability” section, the above limitations of liability shall apply to all claims for damages, irrespective of the legal basis including claims for tort damages. The above limitations of liability also apply in the case of claims for a party’s damages against the respective other party’s employees, agents or bodies.

10.5 Limitation of Liability

IN NO EVENT SHALL THE AGGREGATE LIABILITY OF EACH PARTY TOGETHER WITH ALL OF ITS AFFILIATES ARISING OUT OF OR RELATED TO THIS AGREEMENT EXCEED THE TOTAL AMOUNT PAID BY CUSTOMER AND ITS AFFILIATES HEREUNDER FOR THE SERVICES GIVING RISE TO THE LIABILITY IN THE TWELVE MONTHS PRECEDING THE FIRST INCIDENT OUT OF WHICH THE LIABILITY AROSE. THE FOREGOING LIMITATION WILL APPLY WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY, BUT WILL NOT LIMIT CUSTOMER'S AND ITS AFFILIATES’ PAYMENT OBLIGATIONS UNDER THE “FEES AND PAYMENT” SECTION ABOVE.

10.6 Exclusion of Consequential and Related Damages

IN NO EVENT WILL EITHER PARTY OR ITS AFFILIATES HAVE ANY LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT FOR ANY LOST PROFITS, REVENUES, GOODWILL, OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, COVER, BUSINESS INTERRUPTION OR PUNITIVE DAMAGES, WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF A PARTY OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR IF A PARTY’S OR ITS AFFILIATES’ REMEDY OTHERWISE FAILS OF ITS ESSENTIAL PURPOSE. THE FOREGOING DISCLAIMER WILL NOT APPLY TO THE EXTENT PROHIBITED BY LAW.

11. TERM AND TERMINATION

11.1 Term of Agreement

This Agreement commences on the date Customer first accepts it and continues until all subscriptions hereunder have expired or have been terminated.

11.2 Term of Purchased Subscriptions

The term of each subscription shall be as specified in the applicable Order Form. Except as otherwise specified in an Order Form, subscriptions will automatically renew for additional periods equal to the expiring subscription term or one year (whichever is shorter), unless either party gives the other written notice (email acceptable) at least 30 days before the end of the relevant subscription term. The per-unit pricing during any renewal term will increase by up to 8% above the applicable pricing in the prior term, unless We provide You notice of different pricing at least 60 days prior to the applicable renewal term. Except as expressly provided in the applicable Order Form, renewal of promotional or one-time priced subscriptions will be at SERVICE PROVIDER’s applicable list price in effect at the time of the applicable renewal. Notwithstanding anything to the contrary, any renewal in which subscription volume or subscription length for any Services has decreased from the prior term will result in re-pricing at renewal without regard to the prior term’s per-unit pricing.

11.3 Termination

A party may terminate this Agreement for cause (i) upon 30 days’ written notice to the other party of a material breach if such breach remains uncured at the expiration of such period, or (ii) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors.

11.4 Refund or Payment upon Termination

If this Agreement is terminated by Customer in accordance with the “Termination” section above, SERVICE PROVIDER will refund Customer any prepaid fees covering the remainder of the term of all Order Forms after the effective date of termination. If this Agreement is terminated by SERVICE PROVIDER in accordance with the “Termination” section above, Customer will pay any unpaid fees covering the remainder of the term of all Order Forms to the extent permitted by applicable law. In no event will termination relieve Customer of its obligation to pay any fees payable to SERVICE PROVIDER for the period prior to the effective date of termination. If this Agreement is terminated by Customer for any reason other than a termination expressly permitted by this Agreement, Customer agrees that SERVICE PROVIDER shall be immediately entitled to all of the fees for Services due under this Agreement for the balance of the entire Term, with said fees to be considered as Liquidated Damages for Customer’s failure to abide by the terms and conditions of this Agreement.

