General Terms and Conditions

These General Terms and Conditions (hereinafter referred to as “GTC”) including all integrated exhibits and the Contract pursuant to Section 2.1 of these GTC constitute the Software Subscription License Agreement (collectively, the “Agreement”) which is entered into by and between Supplier and Customer. Supplier and Customer are each a “Party” and together the “Parties”. Capitalized terms used in these GTC but not otherwise defined herein will have the meanings given to them in the Agreement.

1. SCOPE OF APPLICATION AND GENERAL PROVISIONS

1.1 These GTC apply to the provision and use of the Supplier’s software products identified in the Agreement (“Software”) as Software-as-a-Service (“SaaS” or “Service”) by the Customer. The Services offered by the Supplier are addressed exclusively to companies or persons that legally qualify as entrepreneurs (Unternehmer) pursuant to Section 14 German Civil Code (BGB). Customer will use the Software exclusively for its business, commercial or independent professional purposes.

1.2 Deviations from these GTC shall only be considered agreed if they have expressly been confirmed in writing by the Supplier. In particular, the mere omission of an objection by the Supplier against any general terms and conditions of the Customer shall not cause such terms and conditions to be considered agreed. This shall also apply if Supplier performs Services unconditionally upon knowledge of opposing terms and conditions of the Customer or terms and conditions diverging from these GTC.

1.3 For important reasons, in particular in the event of changes to statutory provisions, judicial precedents, the Software or market conditions, Supplier may undertake amendments to these GTC and notify the Customer of these amendments. The amended GTC shall be deemed to have been agreed if the Customer has not objected to the amendment within one month upon receipt of the notification and Supplier has explicitly notified the Customer of this consequence. If Customer objects in due time to amendments, Supplier has the right to terminate the contractual relationship extraordinarily without notice or to continue the Agreement under the old terms. Regardless of the foregoing, material changes to the scope of the Contractual Service (Umfang der geschuldeten Leistungen) require the express consent of the Customer.

2. SAAS SERVICES; REGISTRATION AND CONTRACTUAL RELATIONSHIP

2.1 The conclusion of a contract for the provision of the Services (hereinafter referred to as the “Contract”) can be done in the following ways: (i) the Order Confirmation issued by Supplier, which concludes the automated sales process set up by Supplier on its website upon execution by Customer, or (ii) the Order Form, the contents of which constitute, in legally binding manner, the contents of prior individual contract negotiations between the Parties. No contract will exist between the Parties until Supplier accepts the offer by Customer. Regardless of the way of conclusion of the Contract, these GTC are a legally binding part of the Agreement between the Parties and set forth the rules for the use of the Software. These GTC shall also apply to the use of the Services as a trial version, unless different provisions are made for trial versions.

2.2 The Contract specifies the number of authorized users (“Users”) for whom the Customer may create user accounts (“Seats”).

2.3 The Agreement will be effective as of the date Supplier sends the Order Confirmation or as of the date last signed on the Order Form, as the case may be (“Effective Date”).

2.4 Subject to the terms of the Agreement, Supplier will use commercially reasonable efforts to provide Customer the Services. As part of the registration process, Customer will identify an administrative user name and password for Customer’s Company account. Supplier reserves the right to refuse registration of, or cancel passwords it deems inappropriate. Customer is responsible for all activities that occur under its account(s) and for keeping the password and log-in information confidential and secure. Customer will notify Supplier immediately in text form of any unauthorized use of the account or password, or any other breach of security.

3. LICENSE GRANT; RESTRICTIONS

3.1 Supplier grants to Customer a non-exclusive, non-sublicensable, non-transferable, limited subscription license to use the Software for the agreed term and for the number of Users set out in the Contract. Customer may use the Software exclusively for its internal use subject to the Agreement and any additional terms in the applicable Contract.

3.2 Customer will not: (i) permit any third party (including an affiliate or contractor) to use the Software or maintain or operate the Software on Customer’s behalf; (ii) use the Software for the benefit of any third party, including to process the data of any third party; (iii) disassemble, reverse engineer, or reverse compile the Software in whole or in part except to the extent permitted by applicable law; (iv) modify, adapt, alter, or create derivative works from the Software; (v) merge the Software with other software, except to the extent permitted by applicable law; (vi) remove any proprietary notices from the Software.

3.3 Supplier or its licensors own all intellectual property rights to the Software and all related materials and all derivative works thereof. There is no transfer or assignment by Supplier of any ownership right and Supplier reserves all rights not expressly granted under the Agreement.

