Terms and Conditions

General Terms and Conditions

Last Update: 2021-03-04

1. Preamble

Traversals Analytics and Intelligence GmbH, Gräfenberger Str. 34 91080 Uttenreuth, Germany (hereinafter “Contractor”) has developed an intelligence platform for numerous fields of applications, e.g. vendor risk management, medical intelligence, data leakage detection and compliance checks (hereinafter “Software”). The use of the Software and the provision of supplementary services (“Services”) are subject to these General Terms and Conditions (“GTC”). An individual agreement, if applicable, between the parties shall take precedence over these GTC.

2. Rights of Use

2.1 Subject to the full payment of the agreed remuneration, the Contractor shall grant the Customer the non-exclusive, non-transferable, worldwide, non-remunerated right to use the Software for the Software‘s intended use for the duration of the contract. The Customer may only use the Software within the scope of the contractual provisions. The Customer shall not be granted any right to the source code of the Software. The Customer may use the Software only for its own purposes. Use for own purposes shall include the intended use of the Software for general business purposes of the Customer and the processing of the Customer’s data. This does not include the use of the Software for and/or on behalf of third parties, for example as a service provider or any other use for and/or by third parties.

2.2 The Customer is entitled to have the software used by its own employees or by third parties for its own purposes. The Customer creates a Super-Admin-User-Account during the initial setup. The Super-Admin-User can then create standard user accounts. The Software may be used according to the remuneration model agreed in the respective order. The Customer shall document the respective authorized users. A joint use of the Software by different users under a common user account is excluded. The Customer shall be responsible for the use of the Software by its users and for all damages caused by negligent or intentional breaches of duty by its users.

2.3 Unless otherwise agreed, any rights to the Software and Services provided by the Contractor or developed under this Agreement shall be the sole property of the Contractor. Any rights to any kind of modification, development or improvement of the Software and/or Services made by the Customer are also exclusively owned by the Contractor.

2.4 The Software may contain open source software components. The use of these components is exclusively subject to the corresponding terms of use of the open-source software components which are transmitted and/or referenced within the framework of the open-source software components. No provision of the contract shall affect the rights or obligations of the Customer under the corresponding terms of use of the open-source software components. In the event of contradictions or conflicting provisions of the license terms of the open-source software and the provisions of the contract, the license terms of the open-source software shall take precedence.

2.5 The right to use the Software shall also extend to fixes, patches, developments and updates which the Contractor makes available to the Customer. The right to updates does not include the right to use new/additional products and functionalities which are made available as separate products/modules.

2.6 The contractor provides the Software and detailed documentation of the Software in electronic form.

2.7 Unless otherwise agreed or prescribed by mandatory law or applicable open source software terms of use, the Customer shall not be entitled

  1. to copy the Software beyond what is necessary for use in accordance with the contract, neither in whole nor in part;
  2. to modify, correct, adapt, translate, translate, improve the Software or otherwise make derived developments to the Software;
  3. to rent, lend, sell, license, transfer or otherwise make the Software available to third parties;
  4. to reverse engineer, decompile, disassemble or otherwise attempt to decipher the source code of the Software, either in whole or in part;
  5. circumvent or violate security devices or protection mechanisms contained in or used for the Software;
  6. to take measures that are suitable to cause damage to the Software or the servers of Contractor;
  7. remove, delete, erase, obliterate, modify, conceal, translate, combine, add to or otherwise alter any trademark, documentation, warranty, disclaimer of liability or other rights, such as intellectual property, signs, notices, markings or serial numbers, which are associated with the Software or documentation;
  8. to use the Software in a manner that violates applicable law and/or the rights of third parties;
  9. to use the Software for the purposes of benchmarking or competitive analysis of the Software, for the development, use or provision of a competing software product or competing services or for any other purpose that is detrimental to Contractor; and/or
  10. to use the Software for or in connection with the planning, construction, maintenance, operation or use of hazardous environments, systems or applications or other safety-critical applications or otherwise to use the Software in a manner that could lead to physical injury or serious damage to property.

3. Customer Obligations

3.1 The Customer shall support the Contractor to a reasonable extent in the performance of the contractual services. The Customer shall provide all cooperation services, information, data, files, materials, which are necessary for the Contractor to fulfill the contractual obligations in advance and without being asked. Should the Customer not cooperate sufficiently and/or cause delay, the Contractor shall not be obliged to fulfill the contractual obligations as long and to the extent that the Contractor is prevented from fulfilling the contractual obligations due to insufficient and/or delayed cooperation by the Customer. The Contractor shall inform the Customer of its insufficient or late cooperation and set a reasonable deadline for subsequent performance. If the Customer nevertheless fails to fulfill its obligations to cooperate, any increases in remuneration, additional expenses (e.g. overtime, cancellation costs, travel expenses) and postponements of deadlines that cannot be avoided by the Contractor shall be borne by the Customer. If the Customer fails to meet the deadline, the Software and/or Services concerned shall be deemed to have been made available or provided.

