Terms & Conditions

General Terms and Licensing Conditions for Companies

of Lano Software GmbH, Rosenthaler Str. 13, 10119 Berlin, Germany (hereinafter referred to as the Provider or Lano).

Version 1.4 – January 2020

§ 1   Scope

  1. (1)   The version of these General Terms and Licensing Conditions (hereinafter referred to as Terms) applicable at the time of ordering shall govern the contractual relationship between the Provider and persons who order software and accompanying services from the Provider (hereinafter referred to as Clients). The Provider and the Client are each referred to individually as a Party and jointly as the Parties.
  2. (2)   The Client assures that, as an entrepreneur within the meaning of Section 14 of the German Civil Code (BGB), they are acting in the exercise of their commercial or independent professional activity. The Provider does not conclude contracts with consumers.
  3. (3)   There are no verbal ancillary agreements between the Parties. These Terms shall apply exclusively. Any terms and conditions of the Client that deviate from or contradict these Terms shall not apply; this shall also apply if the Provider does not expressly object to the Client’s terms and conditions.

§ 2   Object of the contract

  1. (1)   Lano offers its clients various, usually web-based, software-as-a-service solutions for freelancer management. The software solutions offered by Lano support companies in onboarding, organising and paying freelancers, partner companies and service providers.
  2. (2)   In addition, freelancers, partner companies and service providers can use the freelancer version software from Lano for order management, invoicing and customer administration purposes. Freelancers and other service providers are not subject to these Terms, but rather to separate terms of use for freelancers and service providers.
  3. (3)   The object of the contract is the provision of the software offered by Lano for the use of its functionalities (hereinafter referred to as the Software), the provision of storage space for data generated by the Software or required to use the Software (hereinafter referred to as Application Data) as well as, depending on the licensing model, support services by the Provider to the Client, in return for payment of the agreed remuneration.
  4. (4)   The functional scope of the Software is based on these Terms as well as the selected licensing model (e.g. Starter, Premium, Enterprise) and the service description provided at the time of ordering (available at https://www.lano.io/en/pricing/). Unless otherwise specified in these Terms, in the details of the licensing model or in the service description, the Provider shall not be obliged to provide further support with regard to the object of the contract. However, such support may – if not already arranged – be agreed between the Parties at any time. Regardless of the specific individual agreement between the Parties, the right of the Provider to maintain, update and service the Software shall remain unaffected.

§ 3   Conclusion of the contract

  1. (1)   The information contained in catalogues, advertisements and on websites shall be subject to change and non-binding and does not represent an offer by the Provider.
  2. (2)   The Client’s order shall represent an offer to the Provider to conclude a contract for the Software or service ordered by the Client.
  3. (3)   If the Client places an order via the internet or email or in any other way, they will receive an email from the Provider confirming receipt of the order and listing the details of the order (order confirmation). This order confirmation shall not represent an acceptance of the Client’s offer, but merely inform the Client that the Provider has received their order. The Client shall be bound to this order for 14 days after the Provider receives their order.
  4. (4)   A contract between the Client and the Provider concerning the Software or service ordered in the individual case shall only be concluded if and when the Provider accepts the order by sending another email or in another way, for example by sending the Client access data to the Software. The Provider reserves the right to accept the Client’s offer only in part; a contract shall not be concluded for Software that is not listed in the declaration of acceptance.

§ 4   Provision of the Software and hosting of the Application Data

  • (1)   At the latest during the course of the working day following conclusion of the contract, the Provider shall make the latest version of the Software ordered available on one or more servers for use in accordance with the following provisions.
  • (2)   The Provider shall be liable for ensuring that the Software provided is suitable for the purposes defined in the service description provided at the time of ordering, and that it is free from defects for the duration of the contract, in particular that it is free from viruses and similar malware which would make the Software unsuitable for the use specified in the contract. If the Provider obtains the Software from third parties, it shall be obliged to keep the last commercially available version of such Software ready for use by the Client for up to six months after its general market release by the manufacturer. Insofar as the Provider produces the Software itself, it shall ensure that the Software it has produced always reflects the established state of the art.
  • (3)   With the acceptance of the offer, the Provider shall send the Client an email containing a link for the user (“administrator”) specified by the Client in the order, via which the Client can set a password. The Client shall be obliged to choose a sufficiently secure password known only to them. Using their email address and the password chosen by the Client, the Client can log on to the Lano website to use the Software as an administrator. The Client shall keep the access data, including the password, secret and not make it accessible to unauthorised third parties. If provided for under the selected licensing model, additional employees of the Client, designated by the Client, may be granted access to the Software. These and the administrator shall be considered “authorised users”.
  • (4)   Furthermore, the Client shall be entitled to provide email addresses in order to send user invitations to freelancers and other service providers via the administration area of the website. During the registration process, the invited user will be asked to provide their login information, contact details and a password. Once the account has been activated and confirmed by the Client, the user can use this data to log in to the user or freelancer area of the website. Freelancer accounts within the meaning of this clause allow freelancers and other service providers to manage contractual relationships with several clients via the Lano website. The use of the freelancer accounts by freelancers and other service providers is not exclusively limited to one client or principal.
  • (5)   To access the provided Software, the Client requires an internet connection and a current browser of the types Internet Explorer, Chrome or Firefox. The Provider does not guarantee support for other browsers. Furthermore, appropriate hardware is required (e.g. internet-enabled device), which is capable of running the aforementioned browsers.
  • (6)   The Provider shall make storage space available on the server for the Application Data from the point in time of operational provision as agreed in Sect. 4 (1). The storage space for the Application Data shall generally be limited to 500 GB, unless otherwise agreed upon under the selected licensing model. The Parties may agree a different arrangement in writing.
  • (7)   The Client shall have no claim to the provision of a specific server for their sole use. If the data stocks of clients are separated, the Provider shall be entitled to allow multiple clients to use the server at the same time as long as the server has sufficient capacity.
  • (8)   The Software and Application Data are backed up on the server on a regular (at least daily) basis. The backups are kept for 30 calendar days.
  • (9)   The Client shall inform the Provider without undue delay if there is a suspicion that unauthorised persons have gained knowledge of the Client’s or their users’ access data and/or passwords.
  • (10) If and to the extent that the provision of a new version or a change is accompanied by a change in the functionalities of the Software, in the Client’s work processes supported by the Software, and/or in restrictions in the usability of previously generated data, the Provider shall notify the Client of this in writing at least six weeks before such a change takes effect. If the Client does not object to the change in writing within two weeks from receipt of the notice of change, the change shall become part of the contract. Whenever it announces changes, the Provider shall draw the Client’s attention to the aforementioned deadline, and to the legal consequences of the deadline passing in the event of failure to exercise the right of objection.
  • (11) The handover point for the Software and Application Data is the router exit of the servers used by the Provider.

§ 5   Software availability and access to Application Data

  • (1)   During the uptime (Mon-Fri: 7am–8pm), the Provider shall ensure 98% average monthly availability of the Software at the handover point (interface to the internet of the server on which the Software is hosted). By “availability” the Parties mean the possibility of using the Software in accordance with the contract at the handover point.
  • (2)   The Software shall also be considered available in the event of
    • (a)  disruptions to parts of the technical infrastructure that are necessary for the execution of the Software, or the internet, which do not have to be provided by the Provider or by the parties it uses to perform its obligations;
    • (b)  disruptions or other occurrences to which the Provider or one of the parties it uses to perform its obligations did not contribute;
    • (c)  scheduled downtime within the meaning of (4);
    • (d)  insignificant reductions in the suitability of the Software for use in accordance with the contract.
  • (3)  The Provider shall provide the Client with a website (https://lano.freshdesk.com/) for support requests and error messages. In addition, support requests and error messages can be submitted to the Provider using the contact information (email addresses and telephone numbers) provided on its website. Requests and error messages are processed on working days in Berlin between 7am and 8pm promptly and in order of urgency.
  • (4)  The Provider shall be entitled to schedule downtime for the Software and/or the server for servicing, maintenance, data backup and for other work on the Software and/or the server. Such scheduled downtime shall be announced to the Client with at least one week’s notice and should generally take place at times of low usage (Monday to Friday between 8pm and 6am and on weekends and German national holidays). The Provider shall not be required to give advance notice for work that is urgently required, e.g. to close security gaps or to maintain functionality. During the scheduled downtime, the Client shall have no legal claim to use the Software and/or the server. If the Client uses the Software and/or the server during the scheduled downtime, the Client shall nevertheless not be entitled to claim liability for defects or damages in the event of a reduction or discontinuation of the service.

§ 6   Further services of the Provider

  • (1)   Documentation
    • (a)  The Provider shall provide the Client with information online (e.g. at https://lano.freshdesk.com/support/home) that enables the Client to use the Software for the contractually intended purposes. The information shall be revised once a year to reflect significant changes in the use of the Software.
    • (b)  If the Provider provides Software of third parties and no documentation in German/English is generally available from that third party, the Provider shall be entitled to provide only the documentation to which it has access.
    • (c)  The Client shall be entitled to save, print out and make a reasonable number of copies of the documentation provided for the purposes of this contract, while retaining any proprietary rights notices. In all other respects, the restrictions of use for the Software agreed under Sect. 7 shall apply mutatis mutandis to the documentation.
  • (2)   Further services of the Provider, in particular training on how to use the application, can be agreed upon at any time in text form (e.g. by email). Such further services shall be rendered in return for reimbursement of the documented expenditure incurred, at the Provider’s prices which are generally applicable at the time of ordering.

