Terms & Conditions

General Terms and Licensing Conditions for Companies

of Lano Software GmbH, Rosenthaler Str. 13, 10119 Berlin, Germany (hereinafter referred to as the Provider or Lano).

Version 1.4 – September 2020

§1 Scope

(1) These General Terms and Conditions for Business and Licensing (hereinafter referred to as “GTC”) in the version applicable at the time of the Customer’s order shall regulate the contractual relationship between the Provider (hereinafter referred to as “Lano” or the “Provider”) and people (hereinafter referred to as the “Customer”) who order software and accompanying services from the Provider. The Provider and the Customer are individually referred to as the “Party” and collectively as “Parties”.

(2) The Customer warrants that it is acting as an entrepreneur within the meaning of section 14 of the German Civil Code (BGB) in the exercise of its trade, business or profession. The Provider shall not conclude contracts with consumers.

(3) There are no verbal supplementary agreements between the Parties. These GTC shall apply exclusively. No deviating terms and conditions of the Customer, which are contrary to these GTC, shall apply; this shall also be the case if the Provider does not expressly contradict the Customer’s terms and conditions.

§2 Subject of the contract

(1) Lano offers its Customers a web-based, software-as-a-service solution for the management of local and international contractors (freelancers, service providers etc.). The software solution offered by Lano supports companies with onboarding, organisation and the payment of contractors.

(2) Contractors may also use the contractor version of Lano’s software for job management, invoicing and customer management. These GTC shall not apply to contractors, instead the Terms of Use for Contractors shall apply to them.

(3) The subject of the contract is the provision of the Software offered by Lano for the use of its functionalities (hereinafter referred to as “Software”), the provision of storage space for data generated by the Software or required for the use of the Software (hereinafter referred to as “Application Data”) as well as the provision of the selected module and, if applicable, support services by the Provider to the Customer against payment of the agreed fee by the Customer to the Provider.

(4) The functional scope of the Software arises from these GTC as well as the selected module (e.g. starter or individual package) and the service description specified in the ordering process (available at https://www.lano.io/en/pricing/). Unless the module information or the service description provides otherwise, the Provider shall not be obliged to provide further support services in regard to the subject of the contract. However, if not already concluded, a cooperation agreement may be agreed between the Parties at any time. Irrespective of the specific individual agreement between the Parties, the right of the Provider to administer, update and maintain the Software shall remain unaffected. The services agreed to be rendered to the Customer must not be impaired by this.

§3 Conclusion of the contract

(1) In order to be able to use the Software from Lano, a customer account must be created. Once registration has been completed, the Customer shall receive the access data, comprising the username and password.

(2) Should the Customer wish to order a module which is not included in the starter package, it may request it from the Provider via the Software.

(3) A contract between the Customer and the Provider regarding the respective module ordered shall only be concluded when the Provider accepts the order by email or in another way, for example by releasing the module in the Software to the Customer.

(4) The conditions under which a payment obligation arises differ depending on the module selected and are derived from the respective module description.

§4 Provision of the Software and hosting the Application Data

(1) At the latest during the course of the working day following conclusion of the contract, the Provider shall make the ordered Software available in its respective current version on one or more servers for use in accordance with the following provisions.

(2) The Provider shall be liable for ensuring that the module ordered and the Software provided are free of defects throughout the duration of the contract period, in particular that they are free from viruses and similar malware which nullify the suitability of the Software for use as per the contract. Insofar as the Provider obtains the Software from third parties, it must make the latest generally available version of the respective Software on the market available for use by the Customer no later than six months after general market release by the manufacturer. Insofar as the Provider manufactures the Software itself, it shall ensure that the Software it manufactures always corresponds to the tried and tested state of the art.

(3) Upon acceptance of the offer, the Provider shall send the Customer a link by email for the user (“Administrator”) specified by it at the time of ordering, via which the Customer can set a password. The Customer must choose a sufficiently secure password known only to it. Using its email address and the password chosen by the Customer, the Customer can log on to the website fms.lano.io in order to use the Software as the Administrator. The access data, including the password, must be kept secret by the Customer and not made available to unauthorised third parties. If permitted by the module selected, additional employees of the Customer appointed by it may be granted access to the Software. These and the Administrator are considered to be “authorised users”.