4. AVAILABILITY

4.1 During the Contract period, the Supplier shall provide the Customer with the Services with an availability of 99.5% (per calendar year). This means the availability of the Services at the handover point where the system interfaces with the internet.

4.2 Periods of unavailability due to scheduled maintenance work on the Service shall not be considered as downtime.

5. MAINTENANCE AND SUPPORT SERVICES

5.1 Supplier will provide the Customer with maintenance and support services during the Contract period without additional remuneration. Maintenance and support services include technical support services where Supplier will handle errors or faults that occur in the Service and have been reported to Supplier (“Support Services”). An error exists in particular if the Service does not fulfil the functions specified in the Contract or the service description. An error shall not be deemed to exist if the aforementioned malfunctions occur as a result of improper handling of the Service and/or breaches of obligations by the Customer.

5.2 Support Services shall be available in German or English.

5.3 Support Services shall be available from Monday to Friday from 9am until 6pm (CET). This shall not apply on days that are public holidays in Saarbrücken or on 24 and 31 December of each year. Requests received outside of these support hours shall be deemed to have been received during the next working day. During business hours, the initial response to all support requests shall occur within no more than 24 hours. All support requests shall be processed as quickly as possible and prioritised according to the following disruption severity levels:

(a) First severity level: Critical software fault leading to a total failure of the SaaS Services.

(b) Second severity level: The use of the SaaS Services is considerably limited, as the main features of the SaaS Services are not available.

(c) Third severity level: Minor faults affecting non-essential features of the SaaS Services.

5.4 Support Services shall not include any other services, such as, customizing, integration and/or training.

6. INVOICES, PAYMENT AND RENEWAL FEES

6.1 Invoicing: Fees for the Software will be invoiced by Supplier based on the terms laid out in the Contract. Supplier may provide invoices to an email address provided by Customer.

6.2 Payment: All payments are due as specified in the Contract and are non-refundable, non-cancelable, and irrevocable except as expressly stated in the Agreement. All payments shall be made without recoupment or set-off. Customer will pay all taxes and duties including, but not limited to, sales, use, rental, receipt, personal property, and other taxes (but excluding taxes based upon Supplier’s income), which may be levied or assessed in connection with the Agreement. If any payment due under the Agreement is not paid in accordance with the terms of the Agreement, then interest shall be payable and recoverable as a debt on all outstanding amounts pursuant to Sections 288, 247 German Civil Code (BGB).

6.3 Payment Methods: Supplier offers payment by credit card or via PayPal, Stripe or other direct payment services as offered by Supplier from time to time, unless agreed otherwise by the Parties. During the course of the automated sales process or the individual contract negotiations between the Parties, Customer provides Supplier with sufficient and valid information required to carry out the selected payment method. Supplier is authorized to verify the information immediately upon receipt and subsequently debit Customer’s account for all fees and charges due and payable under the Agreement.

6.4 Customer agrees that Supplier may take all necessary steps to collect these fees and charges and that Customer shall be responsible for all costs and expenses incurred in connection with such necessary collection efforts, including but not limited to collection fees, costs incurred due to the revocation of the credit card charges, if Supplier is unable to collect fees due under the Agreement from Customer’s account. In addition, Supplier may charge interest on any unpaid amounts due and payable to the maximum amount permitted by law.

6.5 Customer agrees to immediately notify Supplier of any change in its billing address or in the information used for the selected payment method. Supplier reserves the right at any time to change its prices and billing methods by e-mail delivery to Customer.

7. RESTRICTIONS AND RESPONSIBILITIES

7.1 Customer represents, covenants, and warrants that Customer will use the Services only in compliance with the Agreement, these GTC as amended from time to time, any other Supplier policies then in effect and disclosed to Customer as well as all applicable laws and regulations. Although Supplier has no obligation to monitor Customer’s use of the Services, Supplier may do so and may prohibit any use of the Services it believes may be (or alleged to be) in violation of the foregoing. In addition, Customer represents, covenants, and warrants that Users will use the Services according to the aforementioned standards and that Users fulfill all obligations imposed on them by the General Terms of Use. Customer will implement all structural processes to monitor the use of the Software by Users and a system to report any breaches of these obligations to Supplier.