§ 7   Rights of use and using the Software; rights of the Provider in the event that the rights of use are exceeded

  • (1)   The Client shall receive simple, non-sublicensable and non-transferable rights of use for the Software, limited to the term of this contract, in accordance with the following provisions.
  • (2)   The details of the rights of use shall depend on the descriptions displayed at the time of ordering and the selected licensing model, which shall apply as a supplement to these Terms.
  • (3)   The rights of use shall be granted to the Client and, depending on the selected licensing model, to the Client’s employees and to users registered and confirmed by the Client in accordance with Sect. 4 (4). If the number of users exceeds the number of users agreed upon under the respective licensing model, the Client shall pay a flat-rate monthly use fee of 1 EUR per user; this shall not affect any further claims on the part of the Provider in the event of additional use that exceeds the agreed use.
  • (4)   The Client’s right of use shall be limited to access to the Software on the server. There shall be no physical transfer of the Software to the Client. The Client shall only be permitted to use the Software for their own business activities.
  • (5)   The Client shall not be entitled to make changes to the Software. This shall not apply to changes that are necessary in order to rectify errors, if the Provider fails to remove the error on time, refuses to correct the error or is unable to correct the error due to the institution of insolvency proceedings.
  • (6)   If the Provider introduces new versions, updates, upgrades or other new releases concerning the Software during the term of the contract, the foregoing rights shall also apply to these.
  • (7)   If rights are not expressly granted to the Client above, the Client shall not enjoy such rights. In particular, the Client shall not be entitled to use the Software, including its source code, beyond the agreed use or to have it used by third parties or to make the Software accessible to third parties. In particular, it shall not be permitted to reproduce, sell, or temporarily transfer the Software, in particular to rent or lend it. The Client shall take the necessary precautions to prevent the use of the Software by unauthorised persons.
  • (8)   The Client shall be liable for ensuring that the website and Software made available to them by the Provider are not used for racist, discriminatory or pornographic purposes, purposes that endanger the protection of minors, are politically extreme or otherwise illegal or in breach of official regulations or requirements, and for ensuring that no data of this nature, in particular Application Data, is created and/or stored on the server. The Client shall be responsible for the content posted by them and by users. The Provider does not check whether content is complete, correct, legal, up to date, of a certain quality or suitable for a specific purpose.
  • (9)   The services available on the platform are intended exclusively for the purposes specified in Sect. 2. Use for other commercial purposes is prohibited, unless the Provider has given its express prior written consent. Unauthorised commercial use includes in particular all offers and promotions of paid content, services and/or products (both the Client’s own and those of third parties), as well as offering, promoting and performing activities with a commercial background such as competitions, prize draws, bartering, advertisements or pyramid schemes.
  • (10) In the event of a violation of the foregoing provisions, the Provider reserves the right to block the Client’s or the user’s access temporarily or permanently. In the event of temporary or permanent blocking, the Provider shall block the account and notify the Client. If the Client continues to violate or repeatedly violates the foregoing provisions despite having been reminded by the Provider and if the Client is responsible for this, the Provider shall have a right of extraordinary termination without notice. This shall not affect any further claims on the part of the Provider.
  • (11) If and to the extent that, during the term of this contract, a database, databases, a database work or database works are created on the Provider’s server as a result of activities by the Client which are permitted under this contract, the Client shall be entitled to all rights thereto. The Client shall remain the owner of the databases or database works even after the end of the contract.

§ 8   Obligations and duties of the Client

  • (1)   The Client shall refrain from interfering with the Software or allowing it to be interfered with in any way other than for normal use, as well as from penetrating the Provider’s data networks without permission or promoting such penetration (e.g. carrying out load and/or penetration tests).
  • (2)   The Client assures that they shall only access the Software and Application Data on the basis of these Terms and via the interfaces provided by the Provider. The Client shall also refrain from circumventing any security measures that the Provider has taken to protect the Software and Application Data.
  • (3)   Furthermore, the Client shall be obliged to notify the Provider without undue delay of any defects in contractual services, in particular defects in the Software. If the Client fails to notify the Provider in time for reasons for which the Client is responsible, this shall constitute contributory cause or contributory negligence. Insofar as the Provider was unable to remedy the situation as a result of failure to notify or a delay in the notification, the Client shall not be entitled to reduce the agreed remuneration in whole or in part, to demand compensation for the damage caused by the defect, or to terminate the contract without notice due to the defect. The Client shall be required to demonstrate that they are not responsible for the failure to notify.
  • (4)   The Client shall keep the username they use as well as their selected password secret, shall not pass these on to any unauthorised third party, and shall take appropriate and standard measures to protect them from access by third parties. The same shall apply to other access data of which the Client becomes aware in connection with using the Software as well as to access data for user accounts set up by the Client. If unauthorised third parties nevertheless become aware of the username and/or password or if the Client suspects that this has happened, the Client shall be obliged to inform the Provider without undue delay. When an employee leaves the company, the Client shall deactivate or change that person’s access data without undue delay.
  • (5)   The Client shall release the Provider from claims of third parties which are based on an illegal use of the Software by the Client or which result from data protection, copyright or other legal disputes caused by the Client and which are connected with the use of the Software.
  • (6)   The Client shall ensure that they observe all third-party rights to the material they use (e.g. when transmitting texts/data of third parties to the Provider’s server); likewise, they shall take suitable measures to ensure that any content posted by users does not infringe third-party rights.
  • (7)   Before sending data and information to the Provider, the Client shall check them for viruses and use up-to-date antivirus programs.
  • (8)   If the Client transmits data to the Provider for the purpose of generating Application Data, the Client shall be required to back up such data regularly and in a manner commensurate with the importance of the data, and to create their own backup copies, to enable the reconstruction of the data and information in the event of loss.
  • (9)   If and to the extent that they are given the technical opportunity to do so by mutual agreement, the Client shall regularly secure the Application Data stored on the server by downloading it. In particular, the Client shall be able to save invoices, profiles, templates and other documents on their own data carriers at any time using the export features provided by the Provider. The Client shall be responsible for compliance with retention periods under commercial and tax laws for invoices and other tax-relevant documents that can be retrieved via the export features. This shall not affect the Provider’s obligation to back up data under Sect. 4 (8) of this contract.
  • (10) The Client shall oblige authorised users under Sect. 4 (3) to comply with all provisions of Sect. 8 accordingly.

§ 9   Confidentiality

  • (1)   Information to be treated as confidential shall be the information expressly identified as confidential by the party providing the information and such information whose confidentiality is clearly evident from the circumstances of the transfer. The Provider must treat Application Data in particular as confidential, should it gain knowledge of it.
  • (2)   Information shall not be deemed confidential if the party receiving the information can prove that it was known or generally accessible to it before the date of receipt; was known or generally accessible to the public before the date of receipt; or became known or generally accessible to the public after the date of receipt, without the receiving party being responsible for this.
  • (3)   The Parties shall maintain secrecy about all confidential information of which they have become aware in connection with this contractual relationship, and shall only use such information in relation to third parties – for whatever purpose – with the prior written consent of the other Party.
  • (4)   This shall not apply to the forwarding or disclosure of confidential information due to court or official orders or due to prior consent to the specific forwarding by the other Party.
  • (5)   The Parties undertake to take appropriate confidentiality measures in order to protect all confidential information of which they become aware in connection with the contract.
  • (6)   Unless the Client objects in writing, the Provider shall be entitled to reference the Client’s name and logo as well as the fact that it has been commissioned by the Client, and the nature of the activities performed, exclusively for its own reference purposes, for example on the websites it operates. If the Client objects, the Provider shall remove the reference without undue delay. Otherwise, the Parties shall only issue public statements concerning their cooperation by prior mutual written agreement.
  • (7)   The obligations pursuant to (3) and (5) shall continue to apply indefinitely beyond the end of the contract, and in fact for as long as an exception pursuant to (2) has not been proven.

§ 10 Data protection

  • (1)   The Parties shall observe the applicable data protection regulations, in particular those valid in Germany, and shall oblige the employees they use in connection with the contract and its implementation to maintain confidentiality in the handling of personal data, unless they are already generally obliged to do so.
  • (2)   Freelancers and other service providers can, as described in Sect. 4 (4), use their own accounts on the Lano website. If, when using the Software for freelancer management purposes, the personal data of the Client’s freelancers or other service providers is processed (e.g. in connection with the features for managing contractual relationships), the Parties shall be jointly responsible for data protection pursuant to Art. 26 GDPR and the joint controllership agreement, which is included as Annex 1.
  • (3)   If the Client uses the Software to collect, process or use personal data for purposes other than those described in Sect. 10 (3) (e.g. data of the Client’s own employees or end clients), the Client shall in principle be the sole controller under data protection law pursuant to Art. 4 (7) GDPR. In particular, they shall be responsible for ensuring that they are entitled to process personal data in accordance with the applicable provisions, in particular those relating to data protection, and shall release the Provider from claims by third parties in the event of a breach. In such cases, the Provider shall act as a processor in accordance with Art. 28 GDPR and the data processing agreement included as Annex 2 to this contract. In the event of contradictions between this contract and the data processing agreement, the latter shall prevail.
  • (4)   The Provider points out that use of the services may be monitored to the extent permitted by law. If applicable, this may also include logging IP connection data and conversations as well as evaluating these in the event of a specific suspicion of a violation of these Terms and/or in the event of a specific suspicion that any other illegal act or criminal offence has been committed.

§ 11 Fees and terms

  • (1)   The remuneration for the contractual services regarding the use of the Software and the provision of storage space shall be based on the monthly licence fee, the amount of which is specified at the time of ordering, depending on the chosen licensing model. The Provider shall be entitled to adjust the amount of the licence fee in accordance with the provisions of Sect. 15.
  • (2)   The licence fee specified at the time of ordering shall be due monthly from the date of operational provision. It shall be due 14 days after receipt of the invoice. If the Client has justifiably terminated the contract without notice, the flat rate shall be refunded on a pro rata temporis basis.
  • (3)   Payment can be made using the payment methods offered by the Provider. The Provider shall be entitled to instruct the Client’s chosen payment service provider to initiate payments in accordance with the provisions of this contract. The Provider reserves the right to exclude certain payment methods. If payment by invoice is offered, the Provider reserves the right to carry out credit checks in individual cases.
  • (4)   Other services performed by the Provider shall be charged for based on expenditure (time and materials) at the Provider’s general list prices valid at the time of ordering.
  • (5)   The Provider shall be entitled to send invoices in text form to the email address communicated to it by the Client.
  • (6)   Remuneration shall be subject to VAT at the applicable statutory rate.
  • (7)   Set-offs by the Client shall be excluded, unless the Client’s counterclaim is undisputed or legally binding.

§ 12 Contact person and escalation level

  • (1)   In order to facilitate the channelling of communication – in particular in the event of service disruptions – the Parties shall each appoint in writing a main contact person, who can make legally binding declarations for the respective Party or can bring about such declarations within four working days after the main contact person of the other Party has informed him/her in writing of the facts and the need for a decision.
  • (2)   If there is no agreement at the level of the main contact persons within six working days after notification of the facts and the need for a decision, the case must be submitted without undue delay to the Parties’ respective management, or to representatives appointed by them, for a decision. This escalation level should take a final decision within a period of a further six working days from receipt of the case.
  • (3)   The foregoing escalation deadlines shall not invalidate any other deadlines for reaction, execution, recovery or anything else which are agreed in this contract or its annexes. However, before going through the escalation procedure, any extraordinary termination shall generally be deemed invalid if and to the extent that such termination would be based on a difference of opinion between the Parties regarding the performance of the service.