3.2 The Customer is responsible for (i) appropriate security processes, tools and controls for systems and networks that interact with the Software, (ii) the provision of alternative processes in the event of lack of availability of the Software, (iii) the determination of whether the technical and organizational measures of data protection and data security provided by the Contractor meet the specific requirements of the Customer, (iv) the appropriate internal training of the users and the provision of internal technical support, and (v) the proper backup of all programs and data on its system environment and of all programs and data transferred to or used in the Software. data and work results transferred into or created with the Software upon commencement of the use of the Software and at reasonable regular intervals thereafter.

4. Services (Professional Services, Consulting, Configuration, etc.)

4.1 Unless otherwise agreed, Services shall be invoiced on a time and material basis at the end of the calendar month in which they are provided. Invoicing shall be based on the Contractor’s timesheets. Unless otherwise agreed, reasonable travel expenses will be borne by the Customer and invoiced monthly.

4.2 When working on the Customer’s facilities, employees of the Contractor will follow the Customer’s safety instructions and policies. The Customer shall provide any such instructions and policies to the Contractor in advance.

4.3 The Contractor reserves any rights to all work results which are developed in the course of the providing Services to the Customer. This includes in particular software/code, interfaces, methods, processes and templates used, created or modified by the Contractor. The Contractor grants the Customer a non-exclusive, non-transferable right of use for its own purposes in accordance with Section 2.1 of these GTC.

4.4 Work results created by the Contractor in the course of providing services to the Customer, in particular customizing or modifying the Software, are not covered by Contractor’s standard support, unless these work results are incorporated into the standard Software. Such work results can also only be used with the version/release of the software current at the time of creation. Each upgrade or update may require additional migration services subject to a fee.

5. Warranties

5.1 Contractor warrants that the Software and the Services shall be provided by Contractor free of defects and, if used as intended, shall essentially comply with the specifications stated in the documentation. The Services shall be performed according to industry standards by experienced personnel.

5.2 Contractor warrants that the Customer’s use of the Software in compliance with these GTC does not infringe any third-party intellectual property rights.

5.3 Technical data, specifications and performance data in public statements, in particular in advertising material, do not in any way represent contractual quality specifications for the Software.

5.4 In the event of defects, the Customer’s claims for defects are initially limited to subsequent performance. The Customer shall notify the Contractor in writing of any defects that occur with a description of the defect and request that the defect be remedied. In the event of proven defects, the Contractor shall provide warranty by means of subsequent performance in such a way that the Contractor makes the Software or Service available or provides it again in a defect-free condition or rectifies the defect.

5.5 If the subsequent performance finally fails after two attempts at subsequent performance, the Customer may terminate the affected contract or reduce the remuneration appropriately. The Contractor shall pay damages or compensation for futile expenditure due to a defect within the limits of liability as set out in these GTC.

6. Provision of Software and Services

6.1 The Software shall be provided as “Software as a Service”, which means that the Contractor makes the Software available to the Customer in a logically separated account for remote access via the Internet. The Software shall not be distributed to the Customer. The Software is made available to the Customer in its current version/release.

6.2 The Contractor shall make the Software available to the Customer with an availability of at least 99.5% of the respective calendar month (hereinafter “Minimum Availability”). In this context, the Software shall be available if there is an uninterrupted connection between the servers on which the Software is hosted and the transfer point to the Internet and if the Customer is able to log on and has access to the Software. The minimum availability does not apply to test and development servers.

6.3 Based on the data collected and analyzed with the Software, the Software may, in specific use cases, generate evaluations, reports, analyses and recommendations (hereinafter “Recommendations”). The accuracy and quality of these Recommendations depend on various factors, in particular on the quality and quantity of the collected data. Accordingly, Recommendations are non-binding, Contractor assumes no consultant liability or other liability for the Recommendations, and the Customer should not make any decisions and material dispositions solely on the basis of the Recommendations of the Software.

6.4 Certain functionalities and use cases of the Software, in particular in connection with the collection of generally/publicly accessible data from various sources on the Internet, are dependent on the availability of the respective sources that are accessed during the collection of the data. Permanent availability cannot be guaranteed for all sources as, for example, data from a particular social network can no longer be collected if the collection is legally or technically impossible or because the terms of use prohibit the collection of data or because an interface/API required for the collection of data is no longer available or no longer available on reasonable terms.

6.5 The Customer shall provide a current standard web browser (Google Chrome or Mozilla Firefox) for the use of the Software (Google Chrome or Mozilla Firefox). The Customer is responsible for the provision and operation of all hardware and operating software and for a secure and fast Internet connection.

6.6 Unless expressly agreed otherwise, setup/setup and configuration of the Software shall be remunerated according to the hourly rates for services agreed in the contract.