7.2 Customer shall be responsible for obtaining and maintaining any equipment and ancillary services needed to connect to, access or otherwise use the Services, including, without limitation, modems, hardware, servers, software, operating systems, networking, web servers and the like (collectively, “Equipment”). Customer shall also be responsible for maintaining the security of the Equipment, Customer account, passwords (including but not limited to administrative and user passwords) and files, and for all uses of Customer account which do not take place on the Supplier’s side or the Equipment with or without Customer’s knowledge or consent.

8. CONFIDENTIALITY; PROPRIETARY RIGHTS

8.1 Each party (the “Receiving Party”) understands that the other party (the “Disclosing Party”) has disclosed or may disclose business, technical or financial information relating to the Disclosing Party’s business (hereinafter referred to as “Proprietary Information” of the Disclosing Party). Proprietary Information of Supplier includes non-public information regarding features, functionality and performance of the Service. The Receiving Party agrees: (i) to take reasonable precautions to protect such Proprietary Information, and (ii) not to use (except in performance of the Services or as otherwise permitted in the Agreement) or divulge to any third person any such Proprietary Information. The Disclosing Party agrees that the foregoing shall not apply with respect to any information after five (5) years following the disclosure thereof or any information that the Receiving Party can document (a) is or becomes generally available to the public, or (b) was in its possession or known by it prior to receipt from the Disclosing Party, or (c) was rightfully disclosed to it without restriction by a third party, or (d) was independently developed without use of any Proprietary Information of the Disclosing Party, or (e) is required to be disclosed based on statutory obligations or on the order of a court or authority.

8.2 Any disclosure of Proprietary Information to third parties shall require the express written approval of the other Party, unless otherwise expressly agreed.

8.3 The Parties shall ensure through suitable contractual arrangements that the employees and contractors working for them shall also, without temporal restriction, refrain from individual use or disclosure of confidential information. The Parties shall only disclose to Users, employees or contractors Proprietary Information to the extent such employees or contractors need to know the information for the fulfilment of the Agreement.

8.4 Notwithstanding anything to the contrary, Supplier shall have the right to collect and analyze data and other information relating to the provision, use and performance of various aspects of the Services and related systems and technologies (including, but without limitation, information concerning customer data and data derived therefrom), and Supplier will be free (during and after the term hereof) to (i) use such information and data to improve and enhance the Services and for other development, diagnostic and corrective purposes in connection with the Services and other Supplier offerings, and (ii) disclose such data solely in aggregate or other de-identified form in connection with its business.

9. TERM AND TERMINATION

9.1 Unless otherwise agreed in the contract, the term of the contract shall be 12 months and shall be extended by 12 months in each case unless the contract is terminated with two months’ notice to the end of the respective term. Each termination must be made by declaration in text form.

9.2 A breach of any term of the Agreement will be considered a default. Parties immediately inform the respective other Party by written notice of any breach of duty of which they become aware. Supplier may terminate the Agreement by written notice, if Customer (i) fails to cure any default of the Agreement no later than thirty (30) days after receipt of written notice from Supplier of such default or (ii) is subject to a bankruptcy proceeding that is not dismissed within sixty (60) days. Upon any termination of the Agreement, all amounts owed to Supplier under the Agreement are immediately due and payable, all license rights immediately cease to exist, and Customer will discontinue all use of the Software. Customer will delete the Software and all copies and related materials no later than 10 days after the date of termination (and, upon request, certify such destruction to Supplier). Customer covenants and warrants that Users will fulfill all obligations imposed on them by the General Terms of Use for the case of a termination. The provisions of this section and sections ‘Ownership’, ‘Confidentiality’, ‘Limitation of Liability’, and ‘Governing Law’ will remain in full force and effect, notwithstanding any termination or expiration of the Agreement or any license granted under the Agreement.

9.3 Upon any termination, Supplier can request the export of his data in written format for a period of thirty (30) days. Thereafter Supplier may, but is not obligated to, delete stored customer data. The Supplier may continue to store, use and process anonymized operative data for analysis purposes.

10. EXCESS USE

Customer’s use of the Software is subject to the Agreement, including any applicable Usage Metric/s and respective volume/s stated in the Contract. Any use of the Software by Customer or its legal representatives or agents or any User that exceeds this scope will be subject to additional fees. Fees accrue from the date the excess use began. Customer will execute an additional Contract to document subscriptions for additional Usage Metrics and their volume. Supplier may invoice and Customer will pay for excess use based on applicable pricing in the Contract.