§ 13 Liability

  • (1)   The Parties shall be liable to each other without limitation in the event of intent or gross negligence for all damage caused by them and their legal representatives or parties which they use to perform their obligations.
  • (2)   In the event of slight negligence, the Parties shall be liable without limitation in the event of injury to life, body or health.
  • (3)   In all other respects, a Party shall only be liable to the extent that it has breached an essential contractual obligation. Essential contractual obligations are those obligations which are of particular importance for achieving the contractual objective, as well as all those obligations which, in the event of a culpable breach, could endanger the achievement of the contractual purpose. In these cases, liability shall be limited to compensation for foreseeable damage typical of this type of contract. The Provider’s strict liability for damages (Sect. 536a BGB) for defects existing at the time of contract conclusion shall be excluded; this shall not affect (1) and (2).
  • (4)   If the Provider is delayed in making the Software operationally available, its liability shall be governed by Sect. 13. The Client shall be entitled to withdraw from the contract if the Provider does not comply with a two-week grace period set by the Client, i.e. if it does not provide the full agreed functionality of the Software within the grace period.
  • (5)   If the Provider does not meet the agreed obligations in whole or in part after making the Software and/or Application Data operationally available, the monthly flat-rate use fee shall be reduced on a pro rata basis for the period during which the Software and/or Application Data were not available to the Client to the agreed extent or the storage space was not available to the agreed extent. Ongoing use fees shall only be incurred for business transactions that were actually carried out using the Software despite the restriction or discontinuation of services. If the Provider is responsible for this non-fulfilment, the Client shall also be entitled to claim damages in accordance with Sect. 16.
  • (6)   A Party shall only be obliged to pay a contractual penalty if this contract expressly provides for this. There is no need to reserve the right to a contractual penalty. Set-offs with and against such a penalty shall be permissible.
  • (7)   Neither Party shall be obliged to fulfil its contractual obligations in the event and for the duration of force majeure. The following circumstances in particular shall be considered force majeure in this sense: fire/explosions/flooding for which the Party is not responsible; war, mutiny, blockades, embargoes; industrial action lasting more than six weeks and not caused by the Party; technical problems involving the internet which cannot be influenced by a Party; this shall not apply if and insofar as the Provider also offers the telecommunication service. As soon as a case of force majeure occurs, each Party shall notify the other Party in writing.
  • (8)   This shall not affect liability under the German Product Liability Act.

§ 14 Term, termination

  • (1)   The contractual relationship shall commence with the conclusion of the contract and be concluded for an indefinite period. The provision of the services shall commence at the latest on the working day following the conclusion of the contract.
  • (2)   A minimum contract period of 12 months shall apply. Each Party shall be entitled to terminate the contractual relationship in writing, subject to one month’s notice to the end of the minimum contractual term. After the end of the minimum contract period, the contract shall be automatically renewed for the minimum contract period, unless the contract has been effectively terminated.
  • (3)   Extraordinary termination due to or in connection with a breach of obligation shall only be possible after a prior written warning setting a reasonable deadline of not less than 14 working days.
  • (4)   If the Party entitled to give notice of termination has been aware of the circumstances justifying the extraordinary termination for more than two months, it shall no longer be entitled to base the termination on these circumstances.
  • (5)   Notwithstanding the provision in (3), the Provider shall be entitled to terminate the contract without notice if the Client is in default of payment of the prices or a significant proportion of the prices for two consecutive months or, in a period spanning more than two months, in default of payment of fees equivalent to two months’ worth of fees. In such cases, the Provider shall be entitled to demand additional lump-sum compensation, due immediately as one sum, equivalent to one quarter of the remaining basic monthly lump sum until the end of the regular contract term. The Client reserves the right to prove that the damage incurred was lower.

§ 15 Changes to this contractual relationship; price adjustments

  • (1)   The Provider shall be entitled to change the provisions of these Terms at any time and without stating reasons, provided that this change does not result in a change of the essential contractual structure as a whole. The essential provisions of the contractual structure include, in particular, regulations concerning the type and scope of the contractually agreed services, the term and termination of the contract.
  • (2)   Furthermore, the Provider shall be entitled to adapt or supplement these Terms to the extent that this is necessary to eliminate difficulties in the execution of the contract due to gaps in the provisions that have arisen after conclusion of the contract. The changed conditions shall be sent to the Client by email at least six weeks before they come into effect. The changes shall be deemed approved if the Client does not object to them in text form. The objection must be received within six weeks after receipt of notice of the changed conditions. In its notice of the changed conditions, the Provider shall make special reference to the possibility of objection and the importance of the six-week deadline. If the Client exercises their right of objection, the Provider’s requested change(s) shall be considered rejected. The contract will then continue without the proposed changes. This shall not affect the Parties’ right to terminate the contract.
  • (3)   In order to compensate for an increase in its own overall costs, the Provider shall be entitled, under the following conditions, to increase the subscription prices owed by the Client for the recurring services to be provided under the contract. The overall costs consist of costs for the maintenance and operation of the digital (encryption and decryption) infrastructure, the technical supply of the Software including costs for additional programs and features, fees for any copyrights and ancillary copyrights, material costs, wage and ancillary wage costs including temporary employment costs, costs for customer administration (e.g. call centres, IT systems) and general administrative costs.
    • (a)   Subscription prices may only be adjusted up to the extent of the cost increase and depending on the share of the increased cost element relative to the overall costs; this shall only be permissible if the cost increase is based on changes that occurred after contract conclusion and were not initiated by the Provider. This shall be the case, for example, if upstream suppliers, subcontractors or other service providers used by the Provider increase their prices, if the services covered by the contract are subject to modified or additional taxes or duties, or in the case of increases in standard wages.
    • (b)   The Provider shall take into account any cost reductions when calculating its overall cost burden. An increase in subscription prices shall only be permitted once per calendar year. If circumstances which occurred after contract conclusion and which were not caused by the Provider lead to a reduction of the Provider’s overall costs in the sense of this clause, the Provider undertakes to reduce the subscription prices owed by the Client to the extent of the cost reduction and depending on the share of the reduced cost element relative to the overall costs. The Provider shall be entitled to take into account any increases in individual costs, insofar as these have not already been taken into account when increasing the subscription prices.
    • (c)    If the increase in subscription prices is more than 5% of the prices applicable up to the time of the increase, the Client shall be entitled to terminate the contract within six weeks of receipt of notice of the increase, effective from the time the increase takes effect. If the Client exercises this special right of termination, the increase shall not take effect and the contract shall be terminated with effect from the point in time when the increase in subscription prices takes effect. If the Client does not terminate the contract or does not terminate it in due time, the contract shall be continued subject to the new service fee from the point in time stated in the notice.
    • (d)   When giving notice of the increase in the service fee, the Provider shall also make special reference to the right of termination as well as to the consequences of not terminating the contract in due time. The Provider shall inform the Client of any adjustment of the service fee at least six weeks before it takes effect.
  • (4)   Notwithstanding the foregoing, the Provider shall be entitled to adjust the subscription prices accordingly in the event of a change in the statutory VAT.

§ 16 Demo version

  • (1)   At the Client’s request, the Provider may, at its own discretion, provide the Client with a free demo version of the Software (or a test account). The Provider shall provide a demo version only once per client.
  • (2)   Unless otherwise agreed, the Client shall be entitled to use the demo version for 14 days from receipt of the access data and exclusively for test purposes. These rights to use the demo version shall not be transferable to third parties.
  • (3)   The Provider does not guarantee the functionality of the demo version or the test account. The Client shall be prohibited from using the demo version to process personal data; instead, the Client shall be required to process only fictitious data in the demo version. To the extent permitted by law, the Provider shall assume no liability for the availability, integrity or confidentiality of the data processed by the Client in the demo version. This shall not affect liability for gross negligence and intent.
  • (4)   The Client shall have no claim to the provision of a demo version. The Provider shall also be entitled to withdraw the Client’s access to the demo version at any time and without giving reasons and to erase any data stored in the demo version.
  • (5)   As far as nothing else results from the foregoing paragraphs, the provisions of Sect. 7, 8, 9, 10, 15 and 17 of these Terms shall apply mutatis mutandis to the demo version. The other provisions from these Terms shall not apply to the demo version.

§ 17 Final provisions

  • (1)   There are no verbal ancillary provisions not contained in this contract and its annexes. Any earlier agreements regarding the object of the contract shall hereby become invalid. Changes or additions to this contract and the annexes must be made in text form (e.g. email) in order to be valid. This shall also apply to the waiver of this requirement of text form.
  • (2)   Should any individual provisions of this contract be invalid, this shall not affect the validity of the remaining provisions of the contract. Should any gaps arise in the application of this contract which the Parties have not anticipated, or should the invalidity of a provision be legally binding or agreed upon by both Parties, the Parties undertake to fill or replace this gap or invalid provision in an objective, reasonable manner which is in line with the economic purpose of the contract.
  • (3)   German substantive law shall apply to the contractual relationship.
  • (4)   Unless a legal norm mandatorily prescribes a different place of jurisdiction, the exclusive place of jurisdiction shall be the Provider’s registered office.

§ 18 List of annexes

Annex 1: Joint controllership agreement pursuant to Art. 26 GDPR;

Annex 2: Data processing agreement pursuant to Art. 28 GDPR.

General Terms and Licensing Conditions for Companies

of Lano Software GmbH, Rosenthaler Str. 13, 10119 Berlin, Germany (hereinafter referred to at the Provider or Lano).

Version 1.4 – January 2020

§ 1   Scope

  1. (1)   The version of these General Terms and Licensing Conditions (hereinafter referred to as Terms) applicable at the time of ordering shall govern the contractual relationship between the Provider and persons who order software and accompanying services from the Provider (hereinafter referred to as Clients). The Provider and the Client are each referred to individually as a Party and jointly as the Parties.
  2. (2)   The Client assures that, as an entrepreneur within the meaning of Section 14 of the German Civil Code (BGB), they are acting in the exercise of their commercial or independent professional activity. The Provider does not conclude contracts with consumers.
  3. (3)   There are no verbal ancillary agreements between the Parties. These Terms shall apply exclusively. Any terms and conditions of the Client that deviate from or contradict these Terms shall not apply; this shall also apply if the Provider does not expressly object to the Client’s terms and conditions.

§ 2   Object of the contract

  1. (1)   Lano offers its clients various, usually web-based, software-as-a-service solutions for freelancer management. The software solutions offered by Lano support companies in onboarding, organising and paying freelancers, partner companies and service providers.
  2. (2)   In addition, freelancers, partner companies and service providers can use the freelancer version software from Lano for order management, invoicing and customer administration purposes. Freelancers and other service providers are not subject to these Terms, but rather to separate terms of use for freelancers and service providers.
  3. (3)   The object of the contract is the provision of the software offered by Lano for the use of its functionalities (hereinafter referred to as the Software), the provision of storage space for data generated by the Software or required to use the Software (hereinafter referred to as Application Data) as well as, depending on the licensing model, support services by the Provider to the Client, in return for payment of the agreed remuneration.
  4. (4)   The functional scope of the Software is based on these Terms as well as the selected licensing model (e.g. Starter, Premium, Enterprise) and the service description provided at the time of ordering (available at https://www.lano.io/en/pricing/). Unless otherwise specified in these Terms, in the details of the licensing model or in the service description, the Provider shall not be obliged to provide further support with regard to the object of the contract. However, such support may – if not already arranged – be agreed between the Parties at any time. Regardless of the specific individual agreement between the Parties, the right of the Provider to maintain, update and service the Software shall remain unaffected.