11.5 Surviving Provisions

The sections titled “Free Services,” “Fees and Payment,” “Proprietary Rights and Licenses,” “Confidentiality,” “Disclaimers,” “Mutual Indemnification,” “Limitation of Liability,” “Refund or Payment upon Termination,” “Removal of Content and Non-SERVICE PROVIDER Applications,” “Surviving Provisions” and “General Provisions” will survive any termination or expiration of this Agreement, and the section titled “Protection of Customer Data” will survive any termination or expiration of this Agreement for so long as SERVICE PROVIDER retains possession of Customer Data.

12. GENERAL PROVISIONS

12.1 Anti-Corruption

Neither party has received or been offered any illegal or improper bribe, kickback, payment, gift, or thing of value from an employee or agent of the other party in connection with this Agreement. Reasonable gifts and entertainment provided in the ordinary course of business do not violate the above restriction. If Customer learns of any violation of the above restriction, Customer will use reasonable efforts to promptly notify SERVICE PROVIDER.

12.2 Entire Agreement and Order of Precedence

This Agreement is the entire agreement between SERVICE PROVIDER and Customer regarding Customer’s use of Services and Content and supersedes all prior and contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter. The parties agree that any term or condition stated in a Customer purchase order or in any other Customer order documentation (excluding Order Forms) is void. In the event of any conflict or inconsistency among the following documents, the order of precedence shall be: (1) the applicable Order Form, (2) this Agreement, and (3) the Documentation. Titles and headings of sections of this Agreement are for convenience only and shall not affect the construction of any provision of this Agreement.

12.3 Relationship of the Parties

The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties. Each party will be solely responsible for payment of all compensation owed to its employees, as well as all employment-related taxes.

12.4 Third-Party Beneficiaries

There are no third-party beneficiaries under this Agreement.

12.5 Waiver

No failure or delay by either party in exercising any right under this Agreement will constitute a waiver of that right.

12.6 Severability

If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision will be deemed null and void, and the remaining provisions of this Agreement will remain in effect.

12.7 Assignment

Neither party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the other party’s prior written consent (not to be unreasonably withheld); provided, however, either party may assign this Agreement in its entirety (including all Order Forms), without the other party’s consent to its Affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets. Notwithstanding the foregoing, if a party is acquired by, sells substantially all of its assets to, or undergoes a change of control in favor of, a direct competitor of the other party, then such other party may terminate this Agreement upon written notice. In the event of such a termination, SERVICE PROVIDER will refund Customer any prepaid fees covering the remainder of the term of all subscriptions for the period after the effective date of such termination. Subject to the foregoing, this Agreement will bind and inure to the benefit of the parties, their respective successors and permitted assigns.

12.8 Governing Law

This Agreement will be governed exclusively by German law. Any legal action or proceeding by either Party to enforce, construe or otherwise concerning this Agreement will be brought exclusively in the German courts, legal venue being Munich. In any such action or proceeding, each Party hereby agrees irrevocably to submit to the exclusive personal and subject matter jurisdiction and venue of such courts.

12.9 Manner of Giving Notice

Except as otherwise specified in this Agreement, all notices related to this Agreement will be in writing and will be effective upon (a) personal delivery, (b) the second business day after mailing, or (c), except for notices of termination or an indemnifiable claim (“Legal Notices”), which shall clearly be identifiable as Legal Notices, the day of sending by email. Billing-related notices to Customer will be addressed to the relevant billing contact designated by Customer. All other notices to Customer will be addressed to the relevant Services system administrator designated by Customer.

The following template “Data Protection Act” is purposely in German language. Please contact us in case you require an English version.

Model Contract for Commissioned Processing pursuant to Art. 28 GDPR


Agreement

between

- Controller - hereinafter referred to as the Client -
and

Fellow Consulting AG, Anzinger Straße 21, 85586 Poing

Processor - hereinafter referred to as the Contractor
[where applicable: Representative pursuant to Art. 27 GDPR:

]

Note
“The individual stipulations under Art. 28(3) GDPR should be adopted in full in the agreement and worked through like a checklist. The alternatives applicable to the specific service relationship should be ticked. Blank fields are to be completed, where applicable, according to the specific engagement. Provisions on remuneration and liability for the Contractor’s individual services should be agreed in the main contract.”