(4) The Customer may also send user invitations to contractors via the administration area of the fms.lano.io website using email addresses provided by it. During the registration process, the invited user is asked to provide their login information, contact details and a password. The user can use this data to log on to fms.lano.io after activation of the account and confirmation by the Customer in the user or contractor area. Contractor accounts within the meaning of this section 4 enable contractors to manage contract relations with several clients via the Lano website. The use of the contractor accounts is not exclusively limited to one customer or client.

(5) For access to the Software supplied, the Customer requires an Internet connection and an up-to-date browser of the types Internet Explorer, Chrome or Firefox. The Provider does not guarantee support for other browsers. Appropriate hardware is also required (e.g. an Internet-enabled terminal), which is able to run the above-mentioned browsers.

(6) The Provider shall make storage space available on the server for the Application Data from the date of initial provision of the service agreed in section 4(1). The storage space for the Application Data is generally limited to 500 GB, unless specified to the contrary due to the licence model chosen. The Parties may agree to a different provision in writing.

(7) The Customer has no claim to the provision of a particular server for its sole use. Provided that the Customer’s data files are kept separate and within the limits of the server’s capacity, the Provider may allow a large number of customers to use the server simultaneously.

(8) The Software and Application Data are backed up on the server regularly, at least daily. Backups are stored for 30 calendar days.

(9) The Customer shall inform the Provider without delay if there is a suspicion that the access data and/or passwords of the Customer or its users may have become known to unauthorised persons.

(10) If and to the extent that the provision of a new version or a change is accompanied by a change in the functionality of the Software, in the Customer’s work processes supported by the Software and/or by restrictions to the usability of previously generated data, the Provider shall notify the Customer of this in writing no later than six weeks prior to such a change taking effect. Should the Customer not object to the change in writing within a period of two weeks from receipt of the notice of the change, the change shall become part of the contract. Whenever such changes are announced, the Provider shall draw the Customer’s attention to the aforementioned deadline and the legal consequences of its expiry should the Customer not exercise its right to object.

(11) The transfer point for the Software and Application Data is the router output of the servers used by the Provider.

§5 Availability of the Software and access to the Application Data

(1) During the operating period (Mon-Fri: 7 a.m. to 8 p.m.), the Provider shall owe availability of the Software at the transfer point (interface between the Internet and the server hosting the Software) of 99% per month. The Parties understand availability to mean the possibility of using the Software at the transfer point in accordance with the contract.

(2) The Software is also considered to be available with

(a) disruptions to parts of the technical infrastructure or the Internet required for execution of the Software which are not to be provided by the Provider or its vicarious agents;

(b) disruptions or other events not caused by the Provider or its vicarious agents;

(c) scheduled unavailability within the scope of subsection 4;

(d) negligible reductions in the suitability of the Software for use in accordance with the contract.

(3) The Provider shall make available to the Customer a website (https://intercom.help/lano/) for support questions or error messages. In addition, the Provider may be reached via the contact information provided on its website (email addresses and telephone numbers) for support questions or error messages. Questions and error messages are processed in Berlin during working days between 7 a.m. and 8 p.m. within a reasonable period of time depending on the urgency of the matter.

(4) The Provider is entitled to arrange scheduled unavailability of the Software and/or the server for updates, maintenance, data backup and other work required on the Software and/or server. Such scheduled unavailability should be announced to the Customer with notice of at least one week and, as a rule, it should be scheduled at low-traffic times (Monday to Friday between 8 p.m. and 6 a.m. as well as on weekends and national public holidays). Prior notice by the Provider is not required for urgently needed work, e.g. to close security loopholes or to maintain functionality. During the scheduled unavailability, the Customer shall have no legal claim to use the Software and/or the server. Should the Customer use the Software and/or the server during the scheduled period of unavailability, however, it shall have no claim for defect liability or compensation in the event of a reduction in or suspension of service.

§6 Other services of the Provider

(1) Documentation

(a) The Provider shall provide the Customer online (e.g. at https://intercom.help/lano/) with information which enables the Customer to use the Software for the purposes stipulated in the contract. The information is to be regularly amended if there are significant changes to the use of the Software.

(b) Should the Provider supply third-party Software and no documentation in German/English is generally available from this third party, the Provider shall be entitled to provide only the documentation available to it.