§ 3   Conclusion of the contract

  1. (1)   The information contained in catalogues, advertisements and on websites shall be subject to change and non-binding and does not represent an offer by the Provider.
  2. (2)   The Client’s order shall represent an offer to the Provider to conclude a contract for the Software or service ordered by the Client.
  3. (3)   If the Client places an order via the internet or email or in any other way, they will receive an email from the Provider confirming receipt of the order and listing the details of the order (order confirmation). This order confirmation shall not represent an acceptance of the Client’s offer, but merely inform the Client that the Provider has received their order. The Client shall be bound to this order for 14 days after the Provider receives their order.
  4. (4)   A contract between the Client and the Provider concerning the Software or service ordered in the individual case shall only be concluded if and when the Provider accepts the order by sending another email or in another way, for example by sending the Client access data to the Software. The Provider reserves the right to accept the Client’s offer only in part; a contract shall not be concluded for Software that is not listed in the declaration of acceptance.

§ 4   Provision of the Software and hosting of the Application Data

  • (1)   At the latest during the course of the working day following conclusion of the contract, the Provider shall make the latest version of the Software ordered available on one or more servers for use in accordance with the following provisions.
  • (2)   The Provider shall be liable for ensuring that the Software provided is suitable for the purposes defined in the service description provided at the time of ordering, and that it is free from defects for the duration of the contract, in particular that it is free from viruses and similar malware which would make the Software unsuitable for the use specified in the contract. If the Provider obtains the Software from third parties, it shall be obliged to keep the last commercially available version of such Software ready for use by the Client for up to six months after its general market release by the manufacturer. Insofar as the Provider produces the Software itself, it shall ensure that the Software it has produced always reflects the established state of the art.
  • (3)   With the acceptance of the offer, the Provider shall send the Client an email containing a link for the user (“administrator”) specified by the Client in the order, via which the Client can set a password. The Client shall be obliged to choose a sufficiently secure password known only to them. Using their email address and the password chosen by the Client, the Client can log on to the Lano website to use the Software as an administrator. The Client shall keep the access data, including the password, secret and not make it accessible to unauthorised third parties. If provided for under the selected licensing model, additional employees of the Client, designated by the Client, may be granted access to the Software. These and the administrator shall be considered “authorised users”.
  • (4)   Furthermore, the Client shall be entitled to provide email addresses in order to send user invitations to freelancers and other service providers via the administration area of the website. During the registration process, the invited user will be asked to provide their login information, contact details and a password. Once the account has been activated and confirmed by the Client, the user can use this data to log in to the user or freelancer area of the website. Freelancer accounts within the meaning of this clause allow freelancers and other service providers to manage contractual relationships with several clients via the Lano website. The use of the freelancer accounts by freelancers and other service providers is not exclusively limited to one client or principle.
  • (5)   To access the provided Software, the Client requires an internet connection and a current browser of the types Internet Explorer, Chrome or Firefox. The Provider does not guarantee support for other browsers. Furthermore, appropriate hardware is required (e.g. internet-enabled device), which is capable of running the aforementioned browsers.
  • (6)   The Provider shall make storage space available on the server for the Application Data from the point in time of operational provision as agreed in Sect. 4 (1). The storage space for the Application Data shall generally be limited to 500 GB, unless otherwise agreed upon under the selected licensing model. The Parties may agree a different arrangement in writing.
  • (7)   The Client shall have no claim to the provision of a specific server for their sole use. If the data stocks of clients are separated, the Provider shall be entitled to allow multiple clients to use the server at the same time as long as the server has sufficient capacity.
  • (8)   The Software and Application Data are backed up on the server on a regular (at least daily) basis. The backups are kept for 30 calendar days.
  • (9)   The Client shall inform the Provider without undue delay if there is a suspicion that unauthorised persons have gained knowledge of the Client’s or their users’ access data and/or passwords.
  • (10) If and to the extent that the provision of a new version or a change is accompanied by a change in the functionalities of the Software, in the Client’s work processes supported by the Software, and/or in restrictions in the usability of previously generated data, the Provider shall notify the Client of this in writing at least six weeks before such a change takes effect. If the Client does not object to the change in writing within two weeks from receipt of the notice of change, the change shall become part of the contract. Whenever it announces changes, the Provider shall draw the Client’s attention to the aforementioned deadline, and to the legal consequences of the deadline passing in the event of failure to exercise the right of objection.
  • (11) The handover point for the Software and Application Data is the router exit of the servers used by the Provider.

§ 5   Software availability and access to Application Data

  • (1)   During the uptime (Mon-Fri: 7am–8pm), the Provider shall ensure 98% average monthly availability of the Software at the handover point (interface to the internet of the server on which the Software is hosted). By “availability” the Parties mean the possibility of using the Software in accordance with the contract at the handover point.
  • (2)   The Software shall also be considered available in the event of
    • (a)  disruptions to parts of the technical infrastructure that are necessary for the execution of the Software, or the internet, which do not have to be provided by the Provider or by the parties it uses to perform its obligations;
    • (b)  disruptions or other occurrences to which the Provider or one of the parties it uses to perform its obligations did not contribute;
    • (c)  scheduled downtime within the meaning of (4);
    • (d)  insignificant reductions in the suitability of the Software for use in accordance with the contract.
  • (3)  The Provider shall provide the Client with a website (https://lano.freshdesk.com/) for support requests and error messages. In addition, support requests and error messages can be submitted to the Provider using the contact information (email addresses and telephone numbers) provided on its website. Requests and error messages are processed on working days in Berlin between 7am and 8pm promptly and in order of urgency.
  • (4)  The Provider shall be entitled to schedule downtime for the Software and/or the server for servicing, maintenance, data backup and for other work on the Software and/or the server. Such scheduled downtime shall be announced to the Client with at least one week’s notice and should generally take place at times of low usage (Monday to Friday between 8pm and 6am and on weekends and German national holidays). The Provider shall not be required to give advance notice for work that is urgently required, e.g. to close security gaps or to maintain functionality. During the scheduled downtime, the Client shall have no legal claim to use the Software and/or the server. If the Client uses the Software and/or the server during the scheduled downtime, the Client shall nevertheless not be entitled to claim liability for defects or damages in the event of a reduction or discontinuation of the service.

§ 6   Further services of the Provider

  • (1)   Documentation
    • (a)  The Provider shall provide the Client with information online (e.g. at https://lano.freshdesk.com/support/home) that enables the Client to use the Software for the contractually intended purposes. The information shall be revised once a year to reflect significant changes in the use of the Software.
    • (b)  If the Provider provides Software of third parties and no documentation in German/English is generally available from that third party, the Provider shall be entitled to provide only the documentation to which it has access.
    • (c)  The Client shall be entitled to save, print out and make a reasonable number of copies of the documentation provided for the purposes of this contract, while retaining any proprietary rights notices. In all other respects, the restrictions of use for the Software agreed under Sect. 7 shall apply mutatis mutandis to the documentation.
  • (2)   Further services of the Provider, in particular training on how to use the application, can be agreed upon at any time in text form (e.g. by email). Such further services shall be rendered in return for reimbursement of the documented expenditure incurred, at the Provider’s prices which are generally applicable at the time of ordering.

§ 7   Rights of use and using the Software; rights of the Provider in the event that the rights of use are exceeded

  • (1)   The Client shall receive simple, non-sublicensable and non-transferable rights of use for the Software, limited to the term of this contract, in accordance with the following provisions.
  • (2)   The details of the rights of use shall depend on the descriptions displayed at the time of ordering and the selected licensing model, which shall apply as a supplement to these Terms.
  • (3)   The rights of use shall be granted to the Client and, depending on the selected licensing model, to the Client’s employees and to users registered and confirmed by the Client in accordance with 4 (4). If the number of users exceeds the number of users agreed upon under the respective licensing model, the Client shall pay a flat-rate monthly use fee of 1 EUR per user; this shall not affect any further claims on the part of the Provider in the event of additional use that exceeds the agreed use.
  • (4)   The Client’s right of use shall be limited to access to the Software on the server. There shall be no physical transfer of the Software to the Client. The Client shall only be permitted to use the Software for their own business activities.
  • (5)   The Client shall not be entitled to make changes to the Software. This shall not apply to changes that are necessary in order to rectify errors, if the Provider fails to remove the error on time, refuses to correct the error or is unable to correct the error due to the institution of insolvency proceedings.
  • (6)   If the Provider introduces new versions, updates, upgrades or other new releases concerning the Software during the term of the contract, the foregoing rights shall also apply to these.
  • (7)   If rights are not expressly granted to the Client above, the Client shall not enjoy such rights. In particular, the Client shall not be entitled to use the Software, including its source code, beyond the agreed use or to have it used by third parties or to make the Software accessible to third parties. In particular, it shall not be permitted to reproduce, sell, or temporarily transfer the Software, in particular to rent or lend it. The Client shall take the necessary precautions to prevent the use of the Software by unauthorised persons.
  • (8)   The Client shall be liable for ensuring that the website and Software made available to them by the Provider are not used for racist, discriminatory or pornographic purposes, purposes that endanger the protection of minors, are politically extreme or otherwise illegal or in breach of official regulations or requirements, and for ensuring that no data of this nature, in particular Application Data, is created and/or stored on the server. The Client shall be responsible for the content posted by them and by users. The Provider does not check whether content is complete, correct, legal, up to date, of a certain quality or suitable for a specific purpose.
  • (9)   The services available on the platform are intended exclusively for the purposes specified in Sect. 2. Use for other commercial purposes is prohibited, unless the Provider has given its express prior written consent. Unauthorised commercial use includes in particular all offers and promotions of paid content, services and/or products (both the Client’s own and those of third parties), as well as offering, promoting and performing activities with a commercial background such as competitions, prize draws, bartering, advertisements or pyramid schemes.
  • (10) In the event of a violation of the foregoing provisions, the Provider reserves the right to block the Client’s or the user’s access temporarily or permanently. In the event of temporary or permanent blocking, the Provider shall block the account and notify the Client. If the Client continues to violate or repeatedly violates the foregoing provisions despite having been reminded by the Provider and if the Client is responsible for this, the Provider shall have a right of extraordinary termination without notice. This shall not affect any further claims on the part of the Provider.
  • (11) If and to the extent that, during the term of this contract, a database, databases, a database work or database works are created on the Provider’s server as a result of activities by the Client which are permitted under this contract, the Client shall be entitled to all rights thereto. The Client shall remain the owner of the databases or database works even after the end of the contract.