1. Subject Matter and Duration of the Engagement

(1) Subject matter

or

(2) Duration

or

or

or

2. Specification of the Content of the Engagement

(1) Nature and purpose of the intended processing of data

or

The contractually agreed data processing is carried out exclusively in a Member State of the European Union or in another Contracting State of the Agreement on the European Economic Area. Any transfer to a third country requires the Client’s prior consent and may only take place if the special requirements of Art. 44 et seq. GDPR are met. The adequate level of protection in ……………………….

(2) Type of data

or

(3) Categories of data subjects

or

3. Technical and Organisational Measures

(1) Before processing begins, the Contractor shall document the implementation of the necessary technical and organisational measures set out in advance of the award of the engagement, in particular with regard to the specific performance of the engagement, and hand this documentation to the Client for review. Upon acceptance by the Client, the documented measures become the basis of the engagement. Where the Client’s review or audit reveals a need for adjustment, this shall be implemented by mutual agreement.

(2) The Contractor shall establish security pursuant to Art. 28(3)(c) and Art. 32 GDPR, in particular in conjunction with Art. 5(1) and (2) GDPR. Overall, the measures to be taken are measures of data security and measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. In doing so, the state of the art, the costs of implementation and the nature, scope and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32(1) GDPR, shall be taken into account [details in Annex 1].

(3) The technical and organisational measures are subject to technical progress and further development. In this respect, the Contractor is permitted to implement alternative adequate measures. In doing so, the security level of the specified measures must not be undercut. Material changes shall be documented.

The costs for this shall be borne by the Client.

4. Rectification, Restriction and Erasure of Data

(1) The Contractor may not rectify or erase the data processed on behalf of the Client, or restrict their processing, on its own authority, but only on the documented instruction of the Client. Where a data subject contacts the Contractor directly in this regard, the Contractor will forward this request to the Client without undue delay.

(2) Where included in the scope of services, the erasure concept, the right to be forgotten, rectification, data portability and access shall be ensured directly by the Contractor on the documented instruction of the Client.

5. Quality Assurance and Other Obligations of the Contractor

In addition to complying with the provisions of this engagement, the Contractor has statutory obligations under Art. 28 to 33 GDPR; in this respect it ensures, in particular, compliance with the following requirements:

a)

b)

c)

d)

Maintaining confidentiality pursuant to Art. 28(3) sentence 2 (b), Art. 29 and Art. 32(4) GDPR. In performing the work, the Contractor deploys only employees who have been bound to confidentiality and have previously been familiarised with the data protection provisions relevant to them. The Contractor and any person subordinate to the Contractor who has access to personal data may process such data exclusively in accordance with the Client’s instructions, including the powers granted in this contract, unless they are legally obliged to process them.

e)

The implementation of and compliance with all technical and organisational measures required for this engagement pursuant to Art. 28(3) sentence 2 (c) and Art. 32 GDPR [details in Annex 1].

f)

The Client and the Contractor cooperate, on request, with the supervisory authority in the performance of its tasks.

g)

Informing the Client without undue delay of inspections and measures by the supervisory authority insofar as they relate to this engagement. This also applies where a competent authority investigates the Contractor in the context of administrative-offence or criminal proceedings relating to the processing of personal data in the course of commissioned processing.

h)

Where the Client for its part is subject to an inspection by the supervisory authority, administrative-offence or criminal proceedings, a liability claim by a data subject or a third party, or any other claim in connection with the commissioned processing at the Contractor, the Contractor shall support it to the best of its ability.

i)

The Contractor regularly monitors its internal processes and the technical and organisational measures in order to ensure that processing within its area of responsibility is carried out in accordance with the requirements of applicable data protection law and that the protection of the data subject’s rights is ensured.

j)

Verifiability of the technical and organisational measures taken vis-à-vis the Client within the scope of its inspection powers under Section 7 of this contract.