11. WARRANTY AND DISCLAIMER

Supplier shall use reasonable efforts consistent with prevailing industry standards to maintain the Services in a manner which minimizes errors and interruptions in the Services and shall perform the Implementation Services in a professional and workmanlike manner. Services may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, either by Supplier or by third-party providers, or because of other causes beyond Supplier’s reasonable control, but Supplier shall use reasonable efforts to provide advance notice in writing or by e-mail of any scheduled service disruption.

In the event of only an insignificant reduction in the suitability of the Services for the contractual use, the Customer shall have no claims due to defects. The strict liability of the provider due to defects that were already present at the time of the conclusion of the contract is excluded.

12. IPR INDEMNITY

12.1 Indemnity: Supplier will indemnify Customer from any legitimate third party action against Customer to the extent proximately based upon an allegation that the licensed use of the Software infringes any third party’s intellectual property right, and pay those damages or costs (including reasonable attorneys’ fees) incurred by Customer related to the settlement of such action or awarded against Customer, provided that Customer: (i) promptly notifies Supplier of any such action; (ii) gives Supplier full authority, information, and assistance to defend such claim; and (iii) gives Supplier sole control of the defense of such claim and all negotiations for the compromise or settlement of such claim.

12.2 Exceptions: Supplier will have no indemnity obligation nor other liability under the Agreement to the extent the claim is based upon: (i) Software that was modified by anyone other than Supplier; (ii) use of other than the then-current release of the Software, if the infringement could have been avoided by use of the then-current release and such release was made available to Customer; or (iii) use of the Software in conjunction with other software, hardware or Customer data, where such use gave rise to the infringement claim.

12.3 Remedy: If Supplier determines that the Software is likely to be the subject of a claim of infringement, Supplier may, in its sole discretion: (i) replace or modify the Software; (ii) procure the right for Customer to continue using the Software; or (iii) terminate the license to the Software and refund to Customer a pro-rated portion of the applicable unused subscription fees. This section ‘IPR Indemnity’ states Supplier’s exclusive liability and Customer’s exclusive remedy regarding any claim of intellectual property infringement by the Software or any materials or services provided under the Agreement.

13. LIMITATION OF LIABILITY

13.1 The Supplier shall be liable to the Customer

    • for damages caused by him as well as his legal representatives or vicarious agents intentionally or through gross negligence,
    • according to the product liability law and
    • for damages resulting from injury to life, body or health for which the Supplier, its legal representatives or vicarious agents are responsible.

13.2 The Supplier shall not be liable in the event of slight negligence, except to the extent that it has breached a material contractual obligation, the fulfillment of which is a prerequisite for the proper performance of the contract or the breach of which jeopardizes the achievement of the purpose of the contract and on the observance of which the Customer may regularly rely. In the case of damage to property and financial loss, this liability shall be limited to the foreseeable damage typical of the contract. This also applies to lost profits and savings. Liability for other consequential damages is excluded.

For an individual case of damage, liability is limited to the amount of remuneration per contract year, but not less than EUR 10,000. The contracting parties may agree in writing on a more extensive liability upon conclusion of the contract, usually against a separate remuneration. The liability according to clause 13.1 remains unaffected by this paragraph.

13.3 The Supplier shall only be liable for damages under a guarantee if this was expressly assumed in the guarantee. In the event of slight negligence, this liability shall be subject to the limitations set forth in Section 13.2.

13.4 Any contributory negligence on the part of the Customer shall be taken into account. In particular, Supplier shall only be liable for the recovery of data if the Customer has taken all necessary and reasonable data backup precautions and ensured that the data can be recovered at reasonable cost from data material kept in machine-readable form.

13.5 This liability arrangement is conclusive. It shall apply with respect to all damage compensation claims, irrespective of their legal ground, particularly also with respect to pre-contractual claims or collateral contractual claims. This liability arrangement shall also apply in favor of legal representatives and agents of Supplier if claims are asserted directly against them.

13.6 The Customer is obliged to immediately notify any damage pursuant to the above liability provisions to Supplier in text form or to have such damage documented by Supplier, so that Supplier is informed as early as possible and can possibly still mitigate the damage together with the Customer.

14. LIMITATION OF CLAIMS

14.1 Claims of the Customer based on the breach of any duty not consisting of a defect become time-barred, except in the event of intention or gross negligence, within one year from the beginning of the limitation period. This shall not apply if the damage in question incurred by the Customer consists in personal injury. Claims for personal injury become time-barred within the statutory limitation period.

14.2 Any rescission of contract or reduction of payments shall be invalid if the claim to performance or subsequent performance of the Customer has become time-barred.

