§ 1 Validity, amendment of the terms and conditions
(1) Mable GmbH, Bahnhofplatz 12, 76137 Karlsruhe (hereinafter: "Contractor", "we" or "Party") provides its services exclusively on the basis of these General Terms and Conditions (hereinafter: GTC) and the Data Processing Agreement (hereinafter: DPA) [hereinafter all together: Contractual Terms].
(2) The contractual terms and conditions apply to all our business relationships with our contractual partners (hereinafter referred to as "Client" or "Party") who have accepted the GTC by placing an order or making another contractual declaration, even if they are not expressly agreed again. They shall only apply if the Client is an entrepreneur (Section 14 of the German Civil Code (BGB)), a legal entity under public law or a special fund under public law. We shall only recognize provisions of the Client that contradict or deviate from our contractual terms and conditions if we expressly agree to their validity.
(3) Unless otherwise agreed, the contractual terms and conditions in the version valid at the time of conclusion of the contract or in any case in the version last communicated in text form shall also apply as a framework agreement for similar future contracts without us having to refer to them again in each individual case.
(4) Individual agreements made with the Client in individual cases (including collateral agreements, supplements and amendments) shall in any case take precedence over these contractual terms and conditions.
(5) Legally relevant declarations and notifications by the Client in relation to the contractual terms and conditions (e.g. setting of deadlines, notification of defects, assertion of warranty rights) must be made in writing. Written form within the meaning of these contractual terms and conditions includes written and text form (e.g. letter, e-mail, fax). Statutory formal requirements and further evidence, in particular in the event of doubts about the legitimacy of the declaring party, shall remain unaffected.
§ 2 Performance obligations of the Contractor
(1) The object of the contract is the granting of the use of the Mable software (hereinafter "Mable" or "Software") via the Internet for a fee and for a limited period of time for the duration of the contract.
(2) Mable is a SaaS solution that enables the tracking of user behavior on websites and the targeted processing and forwarding of tracking data to third parties.
(3) Mable makes it possible for the client,
a. to record the behavior of visitors to the client's websites in a structured and complete manner (visitor behavior includes, among other things, data on where visitors come from, which areas of a website are visited, how often and for how long which subpages and categories are viewed, which specific actions the visitor takes, such as subscribing to the newsletter or placing a product in the shopping cart, as well as data on the visitor's devices and browsers);
b. to process data, generate statistics from it and display them to the website operator;
c. to forward the data collected in this way (in selected and/or processed form) to recipients freely determined by the client.
(4) Tracking data is collected as first-party data in the front-end and back-end of the website.
(5) Mable is integrated by incorporating the separately transmitted code in accordance with the integration instructions, which are also transmitted separately. The client is solely responsible for the correct integration.
(6) The software, the computing power required for use and the required storage and data processing space as well as the required interfaces shall be made available for use by the Contractor in the respectively agreed version at the router exit of the data center or data centers in which the server or servers are operated (transfer point).
(7) The establishment and maintenance of the data connection between the client's IT systems and the described transfer point is not owed.
(8) The Contractor may, without being obliged to do so, update or further develop the software at any time and, in particular, adapt it due to changes in the legal situation, technical developments or to improve IT security. In doing so, the Contractor shall take appropriate account of the legitimate interests of the Client and inform the Client in good time of any necessary updates.
(9) The Contractor is not responsible for customization to the Client's individual needs or IT environment.
(10) The Contractor shall regularly maintain the software and inform the Client of any associated restrictions in good time. Maintenance shall be carried out regularly outside the Client's normal business hours, unless maintenance must be carried out at a different time for compelling reasons.
(11) Insofar as the Contractor provides additional services free of charge, the Client shall have no claim to their provision. The Contractor shall be authorized to discontinue or change such services previously provided free of charge within a period of 24 hours or to offer them only for a fee. In this case, the Contractor shall inform the Client immediately.
§ 3 Support, service levels; troubleshooting
(1) The Contractor has set up a support service for the Client's inquiries about Mable functions. Inquiries can be made by e-mail. Inquiries are generally processed in the order in which they are received.
(2) The Contractor guarantees that the software will be available at the transfer point for at least 98% of the month. The transfer point is the router output of the Contractor's data center.
(3) Availability is deemed to be the ability of the client to use all main functions of the software. Maintenance times as well as times of malfunction with adherence to the rectification time shall be considered times of availability of the software. Times of insignificant malfunctions shall not be taken into account when calculating availability. The Contractor's measuring instruments in the data center shall be decisive for the proof of availability.
(4) When determining availability, such downtimes are not taken into account that
a. the Contractor is not responsible for, in particular impairments that are based on failures and/or malfunctions of technical systems and/or network components outside the Contractor's area of responsibility; in particular
- failures caused by incoming IT attacks. This does not apply if the Contractor is obliged to use virus protection programs and these were not state of the art at the time of the IT attack;
- failures caused by improper use of software or hardware on the part of the client;
b. maintenance work agreed with the Client or unforeseen maintenance work for which the Contractor is not responsible.
(5) The client must report faults immediately using the contact details provided at https://de.mable.ai/legal-notice. Fault reporting and rectification are guaranteed Monday to Friday (excluding national holidays) between 8:00 a.m. and 6:00 p.m. (service hours).
(6) The Contractor shall remedy any disruptions to the availability of Mable that occur during the term of this contract in accordance with the following provisions.
(7) Any faults detected in the availability of Mable shall be assigned to the following fault classes by the Contractor at its reasonable discretion, taking into account the interests of the Client:
a. Fault class 1 - "Fault preventing operation":
b. Fault class 2 - "Operation-impeding fault":
c. A defect that hinders operation also exists if several minor defects together lead to a not insignificant restriction of the use of a contractual service.
(8) The Contractor shall rectify the fault within the following processing times ("rectification period"):
a. In the event of a class 1 fault: within six hours of receiving the message;
b. In the event of a class 2 fault: within 24 hours of receiving the message;
c. The elimination of insignificant faults is at the discretion of the Contractor.
(9) The manner in which the fault is rectified shall be at the dutiful discretion of the Contractor. Should the Contractor determine that the fault cannot be successfully rectified within the rectification period, it must immediately inform the Client of the additional time required to rectify the fault.
(10) The Contractor shall provide the support services within its normal business hours (Monday to Friday from 9:00 a.m. to 6:00 p.m.). Public holidays are excluded. The applicable response and rectification periods shall not begin to run outside service hours.
(11) If faults of classes 1 and 2 cannot be rectified within the rectification period specified in paragraph 8, the Contractor shall provide the Client with a workaround until the fault has been completely rectified, provided this is technically possible.
(12) The Contractor shall perform the support services by way of remote maintenance or remote diagnosis, provided that this is not disadvantageous for the Client and, in particular, does not exceed the time frame for the provision of the corresponding support services on site, there are no risks to IT security and the technical requirements are met at the Client's premises.
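The availability rules of § 3 (2) to (4) and (8) combine several exclusions that are easy to get wrong when a client checks a monthly SLA report. The following Python script is an added worked example, not part of the GTC and not Mable's own tooling: it applies those rules to a constructed set of incident records for one month. It assumes that an outage whose rectification period was exceeded counts as unavailable for its whole duration (the clause only says that outages fixed within the rectification period count as available), that the rectification clock runs on wall-clock time (the service-hours pause in § 3 (10) is not modelled), and that all names (`Incident`, `Cause`, `availability_report`) and the sample incidents are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional, Tuple

# § 3 (2): at least 98% availability per month
AVAILABILITY_TARGET = 0.98
# § 3 (8): class 1 = six hours, class 2 = 24 hours after receipt of the report
RECTIFICATION_PERIOD_HOURS = {1: 6, 2: 24}


class Cause(Enum):
    CONTRACTOR = "contractor"                  # inside the Contractor's area of responsibility
    EXTERNAL_ATTACK = "external_attack"        # § 3 (4) a., first dash
    CLIENT_MISUSE = "client_misuse"            # § 3 (4) a., second dash
    AGREED_MAINTENANCE = "agreed_maintenance"  # § 3 (4) b.


@dataclass
class Incident:
    start: datetime
    end: datetime
    fault_class: Optional[int]          # 1, 2, or None for an insignificant malfunction (§ 3 (3))
    cause: Cause
    reported_at: Optional[datetime] = None   # defaults to start if not given
    resolved_at: Optional[datetime] = None   # defaults to end if not given
    protection_state_of_the_art: bool = True  # only relevant for EXTERNAL_ATTACK


def counts_as_unavailability(inc: Incident) -> bool:
    """Decide whether an incident reduces availability under § 3 (3), (4) and (8)."""
    if inc.fault_class is None:            # insignificant malfunctions are ignored
        return False
    if inc.cause in (Cause.CLIENT_MISUSE, Cause.AGREED_MAINTENANCE):
        return False                       # excluded by § 3 (4)
    if inc.cause == Cause.EXTERNAL_ATTACK and inc.protection_state_of_the_art:
        return False                       # excluded unless protection was outdated
    # Remaining cases are attributable to the Contractor: the outage counts as
    # available only if it was fixed within the rectification period.
    # Assumption: wall-clock elapsed time; the service-hours pause is not modelled.
    limit = timedelta(hours=RECTIFICATION_PERIOD_HOURS[inc.fault_class])
    reported = inc.reported_at or inc.start
    resolved = inc.resolved_at or inc.end
    return resolved - reported > limit


def unavailable_intervals(month_start: datetime, month_end: datetime,
                          incidents: List[Incident]) -> List[Tuple[datetime, datetime]]:
    """Clip counted outages to the month and merge overlaps so nothing is double-counted."""
    spans = []
    for inc in incidents:
        if not counts_as_unavailability(inc):
            continue
        s, e = max(inc.start, month_start), min(inc.end, month_end)
        if s < e:
            spans.append((s, e))
    spans.sort()
    merged: List[Tuple[datetime, datetime]] = []
    for s, e in spans:
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def availability_report(month_start: datetime, month_end: datetime,
                        incidents: List[Incident]) -> dict:
    """Return availability as a fraction, counted downtime in hours, and whether § 3 (2) is met."""
    total = month_end - month_start
    down = sum((e - s for s, e in unavailable_intervals(month_start, month_end, incidents)),
               timedelta())
    availability = 1 - down / total
    return {"availability": availability,
            "downtime_hours": down.total_seconds() / 3600,
            "target_met": availability >= AVAILABILITY_TARGET}


# Constructed sample month (June, 30 days = 720 h) and incidents; not real data.
MONTH_START = datetime(2024, 6, 1)
MONTH_END = datetime(2024, 7, 1)
SAMPLE_INCIDENTS = [
    # class 1, Contractor's fault, fixed after 9h50m > 6h: counts (10 h)
    Incident(datetime(2024, 6, 3, 2), datetime(2024, 6, 3, 12), 1, Cause.CONTRACTOR,
             reported_at=datetime(2024, 6, 3, 2, 10), resolved_at=datetime(2024, 6, 3, 12)),
    # class 2, Contractor's fault, fixed within 4h <= 24h: counts as available
    Incident(datetime(2024, 6, 10, 9), datetime(2024, 6, 10, 13), 2, Cause.CONTRACTOR),
    # insignificant malfunction: ignored
    Incident(datetime(2024, 6, 12, 14), datetime(2024, 6, 12, 15), None, Cause.CONTRACTOR),
    # external attack, protection was state of the art: excluded
    Incident(datetime(2024, 6, 15, 0), datetime(2024, 6, 15, 20), 1, Cause.EXTERNAL_ATTACK),
    # agreed maintenance window: excluded
    Incident(datetime(2024, 6, 20, 22), datetime(2024, 6, 21, 2), 1, Cause.AGREED_MAINTENANCE),
    # class 1, Contractor's fault, fixed after 8h > 6h: counts (8 h)
    Incident(datetime(2024, 6, 25, 8), datetime(2024, 6, 25, 16), 1, Cause.CONTRACTOR),
]

if __name__ == "__main__":
    print(availability_report(MONTH_START, MONTH_END, SAMPLE_INCIDENTS))
```

With the sample data only 18 of the 720 hours count, giving 97.5%, which is below the 98% target; dropping the last incident alone would lift the month to roughly 98.6%. The value of the script lies in making each exclusion an explicit, reviewable decision rather than a figure taken on trust from the provider's measurements, which § 3 (3) declares decisive.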
§ 4 Obligations of the client
(1) The Client shall support the Contractor to a reasonable extent in the fulfillment of its contractually owed performance and in the necessary preparatory actions. This includes, in particular, the timely provision of information and data material, insofar as this is required by the Client's cooperation.
(2) The system requirements for the use of Mable resulting from the product description are the sole responsibility of the client.
(3) The Client warrants that the information provided by it about its company is correct and complete. It undertakes to inform the Contractor immediately of any changes to the information provided and to reconfirm the current accuracy within 15 days of receipt at the Contractor's request. This applies in particular to the name, postal address, e-mail address and telephone and fax number of the Client.
(4) The client receives an invitation link which they can use to create an account themselves. As part of the registration process, the client can generate a password that is required for further use of Mable. The client is obliged to keep the password and the access data secret and not to make them accessible to third parties. The client is obliged to change the password if it is feared that it has been compromised by third parties.
(5) The client is responsible for the proper and regular backup of its data.
§ 5 Relationships with subcontractors
The Client agrees to the use of the subcontractors named in Annex II of the GCU and the applicable conditions of the subcontractor. The Contractor shall inform the Client when commissioning new or additional subcontractors. If the Client objects to the use of a further subcontractor, the Contractor may, at its discretion, continue the service with the help of the previous subcontractors or terminate the usage relationship extraordinarily with one week's notice. In this case, any advance payments already made shall be refunded on a pro rata basis.
§ 6 Force majeure
(1) In cases of force majeure, the Contractor shall be released from its obligation to perform for the duration and to the extent of the impact. Force majeure is an external event caused by elementary forces of nature or other extraordinary environmental events or by the actions of third parties, which is unforeseeable according to human insight and experience, cannot be prevented or rendered harmless by economically reasonable means, even with the utmost care reasonably to be expected in the circumstances, and is not to be accepted due to its frequency.
(2) If the Contractor realizes that it is permanently unable to provide the service due to the effects of a force majeure event, it must inform the Client of this immediately. If the Contractor cannot reasonably be expected to provide the service as a result of the delay, it may withdraw from or terminate the contract by immediate written declaration to the Client.
§ 7 Prices and payment
(1) Payment for the services provided by the Contractor shall be made in accordance with the price list valid at the time the contract is concluded, which can be accessed at https://mable.ai/pricing.
(2) The Contractor shall invoice the agreed remuneration on a monthly basis for the monthly plan. With the annual plan, invoicing takes place once a year.
(3) Unless otherwise agreed, the remuneration shall be due and payable within 10 working days of receipt of the invoice by the client. The client shall be in default upon expiry of the payment deadline. During the period of default, interest shall be charged on the remuneration at the applicable statutory default interest rate. We reserve the right to assert further claims for damages caused by default.
(4) If the client is more than four weeks in arrears with the payment of a due remuneration, the Contractor is entitled to block access to Mable after a prior reminder setting a deadline and expiry of the deadline. The Contractor's claim to remuneration remains unaffected by the blocking. Access to Mable will be reactivated after payment of the arrears. The right to block access also exists as a milder measure if the Contractor would be entitled to extraordinary termination.
(5) The prices shown do not include VAT. This shall be invoiced at the VAT rate applicable at the time of performance. If the VAT rate is changed within the authorization period, the periods with the respective applicable VAT rates shall be deemed separate calculation periods.
(6) The Client may only offset claims of the Contractor against uncontested or legally established claims. The same applies to the assertion of a right of retention.
§ 8 Granting of rights
(1) The Contractor grants the Client a non-exclusive, non-transferable and non-sublicensable right to use the latest version of Mable for the duration of the contract.
(2) The client may only use Mable within the scope of its own business activities by its own personnel. The contractual use of the software includes loading it into the working memory, displaying and running Mable. The client is not entitled to any further use, unless otherwise provided by law.
(3) The client is not entitled to sell Mable to third parties or to make it available to third parties in any other way (in particular by renting or lending it out).
(4) The client is not entitled to modify or edit the software.
(5) After termination of the contract, the client is obliged to stop using Mable.
(6) Any use of Mable after termination of the contract is not permitted.
§ 9 Nomination
The Contractor is entitled to name the Client as a reference customer using its brand and/or business name. The Client may not refuse consent without good cause.
§ 10 Warranty
(1) The Contractor warrants that the services owed on the basis of this contract are free from defects and third-party rights.
(2) The Contractor assumes no guarantee for compatibility or support by third parties.
(3) Should the contractual services infringe third-party property rights, the Contractor shall inform the Client immediately in writing and provide the Client with the information and other appropriate support required for defense.
(4) With regard to the granting of the use of the software, the warranty provisions of tenancy law (Sections 535 et seq. BGB) shall also apply.
(5) The Client must notify the Contractor immediately of any defects.
(6) The warranty for only insignificant reductions in the suitability of the service is excluded. No-fault liability pursuant to Section 536a (1) BGB for defects that already existed at the time the contract was concluded is excluded.
(7) Insofar as the Contractor provides sample texts as a template for the Client's privacy policy or for consent texts, this is merely a non-binding orientation aid or suggestion, which generally requires adaptation to the respective situation and specific use by the Client. No warranty or guarantee is given for the completeness and correctness of the sample texts or for the applicability of the sample texts to the specific needs of the client. In particular, sample texts do not replace legal advice.
§ 11 Limitation of liability
(1) Unless otherwise stipulated in this contract, including the following provisions, the parties shall be liable to each other for exercising the due care of a prudent businessman.
(2) The Contractor shall owe the care customary in the industry. When determining whether the Contractor is at fault, it must be taken into account that software cannot be created without technical errors.
(3) The Contractor shall be liable for intent and gross negligence. The Contractor shall only be liable for slight negligence in the event of a breach of a material contractual obligation (cardinal obligation), the fulfillment of which is essential for the proper execution of the contract and on the observance of which the Client may regularly rely, as well as in the event of damage resulting from injury to life, limb or health.
(4) In the event of slight negligence, liability shall be limited to the amount of foreseeable damage that can typically be expected to occur.
(5) The Contractor shall not be liable for the loss of data and/or programs to the extent that the damage is due to the fact that the Client has failed to carry out data backups and thereby ensure that lost data can be restored with reasonable effort.
(6) The above limitations of liability shall also apply to the personal liability of the Contractor's employees, representatives and bodies.
§ 12 Contract term and termination
(1) The contract begins on the day the contract is concluded, i.e. as soon as the General Terms and Conditions have been accepted and an account has been created.
(2) The contract is concluded for an indefinite period and can be terminated by either party with four weeks' notice to the end of the respective billing period. The right of the parties to extraordinary termination for good cause remains unaffected.
(3) The contract term begins with a free trial period of 30 days. This free trial period is intended to allow new contractual partners to try out Mable and familiarize themselves with its functions. The Contractor reserves the right to limit the availability or duration of the free trial phase under certain circumstances. If the contract is not terminated before the end of the free trial period, the payment obligation as well as the contract term and notice periods are based on the previous provisions.
(4) The Contractor shall irretrievably delete all of the Client's data remaining on its servers 30 days after termination of the contractual relationship. There is no right of retention or lien on the data in favor of the Contractor.
(5) All terminations must be made via the Mable Dashboard.
§ 13 Changes to the GTC, service descriptions and prices
(1) These GTC may be amended insofar as this does not affect essential provisions of the contractual relationship and is necessary to adapt to developments that were not foreseeable when the contract was concluded and the failure to take them into account would noticeably disturb the balance of the contractual relationship.
(2) Material provisions are in particular those relating to the type and scope of the contractually agreed services and the term, including the provisions on termination.
(3) Furthermore, adjustments or additions may be made to the GTC insofar as this is necessary to eliminate difficulties in the execution of the contract due to loopholes that have arisen after the conclusion of the contract. This may be the case in particular if case law changes and one or more clauses of these GTC are affected by this.
(4) The service specifications may be amended if this is necessary for a valid reason, if the Client is not objectively placed in a worse position as a result compared to the service specifications included at the time of conclusion of the contract (e.g. retention or improvement of functionalities) and if there is no significant deviation from these. A valid reason exists if there are technical innovations on the market for the services owed or if third parties from whom the Contractor obtains the necessary preliminary services for the provision of its services change their range of services.
(5) The Contractor shall adjust the fees to be paid on the basis of this contract at its reasonable discretion to the development of the costs that are decisive for the price calculation. A price increase shall be considered and a price reduction shall be made if, for example, the costs for the procurement of hardware and software as well as energy, the use of communication networks or wage costs increase or decrease, or other changes in the economic or legal framework conditions lead to a changed cost situation. Increases in one type of cost, e.g. wage costs, may only be used for a price increase to the extent that they are not offset by any reduction in costs in other areas, such as the costs of hardware and software. In the event of cost reductions, e.g. in hardware costs, the Contractor shall reduce the prices to the extent that these cost reductions are not fully or partially offset by increases in other areas. When exercising its reasonable discretion, the Contractor shall select the respective points in time of a price change in such a way that cost reductions are not taken into account according to more unfavorable standards for the Client than cost increases, i.e. cost reductions are effective at least to the same extent as cost increases.
(6) The Client shall be notified in writing of any intended changes to the GTC, the service descriptions and price increases in accordance with this paragraph at least two (2) months before they come into effect.
(7) The client has the right to object to such a change. If the Client does not object to the amended contractual conditions within 4 weeks of receipt of the change notification and continues to use the software, the changes shall become effective in accordance with the announcement. The Contractor shall specifically point out to its clients in writing or by e-mail at the beginning of the period that the notification of change shall be deemed accepted if the client does not object to it within 4 weeks.
§ 14 Secrecy
(1) Both parties shall ensure that all relevant statutory regulations for the protection of the other party's business secrets are complied with in the provision of services. In particular, they shall ensure that their employees or the third parties called in by them for the execution of the order fully comply with the relevant provisions of the law on the protection of business secrets (GeschGehG) of the respective other party.
(2) At the request of the other party, both parties shall provide evidence of compliance with the provisions of the GeschGehG. All records, information, documents and files to be kept secret in accordance with this may only be reproduced, made accessible to unauthorized persons or published with the consent of the other party.
(3) The confidentiality obligations shall remain in effect for a period of five (5) years after termination of this agreement.
§ 15 Data protection and IT security
(1) The Contractor shall comply with all relevant laws and regulations for the protection of personal data, in particular those of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG), when providing the contractually owed services.
(2) A separate data processing agreement (DPA) is required for the processing of personal data that the Contractor processes to fulfill this contract on behalf of the client. The DPA must be signed separately by the client when the account is created.
(3) The Contractor shall only collect, process and use the data of the Client's customers and website users, in particular customer addresses, to the extent that this is required by law or for the fulfillment of this contract. In particular, the Contractor shall not transfer to third parties or make accessible to third parties any personal data of the Client's customers and website users which it has obtained on the basis of this contract, with the exception of such data which it uses to provide the contractual service in question. Furthermore, the Contractor shall not use personal data of customers and website users of the Client for its own marketing/advertising purposes, i.e. the Contractor shall not contact customers and website users of the Client in any form outside the fulfillment of its contractual obligations, enable third parties to make such use, or use personal data of customers and website users of the Client in a manner that violates data protection regulations or other applicable law, unless the Client and the respective customer or website user of the Client have given their express prior consent to this.
(4) The Contractor reserves the right to adapt or redesign the software in the future. This may also include a change to the basic structure and responsibilities under data protection law. Any use of the data collected for the Client's or third parties' own or joint purposes (e.g. for the purpose of cross-provider analysis) and those of the Contractor shall only take place in compliance with data protection regulations and within the framework of a separate agreement between the two parties.
(5) Unless the contracting parties agree otherwise, the processing of personal data of the Client's customers shall be carried out in accordance with the Client's instructions and shall be subject exclusively to the DPA.
(6) The client warrants that the persons authorized to issue instructions or the contact persons named in the order form have the expertise and specialist knowledge required for the respective function.
(7) The data processed under these terms and conditions may be used in aggregated and fully anonymized form for product improvement by the provider for its own business purposes without restriction.
§ 16 Final provisions
(1) Should a provision of the contractual terms and conditions be or become invalid or should the contractual terms and conditions contain a gap that needs to be filled, this shall not affect the validity of the remaining provisions. The invalid provision or loophole shall be replaced by a provision that comes as close as possible to the economic purpose of the contractual terms and conditions and that would have been agreed by the parties if they had been aware of the invalidity of the provision.
(2) These contractual terms and conditions and their amendments as well as all contract-relevant declarations, notification and documentation obligations must be in text form in order to be effective, unless another form has been agreed or is required by law. Notwithstanding sentence 2, informal amendments or additions are also effective if they are individual agreements within the meaning of Section 305b BGB.
(3) The place of performance and exclusive place of jurisdiction for all disputes relating to the contractual terms and conditions is the Contractor's place of business (currently Karlsruhe), provided that the Client is a merchant within the meaning of the German Commercial Code, a legal entity under public law or a special fund under public law or an entrepreneur within the meaning of Section 14 of the German Civil Code. In all cases, however, the Contractor shall be entitled to bring an action at the Client's general place of jurisdiction. Overriding statutory provisions, in particular regarding exclusive jurisdiction, shall remain unaffected.
(4) The law of the Federal Republic of Germany shall apply to the exclusion of the UN Convention on Contracts for the International Sale of Goods.
Preamble
This DPA serves to specify the data protection obligations of the parties arising from the contract concluded between the parties for the provision of the use of Mable (hereinafter referred to as the main contract) and to ensure compliance with the provisions of Art. 28 (3) and (4) of the General Data Protection Regulation (GDPR). The obligations set out in this DPA apply to all activities of the Contractor that are related to the main contract and in which the Contractor's employees or other third parties commissioned by the Contractor receive or may receive personal data of the Client.
Section I - General
1. Definitions
Where terms listed in Art. 4 GDPR are used, they have the same meaning as under the GDPR.
2. Description of the processing
The subject matter, type, purpose and duration of the order are set out in the main contract. In detail, the following data is affected by the processing carried out:
Categories of data subjects whose personal data are processed
● Customers / service recipients of the client
● Interested parties / potential customers of the client
● Website users / visitors of the client's website(s)
● Newsletter subscribers of any newsletters of the client
Categories of personal data that are processed
● Order number, order, order history
● Product name, ID & variant
● Quantity (of products)
● Price
● Currency
● E-mail address
● Phone number
● First & last name
● IP address
● User agent
● Date of birth
● Location data (country, state, zip code, city)
● Click IDs (FBCLID, GCLID, ...)
● URL query parameters (e.g. UTM parameters)
● Browser IDs (e.g. FBP), browser fingerprints
● External IDs (e.g. session ID)
● User behavior on the website
3. Obligations of the contractor
3.1. Instructions
a) The Contractor shall process personal data only on documented instructions from the Client, unless it is obliged to do so under Union law or the law of a Member State to which it is subject. In such a case, the Contractor shall inform the Client of these legal requirements prior to processing, unless the law in question prohibits this due to an important public interest. The client may issue further instructions for the entire duration of the processing of personal data. These instructions must always be documented.
b) The Contractor shall inform the Client immediately if it is of the opinion that instructions issued by the Client violate the GDPR or applicable data protection regulations of the Union or the Member States.
c) The Client's authority to issue instructions also includes instructions that lead to a change in the object of processing and procedural changes. In the event of a significant change to the subject matter of this DPA, the Contractor shall have the right to object.
3.2. Purpose limitation
The Contractor shall process the personal data only for the specific purpose(s) stated in Section 2, unless it receives further instructions from the Client.
3.3. Duration of the processing of personal data
The data shall only be processed by the client for the duration of the main contract.
3.4. Security of processing
a) The Contractor shall demonstrably take appropriate and effective technical and organizational measures to ensure the security of the personal data. This includes the protection of the data against a breach of security which, whether unintentional or unlawful, results in the destruction, loss, alteration or unauthorized disclosure of, or access to, the data (hereinafter "personal data breach"). In assessing the appropriate level of protection, the parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing referred to in Clause 2 and the risks presented to the data subjects. These security measures shall include all measures set out in this DPA. The measures shall be described in detail by the Contractor in Annex I and shall include at least the following:
1. Measures to ensure that only authorized employees can access the personal data for the stated purposes;
2. Measures that include the Contractor granting its employees and sub-processors access to the personal data only via individually named accounts, with the use of these accounts being appropriately logged and the accounts concerned granting their users access only to those personal data whose access is necessary for the legal person concerned;
3. Measures to protect personal data against accidental or unlawful destruction, accidental loss or alteration and unauthorized or unlawful storage, processing, access or disclosure;
4. Measures designed to identify vulnerabilities in relation to the processing of personal data in the systems used to provide services to the client;
5. Measures to ensure that personal data is always available when access to it is required;
6. Other measures agreed by the Parties as set out in Annex I.
b) The parties are aware that technical and organizational measures are subject to constant technical progress and that compliance with appropriate security standards requires regular review of existing and updating of outdated security measures. Therefore, the Contractor shall review the measures taken to fulfill this Section 3.4 at regular intervals and, if necessary, adapt them if they no longer correspond to the security level required by this Section 3.4 or Art. 32 GDPR. In the course of technical progress, the Contractor is also permitted to use alternative adequate measures in deviation from Annex I, provided that this does not fall below the security level of the existing measures. The Contractor is obliged to comply with the level of data protection defined in Section 3.4.a). However, it is free to choose the means by which it ensures compliance with this level of data protection.
c) The Contractor shall only grant its personnel access to the personal data that is the subject of the processing to the extent that this is absolutely necessary for the performance, administration and monitoring of the main contract. The Contractor warrants that the persons employed by it to process the personal data under this DPA have undertaken to maintain confidentiality or are subject to appropriate statutory confidentiality obligations. To this end, the Contractor must inform all persons who may access the Client's personal data as intended of the data secrecy and instruct these persons appropriately about the obligations under data protection law. In particular, the persons employed must be informed that data secrecy continues to exist even after the termination of the activity.
d) The Contractor shall store and process the data processed under this DPA logically separately from other data sets that the Contractor processes on its own behalf or on behalf of third parties.
e) The Contractor shall not make any copies orduplicates of the data processed under this DPA without the Client's knowledge.This shall not apply to technically necessary, temporary copies, provided thatany impairment of the agreed level of data protection is excluded.
3.5. Sensitive data
If the processing concerns personal datarevealing racial or ethnic origin, political opinions, religious orphilosophical beliefs, or trade union membership, or containing genetic data orbiometric data for the purpose of uniquely identifying a natural person, dataconcerning health, sex life or sexual orientation of a person, or data relatingto criminal convictions and offenses (hereinafter "sensitive data"),the client shall apply specific restrictions and/or additional safeguards.
3.6. Documentation and compliance with this DPA
a) The Contractor shall process requests from the Client regarding the processing of data in accordance with this DPA promptly and appropriately.
b) The Contractor shall list the processing operations carried out under this DPA in a record of processing activities in accordance with Art. 30 GDPR. Upon request, the Contractor shall provide the Client with all information that must be listed in the record of processing activities in accordance with Art. 30 GDPR. In addition, the Contractor shall make the record available to the supervisory authority upon request.
c) The Contractor shall provide the Client with all information required to demonstrate compliance with the obligations set out in this DPA and arising directly from the GDPR, the BDSG or other relevant data protection regulations. At the request of the Client and following joint agreement on a date, the Contractor shall allow the processing activities covered by this DPA to be audited at least once a year or if there are indications of breaches of this DPA or other IT and data security-related incidents. The Contractor shall support the Client in this to the greatest possible reasonable extent. Should the Client identify inadequacies in the Contractor's security measures in the course of such an audit, it shall be entitled to issue appropriate instructions to the Contractor to revise its security concept. The Contractor shall implement these within a reasonable period of time.
d) The Client may carry out the audit itself or commission an independent auditor. Audits may also include inspections of the Contractor's premises or physical facilities and shall be carried out with reasonable notice where appropriate.
e) The exact scope, duration, organization and costs of audits shall be mutually agreed in each case.
f) The Parties shall make the information referred to in this Section 3.6, including the results of audits, available to the competent supervisory authority(ies) upon request.
3.7. Use of sub-processors
The Contractor shall have the Client's general authorization to engage sub-processors included in an agreed list (Annex II). The Contractor shall expressly inform the Client in writing at least four weeks in advance of any intended changes to this list by adding or replacing sub-processors, thus giving the Client sufficient time to object to these changes before the sub-processor(s) concerned is/are engaged. The Contractor shall provide the Client with the necessary information to enable the Client to exercise its right to object.
a) The Contractor shall carefully select the sub-processor, taking particular account of its suitability with regard to compliance with the technical and organizational measures agreed between the parties.
b) If the Contractor engages a sub-processor to carry out certain processing activities (on behalf of the Client), such engagement shall be by way of a contract which imposes on the sub-processor substantially the same data protection obligations as those applicable to the Contractor under this DPA. The Contractor shall ensure that the sub-processor fulfills the obligations to which the Contractor is subject in accordance with this DPA and the GDPR.
c) The Contractor shall provide the Client with a copy of such a subcontracting agreement and any subsequent amendments at the Client's request. To the extent necessary to protect trade secrets or other confidential information, including personal data, the Contractor may redact the wording of the agreement before providing a copy.
d) The Contractor shall be fully liable to the Client for ensuring that the sub-processor fulfills its obligations under the contract concluded with the Contractor. The Contractor shall notify the Client if the sub-processor fails to fulfill its contractual obligations.
3.8. International data transfers
a) Any transfer of data by the Contractor to a third country or an international organization shall be made exclusively on the basis of documented instructions from the Client or to comply with a specific provision under Union law or the law of a Member State to which the Contractor is subject, and shall comply with Chapter V of the GDPR.
b) The Client agrees that in cases where the Contractor uses a sub-processor pursuant to Section 3.7 to carry out certain processing activities (on behalf of the Client) and these processing activities involve a transfer of personal data within the meaning of Chapter V of the GDPR, the Contractor and the sub-processor may ensure compliance with Chapter V of the GDPR by using standard contractual clauses adopted by the Commission pursuant to Article 46(2) of the GDPR, provided that the conditions for the application of these standard contractual clauses are met.
4. Support for the Client
a) The Contractor shall inform the Client immediately of any request (information, deletion, etc.) received from the data subject. It shall not respond to the request itself unless it has been authorized to do so by the Client.
b) Taking into account the nature of the processing, the Contractor shall support the Client in fulfilling its obligation to respond to requests from data subjects to exercise their rights. If the Client is subject to an inspection by supervisory authorities or other bodies, the Contractor undertakes to support the Client to the extent necessary, insofar as processing operations under this DPA are concerned. In fulfilling its obligations under letters a) and b), the Contractor shall follow the Client's instructions.
c) Apart from the Contractor's obligation to support the Client in accordance with Clause 4 b), the Contractor shall also support the Client in complying with the following obligations, taking into account the type of data processing and the information available to it:
1. Obligation to carry out an assessment of the impact of the intended processing operations on the protection of personal data (hereinafter "data protection impact assessment") if a form of processing is likely to result in a high risk to the rights and freedoms of natural persons;
2. Obligation to consult the competent supervisory authority(ies) prior to processing if a data protection impact assessment indicates that the processing would result in a high risk, unless the Client takes measures to mitigate the risk;
3. Obligation to ensure that the personal data is accurate and up to date, by the Contractor informing the Client immediately if it discovers that the personal data it is processing is incorrect or out of date;
4. Obligation to create and update the record of processing activities in accordance with Article 30 GDPR;
5. Obligations pursuant to Article 32 GDPR.
5. Notification of personal data breaches
In the event of a personal data breach, the Contractor shall cooperate with and assist the Client accordingly to enable the Client to comply with its obligations under Articles 33 and 34 GDPR, taking into account the nature of the processing and the information available to the Contractor.
5.1. Breach of the protection of data processed by the Client
In the event of a breach of the protection of personal data in connection with the data processed by the Client, the Contractor shall support the Client as follows:
a) in notifying the personal data breach to the competent supervisory authority(ies) without undue delay after becoming aware of it (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
b) in obtaining the following information to be provided in the Client's notification in accordance with Article 33(3) of the GDPR, which must include at least the following:
1. the nature of the personal data, where possible indicating the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
2. the likely consequences of a personal data breach;
3. the measures taken or proposed by the Client to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.
If and to the extent that not all such information can be provided at the same time, the initial notification will contain the information available at that time and further information will be provided as soon as it becomes available without undue delay thereafter;
c) in complying with the obligation under Article 34 GDPR to notify the data subject without undue delay of a personal data breach where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
5.2. Breach of the protection of data processed by the Contractor
In the event of a breach of the protection of personal data in connection with the data processed by the Contractor, the Contractor shall notify the Client immediately after becoming aware of the breach. This notification must contain at least the following information:
a) a description of the nature of the breach (if possible, specifying the categories and approximate number of data subjects affected and the approximate number of data records affected);
b) contact details of a contact point where further information about the personal data breach can be obtained;
c) the likely consequences and the measures taken or proposed to address the personal data breach, including measures to mitigate its possible adverse effects.
If and to the extent that not all such information can be provided at the same time, the initial notification will contain the information available at that time and further information will be provided as soon as it becomes available without undue delay thereafter.
The Parties shall set out in Annex I any other information that the Contractor must provide to assist the Client in fulfilling its obligations under Articles 33 and 34 GDPR.
6. Violations of the clauses and termination of the DPA
a) If the Contractor fails to comply with its obligations under this DPA, the Client may - without prejudice to the provisions of the GDPR - instruct the Contractor to suspend the processing of personal data until it complies with this Agreement or the DPA is terminated. The Contractor shall inform the Client immediately if it is unable to comply with these clauses for any reason whatsoever.
b) The Client shall be entitled to terminate this DPA and the parts of the main contract affected by this DPA for cause, insofar as it relates to the processing of personal data in accordance with this DPA, if
1. the Client has suspended the processing of personal data by the Contractor in accordance with point a) and compliance with this DPA has not been restored within a reasonable period, but in any case within one month of the suspension;
2. the Contractor violates this DPA to a significant extent or persistently or fails to fulfill its obligations under the GDPR;
3. the Contractor fails to comply with a binding decision of a competent court or the competent supervisory authority or authorities relating to its obligations under this DPA or the GDPR.
c) The Contractor shall be entitled to terminate this DPA and the parts of the main contract affected by this DPA with one month's notice, insofar as it concerns the processing of personal data in accordance with this DPA, if the Client insists on the fulfillment of its instructions after being informed by the Contractor that its instructions violate applicable legal requirements in accordance with Section 3.1 letter b). Until termination of the main contract, the Contractor shall continue to provide the contractually agreed service.
d) After termination of the main contract, the Contractor shall delete all personal data processed on behalf of the Client and certify to the Client that this has been done and delete existing copies, unless there is an obligation to store the personal data under Union law or the law of the Member States. Until the data is deleted, the Contractor shall continue to ensure compliance with these clauses.
7. Right of retention
The defense of the right of retention of data transmitted under this DPA is excluded, regardless of its legal basis.
8. Liability
a) The parties shall be jointly and severally liable to data subjects for any damage caused by processing that does not comply with the rules of the GDPR.
b) The Contractor shall only be liable for damage resulting from processing carried out by it in which
1. it has not complied with the obligations resulting from the GDPR and specifically imposed on processors, or
2. it acted in disregard of lawful instructions issued by the Client, or
3. it has acted contrary to lawful instructions issued by the Client.
c) Insofar as limitations of liability are provided for in the main contract, these shall apply mutatis mutandis to this DPA, with the proviso that:
1. all limitations of liability for the loss of and/or damage to personal data are excluded;
2. all limitations of liability for fines imposed by a regulatory authority in direct connection with poor performance by the Contractor or negligent or willful conduct attributable to the Contractor are excluded.
d) The parties shall indemnify each other against liability if a party proves that it is not responsible in any respect for the circumstance that caused the damage to a party concerned. Section 8 c) 2. shall apply accordingly in the event of a fine imposed on a party, whereby the indemnification shall be made to the extent that the respective other party bears a share of the responsibility for the infringement sanctioned by the fine.
e) In the event that the parties are jointly and severally liable to third parties, they are obliged to contribute to the damages and costs in proportion to their share of fault, unless the GDPR provides otherwise in individual cases.
9. Confidentiality
The rules on confidentiality from the main contract apply accordingly to this DPA.
Technical and organizational measures (Annex I)
Technical and organizational measures (TOMs) in accordance with Art. 32 GDPR
Organization: Mable GmbH
Organizations that collect, process or use personal data themselves or have this done on their behalf must take the technical and organizational measures necessary to ensure compliance with the provisions of data protection laws. Measures are only necessary if their cost is proportionate to the intended purpose of protection.
The above-mentioned organization meets this requirement through the following measures:
1. Confidentiality
1.1 Physical access control
Measures that are suitable for preventing unauthorized persons from gaining physical access to data processing systems with which personal data is processed or used. The following measures have been taken:
- The most important IT systems used to process personal data have been recorded.
- The premises with stationary IT systems have been recorded.
- The offices are lockable and are locked outside office hours.
- The office complexes are secured by a transponder locking system.
- Important data processing systems are outsourced to data center service providers.
- Only authorized persons have access to the complex.
- There is mandatory access authentication for all persons.
- Visitors are welcomed and accompanied to the respective areas by employees.
- Visitor zones are separated from processing zones so that third parties cannot enter rooms with IT systems alone. As a rule, however, no third parties enter the office premises.
- The company premises and building openings (e.g. windows) were sufficiently taken into account in the measures.
- Only authorized employees have access to the server room, as the server room is located in the data center.
- The server room is equipped with motion sensors.
- Servers and firewalls are housed in lockable rooms in the data center.
- Keys for the locking system are issued via a key concept.
- The issue and return of keys are documented.
- Master keys are only issued to authorized persons. Their allocation is minimized.
- Home offices and mobile work devices are included in the company's security strategy. Affected employees have been bound by agreement to comply with the rules of conduct and data protection.
- Appropriate agreements have been made with external service providers who have access to the complex.
1.2 System access control
Measures that are suitable for preventing data processing systems, e.g. computers, from being used by unauthorized persons. The following measures have been taken:
- IT processing systems are known and recorded.
- Depending on the protection requirements, access control systems are used (e.g. passwords, 2-factor authentication).
- Employees are authenticated individually using a user name and password.
- The internal network is isolated from the Internet by a firewall.
- Servers that are accessible from outside are secured in the data center.
- All IT systems are equipped with the latest anti-virus technologies.
- Passwords are designed securely using a tool (security features, length, complexity).
- Any default passwords for IT systems have been deactivated.
- Passwords are only stored in encrypted form.
- All passwords are changed if there is a suspicion of possible unauthorized reading of passwords.
- Authorizations are granted or withdrawn according to department and group membership.
- Access is blocked if login attempts are too frequent.
- Logins to the network are technically logged, but only analyzed in security-relevant cases.
- Remote access is limited to a minimum.
- There are binding requirements in the event of loss of means of identification.
- When an employee leaves the company, the corresponding access data is blocked. The procedure is logged.
- The integrated protection functions of the IT systems are used as standard and kept up to date.
1.3 Data access control
Measures to ensure that persons authorized to use a data processing system can only access the data covered by their access authorization, and that personal data cannot be read, copied, modified or removed without authorization during processing, use and after storage. The following measures have been taken:
- All locations where personal data is stored are documented.
- The authorization concept controls who can access which systems and data sets.
- The IT systems support various access security procedures.
- State-of-the-art encryption methods are used.
- Passwords are transmitted securely in the local network.
- The most important places where personal data is stored are documented. This primarily concerns the servers in the data centers.
- Externally used end devices such as notebooks are fully encrypted before use.
- Data carriers that are no longer used or are defective are disposed of safely.
- Data that is no longer required is securely deleted.
- It is regulated who may save, change or delete data.
- The user role system regulates access authorizations to applications and folders.
- Default passwords have been deactivated.
- External access is restricted to authorized persons using encryption and firewall technologies.
- The use of private data carriers is prohibited.
- Old paper documents are securely shredded.
- Access for specialist and system tasks is strictly separated.
- Backup data carriers are securely stored in the data center.
- Service providers are bound by data processing (AV) agreements to comply with the internal guidelines.
- Access to applications is logged (application logs), but only analyzed in security cases.
1.4 Separation control
Measures to ensure that data collected for different purposes can be processed separately. The following measures have been taken:
- Data collection is limited to what is necessary so that the objectives can be achieved.
- Different data is processed separately by separating the systems, databases and their columns and data carriers, as in the case of productive and test systems.
- Clients (tenants) are separated.
- Access options to the systems are controlled by authorization concepts.
- Routers are used to generate and control different network segments.
- Access to applications is separated at application level.
1.5 Pseudonymization
Personal data is processed in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures. The following measures have been taken:
- Documents with personal data in the laboratory area are given an individual number. This number is used in the system so that only the original department can establish a link to the person.
2. Integrity
2.1 Transfer control
Measures to ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transmission or during their transport or storage on data carriers, and that it is possible to check and determine to which bodies personal data are to be transmitted by data transmission equipment. The following measures have been taken:
- Data is transferred between networks via secure connections using VPN technology or encryption.
- Communication with web servers takes place via encrypted connections such as HTTPS or SFTP.
- Sensitive data sent by e-mail is only transmitted in encrypted form.
- Firewalls protect data traffic into the company.
- Antivirus systems protect data traffic within the network.
- Server systems are specially hardened against external influences.
- Backups are encrypted.
- Important data (analog / digital) is stored in various secure locations as required.
- Mobile devices such as notebooks and smartphones are documented and are only issued to authorized employees.
- Data is transmitted tamper-proof via digital communication.
2.2 Input control
Measures to ensure that it is possible to subsequently check and determine whether and by whom personal data has been entered, modified or removed from data processing systems. The following measures have been taken:
- All IT systems in which data may be entered, changed and deleted are documented.
- There is technical logging of the entry, modification and deletion of data.
- The logs are only evaluated if necessary; otherwise they are deleted according to internal guidelines.
- Authorizations have been granted depending on who is allowed to enter, delete or change data.
- Home office activities on the server systems are recorded and logged.
3. Availability and resilience
3.1 Availability control
Measures to ensure that personal data is protected against accidental destruction or loss. The following measures have been taken:
- Rooms with IT systems are equipped with fire and smoke detection systems (data center).
- There is a fire extinguisher approved for electronic devices in the server room (data center).
- Power is supplied to electronic devices via protective socket strips.
- Important IT systems (servers) are protected from power fluctuations by a UPS (data center).
- Backups (for servers and applications) are carried out according to a defined and documented backup concept.
- Regular backups are set up. The backup processes are monitored.
- Backup copies are stored in encrypted form.
- Separate partitions are set up for operating systems and user data.
- Data is stored redundantly on RAID systems (data center).
- Automatic e-mail archiving takes place.
- Various methods are used to protect systems from malware.
- An appropriate risk and vulnerability analysis was carried out within the IT infrastructure.
- The effectiveness of the existing measures is reviewed at least once a year.
4. Procedures for regular review, assessment and evaluation
4.1 Data protection management
Measures for the organization of data protection within the company. The following measures have been taken:
- The effectiveness of the technical and organizational measures is reviewed regularly, at least once a year.
- An external data protection officer has been appointed and notified to the competent supervisory authority.
- Employees are sensitized at least once a year.
- In critical areas, a substitution arrangement is in place for employees.
- The requirements regarding the information obligations pursuant to Art. 13 and 14 GDPR are met.
4.2 Incident response management
Support measures for responding to security breaches. The following measures have been taken:
- Firewalls are used, which are updated regularly.
- IT systems are protected by up-to-date virus scanners, which regularly receive new signatures.
- Spam filters with regular updates are used.
- The data protection officer is involved in security incidents.
4.3 Privacy-friendly default settings
Privacy by design / privacy by default. The following measures have been taken:
- No more personal data is collected than is necessary for the respective purpose.
4.4 Order control
Measures to ensure that personal data processed on behalf of the client can only be processed in accordance with the client's instructions. The following measures have been taken:
- Security measures taken by the contractor and their documentation are checked in advance.
- The contractors are selected with due diligence, especially in the areas of data protection and data security.
- Processors receive the necessary agreement for commissioned processing.
- The contractor's employees must have been obligated to maintain confidentiality.
- Effective control rights vis-à-vis the contractor are agreed.
- Contractors are audited regularly (every 3 years).
- The use of other subcontractors is regulated.
- After completion of the order, the data will be destroyed or returned.
- The data protection officer has a list of all cases of commissioned processing.
5. Deletion periods
- Deletion periods are generally based on the statutory provisions.
- A deletion rule is created and stored for each data category.
Authorized sub-processors (Annex II)
The Contractor currently works with the following sub-processors in the performance of the contract, whose commissioning the Client expressly consents to.
If the data processing takes place outside the EEA or is accessed from outside the EEA, the following overview must also list the measures and guarantees that ensure an adequate level of data protection during processing in accordance with Art. 44 ff. GDPR (e.g. EU standard contractual clauses, binding corporate rules, or an adequacy decision of the EU Commission).
Subcontractor (company, address, contact person): Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg
Processed data categories: All of the above.
Processing activity / purpose of subcontracted data processing: Hosting
Measures / guarantees in accordance with Art. 44 - 50 GDPR: Data is transferred on the basis of the Standard Contractual Clauses (SCCs). Has performed self-certification according to its Data Privacy Framework (see DPA).
Subcontractor (company, address, contact person): Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland
Processed data categories: All of the above.
Processing activity / purpose of subcontracted data processing: Hosting
Measures / guarantees in accordance with Art. 44 - 50 GDPR: Data transfer is based on the Standard Contractual Clauses (SCCs). Has carried out self-certification in accordance with its Data Privacy Framework (see DPA).
Subcontractor (company, address, contact person): Datadog, Inc., 620 8th Avenue, 45th Floor, New York, NY 10018-1741, USA
Processed data categories: All of the above.
Processing activity / purpose of subcontracted data processing: Logging & Monitoring
Measures / guarantees in accordance with Art. 44 - 50 GDPR: Data transfer is based on the Standard Contractual Clauses (SCCs). Has carried out self-certification in accordance with its Data Privacy Framework (see DPA).
Contact details (Annex III)
In the event of a change or long-term absence of the contact person, the contractual partner must be informed of the successor or representative.
1. Authorized instructors and recipients of instructions of the Contractor
Name: Nils Jessen
Telephone: +49 176 44240402
E-mail: nils@mable.ai
3. Data protection officer of the Contractor
Name, address: Mr. Thomas Ott, kolbcom GmbH, P7, 22, 68161 Mannheim
Telephone: +49 621 12182931
E-mail: info@kolbcom.de