6. Subcontracting Relationships

(1) Subcontracting relationships within the meaning of this provision are services that relate directly to the provision of the main service. This does not include ancillary services that the Contractor uses, e.g. telecommunications services, postal/transport services, maintenance and user support, or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. The Contractor is, however, obliged to put in place appropriate and legally compliant contractual agreements and control measures to ensure data protection and data security for the Client’s data, including for outsourced ancillary services.

(2) The Contractor may engage subcontractors (further processors) only with the prior express written or documented consent of the Client.

a)

b)

Subcontractor company Address/country Service

c)

(3) The transfer of the Client’s personal data to the subcontractor, and the subcontractor’s first commencement of work, are permitted only once all requirements for subcontracting have been met.

(4) If the subcontractor provides the agreed service outside the EU/EEA, the Contractor shall ensure its permissibility under data protection law by appropriate measures. The same applies if service providers within the meaning of paragraph 1 sentence 2 are to be used.

(5) Further outsourcing by the subcontractor

all contractual provisions in the contract chain shall also be imposed on the further subcontractor.

7. Inspection Rights of the Client

(1) The Client has the right, in consultation with the Contractor, to carry out inspections or to have them carried out by auditors to be named in the individual case. It has the right to satisfy itself, by means of spot checks, which as a rule are to be announced in good time, of the Contractor’s compliance with this agreement in the Contractor’s business operations.

(2) The Contractor ensures that the Client can satisfy itself of compliance with the Contractor’s obligations under Art. 28 GDPR. The Contractor undertakes to provide the Client, on request, with the necessary information and, in particular, to demonstrate the implementation of the technical and organisational measures.

(3) Evidence of such measures that do not relate solely to the specific engagement may be provided by

(4) The Contractor may assert a claim for remuneration for enabling inspections by the Client.

8. Notification of Breaches by the Contractor

(1) The Contractor supports the Client in complying with the obligations set out in Articles 32 to 36 GDPR concerning the security of personal data, notification obligations in the event of data breaches, data protection impact assessments and prior consultations. This includes, among other things,

a) ensuring an appropriate level of protection through technical and organisational measures that take into account the circumstances and purposes of the processing as well as the predicted likelihood and severity of a possible infringement of rights through security vulnerabilities, and that enable relevant breach events to be detected immediately

b) the obligation to report personal data breaches to the Client without undue delay

c) the obligation to support the Client in its duty to inform the data subject and, in this context, to provide it with all relevant information without undue delay

d) supporting the Client in its data protection impact assessment

e) supporting the Client in prior consultations with the supervisory authority

(2) For support services that are not included in the service description or are not attributable to misconduct on the part of the Contractor, the Contractor may claim remuneration.

9. Authority of the Client to Issue Instructions

(1) The Client confirms oral instructions without undue delay (at least in text form).

(2) The Contractor shall inform the Client without undue delay if it believes that an instruction violates data protection provisions. The Contractor is entitled to suspend the execution of the relevant instruction until it is confirmed or amended by the Client.

10. Erasure and Return of Personal Data

(1) Copies or duplicates of the data are not created without the Client’s knowledge. This excludes backup copies, insofar as they are necessary to ensure proper data processing, and data required for compliance with statutory retention obligations.

(2) After completion of the contractually agreed work, or earlier at the Client’s request, and at the latest upon termination of the service agreement, the Contractor shall hand over to the Client all documents that have come into its possession, all processing and usage results produced, and all data holdings connected with the contractual relationship, or, with prior consent, destroy them in a manner compliant with data protection law. The same applies to test and scrap material. The erasure log shall be presented on request.

Documentation serving as evidence of proper data processing in accordance with the engagement shall be retained by the Contractor beyond the end of the contract in accordance with the respective retention periods. The Contractor may hand it over to the Client at the end of the contract to discharge itself of this obligation.