15. TRIAL PHASE

Insofar as Supplier enables Customer to use a free test phase (“Trial Phase”), the following provisions shall apply in deviation from the other terms of these GTC:

15.1 The Trial Phase is free of charge.

15.2 The term of the Trial Phase shall be specified in the Agreement. During the Trial Phase, the Agreement may be terminated by either party at any time without notice. If the Trial Phase is not terminated at the end of the term, the Agreement automatically continues subject to the general fees and any other regulations of these GTC.

16. MISCELLANEOUS

16.1 Assignment: Customer may not assign, transfer, delegate, or sublicense any of Customer’s rights or obligations under the Agreement without Supplier’s prior written consent. Any assignment, transfer, delegation, or grant of sublicense without Supplier’s consent is null and void. Supplier may transfer and assign any of its rights and obligations under the Agreement without consent.

16.2 Data Protection: The obligations of the Parties in connection with the processing of personal data according to Art. 4 No. 1 of the General Data Protection Regulation (GDPR), are set out in the Data Processing Agreement (Attachment DPA) between the Parties. The Parties confirm that they have read, understood and accepted this Data Processing Agreement. In the event of any inconsistency between the Data Processing Agreement and these Terms or any other contractual agreement between the parties in this regard, the provisions of the Data Processing Agreement shall prevail.

16.3 Independent Contractors: The Parties are independent contractors and have no power to bind or incur obligations on the other Party’s behalf.

16.4 Force Majeure: Neither Party is liable for failing to perform an obligation under the Agreement if such failure is due to any case of Force Majeure. Force Majeure is an external event caused by elementary forces of nature or by the actions of third parties, which is unforeseeable according to human insight and experience, cannot be prevented or rendered harmless by economically acceptable means, even by the utmost care reasonably to be expected in the circumstances, and cannot be accepted because of its frequency.

16.5 Governing Law: The Agreement is governed by the laws of Germany without giving effect to its conflicts-of-laws provisions and excluding the United Nations Convention on Contracts for the International Sale of Goods (CISG). The parties agree that the exclusive personal jurisdiction, procedure and venue for legal disputes arising from or connected with the Agreement shall lie with the courts of Saarbrücken, Germany. Arbitration processes are excluded.

16.6 Marketing: The Customer consents to Supplier disclosing the collaboration between Supplier and the Customer for marketing purposes and, in this connection, also using the company logo of the Customer. The Customer may revoke this consent at any time by declaration in text form (e.g. via e-mail to media@sicross.com).

Attachment: Data Processing Agreement (DPA)

1. Subject of the contract

In the context of the provision of services under the SaaS Contract with the Customer (hereinafter referred to as “Controller”) (hereinafter referred to as the “Main Contract”), it is necessary for the Supplier (hereinafter referred to as “Processor”) to handle personal data for which the Controller acts as controller within the meaning of the data protection provisions (hereinafter referred to as “Data”). This contract specifies the rights and obligations of the parties under data protection law in connection with the Processor’s handling of Processing Data for the purpose of implementing the Main Contract.

2. Type, scope, purpose and duration of commissioned data processing

2.1 The processor processes the processing data on behalf of and according to the instructions of the controller within the meaning of Article 28 of the General Data Protection Regulation (“GDPR”) (commissioned data processing). The data controller remains the data controller in the sense of Article 4 No. 7 of the GDPR.

2.2 This Data Processing Agreement shall be effective for the duration of the Main Contract and shall terminate automatically upon expiration or termination of the Agreement for any reason.

2.3 The scope, nature and purpose of the Processing of Personal Data hereunder shall be as defined in the Main Contract.

2.4 Processing may include the following types/categories of Personal Data:

    • Personal information: Name
    • Business related information: Email address, phone number, job description
    • Content: Videos, voice recordings
    • Technical Data: IP address, usage data, device data

2.5 The data subjects concerned by the Processing hereunder are assigned to the following categories:

    • Employees of Customer
    • Suppliers of Customer
    • Business contacts of Customer

2.6 The Processing Data shall generally be processed in the territory of the Federal Republic of Germany, in another member state of the European Union or in another state party to the Agreement on the European Economic Area. Notwithstanding the foregoing, the Processor is also permitted to process Processing Data outside the EEA in compliance with the provisions of this Agreement if this is permitted under the provisions of the GDPR, in particular Art. 44 et seq.