6.7 Software and other work results shall be deemed delivered as soon as they have been made available to the Customer. Services shall be deemed to have been rendered as soon as the respective Service has been completed. Support/maintenance shall be deemed to have been provided on a monthly pro rata temporis basis.

6.8 Unless otherwise agreed, the Software and the Services shall not be subject to acceptance by the Customer, but shall be deemed accepted upon delivery. If acceptance is contractually agreed and if the Customer has not complied with the time or test plan for acceptance, or if such a test plan or a time limit for tests and acceptance is not available, the Software and the Services shall be deemed accepted ten working days after delivery.

6.9 The Contractor shall be entitled to use subcontractors or other vicarious agents (collectively referred to as “Subcontractors”) to perform the contractual obligations. The Contractor shall ensure that subcontractors are bound by obligations regarding secrecy and data protection in accordance with these GTC. The use of subcontractors shall not affect the Contractor’s contractual obligations towards the Customer. The Contractor shall be liable for any non-performance or improper performance of services by a subcontractor as if it were the Contractor’s own fault.

7. Support

7.1 Support includes assistance and advice to the Customer in solving problems with the use of the Software, including the examination, diagnosis and correction of significant defects and errors in the Software and the provision of bug fixes, corrections, modifications, changes, extensions, upgrades and new versions of the Software (Updates) to ensure the functionality of the Software.

7.2 Support does not extend to problems with or damage to the Software to the extent that such problems or damages are caused by (i) negligence, misuse or improper operation on the part of the Customer; (ii) operation, use of the Software not in accordance with the documentation or failure to comply with the specifications or limitations provided by the Contractor; (iii) modifications to the Software not performed or approved by the Contractor; (iv) acts of third parties; (v) products of third parties; and/or (vi) force majeure.

7.3 For each request/report, the Contractor will, at its sole discretion, prioritize in accordance with the criteria defined below. The Contractor may combine redundant requests/reports by the Customer relating to the same topic into one request/report.

7.4 Support shall be available as defined below under the contact data provided. “Business Day” refers to Monday to Friday, except on public holidays at the headquarter of the Contractor.

Availability

On Business Days 9:00 – 17:00 CET

Telephone

+49-(0)9131 92790 0

E-Mail

support@traversals.com

Languages

German, English

 

7.5 The Contractor shall react to any support requests/reports within the response times defined below. The response time is the time between the first request/report by the Customer (by telephone or electronically) and the first feedback (by telephone or electronically) from the Contractor. Only time intervals during the availability times are relevant for the response time.

Priority

Description

Response Time

1 – Show Stopper

The Software is not available at all and the Customer’s business is severely affected

3 Hours

2 – Critical

Functionality of the software not as described and thus significant impairment of the use of the software as a whole

8 Hours

3 – Major

Functionality of the software not as described, other use of the software is not or only insignificantly impaired

48 Hours

4 – Minor

Functionality of the software not affected, general question

1 Week

 

7.6 The Contractor attaches the highest importance to fixing bugs as quickly as possible, but it is not possible to generally define specific resolution times in advance, as bugs can have various types and causes. The Contractor will make every effort to fix bugs and malfunctions as quickly as possible and will regularly inform the Customer about the progress of the bug fix.

7.7 The Customer grants the Contractor the right to access its account of the Software and the data processed with the Software to fix bugs.

7.8 The Customer defines a support coordinator. Only the support coordinator will contact the Contractor with regard to support.

8. Payment Terms

8.1 Unless otherwise agreed, the provisioning of the Software is invoiced annually in advance upon delivery. Invoices are due within 14 days of the invoice date without discount or other deductions. Unless otherwise agreed, the indication of a purchase order number on the invoice is not a prerequisite for the payment obligation.

8.2 In the event of late payment, interest on arrears shall be due at the statutory rate. In the event of a delay in payment of more than 30 days, the Contractor is entitled to temporarily deactivate the Customer’s access to the Software until the overdue invoice has been paid.

8.3 The prices quoted do not include VAT or other taxes. If applicable, these will be invoiced separately to the Customer.

9. Limitation of Liability

9.1 Unlimited Liability: The Contractor is liable without limitation a) in the event of willful conduct or gross negligence; b) within the scope of a guarantee taken over by the Contractor; c) in the event that a defect to our Services is maliciously concealed; d) in case of an injury to life, body or health; and e) according to the German Product Liability Law.

9.2 Liability for Breach of Cardinal Duties: Unless the Contractor is liable in accordance with Section 9.1 (“Unlimited Liability”) above, if material contractual duties (“cardinal duties”), the fulfillment of which enables the proper implementation and execution of this Agreement and upon the fulfillment of which the Customer may reasonably rely, are infringed due to slight negligence, the Contractor’s liability shall be limited to foreseeable damages typical for this type of contract.