Annex 1 – Technical and Organizational Measures

General security
Information security policy | Security policy | Art. 32 (1) lit. d GDPR
Defined responsibilities | Incident management - workflow | Art. 32 (1) lit. d GDPR
Defined responsibilities | Incident management - responsibilities and requirements | Art. 32 (1) lit. d GDPR
Defined responsibilities | Compliance audits | Art. 32 (1) lit. d GDPR
Business Continuity Management (BCM) | Defined maximum data loss | Art. 32 (1) lit. c GDPR
Business Continuity Management (BCM) | Defined maximum downtime | Art. 32 (1) lit. c GDPR
End User
PCs, notebooks
Secure infrastructure | Use of secure systems | Art. 32 (1) lit. b GDPR
Privacy-friendly default settings | Basic configuration follows privacy-friendly default settings | Art. 25 (2) GDPR
Secure infrastructure | Only selected persons have admin rights | Art. 32 (1) lit. b GDPR
System access control | User-specific password assignment for clients | Art. 32 (1) lit. b GDPR
System access control | Secure password assignment / change | Art. 32 (1) lit. b GDPR
System access control | Password policy with at least 3 complexity requirements | Art. 32 (1) lit. b GDPR
System access control | Account lockout after too many invalid login attempts | Art. 32 (1) lit. b GDPR
System access control | Account lockout of more than 30 minutes after too many invalid login attempts | Art. 32 (1) lit. b GDPR
System access control | Central user management | Art. 32 (1) lit. b GDPR
System access control | Permission management for drives and applications | Art. 32 (1) lit. b GDPR
System access control | Group-based permission management | Art. 32 (1) lit. b GDPR
Virus protection | Virus protection concept | Art. 32 (1) lit. b GDPR
Virus protection | Incident management | Art. 32 (1) lit. b GDPR
Change management | Regular operating system updates | Art. 32 (1) lit. b GDPR
Change management | Regular application updates | Art. 32 (1) lit. b GDPR
Laptops
Encryption | Hard disk encryption | Art. 32 (1) lit. a GDPR
Encryption | Transport encryption | Art. 32 (1) lit. a GDPR
Endpoint security | Additional protective measures on the client | Art. 32 (1) lit. b GDPR
Mobile devices
Secure infrastructure | Secure administration | Art. 32 (1) lit. b GDPR
Privacy-friendly default settings | Basic configuration follows privacy-friendly default settings | Art. 25 (2) GDPR
Data access control | Password protection / PIN | Art. 32 (1) lit. b GDPR
Secure management of mobile devices | Device management | Art. 32 (1) lit. b GDPR
Change management | Regular software updates | Art. 32 (1) lit. b GDPR
Virus protection | Virus protection concept | Art. 32 (1) lit. b GDPR
Secure management of mobile devices | Change management for changes | Art. 32 (1) lit. b GDPR
System access control | Permission management for access to company resources | Art. 32 (1) lit. b GDPR
Server room / infrastructure
IT documentation | Work instructions | Art. 32 (1) lit. c GDPR
IT documentation | Network diagrams | Art. 32 (1) lit. c GDPR
Self-monitoring | Server room | Art. 32 (1) lit. d GDPR
Physical access
Physical access control | Key / ID | Art. 32 (1) lit. b GDPR
Physical access control | Authorized persons are recorded | Art. 32 (1) lit. b GDPR
Physical access control | Authorization granted subject to approval | Art. 32 (1) lit. b GDPR
Burglary protection | Alerting | Art. 32 (1) lit. b GDPR
Fire alarm system
Fire protection | Fire alarm system / smoke detectors | Art. 32 (1) lit. b GDPR
Defined responsibilities | Incident management | Art. 32 (1) lit. d GDPR
Fire protection | Extinguishing system | Art. 32 (1) lit. b GDPR
Fire protection | Fire extinguishers | Art. 32 (1) lit. b GDPR