2.7 The term and termination of this contract shall be governed by the provisions on the term and termination of the main contract. Termination of the main contract shall automatically result in termination of this contract. An isolated termination of this contract is excluded.

3. Powers of instruction of the person responsible

3.2 The processor shall process the processing data only on the documented instructions of the controller, including in relation to the transfer of personal data to a third country or an international organisation, unless obliged to do so by Union or Member State law to which the processor is subject. In the event of such an obligation, the processor shall communicate those legal requirements to the controller prior to the processing, unless the law concerned prohibits such communication on grounds of important public interest. The controller shall be entitled to issue individual instructions.

3.3 If the processor is of the opinion that an individual instruction is unlawful, it shall inform the controller thereof without delay. In addition, the processor shall be entitled to suspend the execution of the instruction until the controller confirms the instruction.

4. Rights and duties of the person responsible

4.1 The Controller is responsible for the lawfulness of the processing of the Processing Data and for safeguarding the rights of the Data Subjects. Should third parties assert claims against the Processor due to the processing of Processing Data, the Controller shall indemnify the Processor against all such claims upon first request.

4.2 The Controller shall immediately and fully inform the Processor if it discovers errors or irregularities with regard to data protection provisions or its instructions during the examination of the Processor’s order results.

5. Rights and obligations of the processor

5.1 The Processor shall ensure and regularly monitor that the Data Processing in the context of the provision of the Services under the Main Contract within its area of responsibility, which includes sub-processors under Clause 9 of this Contract, is carried out in accordance with the provisions of this Contract.

5.2 The Processor shall support the Controller in the event of inspections by the supervisory authority within the scope of what is reasonable and necessary, insofar as these inspections concern data processing by the Processor.

5.3 The Processor shall ensure that the persons authorised to process the Personal Data have committed themselves to confidentiality or are subject to an appropriate legal duty of confidentiality.

5.4 The Contractor’s data protection officer can be contacted at pascal@sicross.com.

6. Breaches of the processor to be notified

6.1 The Processor shall inform the Controller without undue delay if it discovers that it or an employee has violated data protection regulations or provisions of this Agreement in the processing of Processing Data, insofar as there is therefore a risk that Processing Data may have been unlawfully transmitted or otherwise unlawfully disclosed to third parties.

6.2 Insofar as the controller is subject to statutory duties to provide information due to unlawful acquisition of knowledge of processing data as a result of an incident pursuant to Section 7.1, the processor shall support the controller in fulfilling the duties to provide information at the controller’s request within the scope of what is reasonable and necessary.

7. Control rights of the responsible person

7.1 The Processor shall provide the Controller with all information necessary to demonstrate compliance with the Processor’s obligations set out in this Contract and shall enable and support audits – including inspections – carried out by the Controller or any other auditor appointed by the Controller.

7.2 The Controller shall be entitled to enter the business premises of the Processor where Processing Data are processed during normal business hours (Monday to Friday from 10 a.m. to 6 p.m.) at its own expense, without disrupting operations and subject to strict confidentiality of the Processor’s trade and business secrets, in order to satisfy itself of compliance with the technical and organisational measures pursuant to Annex 1 to this Agreement.

7.3 The Processor shall grant the Controller the access, information and inspection rights required to carry out the checks pursuant to Clause 8.2. In exercising these rights, the Controller shall show consideration for the Processor’s operational concerns and trade and business secrets. The Controller shall not be entitled to have access to data or information on other clients of the Processor, to information regarding costs, to quality audit and contract management reports, or to any other confidential data of the Processor that is not directly relevant to the agreed control purposes.

7.4 The Processor shall be entitled, at its discretion, taking into account the Controller’s legal obligations, not to disclose information that is sensitive with respect to the Processor’s business or if the Processor would be in breach of any legal or other contractual provisions by disclosing it. The Controller shall not be entitled to have access to data or information relating to other clients of the Processor, information relating to costs, quality audit and contract management reports and any other confidential data of the Processor which is not directly relevant to the agreed control purposes.

7.5 The Controller shall inform the Processor in good time (as a rule at least two weeks in advance) of all circumstances related to the performance of the inspection. As a rule, the Controller may carry out one inspection per calendar year. This does not affect the right of the Controller to carry out further inspections in the event of special incidents.

7.6 If the Controller commissions a third party to carry out the inspection, the Controller shall impose the same obligation in writing on the third party as the Controller is obliged to impose on the Processor under this Clause 8 of this Agreement. In addition, the Controller shall oblige the third party to maintain secrecy and confidentiality, unless the third party is subject to a professional confidentiality obligation. At the request of the Processor, the Controller shall immediately submit to the Processor the commitment agreements with the third party. The Controller may not commission a competitor of the Processor to carry out the inspection.