(c) The Customer shall be entitled to store, print and reproduce a reasonable quantity of the documentation provided while maintaining existing trade mark notations. Otherwise, the restrictions on the use of the Software agreed under section 7 shall apply accordingly to the documentation.

(2) Further services of the Provider may be agreed at any time in text form (e.g. by email), in particular training on the application. Other such services shall be provided against reimbursement of the proven expenditure at the prices of the Provider generally applicable at the time of the order.

§7 Rights of use and application of the Software, rights of the Provider in the event that usage authorisation is exceeded

(1) The Customer shall receive simple, non-sublicensable and non-transferable rights of use for the Software, limited to the term of this contract, in accordance with the following provisions.

(2) Details of the rights of use result from the descriptions stipulated in the ordering process and the selected module, which apply as a supplement to these GTC.

(3) The Customer, and depending on the selected module, the Customer’s employees and users registered in accordance with section 4(4) and confirmed by the Customer shall be entitled to use the Software.

(4) The Customer’s right of use is limited to access to the Software on the server. There shall be no physical transfer of the Software to the Customer. The Customer may only use the Software for its own business activities.

(5) The Customer shall not be entitled to make changes to the Software. This does not apply to changes which are necessary for the correction of errors, provided that the Provider is in default with correction of the error, refuses to rectify the error or is unable to rectify the error due to the initiation of insolvency proceedings.

(6) Should the Provider create new versions, updates, upgrades or other new deliveries relating to the Software during the term, the above rights shall also apply to these.

(7) Insofar as rights are not expressly granted to the Customer, the Customer shall not be entitled to them. In particular, the Customer shall not be entitled to use the Software, including the source code, beyond its agreed use or to allow it to be used by third parties or to make the Software available to third parties. In particular, it shall not be permitted to copy, sell or transfer the Software for a limited period of time, especially not to lease or lend it. The Customer shall take the necessary precautions to prevent use of the Software by unauthorised persons.

(8) The Customer shall be responsible for ensuring that the website and Software supplied to it by the Provider are not used for purposes which are racist, discriminatory, pornographic, endanger the protection of minors, are politically extreme or otherwise illegal or in breach of official regulations, and that corresponding data, in particular Application Data, is not created and/or stored on the server. The Customer is responsible for the content posted by it and its users. The Provider does not check the contents for completeness, accuracy, legitimacy, topicality, quality or suitability for a specific purpose.

(9) The services available on the platform are intended exclusively for the intended purposes. Use for other commercial purposes is prohibited, unless such use has previously been expressly permitted by the Provider in writing. Unauthorised commercial use shall include, in particular, all offers and applications of paid content, services and/or products, both its own and those of third parties, and all offers, applications and activities with a commercial background such as competitions, prize draws, bartering, advertisements or pyramid schemes.

(10) In the event of a breach of the above provisions, the Provider shall reserve the right to block the Customer’s or user’s access, either temporarily or permanently, but not before corresponding notification and the granting of a reasonable period of time to remedy the breach by the Customer. In the event of a temporary or permanent block, the Provider shall block the access authorisation and notify the Customer accordingly. Should the Customer continue to infringe or repeatedly infringe the above regulations despite a corresponding reminder from the Provider and if it is responsible for this, the Provider may terminate the contract extraordinarily without observing a notice period. Further claims on the part of the Provider shall remain unaffected.

(11) Insofar as and to the extent that a database, databases, a database work or database works are created on the Provider’s server during the term of this contract, in particular through the compilation of Application Data, as a result of activities carried out by the Customer permitted under this Agreement, all rights thereto shall be transferred to the Customer. The Customer shall remain the owner of the databases or database works and the rights thereto after the end of the contract.

§8 Obligations and duties of the Customer

(1) The Customer shall be obliged not to interfere or permit interference with the Software outside of normal use or to penetrate or promote such penetration of the Provider’s data networks without authorisation (e.g. carrying out load and/or penetration tests).

(2) The Customer agrees that it shall only access the Software and Application Data on the basis of these GTC and any cooperation agreement and via the interfaces provided by the Provider. In addition, the Customer shall not circumvent any safeguards which the Provider has taken to protect the Software and Application Data.