§ 8   Obligations and duties of the Client

  • (1)   The Client shall refrain from interfering with the Software or allowing it to be interfered with in any way other than for normal use, as well as from penetrating the Provider’s data networks without permission or promoting such penetration (e.g. carrying out load and/or penetration tests).
  • (2)   The Client assures that they shall only access the Software and Application Data on the basis of these Terms and via the interfaces provided by the Provider. The Client shall also refrain from circumventing any security measures that the Provider has taken to protect the Software and Application Data.
  • (3)   Furthermore, the Client shall be obliged to notify the Provider without undue delay of any defects in contractual services, in particular defects in the Software. If the Client fails to notify the Provider in time for reasons for which the Client is responsible, this shall constitute contributory cause or contributory negligence. Insofar as the Provider was unable to remedy the situation as a result of failure to notify or a delay in the notification, the Client shall not be entitled to reduce the agreed remuneration in whole or in part, to demand compensation for the damage caused by the defect, or to terminate the contract without notice due to the defect. The Client shall be required to demonstrate that they are not responsible for the failure to notify.
  • (4)   The Client shall keep the username they use as well as their selected password secret, shall not pass these on to any unauthorised third party, and shall take appropriate and standard measures to protect them from access by third parties. The same shall apply to other access data of which the Client becomes aware in connection with using the Software as well as to access data for user accounts set up by the Client. If unauthorised third parties nevertheless become aware of the username and/or password or if the Client suspects that this has happened, the Client shall be obliged to inform the Provider without undue delay. When an employee leaves the company, the Client shall deactivate or change that person’s access data without undue delay.
  • (5)   The Client shall release the Provider from claims of third parties which are based on an illegal use of the Software by the Client or which result from data protection, copyright or other legal disputes caused by the Client and which are connected with the use of the Software.
  • (6)   The Client shall ensure that they observe all third-party rights to the material they use (e.g. when transmitting texts/data of third parties to the Provider’s server); likewise, they shall take suitable measures to ensure that any content posted by users does not infringe third-party rights.
  • (7)   Before sending data and information to the Provider, the Client shall check them for viruses and use up-to-date antivirus programs.
  • (8)   If the Client transmits data to the Provider for the purpose of generating Application Data, the Client shall be required to back up such data regularly and in a manner commensurate with the importance of the data, and to create their own backup copies, to enable the reconstruction of the data and information in the event of loss.
  • (9)   If and to the extent that they are given the technical opportunity to do so by mutual agreement, the Client shall regularly secure the Application Data stored on the server by downloading it. In particular, the Client shall be able to save invoices, profiles, templates and other documents on their own data carriers at any time using the export features provided by the Provider. The Client shall be responsible for compliance with retention periods under commercial and tax laws for invoices and other tax-relevant documents that can be retrieved via the export features. This shall not affect the Provider’s obligation to back up data under Sect. 4 (8) of this contract.
  • (10) The Client shall oblige authorised users under Sect. 4 (3) to comply with all provisions of Sect. 8 accordingly.

§ 9   Confidentiality

  • (1)   Information to be treated as confidential shall be the information expressly identified as confidential by the party providing the information and such information whose confidentiality is clearly evident from the circumstances of the transfer. The Provider must treat Application Data in particular as confidential, should it gain knowledge of it.
  • (2)   Information shall not be deemed confidential if the party receiving the information can prove that it was known or generally accessible to it before the date of receipt; was known or generally accessible to the public before the date of receipt; or became known or generally accessible to the public after the date of receipt, without the receiving party being responsible for this.
  • (3)   The Parties shall maintain secrecy about all confidential information of which they have become aware in connection with this contractual relationship, and shall only use such information in relation to third parties – for whatever purpose – with the prior written consent of the other Party.
  • (4)   This shall not apply to the forwarding or disclosure of confidential information due to court or official orders or due to prior consent to the specific forwarding by the other Party.
  • (5)   The Parties undertake to take appropriate confidentiality measures in order to protect all confidential information of which they become aware in connection with the contract.
  • (6)   Unless the Client objects in writing, the Provider shall be entitled to reference the Client’s name and logo as well as the fact that it has been commissioned by the Client, and the nature of the activities performed, exclusively for its own reference purposes, for example on the websites it operates. If the Client objects, the Provider shall remove the reference without undue delay. Otherwise, the Parties shall only issue public statements concerning their cooperation by prior mutual written agreement.
  • (7)   The obligations pursuant to (3) and (5) shall continue to apply indefinitely beyond the end of the contract, and in fact for as long as an exception pursuant to (2) has not been proven.

§ 10 Data protection

  • (1)   The Parties shall observe the applicable data protection regulations, in particular those valid in Germany, and shall oblige the employees they use in connection with the contract and its implementation to maintain confidentiality in the handling of personal data, unless they are already generally obliged to do so.
  • (2)   Freelancers and other service providers can, as described in Sect. 4 (4), use their own accounts on the Lano website. If, when using the Software for freelancer management purposes, the personal data of the Client’s freelancers or other service providers is processed (e.g. in connection with the features for managing contractual relationships), the Parties shall be jointly responsible for data protection pursuant to Art. 26 GDPR and the joint controllership agreement, which is included as Annex 1.
  • (3)   If the Client uses the Software to collect, process or use personal data for purposes other than those described in Sect. 10 (3) (e.g. data of the Client’s own employees or end clients), the Client shall in principle be the sole controller under data protection law pursuant to Art. 4 (7) GDPR. In particular, they shall be responsible for ensuring that they are entitled to process personal data in accordance with the applicable provisions, in particular those relating to data protection, and shall release the Provider from claims by third parties in the event of a breach. In such cases, the Provider shall act as a processor in accordance with Art. 28 GDPR and the data processing agreement included as Annex 2 to this contract. In the event of contradictions between this contract and the data processing agreement, the latter shall prevail.
  • (4)   The Provider points out that use of the services may be monitored to the extent permitted by law. If applicable, this may also include logging IP connection data and conversations as well as evaluating these in the event of a specific suspicion of a violation of these Terms and/or in the event of a specific suspicion that any other illegal act or criminal offence has been committed.

§ 11 Fees and terms

  • (1)   The remuneration for the contractual services regarding the use of the Software and the provision of storage space shall be based on the monthly licence fee, the amount of which is specified at the time of ordering, depending on the chosen licensing model. The Provider shall be entitled to adjust the amount of the licence fee in accordance with the provisions of Sect. 15.
  • (2)   The licence fee specified at the time of ordering shall be due monthly from the date of operational provision. It shall be due 14 days after receipt of the invoice. If the Client has justifiably terminated the contract without notice, the flat rate shall be refunded on a pro rata temporis basis.
  • (3)   Payment can be made using the payment methods offered by the Provider. The Provider shall be entitled to instruct the Client’s chosen payment service provider to initiate payments in accordance with the provisions of this contract. The Provider reserves the right to exclude certain payment methods. If payment by invoice is offered, the Provider reserves the right to carry out credit checks in individual cases.
  • (4)   Other services performed by the Provider shall be charged for based on expenditure (time and materials) at the Provider’s general list prices valid at the time of ordering.
  • (5)   The Provider shall be entitled to send invoices in text form to the email address communicated to it by the Client.
  • (6)   Remuneration shall be subject to VAT at the applicable statutory rate.
  • (7)   Set-offs by the Client shall be excluded, unless the Client’s counterclaim is undisputed or legally binding.

§ 12 Contact person and escalation level

  • (1)   In order to facilitate the channelling of communication – in particular in the event of service disruptions – the Parties shall each appoint in writing a main contact person, who can make legally binding declarations for the respective Party or can bring about such declarations within four working days after the main contact person of the other Party has informed him/her in writing of the facts and the need for a decision.
  • (2)   If there is no agreement at the level of the main contact persons within six working days after notification of the facts and the need for a decision, the case must be submitted without undue delay to the Parties’ respective management, or to representatives appointed by them, for a decision. This escalation level should take a final decision within a period of a further six working days from receipt of the case.
  • (3)   The foregoing escalation deadlines shall not invalidate any other deadlines for reaction, execution, recovery or anything else which are agreed in this contract or its annexes. However, before going through the escalation procedure, any extraordinary termination shall generally be deemed invalid if and to the extent that such termination would be based on a difference of opinion between the Parties regarding the performance of the service.

§ 13 Liability

  • (1)   The Parties shall be liable to each other without limitation in the event of intent or gross negligence for all damage caused by them and their legal representatives or parties which they use to perform their obligations.
  • (2)   In the event of slight negligence, the Parties shall be liable without limitation in the event of injury to life, body or health.
  • (3)   In all other respects, a Party shall only be liable to the extent that it has breached an essential contractual obligation. Essential contractual obligations are those obligations which are of particular importance for achieving the contractual objective, as well as all those obligations which, in the event of a culpable breach, could endanger the achievement of the contractual purpose. In these cases, liability shall be limited to compensation for foreseeable damage typical of this type of contract. The Provider’s strict liability for damages (Sect. 536a BGB) for defects existing at the time of contract conclusion shall be excluded; this shall not affect (1) and (2).
  • (4)   If the Provider is delayed in making the Software operationally available, its liability shall be governed by Sect. 13. The Client shall be entitled to withdraw from the contract if the Provider does not comply with a two-week grace period set by the Client, i.e. if it does not provide the full agreed functionality of the Software within the grace period.
  • (5)   If the Provider does not meet the agreed obligations in whole or in part after making the Software and/or Application Data operationally available, the monthly flat-rate use fee shall be reduced on a pro rata basis for the period during which the Software and/or Application Data were not available to the Client to the agreed extent or the storage space was not available to the agreed extent. Ongoing use fees shall only be incurred for business transactions that were actually carried out using the Software despite the restriction or discontinuation of services. If the Provider is responsible for this non-fulfilment, the Client shall also be entitled to claim damages in accordance with Sect. 16.
  • (6)   A Party shall only be obliged to pay a contractual penalty if this contract expressly provides for this. There is no need to reserve the right to a contractual penalty. Set-offs with and against such a penalty shall be permissible.
  • (7)   Neither Party shall be obliged to fulfil its contractual obligations in the event and for the duration of force majeure. The following circumstances in particular shall be considered force majeure in this sense: fire/explosions/flooding for which the Party is not responsible; war, mutiny, blockades, embargoes; industrial action lasting more than six weeks and not caused by the Party; technical problems involving the internet which cannot be influenced by a Party; this shall not apply if and insofar as the Provider also offers the telecommunication service. As soon as a case of force majeure occurs, each Party shall notify the other Party in writing.
  • (8)   This shall not affect liability under the German Product Liability Act.

§ 14 Term, termination

  • (1)   The contractual relationship shall commence with the conclusion of the contract and be concluded for an indefinite period. The provision of the services shall commence at the latest on the working day following the conclusion of the contract.
  • (2)   A minimum contract period of 12 months shall apply. Each Party shall be entitled to terminate the contractual relationship in writing, subject to one month’s notice to the end of the minimum contractual term. After the end of the minimum contract period, the contract shall be automatically renewed for the minimum contract period, unless the contract has been effectively terminated.
  • (3)   Extraordinary termination due to or in connection with a breach of obligation shall only be possible after a prior written warning setting a reasonable deadline of not less than 14 working days.
  • (4)   If the Party entitled to give notice of termination has been aware of the circumstances justifying the extraordinary termination for more than two months, it shall no longer be entitled to base the termination on these circumstances.
  • (5)   Notwithstanding the provision in (3), the Provider shall be entitled to terminate the contract without notice if the Client is in default of payment of the prices or a significant proportion of the prices for two consecutive months or, in a period spanning more than two months, in default of payment of fees equivalent to two months’ worth of fees. In such cases, the Provider shall be entitled to demand additional lump-sum compensation, due immediately as one sum, equivalent to one quarter of the remaining basic monthly lump sum until the end of the regular contract term. The Client reserves the right to prove that the damage incurred was lower.