7.7 At the choice of the Processor, proof of compliance with the technical and organisational measures pursuant to Annex 2 may also be provided instead of an on-site inspection by submitting a suitable, current audit certificate, reports or report extracts from independent bodies (e.g. auditor, audit, data protection officer, IT security department, data protection auditors or quality auditors) or a suitable certification by IT security or data protection audit – e.g. in accordance with BSI-Grundschutz – (“audit report”), if the audit report reasonably enables the Controller to satisfy itself of compliance with the technical and organisational measures in accordance with Annex 1 to this Agreement.

8. Subcontracting relationships

8.1 The Controller authorises the Processor to establish sub-processing relationships with other processors (hereinafter “Sub-processors”) with regard to the processing of Processing Data (Art. 28 II 2 GDPR). The current list of Sub-processors can be found under https://sicross.com/sub-processors. The Processor shall inform the Controller of any intended change with regard to the use or replacement of Sub-processors. The Controller may object to such changes. The Processor shall impose the same data protection obligations on the Sub-processor as are set out in this Contract between the Controller and the Processor. The Processor shall only engage Sub-processors located in a non-EU/non-EEA third country if the requirements of Art. 44 et seq. GDPR are complied with.

8.2 If the Sub-processor fails to comply with its data protection obligations, the Processor shall be liable to the Controller for compliance with the obligations of that Sub-processor.

9. Rights of the data subjects

9.1 Insofar as a data subject contacts the Processor directly for the purpose of accessing, correcting, deleting or blocking the data concerning him or her, the Processor shall forward this request to the Controller in a timely manner.

9.2 In the event that a data subject exercises his or her rights under Chapter III of the GDPR, in particular to rectify or erase Processing Data or to obtain information about the stored Processing Data and the purpose of the storage, the Processor shall support the Controller in doing so with appropriate technical and organisational measures where possible.

9.3 The Processor shall assist the Controller, taking into account the information available to it, in fulfilling the Controller’s obligations under Articles 32 to 36 of the GDPR.

9.4 The Processor shall enable the Controller to rectify, erase or block Processing Data or, at the request of the Controller, carry out the rectification, blocking or erasure itself, unless there is an obligation to store the Processing Data under Union or EU Member State law.

10. Relationship to the main contract

Insofar as this DPA contains no special provisions, the provisions of the Main Contract shall apply. In the event of contradictions between this DPA and provisions of other agreements, in particular the Main Contract, the provisions of this DPA shall take precedence.

**This DPA is bindingly agreed between the Parties as part of the General Terms and Conditions without separate signature.**

Annex 1 - Technical and organisational measures

1. si:cross office / si:cross internal

There are no servers in the si:cross office. All servers are located in the Amazon Web Services data centre in Frankfurt am Main (Germany). 

  • Physical access control
    • The si:cross office has security locks
    • Only the two managing directors of si:cross are issued a key
    • Withdrawal of means of access after expiry of authorisation
    • Visitors are received outside the office e.g. in co-working spaces
  • Work from abroad
    • Internal policies are in place to enforce device security measures
    • These include, but are not limited to, password protection after the boot sequence and when the device is left unattended, FileVault enabled and up-to-date anti-virus protection
    • Printing of documents containing customer-sensitive information is to be avoided altogether
    • Documents that are no longer needed must be disposed of securely
  • Access control (also applies to home office)
    • Firewall router
    • MAC allow list for LAN & WLAN
    • Clean desk policy
    • All laptops are personalised for each employee, password protected and run the latest operating system.
    • The following rule applies to the use of a secure password:
      • it must contain at least one uppercase letter, one lowercase letter, one special character and one number, and be at least 8 characters long
    • Staff members are instructed to lock the laptop when leaving.
    • All logins are secured with MFA
    • Encrypted hard disks at workstations that contain login data for personal data
    • Immediate blocking of authorisations when employees leave the company
  • Transfer control
    • Encryption of storage media
    • Secure file transfer (e.g. sftp)
    • Secure data transport (e.g. SSL, ftp, ftps, TLS)
    • Hard disks can be remotely erased/locked in case of loss or theft
    • Prohibition of the use of private data carriers for work related data
    • Procedure for the deletion/disposal of data carriers and documents in compliance with data protection requirements
  • Input control (not applicable)
  • Order control (not applicable)
  • Availability control
    • Backup procedure/regular backup copies 
    • Mirroring hard disks 
    • Use of protection programmes (virus protection, firewall, SPAM filter) 
    • Automated standard routines for regular updating of protection software (e.g. virus scanner, malware protection and firewall systems)
  • Data separation (not applicable)
  • Organisational control
    • All employees have been bound in writing to data secrecy and instructed accordingly.
    • All employees are trained regularly (at least once a year) on data protection in the work environment.
    • Auditing by the data protection officer(s) is carried out on a regular basis.
    • There is a procedure for regular review, assessment and evaluation (Art. 32 (1) (d) of the GDPR) in the form of a data protection management system.