(3) Furthermore, the Customer shall be obliged to notify the Provider immediately of any defects in the contractual services, in particular defects in the Software. Should the Customer fail to make notification in good time for reasons for which it is responsible, this shall constitute contributory cause or contributory negligence. Insofar as the Provider was unable to remedy the situation as a result of the omission or delay in the notification, the Customer shall not be entitled to reduce the agreed remuneration, wholly or in part, to demand compensation for the damage caused by the defect or to extraordinary termination of the contract due to the defect without notice. The Customer must demonstrate that it is not responsible for the failure to notify.

(4) The Customer shall keep the username and password it uses secret, shall not pass them on to any unauthorised third party and shall protect them from access by third parties using appropriate and standard measures. The same shall apply to other access data known to the Customer in association with the use of the Software as well as to access data for user accounts set up by the Customer itself. Should the username and/or password nevertheless become known to unauthorised third parties or should the Customer suspect that this is the case, the Customer is obliged to inform the Provider immediately. The access data of former employees must be immediately deactivated or changed by the Customer.

(5) The Customer shall indemnify the Provider against claims by third parties which are based on unlawful use of the Software by the Customer or which result from data protection, copyright or other legal disputes caused by the Customer in connection with use of the Software.

(6) The Customer shall ensure that it observes all rights of third parties to material used by it (e.g. when transmitting texts/data from third parties to the Provider’s server); it must also take appropriate measures to ensure that any content posted by users does not violate the rights of third parties.

(7) Before sending data and information to the Provider, the Customer must check them for viruses and use state-of-the-art antivirus programs.

(8) When the Customer transmits data to the Provider in order to generate Application Data, the Customer must back it up regularly and in accordance with the importance of the data, creating its own backup copies in order to enable reconstruction of the data and information in the event of their loss.

(9) If and to the extent that the Customer is given the technical opportunity to do so by mutual consent, it shall regularly save the Application Data stored on the server by download. In particular, the Customer may save invoices, profiles, templates and other documents on its own data carriers at any time using the export functionalities provided by the Provider. The Customer shall be responsible for compliance with the retention periods stipulated by commercial and tax law for invoices and other tax-relevant documents which can be retrieved via the export function. The obligation of the Provider to back up data in accordance with section 4(8) of this contract shall remain unaffected.

(10) The Customer shall require authorised users as per section 4(3) to comply with all the provisions of section 8 accordingly.

(11) The Customer may request a legal template document such as an NDA, a Contractor/Freelancer Agreement or another document through the Software. The Customer agrees and warrants that (i) the provision of legal templates is not a replacement for professional legal services, (ii) the legal template document does not create an attorney-client relationship or privilege between Lano and the Customer and (iii) the provision of the legal template document is not a solicitation to offer legal advice by Lano.

§9 Confidentiality

(1) Confidential information is information expressly designated as confidential by the Party providing the information and information, the confidentiality of which is clear from the circumstances of its transfer. The Application Data in particular shall be treated confidentially by the Provider, should it become aware of the data.

(2) No confidential information shall be deemed to exist if the Party receiving the information demonstrates that the information was known to it or generally available to it prior to the date of receipt; was known to the public or publicly available prior to the date of receipt; became known to or generally available to the public after the date of receipt without the Party providing the information being responsible for this.

(3) The Parties shall maintain confidentiality with regard to all confidential information of which they have knowledge within the scope of this contractual relationship and shall disclose such information to third parties only with the prior written consent of the other Party, irrespective of the purpose.

(4) Excluded from this is the transfer or disclosure of confidential information due to judicial or government orders and due to prior consent to the specific transfer by the other Party.

(5) The Parties shall undertake to protect all confidential information brought to their attention as part of the contract using appropriate confidentiality measures.

(6) The Provider shall be entitled to publish the name, logo and activity of the Customer as well as the type of activity exclusively for its own reference purposes, for example on websites operated by it, insofar as the Customer does not object to this in writing. In the event of an objection by the Customer, the Provider shall immediately remove the reference. Public statements by the Parties regarding their cooperation shall otherwise be made only by prior mutual written agreement.

(7) The obligations as per subsection 3 shall also exist for an indefinite period beyond the end of the contract, for as long as an exception as per subsection 2 has not been established.