9.3 Liability for Breach of Non-Cardinal Duties: Unless the Contractor is liable in accordance with Section 9.1 (“Unlimited Liability”) above, if contractual duties which are not cardinal duties (as defined in Section 9.2) are infringed due to slight negligence, any liability for damages shall be excluded.

9.4 Liability for Loss of Data: If the Customer violates its obligation to properly back up data, the Contractor is liable according to this Section 9 for loss of data limited to the amount of damages that would have occurred even if the Customer had properly and regularly backed up the data.

9.5 Exclusion of Liability: Unless the Contractor is liable in accordance with Section 9.1 (“Unlimited Liability”) above, the Contractor is not liable a) for any damages, loss, costs or expenses you might incur from using, or your inability to use, the results of the Software and/or Services for any particular purpose; and b) for any damages, loss, costs or expenses you might incur due to any delay, a temporary interruption or non-availability of the Software and/or Services.

9.6 Scope: Except for liability in accordance with Section 9.1 (“Unlimited Liability”) above, the above limitations of liability shall apply to all claims for damages, irrespective of the legal basis, including claims for tort damages. The above limitations of liability also apply in the case of claims for a party’s damages against the respective other party’s employees, agents or bodies.

10. Confidentiality

10.1 Each of the parties undertakes to use all information received within the scope of the cooperation of the parties which (a) is marked “confidential” or “secret” or with an equivalent indication or is orally designated as confidential; (b) is to be regarded as confidential due to its content; or (c) is derived from confidential information which has been made available (hereinafter collectively “Confidential Information”); exclusively for the purposes of the fulfillment of the contract, to treat Confidential Information confidentially and to protect Confidential Information from being disclosed to unauthorized third parties. This confidentiality obligation shall be imposed on all persons entrusted with the fulfillment of the contract.

10.2 Excluded from the confidentiality obligation shall be information which (a) is publicly accessible or subsequently became publicly accessible or was already known to the other party at the time of conclusion of the contract; (b) was developed independently and autonomously by the other party; (c) was disclosed to the other party by a third party not subject to a confidentiality obligation or (d) must be disclosed due to statutory provisions or official or court orders (in which case the affected party shall be informed immediately).

11. Customer Data and Indemnification

11.1 As a technical service provider, the Contractor stores content and data for the Customer. The Customer undertakes to the Contractor not to process any illegal content and data and/or content and data that infringe the rights of third parties with the Software and not to use any programs containing viruses or other malicious software in connection with the Software. In particular, the Customer undertakes not to use the Software to offer or in connection with illegal services or goods.

11.2 The Customer is solely responsible for all content and data processed and/or used by the Customer or its users as well as the legal positions that may be required for this. The Contractor does not take note of contents of the Customer or its users and does not monitor the contents used with the Software.

11.3 In this context, the Customer undertakes to indemnify the Contractor against all liability, damages and costs, including possible and actual costs of legal proceedings, if claims are made against the Contractor by third parties, including employees of the Customer, as a result of alleged acts or omissions of the Customer. The Contractor shall notify the Customer of the claim and, to the extent legally possible, give the Customer the opportunity to defend itself against the asserted claim. At the same time, the Customer shall immediately provide the Contractor with all information available to the Customer on the facts of the case which are the subject of the claim. Any further claims for damages of the Contractor shall remain unaffected.

12. Data Protection and Information Security

12.1 The Contractor processes personal data provided in connection with setting up an account in relation to the users of the Software (name, first name, e-mail address, telephone number, password) and personal data relating to the use of the Software (log files). These personal data are processed by the Contractor as the controller in order to enable the users to use the Software. With regard to the rights of the persons concerned and other information duties in this respect, reference is made to the Privacy Policy on the Contractor’s website.

12.2 The Contractor shall be entitled to access the Customer’s account of Software in order to verify compliance with these GTC, including the remuneration, by the Customer; to make diagnoses and analyses and to adjust and optimize the settings of the Software in order to improve the performance and/or security of the Software, provided that these adjustments do not have a negative impact on the use of the Software by the Customer. Furthermore, the Contractor is entitled to collect system/metadata about the use of the Software in order to use it in the context of identifying and correcting potential defects and errors in the Software, to produce statistical analyses and to support and optimize the development of the Software.

12.3 In the course of using the Software, the Customer may process personal data. The Customer is the controller of such personal data and the Contractor is a processor. Such data processing is subject to the Data Processing Addendum attached as Appendix 1. The Data Processing Addendum shall be part of the contract and is expressly incorporated into the contract by the parties.

13. Term

The term of each order is defined in the respective order form. Every order may be terminated by either party at any time in the event of a material breach of contract by the other party if the breach of contract is not remedied within 30 days. This period shall commence from the date of delivery of the written notification of the material breach of contract. The Contractor may terminate an order without notice at any time if the Customer is dissolved or liquidated or takes steps to do so and/or if the Customer becomes insolvent or bankrupt.