2. si:cross Software as a Service (SaaS) - AWS Infrastructure

  • Physical access control
    see the documents of Amazon Web Services Inc. (AWS):
    https://aws.amazon.com/compliance/data-center/data-centers/
    https://aws.amazon.com/compliance/data-center/controls/
  • Access control
    • All data on storage systems (e.g. database) is stored in encrypted form.
    • Only Tech Leads have access to productive systems
    • Source code cannot be manipulated on productive systems. Changes must be implemented as part of our development process, which includes testing for bugs and security vulnerabilities.
    • Access to productive systems is secured by strong authentication procedures and MFA
    • Implementation of the “least privilege” principle. Each user or technical resource has exactly the permissions needed for its respective task.
  • Transfer control
    • Electronic data transmission is encrypted end-to-end using TLS (e.g. HTTPS). This ensures the integrity and confidentiality of the data.
    • Access to personal data, including the requesting user, is logged.
    • All available endpoints are protected by firewalls
  • Input control
    • Changes/entries of personal data directly in the si:cross database are recorded, as are external accesses by users (log file for logins).
    • The si:cross database records administrative accesses, including timestamp and IP address. Access attempts are also recorded, including timestamp, user and target database.
    • Failed access attempts are logged
    • Separation of development, test and productive systems
  • Order control
    • General Terms and Conditions & Order Processing Agreement
    • Subcontractor hosting personal data: AWS
  • Availability control
    • AWS guarantees a highly available cloud infrastructure
    • Our systems are redundant to prevent single points of failure. System errors are corrected immediately and automatically
    • All data is protected against loss by backups. Backups are kept in a location separate from the original data to ensure appropriate disaster recovery.
    • In addition to the monitoring mechanisms implemented by AWS, we monitor the infrastructure ourselves for availability, performance and errors
    • A multi-level virus protection concept is implemented. When uploading files, only file types considered low-risk (audio, video and image files) are accepted. The systems are shielded from each other and only have the authorisations necessary for their task. Furthermore, virtualisation concepts at operating system level ensure that sub-applications are isolated and run independently of each other
  • Data separation
    • We implement a multi-layer isolation concept for data separation. Each layer of the application uses its own mechanisms to ensure that only data for which the current user is authorised can be accessed.
    • See also si:cross Security Concept

3. si:cross search - Algolia Service

  • Physical access control
    see the Algolia documents:
    https://www.algolia.com/pdf/DPA-latest.pdf (especially Appendix 2 – Security Measures)
    https://www.algolia.com/solutions/security/
    https://www.algolia.com/doc/faq/security-privacy/gdpr/
  • Access control
    • https://www.algolia.com/pdf/DPA-latest.pdf (in particular Appendix 2 – Security Measures)
    • Only Tech Leads have access to productive systems
    • Access to productive systems is secured by strong authentication procedures and MFA
    • Implementation of the “least privilege” principle. Each user or technical resource has exactly the permissions needed for its respective task.
  • Transfer control
    • Electronic transmission of data: TLS & HTTPS
    • Access to personal data, including the requesting user, is logged.
  • Input control
    • Changes/inputs of personal data directly in the data stored by Algolia are recorded, as are external accesses by users (log file for logins).
    • Separation of development, test and productive systems
  • Order control
    • General Terms and Conditions & Order Processing Agreement
    • Subcontractor hosting personal data: Algolia
  • Availability control
    • Algolia guarantees a highly available cloud infrastructure
    • Redundancies & backups
  • Data separation
    • Data from different tenants are stored logically separated from each other in Algolia. Access across these boundaries is not possible
    • We implement a multi-level isolation concept for data separation. Each layer of the application uses its own mechanisms to ensure that only data for which the current user is authorised can be accessed.