§10 Data protection

(1) The Parties shall comply with the applicable data protection regulations, in particular those valid in Germany, and shall require their employees working in connection with the contract and its execution to maintain confidentiality in the handling of personal data, insofar as they are not already generally obliged to do so by law.

(2) Contractors may use their own accounts on fms.lano.io from Lano, as described in section 4(4). Insofar as data from the Customer’s contractors is processed when using the Software for the purposes of managing local and international contractors (e.g. within the scope of the functionalities for management of order relationships), the Parties shall act as joint controllers with regard to the processing of this data in accordance with Article 26 of the GDPR and the agreement on joint responsibility attached as Appendix 1. Should the Customer collect, process or use personal data (e.g. data on salaried employees or end customers of the Customer) with the help of the Software for purposes other than those described in the agreement on joint responsibility, the Customer shall, in principle, act as an independent controller within the meaning of Article 4(7) of the GDPR. In particular, it warrants that it is entitled to process personal data in accordance with the applicable regulations, in particular provisions of data protection law, and in the event of an infringement shall indemnify the Provider against third-party claims.

(3) Insofar as the personal data of authorised users is processed on the platform as per section 4(3), the Provider shall act as a Processor in accordance with Article 28 of the GDPR and the processing contract attached to this contract as Appendix 2.

(4) The Provider points out that usage activities may be monitored to the extent permitted by law. Where appropriate, this may also include the logging of IP connection data and of communication histories, as well as their analysis in the event of a concrete suspicion of a violation of these GTC and/or a concrete suspicion of any other illegal act or criminal offence.

§11 Remuneration and terms and conditions

(1) Remuneration for the services to be provided, the granting of use of the Software and the provision of storage space is based on the module selected in each case, the amount of which is stated in the ordering process. The Provider may adjust the amount of the fee in accordance with section 15.

(2) The fee for the selected module specified in the ordering process is collected automatically using the chosen method of payment. If the Customer has justifiably terminated the contract on exceptional grounds, the lump sum must be repaid on a pro rata basis.

(3) Payment may be made using the payment methods offered by the Provider. The Provider may instruct the payment service provider chosen by the Customer to make payments in accordance with the terms of this Agreement. The Provider shall reserve the right to exclude certain methods of payment. Insofar as payment against invoice is offered, the Provider shall reserve the right to carry out a credit check in individual cases.

(4) Other services shall be provided by the Provider at cost (time & material) according to the general list prices of the Provider valid at the time of the order.

(5) The Provider shall be entitled to send invoices in text form to the Customer’s email address it provided.

(6) Remuneration is payable plus VAT at the statutory rate applicable in each case.

(7) Offsetting by the Customer is not permitted unless the counterclaim by the Customer is undisputed or legally enforceable.

§12 Contacts and escalation level

(1) For the purpose of channelling communications, particularly in the event of disruptions to the service, the Parties shall each designate in writing a main contact who can make legally binding statements for the respective Party, or who can obtain such statements within four working days after the main contact of the other Party has informed them in writing of a situation and the need for a decision.

(2) If agreement at the level of the main contacts is not reached within six working days of notification of the facts and the need for a decision, the matter shall be submitted without delay to the respective management of the Parties or the representatives appointed by them for a decision. A final decision is to be reached at this escalation level within a period of a further six working days from receipt of the matter.

(3) The escalation deadlines specified above shall not inhibit response, execution, recovery or other deadlines agreed in this Agreement, including the appendices. However, before the escalation procedure has been completed, an extraordinary termination is generally ineffective if and to the extent that the termination is to be based on a difference of opinion between the Parties regarding the performance of services.

§13 Liability

(1) In the event of intent or gross negligence, the Parties shall be liable to each other without limitation for all damage caused by them and their legal representatives or vicarious agents.

(2) In the event of minor negligence, the Parties shall be liable without limitation for death, personal injury or damage to health.

(3) Otherwise, a Party shall only be liable if it has breached an essential contractual obligation. Essential contractual obligations are those obligations which are of particular importance to achievement of the goal of the contract as well as all those obligations which, in the event of a culpable breach, could jeopardise the achievement of the purpose of the contract. In such cases, liability shall be limited to reimbursement of the foreseeable, typically occurring damages. The Provider’s strict liability for compensation (section 536a of the German Civil Code) for defects existing at the conclusion of the contract is excluded; subsections 1 and 2 shall remain unaffected.