14. Miscellaneous

14.1 The contract is subject to German law. In the event of any conflicts arising from this contract, the parties undertake to try to come to an amicable settlement first. Should this not be possible, legal venue shall be Erlangen, Germany.

14.2 The Contractor shall have the right to publicly state the fact that the Customer is using the Software or is its customer and to use the Customer’s name and logo for this purpose in its marketing materials, including on the Internet on its website and/or on its social media pages. Any other use of the name or logo of the Customer requires the prior consent of the Customer.

14.3 Any notices under the contract must be in writing and shall become effective upon first delivery.

14.4 The Contractor may make changes to these GTC if these become necessary as a result of changed circumstances, for example in the event of significant changes in legislation or case law, the relevant market and business environment or due to technical developments and if these changes are reasonable for the Customer. The Contractor will inform the Customer about the changes in electronic form within a reasonable period of time, at least one month before the changes come into effect. The Customer is entitled to object to such changes within 14 days of receipt of the notification of change. In the event of an objection on the part of the Customer, the Contractor shall be entitled to terminate the contractual relationship without notice. If the Customer does not object, its consent shall be deemed to have been given after the expiry of the above-mentioned periods. The Contractor shall expressly mention the objection period and the consequences of non-objection when announcing the changes to the GTC.

Appendix 1:

Data Processing Addendum

1. General

The Contractor provides its intelligence platform as Software as a Service (SaaS) to the Customer. With the Software the Customer can collect and process data, including, but not limited to personal data as defined under the applicable data protection laws.

Under the contract on the provisioning of the Software (“Main Contract”), the Contractor may process personal data on instruction of the Customer.

As part of the Main Contract, this Data Processing Addendum (“DPA”) specifies the obligations of both parties to comply with the applicable data protection laws, in particular the requirements of the European General Data Protection Regulation (“GDPR”).

2. Scope of Application

The Contractor shall process personal data on behalf and on instruction of the Customer. The parties agree that for the purposes of this DPA the Customer shall be the Controller and the Contractor shall be the Processor (“Controller” and “Processor” shall have the meaning as defined by the GDPR). The subject-matter of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects are specified in the Main Contract and in Annex 1 to this DPA. The term of this DPA depends on the term of the Main Contract.

3. Compliance with Instructions

3.1 The Contractor may only process personal data within the scope of the order and the documented instructions of the Customer. The instructions shall initially be specified in the Service Agreement and may then be changed, supplemented or replaced by the Customer in text form. Verbal instructions are to be confirmed by the Customer immediately in text form.

3.2 If the Contractor is obliged to process personal data in accordance with the law of the Union or the Member State to which the Contractor is subject, the Contractor shall inform the Customer thereof in writing prior to the respective processing, unless the law prohibits such information for important reasons of public interest. In the latter case, the Contractor shall inform the Customer immediately as soon as this is legally possible.

3.3 The Contractor shall inform the Customer without delay if it is of the opinion that an instruction violates applicable laws. The Contractor may suspend the implementation of the instruction until it has been confirmed or amended by the Customer.

3.4 The Contractor may use data concerning the use of the software by the Customer in anonymized form for the purposes of optimizing the software, user experience and for security-relevant evaluations. The Customer hereby issues a corresponding instruction for the corresponding anonymization.

4. Technical and Organisational Measures

4.1 The Contractor undertakes towards the Customer to comply with the technical and organisational measures required to comply with the applicable data protection regulations. This includes in particular the provisions of Art. 32 GDPR.

4.2 The status of the technical and organisational measures existing at the time of conclusion of this DPA is documented in Annex 2 to this DPA. The parties agree that changes to the technical and organisational measures may be necessary in order to adapt to technical and legal circumstances. The Contractor reserves the right to change the security measures taken, but it must be ensured that they do not fall below the contractually agreed level of protection. 
The Customer may at any time request an up-to-date overview of the technical and organisational measures taken by the Contractor.

5. Data Subject Rights

5.1 The Contractor shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III (in particular access, correction, blocking or deletion). To the extent that the assistance of the Contractor is necessary for the protection of rights of data subjects by the Customer, the Contractor shall take the necessary measures according to the instructions of the Customer. Taking into account the nature of the processing, the Contractor shall, insofar as possible, assist the Customer by appropriate technical and organizational measures to enable the Customer to fulfill its obligations to respond to data subject requests.

5.2 The Contractor may only provide information to third parties or to data subjects with the prior consent of the Customer. It shall forward requests addressed directly to the Contractor to the Customer without undue delay.

6. Other Obligations of the Contractor

6.1 The Contractor shall inform the customer immediately, at the latest within 48 hours, if it becomes aware of violations of the protection of personal data processed on behalf of the Customer.

6.2 The Contractor shall support the Customer in preparing and updating the records of processing activities regarding the data processing performed by the Contractor on behalf of the Customer, and, if necessary, in carrying out a data protection impact assessment. All necessary information and documentation must be made available to the Customer immediately upon request.