UPS / emergency power
Business Continuity Management (BCM) | Emergency power - UPS in place | Art. 32 (1) lit. c GDPR
Business Continuity Management (BCM) | Emergency power - in a power outage the UPS bridges the time until the servers are shut down or until an emergency generator takes over | Art. 32 (1) lit. c GDPR
Defined responsibilities | Incident management | Art. 32 (1) lit. d GDPR
Business Continuity Management (BCM) | Emergency generator in place | Art. 32 (1) lit. c GDPR
Cooling
Business Continuity Management (BCM) | Temperature regulation | Art. 32 (1) lit. c GDPR
Business Continuity Management (BCM) | Temperature monitoring | Art. 32 (1) lit. c GDPR
Server and storage
Server
Secure infrastructure | On-premise systems are administered securely | Art. 32 (1) lit. b GDPR
Privacy-friendly default settings | Basic configuration follows privacy-friendly default settings | Art. 25 (2) GDPR
Business Continuity Management (BCM) | Redundant power supply | Art. 32 (1) lit. c GDPR
Business Continuity Management (BCM) | Redundant network connection | Art. 32 (1) lit. c GDPR
Change management | Regular operating system updates | Art. 32 (1) lit. b GDPR
Defined responsibilities | Named server administrators | Art. 32 (1) lit. d GDPR
Data access control | Authorized persons have administrative rights for individual tasks (e.g. applications) | Art. 32 (1) lit. b GDPR
System access control | Regular password changes for admin accounts | Art. 32 (1) lit. b GDPR
Defined responsibilities | Security policy for servers | Art. 32 (1) lit. d GDPR
Virus protection | Virus protection concept | Art. 32 (1) lit. b GDPR
Defined responsibilities | Incident management | Art. 32 (1) lit. d GDPR
System monitoring | Server monitoring | Art. 32 (1) lit. d GDPR
Secure infrastructure | E-mail system | Art. 32 (1) lit. b GDPR
Encryption | Transport encryption | Art. 32 (1) lit. a GDPR
Secure infrastructure | ERP system | Art. 32 (1) lit. b GDPR
Secure infrastructure | Server applications | Art. 32 (1) lit. b GDPR
Storage
Secure infrastructure | Storage | Art. 32 (1) lit. b GDPR
Secure infrastructure | Storage connectivity | Art. 32 (1) lit. b GDPR
Backup
Backup concept | Backup system | Art. 32 (1) lit. b GDPR
Backup concept | Backup is written to its own medium | Art. 32 (1) lit. b GDPR
Backup concept | Off-site backup | Art. 32 (1) lit. b GDPR
Backup concept | Backup monitoring | Art. 32 (1) lit. b GDPR
Backup concept | Incident management | Art. 32 (1) lit. b GDPR
Backup concept | Authorized persons are informed if a backup is unsuccessful | Art. 32 (1) lit. b GDPR
Backup concept | Restore is tested | Art. 32 (1) lit. b GDPR
Network
Firewall
Secure infrastructure | Firewall | Art. 32 (1) lit. b GDPR
Business Continuity Management (BCM) | Emergency power | Art. 32 (1) lit. c GDPR
Business Continuity Management (BCM) | Redundant network connection | Art. 32 (1) lit. c GDPR
Secure infrastructure | Network administrators (personalized) | Art. 32 (1) lit. b GDPR
Secure infrastructure | Password protection for the firewall | Art. 32 (1) lit. b GDPR
Secure infrastructure | Separated networks (external / internal) | Art. 32 (1) lit. d GDPR
Secure infrastructure | Separated internal networks | Art. 32 (1) lit. b GDPR
Defined responsibilities | Security policy | Art. 32 (1) lit. d GDPR
Change management | Software updates | Art. 32 (1) lit. b GDPR
Backup concept | Firewall backup | Art. 32 (1) lit. b GDPR
Change management | Documented changes to the firewall rule set | Art. 32 (1) lit. b GDPR
System monitoring | Firewall monitoring | Art. 32 (1) lit. d GDPR
Proxy
Secure infrastructure | Proxy server | Art. 32 (1) lit. b GDPR
Data access control | Granting of permissions | Art. 32 (1) lit. b GDPR