(4) Should the Provider default on operational provision of the Software, liability shall be governed by this section 13. The Customer shall be entitled to withdraw from the contract if the Provider does not comply with a two-week grace period set by the Customer, i.e. does not supply the full agreed functionality of the Software within the grace period.

(5) If, after operational provision of the Software and/or Application Data, the Provider should fail, either wholly or in part, to comply with the agreed obligations, the monthly flat-rate usage fee shall be reduced pro rata for the period during which the Software and/or the Application Data were not available to the Customer to the agreed extent or the storage space was not available to the agreed extent. Ongoing user fees shall apply only for transactions that were actually carried out despite the restriction or discontinuation of services using the Software. Should the Provider be responsible for this non-performance, the Customer may also claim compensation in accordance with Section 13(1).

(6) A party shall only be obliged to pay a contractual penalty if this contract expressly provides for this. A contractual penalty need not be reserved. Offsetting with and against it is permissible.

(7) Neither Party shall be obliged to fulfil its contractual obligations in the event of and for the duration of force majeure. In particular, the following circumstances shall be regarded as force majeure in this sense: fire/explosion/flooding for which the Party is not responsible; war, mutiny, blockade, embargo; more than six weeks of industrial action not culpably caused by the Party; technical Internet issues which are beyond the influence of either Party, this not applying if and to the extent that the Provider also supplies the telecommunications service. Each Party shall immediately notify the other Party in writing of the occurrence of an instance of force majeure.

(8) Liability under the German Product Liability Act shall remain unaffected.

§14 Duration, termination

(1) The contractual relationship begins with the conclusion of the contract and is for an indefinite period. The services shall be provided no later than on the working day following conclusion of the contract.

(2) A minimum contract term of one month shall apply. The contractual relationship may be terminated by either Party in writing with notice of one month to the end of the minimum contract term. Following expiry of the minimum contract term, the contract shall be extended again by the minimum contract term, unless the contract has been effectively terminated.

(3) Extraordinary termination due to or in association with a breach of duty shall only be possible following a prior written warning with a reasonable period of not less than 14 working days.

(4) Should the Party entitled to terminate the contract have been aware of circumstances justifying extraordinary termination for more than two months, it may no longer use them as a basis for termination.

(5) Notwithstanding the provisions of subsection 3, the Provider may terminate the contract without observing a notice period if the Customer is in arrears with payment of the prices, or a not inconsiderable part of the prices, for two consecutive months, or, over a period of more than two months, with payment of an amount equal to the fee for two months. In this case, the Provider may additionally claim flat-rate compensation in the amount of one quarter of the remaining monthly basic lump sum until the end of the regular contract period. The Customer retains the right to prove that lesser damage was incurred.

§15 Changes to this contractual relationship, price adjustments

(1) The Provider shall be entitled, at any time and without stating reasons, to amend provisions of these GTC that do not affect the essential provisions of the contract structure, provided that the change does not lead to a redesign of the contract structure as a whole. The essential provisions of the contract structure include, in particular, provisions relating to the type and scope of the contractually agreed services and to the duration and termination of the contract.

(2) Furthermore, the Provider shall be entitled to amend or supplement these GTC insofar as this is necessary to eliminate difficulties in the execution of the contract with the Customer due to regulatory loopholes which have arisen after conclusion of the contract. The amended conditions shall be emailed to the Customer at least six weeks prior to them coming into force. The changes shall be deemed to have been approved if the Customer does not object to them in text form. The objection must be received within six weeks of receipt of the notification of the amended conditions. The Provider shall make particular reference to the possibility of objection and the significance of the six-week period in the notification of the changed conditions. Should the Customer exercise its right of objection, the Provider’s wish for change shall be considered rejected. The contract shall then continue without the proposed amendments. The right of the Parties to terminate the contract shall remain unaffected.

(3) Under the following conditions, the Provider shall be entitled to increase the prices to be paid by the Customer for the recurring services to be provided within the scope of the contract in order to compensate for an increase in its total costs. The total costs shall consist of costs for the maintenance and operation of the digital (encryption and decryption) infrastructure, the technical supply of the Software including the costs for additional programs and features, fees for any copyright and ancillary copyrights, material costs, labour and incidental wage costs including contract and temporary work costs, costs for customer management (e.g. call centres, IT systems) and costs of general administration.