6.3 If the Customer is subject to an audit by a supervisory authority or other parties or if a data subjects requests to exercise its rights against the Customer, the Contractor undertakes to support the Customer to the necessary extent insofar as the personal data processed on behalf of the Customer is affected.

6.4 The persons employed by the Contractor for the processing have committed themselves in writing to confidentiality, have been made familiar with the relevant provisions of all relevant data protection laws and are continuously appropriately instructed and monitored with regard to the fulfilment of data protection requirements.

6.5 The Contractor shall support the Customer in complying with the obligations set out in Articles 32 to 36 GDPR, taking into account the type of processing and the information available to the Contractor.

6.6 The Contractor designated a Data Protection Officer. The Contractor’s Data Protection Officer is Christian Schmoll (Tel.: +49 (0)89 4622 7322, E-Mail: schmoll@dp.institute). In case of questions or concerns regarding data protection, the Customer can contact the Contractor’s Data Protection Officer at any time directly.

7. Rights and Obligations of the Customer

7.1 The Customer shall be responsible for assessing the lawfulness of the data processing and for safeguarding the rights of data subjects.

7.2 The Customer shall be entitled to monitor and audit compliance with the provisions on data protection and the contractual agreements at the Contractor to a reasonable extent itself or by third parties, in particular by obtaining information and inspecting the stored data and data processing programs. The Contractor shall, as far as necessary and possible, provide access and insight to the persons entrusted with the inspection. The Contractor is obliged to provide necessary information, to demonstrate procedures and to provide evidence which is necessary for the performance of an inspection. Inspections at the Contractor’s premises shall be carried out without avoidable disruptions to its business operations. Unless otherwise indicated for urgent reasons to be documented by the Customer, inspections shall take place after reasonable advance notice and during business hours of the Contractor and not more frequently than every 12 months.

8. Subprocessors

8.1 The Contractor may only use subprocessors with the consent of the Customer. The Customer consents to the usage of subprocessors according to the List of Sub-Processors in Annex 3 to this DPA. The List of Sub-Processors also defines the process for future changes of subcontractors.

8.2 The Contractor must carefully select its subprocessors and check before using them that they can comply with the agreements made between the Customer and the Contractor. In particular, the Contractor shall check that all subcontractors have taken the necessary technical and organisational measures to protect personal data in accordance with Art. 32 GDPR.

8.3 Services which the Contractor uses with third parties as a pure ancillary service in order to carry out its business activities shall not be considered subproceessing in the context of this DPA. This includes, for example, cleaning services, pure telecommunications services without concrete reference to services provided by the Contractor for the Customer, postal and courier services, transport services and security services.

8.4 The usage of subprocessors shall not affect the Contractor’s contractual and data protection obligations towards the Customer. The Contractor shall be liable for any acts or omissions of its subprocessors as if they were its own acts or ommissions.

9. Data Transfer to Third Countries

Data is also processed by the Contractor in third countries (outside of the EU/EEA). The transfer of personal data to a third country by the Contractor is carried out on the basis of an adequacy decision in accordance with Art. 45 GDPR and/or on the basis of appropriate safeguards in accordance with Art. 46 GDPR (e.g. Standard Contract Clauses issued by the Commission and concluded between the Contractor and the subprocessor in a third country).

10. Deletion and Return of Personal Data

10.1 Copies of the personal data processed on behalf of the Customer shall not be made without the knowledge of the Customer, except for backup copies that are necessary to guarantee proper data processing, as well as data which are necessary with regard to compliance with statutory retention obligations.

10.2 Upon termination of the Main Contract or earlier upon request by the Customer, the Contractor shall hand over the data to the Customer or delete such data in accordance with the requirements of applicable data protection laws and regulations.

10.3 Documentations which serve as proof of the orderly and proper data processing shall be stored by the Contractor beyond the end of the contract in accordance with the respective retention periods.

11. Miscellaneous

11.1 If the data of the Customer processed by the Contractor should be endangered by measures of third parties (e.g. by seizure or confiscation), by insolvency proceedings or by other events, the Contractor shall inform the Customer immediately. The Contractor shall notify the creditors without delay of the fact that the data are processed on instruction of a third party.

11.2 Ancillary agreements must be made in writing. Should individual parts of this DPA be invalid, this shall not affect the validity of the remaining provisions of the DPA.

Annex 1 to the Data Processing Addendum

Details of the Data Processing

1. Subject-matter, Nature and Purpose of the Processing

The Contractor provides its intelligence platform to the Customer. The Customer might use the Contractor’s intelligence platform to collect and process personal data.

In this case, the Customer is the controller, as defined in the GDPR, and the Contractor is a processor, as defined in the GDPR.

If applicable, the personal data is processed for the purpose of performing the services of the Contractor agreed in the Main Contract.