§ 15 Changes to this contractual relationship; price adjustments

  • (1)   The Provider shall be entitled to change the provisions of these Terms at any time and without stating reasons, provided that this change does not result in a change of the essential contractual structure as a whole. The essential provisions of the contractual structure include, in particular, regulations concerning the type and scope of the contractually agreed services, the term and termination of the contract.
  • (2)   Furthermore, the Provider shall be entitled to adapt or supplement these Terms to the extent that this is necessary to eliminate difficulties in the execution of the contract due to gaps in the provisions that have arisen after conclusion of the contract. The changed conditions shall be sent to the Client by email at least six weeks before they come into effect. The changes shall be deemed approved if the Client does not object to them in text form. The objection must be received within six weeks after receipt of notice of the changed conditions. In its notice of the changed conditions, the Provider shall make special reference to the possibility of objection and the importance of the six-week deadline. If the Client exercises their right of objection, the Provider’s requested change(s) shall be considered rejected. The contract will then continue without the proposed changes. This shall not affect the Parties’ right to terminate the contract.
  • (3)   In order to compensate for an increase in its own overall costs, the Provider shall be entitled, under the following conditions, to increase the subscription prices owed by the Client for the recurring services to be provided under the contract. The overall costs consist of costs for the maintenance and operation of the digital (encryption and decryption) infrastructure, the technical supply of the Software including costs for additional programs and features, fees for any copyrights and ancillary copyrights, material costs, wage and ancillary wage costs including temporary employment costs, costs for customer administration (e.g. call centres, IT systems) and general administrative costs.
    • (a)   Subscription prices may only be adjusted up to the extent of the cost increase and depending on the share of the increased cost element relative to the overall costs; this shall only be permissible if the cost increase is based on changes that occurred after contract conclusion and were not initiated by the Provider. This shall be the case, for example, if upstream suppliers, subcontractors or other service providers used by the Provider increase their prices, if the services covered by the contract are subject to modified or additional taxes or duties, or in the case of increases in standard wages.
    • (b)   The Provider shall take into account any cost reductions when calculating its overall cost burden. An increase in subscription prices shall only be permitted once per calendar year. If circumstances which occurred after contract conclusion and which were not caused by the Provider lead to a reduction of the Provider’s overall costs in the sense of this clause, the Provider undertakes to reduce the subscription prices owed by the Client to the extent of the cost reduction and depending on the share of the reduced cost element relative to the overall costs. The Provider shall be entitled to take into account any increases in individual costs, insofar as these have not already been taken into account when increasing the subscription prices.
    • (c)    If the increase in subscription prices is more than 5% of the prices applicable up to the time of the increase, the Client shall be entitled to terminate the contract within six weeks of receipt of notice of the increase, effective from the time the increase takes effect. If the Client exercises this special right of termination, the increase shall not take effect and the contract shall be terminated with effect from the point in time when the increase in subscription prices takes effect. If the Client does not terminate the contract or does not terminate it in due time, the contract shall be continued subject to the new service fee from the point in time stated in the notice.
    • (d)   When giving notice of the increase in the service fee, the Provider shall also make special reference to the right of termination as well as to the consequences of not terminating the contract in due time. The Provider shall inform the Client of any adjustment of the service fee at least six weeks before it takes effect.
  • (4)   Notwithstanding the foregoing, the Provider shall be entitled to adjust the subscription prices accordingly in the event of a change in the statutory VAT.

§ 16 Demo version

  • (1)   At the Client’s request, the Provider may, at its own discretion, provide the Client with a free demo version of the Software (or a test account). The Provider shall provide a demo version only once per client.
  • (2)   Unless otherwise agreed, the Client shall be entitled to use the demo version for 14 days from receipt of the access data and exclusively for test purposes. These rights to use the demo version shall not be transferable to third parties.
  • (3)   The Provider does not guarantee the functionality of the demo version or the test account. The Client shall be prohibited from using the demo version to process personal data; instead, the Client shall be required to process only fictitious data in the demo version. To the extent permitted by law, the Provider shall assume no liability for the availability, integrity or confidentiality of the data processed by the Client in the demo version. This shall not affect liability for gross negligence and intent.
  • (4)   The Client shall have no claim to the provision of a demo version. The Provider shall also be entitled to withdraw the Client’s access to the demo version at any time and without giving reasons and to erase any data stored in the demo version.
  • (5)   As far as nothing else results from the foregoing paragraphs, the provisions of Sect. 7, 8, 9, 10, 15 and 17 of these Terms shall apply mutatis mutandis to the demo version. The other provisions from these Terms shall not apply to the demo version.

§ 17 Final provisions

  • (1)   There are no verbal ancillary provisions not contained in this contract and its annexes. Any earlier agreements regarding the object of the contract shall hereby become invalid. Changes or additions to this contract and the annexes must be made in text form (e.g. email) in order to be valid. This shall also apply to the waiver of this requirement of text form.
  • (2)   Should any individual provisions of this contract be invalid, this shall not affect the validity of the remaining provisions of the contract. Should any gaps arise in the application of this contract which the Parties have not anticipated, or should the invalidity of a provision be legally binding or agreed upon by both Parties, the Parties undertake to fill or replace this gap or invalid provision in an objective, reasonable manner which is in line with the economic purpose of the contract.
  • (3)   German substantive law shall apply to the contractual relationship.
  • (4)   Unless a legal norm mandatorily prescribes a different place of jurisdiction, the exclusive place of jurisdiction shall be the Provider’s registered office.

§ 18 List of annexes

Annex 1: Joint controllership agreement pursuant to Art. 26 GDPR;

Annex 2: Data processing agreement pursuant to Art. 28 GDPR.

Annex 1

Agreement on cooperation as joint controllers pursuant to Article 26 GDPR with regard to the data of freelancers/service providers

Preamble

The customer (hereinafter referred to as “Controller 2”) and the provider (hereinafter referred to as “Controller 1”) are independent companies which, in the context of using the services of Controller 1, regularly process personal data of the freelancers or service providers jointly in order to be able to manage them. In doing so, they have jointly determined the purposes and means of processing. The Controllers jointly process the freelancer or service provider data pursuant to Art. 26 of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, “GDPR”). If the provider processes customer data on behalf of the customer (e.g. data relating to the customer’s employees or end customers), a commissioned processing relationship exists pursuant to Art. 28 GDPR. The corresponding contract for commissioned processing is attached to the GTC as Annex 2.

The parties shall endeavour to comprehensively protect the privacy of the data subjects and their personal data and to guarantee lawful processing. The aim of this Agreement is to transparently define which of the contracting parties shall fulfil which of the obligations as per the European General Data Protection Regulation (GDPR), in particular with regard to the exercise of the rights of data subjects laid down in Articles 12–23 of the GDPR and how the information obligations under Articles 13 and 14 of the GDPR are complied with. This agreement shall apply as Annex 1 to the GTC together with these.

Against this background, the contracting parties shall agree the following:

§ 1   Scope and definitions

  1. (1)   The following provisions apply to all services provided by Controller 1 to Controller 2 on the basis of the main contract.
  2. (2)   Should the term “data processing” or “processing” be used in this Agreement, this shall generally refer to the use of personal data. Data processing or the processing of data refers to any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, synchronisation or combination, blocking, erasure or destruction.
  3. (3)   Reference is made to the other definitions in Article 4 of the GDPR.
  4. (4)   Controller 1 and Controller 2 are hereinafter abbreviated as C1 and C2.

§ 2   Functions and relationships of the joint Controllers with respect to the data subjects

  • (1)   C1 offers freelancers and service providers various Software-as-a-Service solutions as a digital platform (especially under lano.io) and as an app solution for order management, invoicing, customer management and similar functionalities. Using the software offered by C1, freelancers and service providers can network with C2. C2 can use C1’s software to manage its orders to freelancers and service providers and thus has access in particular to the freelancers’ and service providers’ data that they provide in their profile and for order fulfilment and order invoicing.
  • (2)   The parties shall process personal data of the following data subjects:
    • (a)   Freelancers or service providers
  • (3)   The parties process the following categories of data:
    • (a)   Profile data (name, title, academic degree, date of birth, self-description, photo)
    • (b)   Contact details (e-mail address, telephone number, address)
    • (c)   Order data of orders from C2 (order details, services)
    • (d)   Order history
    • (e)   Order invoice data and payment information (invoice details, bank details, credit card information)
    • (f)   Other documents provided by C2 or by data subjects for C2

§ 3   Purposes and means of data processing

The parties shall jointly determine the following purposes and means of processing:

The main purpose of data sharing is to manage the above-mentioned data for order generation and billing between the data subjects and C2 using the C1 platform.

§ 4    Contact point for data subjects

The parties have not established a central contact point for questions from data subjects on data protection issues arising from joint data processing. Data subjects may choose to contact either

Lano Software GmbH, Rosenthaler Str. 13, 10119 Berlin

or

the contact address of C2.

§ 5   Transfer to third countries

The processing and use of the data, both in the case of C1 and C2, takes place exclusively within the territory of the Federal Republic of Germany, in a member state of the European Union or in another state party to the Agreement on the European Economic Area. Any relocation to a third country must be notified to the other responsible party and may only take place if the requirements of Art. 44 et seq. GDPR are fulfilled.

C2 declares its agreement to the use of C1’s sub-service providers listed in Annex 3.

§ 6   Technical and organisational measures

The contracting parties shall undertake, in particular in compliance with the principles of correct data processing as per Article 32 in conjunction with Article 5(1) of the GDPR, to ensure through appropriate controls that the jointly processed personal data are processed exclusively in accordance with this Agreement and the underlying main contract. The joint Controllers shall mutually assure each other that the personal data shall be handled securely and in compliance with data protection regulations. In particular, they will ensure the following security measures:

  • –   Unauthorised persons shall be denied access to personal data. This shall apply irrespective of whether the data are stored in electronic form or as hard copy.
  • –   Computer systems are to be secured by passwords and kept technically up to date.
  • –   The personal data may only be viewed and processed by those persons who are entrusted with the specific order processing. Employees are to be obliged to treat personal data confidentially.
  • –   The data of different clients or business partners are systematically separated according to the task.
  • –   Insofar as the Controllers determine that special transmission methods are necessary according to the state of the art in order to guarantee a secure transmission of electronically stored data, these shall be implemented.
  • –   The Controllers shall mutually assist each other in the fulfilment of the rights of the data subjects, in particular with regard to data portability, rectification, restriction of the processing and erasure, notification and exchange of information, upon first request and within the scope of their abilities. Should a data protection request from a data subject be received by a Controller, which is also relevant for the other person, the Controller shall immediately forward this request to the other Controller, leaving them to respond to the request, or carry it out jointly.
  • –   Furthermore, the Controllers shall support each other in all other obligations arising for the Controllers from the GDPR and, if applicable, from other data protection regulations and special statutes which concern joint data processing.