WLAN
Secure infrastructure | WLAN active for clients | Art. 32 (1) lit. b GDPR
Secure infrastructure | Guest WLAN | Art. 32 (1) lit. b GDPR
Encryption | WLAN encryption | Art. 32 (1) lit. a GDPR
System access control | Authorization | Art. 32 (1) lit. b GDPR
LAN
Defined responsibilities | Network administrators | Art. 32 (1) lit. d GDPR
System access control | Network administrators | Art. 32 (1) lit. b GDPR
System access control | Password protection (individual passwords) | Art. 32 (1) lit. b GDPR
System access control | Network separation | Art. 32 (1) lit. b GDPR
Business Continuity Management (BCM) | Emergency power | Art. 32 (1) lit. c GDPR
Business Continuity Management (BCM) | Redundant network connection | Art. 32 (1) lit. c GDPR
System monitoring | Monitoring of the switches | Art. 32 (1) lit. d GDPR
Physical security
Building
Physical access control | Building | Art. 32 (1) lit. b GDPR
Physical access control | Key / ID | Art. 32 (1) lit. b GDPR
Physical access control | Documentation of the granting of rights | Art. 32 (1) lit. b GDPR
Burglary and fire protection
Burglary protection | Intruder alarm system | Art. 32 (1) lit. b GDPR
Fire protection | Smoke detectors | Art. 32 (1) lit. b GDPR
Fire protection | Fire detectors | Art. 32 (1) lit. b GDPR
Central alerting | Incident management | Art. 32 (1) lit. b GDPR
Further protective measures
Pseudonymization | Data can no longer be attributed | Art. 32 (1) lit. a GDPR
Separation control | Multi-tenancy, sandboxing | Art. 32 (1) lit. b GDPR
Audits | Technical audits | Art. 32 (1) lit. d GDPR
Audits | Organizational reviews of processes | Art. 32 (1) lit. d GDPR
Security incident management | Incident management | Art. 32 (1) lit. d GDPR
Software development and deployment
Security in development processes
Secure development process | Secure development policy | Art. 32 (1) lit. b GDPR
Secure development process | Change control procedures | Art. 32 (1) lit. d GDPR
Secure development process | Secure development environment | Art. 32 (1) lit. d GDPR
Secure development process | Outsourced development | Art. 32 (1) lit. d GDPR
Secure development process | System security testing | Art. 32 (1) lit. d GDPR
Secure development process | System acceptance testing | Art. 32 (1) lit. d GDPR
Security requirements
Security requirements | Specification of security requirements | Art. 32 (1) lit. b GDPR
Security requirements | Transmission over public networks | Art. 32 (1) lit. a GDPR
Security requirements | Protection of test data | Art. 32 (1) lit. a GDPR
Privacy-friendly default settings | Basic configuration follows privacy-friendly default settings | Art. 25 (2) GDPR
Destruction / deletion
Destruction of documents
Shredding of confidential paper documents | Document shredder with at least security level 5 according to DIN 66399 | Art. 32 (1) lit. b GDPR
Shredding of confidential paper documents | Document shredder with at least security level 4 according to DIN 66399 | Art. 32 (1) lit. b GDPR
Shredding of confidential paper documents | Document shredder with at least security level 3 according to DIN 66399 | Art. 32 (1) lit. b GDPR
Destruction of hard disks and storage media
Secure deletion | Data is overwritten multiple times so that the original data is no longer readable | Art. 32 (1) lit. b GDPR
Physical destruction | Data carriers are physically destroyed | Art. 32 (1) lit. b GDPR
Deletion of data
Definition of deletion periods | Deletion periods are defined in the record of processing activities | Art. 32 (1) lit. b GDPR
Implementation / execution of deletion | Data whose purpose limitation has lapsed is deleted regularly | Art. 32 (1) lit. b GDPR