2. Categories of Data Subjects

The personal data processed on instruction of the Customer, if any, concern the following categories of data subjects:

Customers may submit personal data to the Software and/or collect personal data with the Software, the extent of which is determined and controlled by the Customer in its sole discretion.

The personal data may include, but is not limited to, personal data relating to the following categories of data subjects:

Personal data of customers, prospective customers, marketing addressees, suppliers, employees, applicants, etc. of the Customer may be subject of the data processing, provided that the Customer imports them into the Contractor’s intelligence platform.

In the context of the various use cases of the intelligence platform, for example in the collection of generally/publicly accessible personal data in social media listening/monitoring, vendor risk management or in the context of compliance checks, the collection and processing of personal data may also affect Internet users who use social media and other websites, e.g. blogs, etc., and publish content there that identifies them as a natural person.

3. Types of Personal Data

The personal data processed on instruction of the Customer, if any, relates to the following categories of data:

When processing personal data that the Customer imports into the intelligence platform, the categories of personal data that the Customer imports into the intelligence platform are affected.

When collecting and processing personal data within the scope of the various use cases of the intelligence platform, for example when collecting generally/publicly accessible personal data for social media listening/monitoring, vendor risk management or within the scope of compliance checks, the categories of data affected are those that are collected within the scope of the searches and/or analyses defined by the Customer, in particular names, user names, user IDs, social media IDs (e.g. Twitter handle), contact data (such as e-mail addresses), published content (if a personal reference exists or can be established) and other content and information published and/or exchanged via social media and other websites, e.g. blogs.

4. Special Categories of Personal Data

Personal data that the Customer imports into the intelligence platform may contain special categories of personal data (e.g. health data), depending on the type of data the Customer imports into the intelligence platform.

Personal data collected in the context of the use of the intelligence platform may contain special categories of personal data depending on the use of the intelligence platform by the Customer or the searches defined by the Customer (e.g. definition of specific search queries to collect generally/publicly accessible personal data in social media).

5. Duration of Processing

Personal data will be processed for the duration of the Main Contract.

Annex 2 to the Data Processing Addendum:

Technical and Organizational Measures

1. Confidentiality

1.1 Physical Access Control

Hosting/Data Center:

The Software is hosted in Google data centers (Google Cloud Platform).

The technical and organizational measures taken in the data centers of the subcontractor Google are described in detail here:

https://cloud.google.com/terms/data-processing-terms?hl=de#appendix-2:-security-measures

Office Space:

The Contractor’s offices are located in an office building in Uttenreuth, Germany. The access to the office building and to the Contractor’s offices is closed day and night. Only the landlord and the tenants of the office rooms have access to the office building. A locking system is used, which is managed by the landlord. However, each tenant of the office building has the possibility to manage the keys handed over and to grant and withdraw access rights. This is managed by the Contractor’s personnel department.

Key allocation and key management is carried out according to a defined process, which regulates the granting or withdrawal of access rights to rooms both at the beginning and at the end of an employment relationship.

Access authorizations are only granted to an employee if this has been requested by the respective superior and/or the human resources department. When granting authorizations, the principle of necessity is taken into account.

Visitors are only granted access to the office building and then to the office rooms after the doors have been opened by the reception.

Each visitor is recorded in a visitor book and then accompanied by the receptionist to his or her respective contact person.

Visitors are not allowed to move freely in the office rooms without escort.

1.2 System Access Control

To gain access to IT systems, users must have appropriate access authorization. For this purpose, corresponding user authorizations are assigned by administrators. This, however, only if this has been requested by the respective supervisor.

The user then receives a username and an initial password, which must be changed the first time he or she logs on. The password specifications include a minimum password length of 8 characters, whereby the password must consist of upper/lower case letters, numbers and special characters.

Passwords are changed every 90 days. Exceptions are passwords that have a minimum length of 32 characters.

A password history is stored. This ensures that the past 10 passwords cannot be used again.

Incorrect login attempts are logged. If an incorrect password is entered 3 times, the respective user account is blocked.

Remote access to the contractor’s IT systems is always via encrypted connections.

All servers are protected by firewalls, which are always maintained and supplied with updates and patches.

The access of servers and clients to the Internet and the access to these systems via the Internet is also secured by firewalls. This also ensures that only the ports required for the respective communication can be used. All other ports are blocked accordingly.

All employees are instructed to lock their IT systems when they leave them.

Passwords are always stored encrypted.

1.3 Data Access Control

Authorizations for the Contractor’s IT systems and applications are set up exclusively by administrators.

Authorizations are always assigned according to a strict need-to-know principle. Only those staff members who support and/or maintain data, applications or databases or are involved in the development are granted access rights to data, applications and/or databases, subject to a corresponding request for authorization for an employee by the competent supervisor/manager.

Contractor implemented a role-based authorization concept with the possibility of differentiated assignment of access authorizations, which ensures that employees receive access rights to applications and data depending on their respective area of responsibility and, if necessary, on a project basis.