§ 7    Mutual information obligations

The Controllers shall immediately inform each other of any disruptions, breaches of data protection law or the provisions laid down in this Agreement as well as suspected breaches of data protection or irregularities in the processing of personal data relating to joint data processing. This shall apply, in particular, to unauthorised access to personal data by third parties (e.g. hacking). The Controller where the data protection breach occurred shall document the process including the effects and remedial measures and make this documentation available to the other Controller at any time on request. Should the Controller be unable to comply with their legal reporting obligation due to delayed, incomplete, incorrect or otherwise improper information from the other Controller, the Controller shall compensate all damages resulting from this delay. The Controllers shall support each other in the comprehensive and timely fulfilment of any reporting obligations. Reports according to § 7 and § 8 (3) to C1 are to be sent to: privacy@lano.io.

In the event of any control measures taken by a data protection supervisory authority, or in the event of other requests, investigations or enquiries by the data protection supervisory authority, the Controllers shall inform each other without delay of the implementation of the control measure as far as personal data relating to joint processing are concerned.

§ 8   Distribution of duties in response to rights of data subjects and fulfilment of information obligations

  • (1)   In the event that a data subject asserts rights to correction, deletion or blocking of personal data or to information about the stored personal data, the party against whom the rights are asserted shall be responsible for fulfilling the claims of the data subjects.
  • (2)   If rights of data subjects are asserted in accordance with the preceding paragraph, the parties shall support each other mutually to the extent that this is necessary or expedient to safeguard the rights of data subjects.
  • (3)   The parties are obliged to notify each other immediately if a person affected asserts rights in accordance with paragraph 1, unless it can be excluded that the assistance of the other party becomes necessary in accordance with paragraph 3.

§ 9    Fulfilment of information duties

  • (1)   C1 has formulated a privacy policy for the platform under lano.io and for the app solution. C1 is responsible for the legality and completeness of the data protection declaration. C1 will provide all information to the data subjects in a precise, transparent, comprehensible and easily accessible form in clear and simple language.
  • (2)   C1 will amend and supplement the online data protection declaration insofar as this is necessary or expedient due to changed data processing procedures or for legal reasons. If C2 becomes aware of circumstances that make an amendment or supplement to the data protection declaration appear necessary or expedient, C2 will inform C1 of this immediately.
  • (3)   C1 undertakes to make the essential content of the agreement on joint data protection responsibility available to the data subjects (Art. 26 Para. 2 GDPR).

§ 10  Miscellaneous

  • (1)   In the event of any conflicts between the provisions of this Agreement and the provisions of the main contract, the provisions of this Agreement shall prevail.
  • (2)   Amendments and supplements to this agreement shall require the mutual consent of the contracting parties with specific reference to the provision of this agreement to be amended. Verbal collateral agreements do not exist and are also excluded for future amendments of this agreement.
  • (3)   This agreement is subject to German law.
  • (4)   If access to the data is prevented by measures of third parties (e.g. measures of an insolvency administrator, seizure by tax authorities, etc.) the parties must inform each other.

Annex 2

Data Processing Agreement pursuant to Art. 28 GDPR

Preamble

The Customer (hereinafter referred to as “Controller”) has selected the Provider (hereinafter referred to as “Processor”) to act as a service provider in accordance with Art. 28 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, “GDPR”).

This Data Processing Agreement, including all Annexes (hereinafter referred to collectively as the “Agreement”), specifies the data protection obligations of the parties from the underlying General Terms and Licensing Conditions for Companies (“Terms”), the Service Level Agreement and/or the order descriptions (hereinafter referred to collectively as the “Principal Agreement”). This Agreement shall apply as Annex 2 to the Terms together with the Terms.

The Processor guarantees the Controller that it will fulfil the Principal Agreement and this Agreement in accordance with the following terms:

Sect. 1   Scope and definitions

(1)   The following provisions shall apply to all services of data processing provided by the Processor on behalf of the Controller under Art. 28 GDPR, which the Processor performs on the basis of the Principal Agreement.

(2)   If this Agreement uses the term “data processing” or “processing” of data, this shall be generally understood to mean the use of personal data. Data processing or the processing of data shall mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(3)   Reference is made to further definitions set forth in Art. 4 GDPR.

Sect. 2   Subject matter and duration of the data processing

 

(1)           The Processor shall process personal data on behalf and in accordance with the instructions of the Controller.

(2)           The data processing shall involve the use of the platform provided by the Processor as Software-as-a-Service (“SaaS”) for the administration of freelancers as agreed upon in the Principal Agreement.

(3)          This Agreement applies exclusively to the processing of personal data by the Processor on behalf of the Controller. To the extent that the parties are acting as separate or joint controllers, this Agreement shall not apply.

(4)           The duration of this Agreement corresponds to the duration of the Principal Agreement.

Sect. 3   Nature and purpose of the data processing

The nature and purpose of the processing of personal data by the Processor is specified in the Principal Agreement. The Principal Agreement includes the following activities and purposes:

  • The Processor provides the Controller with its platform as Software-as-a-Service. The Controller uses the platform to manage freelancers, partner companies and service providers.
  • This management includes contract management and compliance, sourcing, payment, onboarding, personnel planning, monitoring, budget planning and internal performance evaluation. The data required for this is provided to the Processor by the Controller.

Sect. 4   Categories of data subjects

 

The categories of individuals affected by the processing of personal data under this Agreement (“data subjects”) include:

  • Employees of the controller
  • Freelancers and other service providers of the controller
  • Employees of service providers of the controller
  • Other persons determined by the controller (e.g. end customers, whose data is processed by the controller on the platform).

Sect. 5   Types of personal data

 

The following types of personal data shall be processed under this Agreement:

  • Personal master data (name, title, academic degree, date of birth)
  • Contact details (email address, phone number, postal address)
  • Accounting data
  • Contract data (contract details, services, customer number)
  • Data to support the professional qualification (curriculum vitae, references, certificates)

Sect. 6   Rights and duties of the Controller

(1)           The Controller is solely responsible for assessing the lawfulness of the data processing and for safeguarding the rights of data subjects, and is hence a controller within the meaning of Art. 4 (7) GDPR.

(2)           The Controller is entitled to issue instructions concerning the nature, scale and method of data processing. Upon request by the Processor, the Controller shall confirm verbal instructions immediately in writing or in text form (e.g. by email) to the Processor.

(3)           Insofar as the Controller deems it necessary, persons authorized to issue instructions may be appointed. The Processor shall be notified of such in writing or in text form. In the event that the persons authorized to issue instructions change, the Controller shall notify the Processor of this change in writing or in text form, naming the new person in each case.

(4)           The Controller shall notify the Processor immediately of any errors or irregularities detected in relation to the processing of personal data by the Processor.

Sect. 7   Duties of the Processor

 

(1)           Data processing

The Processor shall process personal data exclusively in accordance with this Agreement and/or the underlying Principal Agreement and in accordance with the Controller’s instructions.

(2)           Data subjects’ rights

  1. The Processor shall, within its capabilities, assist the Controller in complying with the rights of data subjects, particularly with respect to rectification, restriction of processing, deletion of data, notification and information. If the Processor processes the personal data specified under Sect. 5 of this Agreement on behalf of the Controller and these data are the subject of a data portability request under Art. 20 GDPR, the Processor shall, upon request, make the dataset in question available to the Controller within a reasonably set time frame, otherwise within seven business days, in a structured, commonly used and machine-readable format.
  2. If so instructed by the Controller, the Processor shall rectify, delete or restrict the processing of personal data specified under Sect. 5 of this Agreement. The same applies if this Agreement stipulates the rectification, deletion or restriction of the processing of data.
  3. If a data subject contacts the Processor directly to have his or her personal data specified under Sect. 5 of this Agreement rectified, deleted or the processing restricted, the Processor shall forward this request to the Controller immediately upon receipt.

(3)           Monitoring duties

  1. The Processor shall ensure, by means of appropriate controls, that the personal data processed on behalf of the Controller are processed solely in accordance with this Agreement and/or the Principal Agreement and/or the relevant instructions.
  2. The Processor shall organize its business and operations in such way that the data processed on behalf of the Controller are secured to the extent necessary in each case and protected from unauthorized access by third parties.
  3. The Processor confirms that it has appointed a Data Protection Officer in accordance with Art. 37 GDPR and, if applicable, in accordance with Sect. 38 FDPA, and that the Processor shall monitor compliance with data protection and security laws. The Processor’s Data Protection Officer currently is:

Ms. Inna Gendelman

support@lano.io (with the addition “Attn. Data Protection Officer”)

(4)           Information duties

  1. The Processor shall inform the Controller immediately if, in its opinion, an instruction issued by the Controller violates legal regulations. In such cases, the Processor shall be entitled to suspend execution of the relevant instruction until it is confirmed or changed by the Controller.
  2. The Processor shall assist the Controller in complying with the obligations set out in Articles 32 to 36 GDPR taking into account the nature of processing and the information available to the Processor.
  3. In the event that the Processor establishes, or if facts justify the assumption, that personal data processed by the Processor on behalf of the Controller have been unlawfully transmitted or otherwise unlawfully disclosed to third parties or that any other personal data breach has occurred, the Processor shall provide the Controller with the following information:
  • a description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • a description of the likely consequences of the personal data breach;
  • a description of the measures taken or proposed to be taken by the processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

(5)           Location of processing

The processing of the data shall in principle take place in the territory of the Federal Republic of Germany, in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area. Any transfer to a third country is reported to the controller in advance and may only take place if the special requirements of Art. 44 et seqq. GDPR are fulfilled.

(6)           Deletion of personal data after order completion

After termination of the Principal Agreement, the Processor shall delete or return all the personal data processed on behalf of the Controller to the Controller after the end of the provision of services relating to processing and delete existing copies, provided that the deletion of these data does not conflict with any statutory storage obligations of the Processor. The deletion in accordance with data protection and data security regulations must be documented and confirmed upon request to the Controller.

Sect. 8   Monitoring rights of the Controller

 

(1)           The Controller shall be entitled, after prior notification in good time and during normal business hours, to carry out an inspection of compliance with the provisions on data protection and the contractual agreements to the extent required, either himself or through third parties, without disrupting the Processor’s business operations or endangering the security measures for other controllers, and at his own expense. Controls can also be carried out by accessing existing industry-standard certifications of the Processor, current attestations or reports from an independent body (such as auditors, external data protection officers or external data protection auditors) or self-assessments. The Processor shall offer the necessary support to carry out the checks.

(2)           The Processor shall inform the Controller of the execution of inspection measures by the supervisory authority to the extent that such measures or requests may concern data processing operations carried out by the Processor on behalf of the Controller.

Sect. 9   Subprocessing

 

(1)           The Controller authorizes the Processor to make use of other processors in accordance with the following subsections in Sect. 9 of this Agreement. This authorization shall constitute a general written authorization within the meaning of Art. 28 (2) GDPR.

(2)           The Processor currently works with the subcontractors specified in Annex 2 and the Controller hereby agrees to their appointment.

(3)           The Processor shall be entitled to appoint or replace other processors. The Processor shall inform the Controller in advance of any intended change regarding the appointment or replacement of other processors. The Controller may object to an intended change.

(4)           The objection to the intended change must be lodged with the Processor within 2 weeks after receipt of the information on the change. In the event of an objection, the Processor may, at his own discretion, either provide the service without the intended change or propose an alternative subcontractor and coordinate it with the Controller. Insofar as the provision of the service is unreasonable for the Processor without the intended modification – for example, due to the associated disproportionate costs for the Processor – or the agreement on an alternative subcontractor fails, the Controller and the Processor may terminate this Agreement as well as the Principal Agreement with a notice period of one month to the end of the month.

(5)           A level of protection comparable to that of this Agreement must always be guaranteed when other processors are involved. The Processor is liable to the Controller for all acts and omissions of other processors it appoints. The processor shall impose on the other processor the same data protection obligations as those set out in this agreement between the controller and the processor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR.

Sect. 10    Confidentiality

 

(1)           The Processor is obliged to maintain confidentiality when processing data for the Controller.

(3)           In fulfilling its obligations under this Agreement, the Processor undertakes to employ only employees or other agents who are committed to confidentiality in the handling of personal data provided and who have been appropriately familiarized with the requirements of data protection. Upon request, the Processor shall provide the Controller with evidence of the confidentiality commitments.

(4)           Insofar as the Controller is subject to other confidentiality provisions, it shall inform the Processor accordingly. The Processor shall oblige its employees to observe these confidentiality rules in accordance with the requirements of the Controller.

Sect. 11    Technical and organizational measures

(1)           The technical and organisational measures described in Annex 1 are agreed upon as appropriate. The Processor may update and amend these measures provided that the level of protection is not significantly reduced by such updates and/or changes.

(2)           The Processor shall observe the principles of due and proper data processing in accordance with Art. 32 in conjunction with Art. 5 (1) GDPR. It guarantees the contractually agreed and legally prescribed data security measures. It will take all necessary measures to safeguard the data and the security of the processing, in particular taking into account the state of the art, as well as to reduce possible adverse consequences for the affected parties. Measures to be taken include, in particular, measures to protect the confidentiality, integrity, availability and resilience of systems and measures to ensure continuity of processing after incidents. In order to ensure an appropriate level of processing security at all times, the Processor will regularly evaluate the measures implemented and make any necessary adjustments.

Sect. 12    Liability/Indemnification

(1)           The Processor shall be liable to the Controller for any and all loss or damage culpably caused in the performance of the services under the Principal Agreement or by a breach of applicable statutory data protection obligations on the part of the Processor, its employees or parties commissioned by it to implement the Principal Agreement. The Processor shall not be obliged to pay compensation if the Processor proves that it has processed the data provided by the Controller solely in accordance with the instructions of the Controller and that it has complied with its obligations arising from the GDPR specifically directed to processors.

(2)           The Controller shall indemnify the Processor against any and all claims for damages asserted against the Processor based on the Controller’s culpable breach of its own obligations under this Agreement or under applicable data protection and security regulations.

Sect. 14    Miscellaneous

 

(1)           In case of contradictions between the provisions contained in this Agreement and provisions contained in the Principal Agreement, the provisions of this Agreement shall prevail.

(2)           Amendments and supplements to this Agreement shall be subject to the mutual consent of the contracting parties, with specific reference to the provisions of this Agreement to be amended. Verbal side agreements do not exist and shall also be excluded for any subsequent changes to this Agreement.

(3)           This Agreement is exclusively subject to the laws of the Federal Republic of Germany.

(4)           In the event that access to the data which the Controller has transmitted to the Processor for data processing is jeopardized by third-party measures (measures taken by an insolvency administrator, seizure by revenue authorities, etc.), the Processor shall notify the Controller of such without undue delay.

Schedule of Annexes

 

Annex 1                Technical and organizational measures taken to ensure the security of processing

Annex 2                Subprocessors pursuant to Sect. 9 of this Data Processing Agreement

Annex 1

Technical and organizational measures to ensure the security of processing

 

The Processor guarantees that the following technical and organizational measures have been taken:

  1. Pseudonymization measures

Measures that reduce direct references to persons during processing in such a way that it is only possible to associate data with a specific person if additional information is included. The additional information must be kept separately from the pseudonym by appropriate technical and organizational measures.

Description of the pseudonymization: None, because processing takes place on a central server

  2. Encryption measures

Measures or operations in which a clearly legible text/information is converted into an illegible, i.e. not easily interpreted, character string (secret text) by means of an encryption method (cryptosystem).

Description of the encryption measure(s):

  • Exclusive use of known encryption libraries and encryption algorithms.
  • Use of suitable encryption algorithms (such as AES, 3DES, SHA2) and key sizes:

      Type          Key size in bits
      Symmetric     128
      Asymmetric    2048
      Hashes        200 – 256

  • Decrypt encrypted data only when in use.
  • Securely delete plain text data immediately after use.
  • Separate (encrypted) data and key.
  • Store keys on separate systems.
  3. Measures to ensure confidentiality
  3.1 Physical access control

Measures that physically deny unauthorized persons access to IT systems and data processing equipment used to process personal data, as well as to confidential files and data storage media.

Description of physical access control:

  • ID card reader, controlled key assignment, chip card, etc.
  • Door protection (electronic door opener, etc.)
  • Factory security/gatekeeper
  • Monitoring device (alarm systems, video surveillance)
  • Control system for visitors

 

 

  3.2 Logical access control

Measures to prevent unauthorized persons from processing or using data which is protected by data privacy laws.

Description of logical access control system:

  • System and data access are restricted to authorized users
  • Users must identify themselves with username and password
  • User rights are granted only to a limited extent
  • All logins/logoffs are recorded
  • Use of a central password policy
  3.3 Data access control

Measures to ensure that persons authorized to use data processing systems can only access personal data according to their access rights, so that data cannot be read, copied, changed or removed without authorization during processing, use and storage.

Description of data access control:

  • Authorization concepts (profiles, roles, etc.) and their documentation
  • Evaluation/logging
  • Encryption of data carriers
  • Archiving concept
  • Logging of access and abuse attempts
  • System and data access are restricted to authorized users
  • Users must identify themselves with username and password

 

  3.4 Separation rule

Measures to ensure that data collected for different purposes are processed separately and separated from other data and systems in such a way as to preclude the unplanned use of such data for other purposes.

Description of the separation control process:

  • Authorization concepts
  • Systems allow data segregation through different software
  • Production and test systems are separate from each other
  • Data records are only accessible through systems that are predefined
  • Database user rights are issued and managed centrally
  1. Further measures (if applicable)

[Please insert]

  4. Measures to ensure integrity
  4.1 Data integrity

Measures to ensure that stored personal data cannot be corrupted by means of a malfunctioning of the system.

Description of data integrity:

  • Import of new releases and patches with release/patch management
  • Functional test during installation and releases/patches by the IT department
  • Logging
  • Transport processes with individual responsibility
  4.2 Transmission control

Measures to ensure that it is possible to verify and establish to which bodies personal data may be or have been transmitted or made available using data communication equipment.

Description of transmission control:

  • Logging
  • Transport processes with individual responsibility
  • Checksums
  4.3 Transport control

Measures to ensure that the confidentiality and integrity of data is protected during transmission of personal data and transport of data carriers.

Description of transport control:

  • Transmission of data via encrypted data networks or tunnel connections (VPN)
  • Transport processes with individual responsibility
  • Encryption methods that detect data changes during transport
  • HTTPS
  • Comprehensive logging procedures

 

  4.4 Input control

Measures to ensure that it can be subsequently verified and ascertained whether and by whom personal data have been entered or modified in data processing systems.

Description of the input control process:

  • Logging of all system activities and keeping of these logs for at least three years
  • Protocol evaluation systems
  • Checksums
  • Digital signatures
  • Use of the central rights management for the entry, modification and deletion of data
  5. Measures to ensure availability and resilience
  5.1 Availability control

Measures to ensure that personal data are protected against accidental destruction or loss.

Description of the availability control system:

  • Regular backups are made.
  • Backup and recovery plan is in place.
  • Backup files are stored in a secure and remote location.
  • Localization
  • Data recovery is tested regularly
  • As well as various other measures of the server service providers
  5.2 Quick recovery

Measures to ensure the ability to quickly restore the availability of and access to personal data and used systems in the event of a physical or technical incident.

Description of the measures for quick recovery:

  • Data backup procedure
  • Regular tests of data recovery
  • Emergency plans
  5.3 Reliability

Measures to ensure that the functions of the system are available and malfunctions are reported.

Description of measures for reliability:

  • Automatic monitoring with email notification
  • Emergency plans with responsibilities
  • IT emergency service 24/7
  • Regular tests of data recovery
  6. Measures for the regular testing and evaluation of the security of data processing
  6.1 Verification process

Measures to ensure that the data are processed securely and in compliance with data protection regulations.

Description of verification process:

  • Data protection management
  • Formalized processes for data privacy incidents
  • Documentation of instructions received from the Controller
  • Formalized order management
  • Service level agreements for carrying out controls
  • Consultation of the external data protection officers on all data protection-related issues
  6.2 Order control

Measures to ensure that personal data processed on behalf of the Controller can only be processed in accordance with the instructions of the Controller.

Description of the order control measures:

  • Instructions from the Controller are documented
  • Formalized order management

 

Annex 2

Subprocessors pursuant to Sect. 9 Data Processing Agreement

 

The Processor currently works with the following subcontractors and the Controller hereby agrees to their appointment.

  1. Docusign

Company name: Docusign Germany GmbH

Data processing activity: electronic processing of contract documents

Location: Frankfurt, Germany

  2. Stripe

Company name: Stripe, Inc.

Data processing activity: Online payment processing

Location: San Francisco, USA

Guarantee of an adequate level of data protection in case of processing in third countries (outside the EU/EEA): Standard Contractual Clauses of the EU

  3. SendGrid / Twilio

Company name: Twilio Ireland Limited

Data processing activity: Mailing service provider

Location: Dublin, Ireland

Guarantee of an adequate level of data protection in case of processing in third countries (outside the EU/EEA): If the US parent company Twilio Inc. should receive data, it is certified according to the EU-US Privacy Shield.