The destruction of data media and paper is carried out by a service provider who guarantees proper destruction.

Employees are generally prohibited from installing unauthorized software on IT systems.

All server and client systems are regularly updated with security updates.

1.4 Separation Control

All IT systems used by the Contractor for customers are multi-client capable. The logical assignment of the data processed on behalf of a customer to the respective customer and thus the logical separation of the data is always ensured.

1.5 Pseudonymization & Encryption

Administrative access to server systems is always done via encrypted connections.

2. Integrity

2.1 Input Control

Every entry, modification and deletion of personal data processed by the Contractor on behalf of the Customer is recorded.

Employees are obliged to always work with their own accounts. User accounts may not be shared or shared with other persons.

2.2 Transfer Control

A transfer of personal data, which is carried out on behalf of the Contractor’s customers, may only take place to the extent agreed upon with the Customer or to the extent necessary to provide the contractual services for the Customer.

All employees who work on a customer project are instructed regarding the permissible use of data and the modalities of data transfer.

As far as possible, data will be transmitted to recipients in encrypted form.

The use of private data carriers is prohibited for the Contractor’s employees in connection with customer projects.

The Contractor’s employees are regularly trained on data protection topics. All employees are obliged to handle personal data confidentiality.

3. Availability and Resilience

All data in the Software is secured against accidental or willful destruction or loss by a backup strategy (online/offline; on-site/off-site) and reporting procedures. The import of backups is tested regularly.

All data centers have an uninterruptible power supply. All server systems are subject to monitoring, which immediately triggers reports to an administrator in the event of malfunctions.

The Contractor implemented a disaster recovery and business continuity plan.

4. Order Control

The Contractor’s Software is hosted in the European Union.

The Contractor designated a Data Protection Officer.

The Contractor enters into contracts in accordance with the requirements of the applicable data protection laws with every subprocessor. Every contractor is diligently audited prior to the commencement of data processing and regularly on an ongoing basis.

5. Privacy by Design and Privacy by Default

At Traversals Analytics and Intelligence GmbH, it is ensured that the principle of necessity is already taken into account during the development of the Software. The type of data collection using the Intelligence Platform and the data categories to be collected can be individually adapted and managed by the Customer.

The Contractor’s Software supports the input control by a flexible and adaptable audit trail, which allows an unchangeable storage of changes to data and user authorizations.

Authorizations on data or applications can be set flexibly and granularly.

6. Procedure for Regular Testing, Assessing and Evaluating

The Contractor implemented a comprehensive data protection management system, including detailed policies on data protection and information security.

A Data Protection and Information Security Team has been established to plan, implement, evaluate and adjust measures in the area of data protection and information security. All implemented measures and all policies are regularly evaluated and adjusted with regard to their effectiveness.

In particular, it is ensured that data protection incidents are recognized by all employees and are reported to the Data Protection and Information Security Team without undue delay. The Data Protection and Information Security Team will immediately investigate every incident. If data is affected that are processed on instruction of customers, it is ensured that the respective customers are informed about the type and extent of the incident immediately.

Annex 3 to the Data Processing Addendum:

List of Sub-Processors

The Contractor uses the following sub-processors to provide the services under the Main Contract:

Sub-Processor

Services/Processing Operations

Location of Data Processing

Appropriate Safeguards

Google Ireland Limited (Ireland)

Hosting of the Software (Google Cloud Platform), E-Mail-Processing and Storage, Website & Application Analytics

EU (Hosting) and global for the automatic translation of content

Standard Contractual Clauses (SCC)

    
    
    

Contractor may replace sub-processors or appoint suitable and reliable additional sub-processors as follows:

The Contractor shall inform the Customer by electronic means (via the Software and/or by email) reasonably in advance (at least 30 days) of granting access to personal data to a sub-processor (except for Emergency Replacements as defined below) of any changes to the List of Sub-processors.

If the Customer has a legitimate, material reason to object to Contractor’s use of a new sub-processor, Customer shall notify Contractor thereof in writing within 7 days after receipt of the information.

If Customer does not object during such time-period, the new sub-processor(s) shall be deemed agreed and consented to by the Customer.

If the Customer objects to the use of a new sub-processor, the Contractor shall take reasonable steps to address the objections raised by the Customer. If such steps are not sufficient to eliminate the Customer’s reasonable objections, either the Customer or the Contractor may terminate the Main Contract with immediate effect to the extent that it relates to services which require the use of the proposed new sub-processor, without bearing liability for such termination.

“Emergency Replacement” refers to a sudden replacement of a sub-processor where such change is outside of the Contractor’s reasonable control (such as if the sub-processor ceases business, abruptly discontinues services to the Contractor, or breaches its contractual duties owed to the Contractor). In such case, the Contractor will inform the Customer of the replacing sub-processor as soon as possible and the process to formally appoint the replacing sub-processor defined above shall be triggered.