(a) Prices may only be adjusted up to the extent of the cost increase and equivalent to the share of the increased cost element in the total cost; it is permitted only if the cost increase is based on changes which occurred after conclusion of the contract and which were not initiated by the Provider. This is the case, for example, where sub-suppliers, vendors or other service providers of the Provider increase their prices, if the contractual services are subject to modified or additional taxes or levies or in the event of collective wage increases.

(b) Any cost savings shall be taken into account in the calculation of the Provider’s total cost burden. An increase in prices shall be permitted only once per calendar year. If circumstances which occurred after conclusion of the contract and which were not caused by the Provider lead to a reduction in the Provider’s total costs within the meaning of this clause, the Provider shall undertake to reduce the prices to be paid by the Customer to the extent of the cost reduction and according to the share of the reduced cost element in the total costs. The Provider may take into account any increases in individual costs, insofar as these have not already been taken into account in the context of a price increase.

(c) Should the increase in prices exceed 5% of the prices applicable up to the time of the increase, the Customer shall be entitled to terminate the contract within four weeks of receipt of the notification of the increase with effect from the time the increase comes into force. Should the Customer utilise this special right of termination, the increase shall not take effect and the contract shall be terminated with effect from the date on which the price increase comes into force. Should the Customer not terminate the contract or not terminate it within the time limit, the contract shall continue at the new service rate from the time specified in the notification.

(d) The Provider shall specifically draw the Customer’s attention to the right of termination and the consequences of termination not being made in due time as part of its notification of the increase in the service rate. The Provider shall inform the Customer of any adjustment to the service rate at least six weeks before its entry into force.

(4) Notwithstanding the above, the Provider shall be entitled to adjust the prices accordingly in the event of a change in the statutory VAT rate.

§16 Final provisions

(1) There shall be no additional verbal provisions outside this contract and its appendices. Any previous agreements on the subject of the contract shall hereby be rendered invalid. In order to be effective, any amendments or additions to this contract and its appendices must be made in writing (e.g. email). This shall also apply to the waiver of the requirement for written form.

(2) The possible invalidity of individual provisions of this contract shall not affect the validity of the remaining content of the contract. Should loopholes become apparent in the application of this contract for which the Parties have not provided, or should the invalidity of a provision be legally determined or determined by both Parties, they shall undertake to close or replace this loophole or invalid provision in a manner, which is appropriate and reflects the economic purpose of the contract.

(3) German substantive law applies to the contractual relationship.

(4) The exclusive place of jurisdiction shall be the registered office of the Provider unless a statutory provision mandates otherwise.

§17 List of appendices

Appendix 1: Contract for joint controllers as per Article 26 of the GDPR;

Appendix 2: Processing contract (PC) as per Article 28 of the GDPR.

Appendix 1 to the PC: Technical and organisational measures of the Provider

Appendix 2 to the PC: Subcontractual relationships of the Provider


Appendix 1

Agreement on cooperation as joint controllers within the meaning of Article 26 of the GDPR with respect to the contractors’ data

Preamble

The Customer (hereinafter: “Controller 2”) and the Provider (hereinafter: “Controller 1”) are independent companies which, within the scope of using the services of Controller 1, regularly jointly process personal data of the contractors in order to manage them. In this connection, they have jointly determined the purposes and means of processing. Between both Controllers, there is a relationship of joint responsibility for the contractors’ data as per Article 26 of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, the free movement of data and the repeal of Directive 95/46/EC, “GDPR”). With regard to the data of the employees of Controller 2, there exists a processing relationship as per Article 28 of the GDPR. The corresponding processing contract is attached as Appendix 2.

The Parties shall endeavour to comprehensively protect the privacy of the data subjects and their personal data and to guarantee lawful processing. The aim of this Agreement is to define transparently which of the contracting parties shall fulfil which of the obligations under the European General Data Protection Regulation, in particular with regard to the exercise of the rights of the data subjects as specified in Articles 12–23 of the GDPR, and how the information obligations as per Articles 13 and 14 of the GDPR are fulfilled. This Agreement is attached as Appendix 1 to the General Terms and Conditions.

Against this background, the contracting parties shall agree the following:

Section 1 Scope and definitions

(1) The following provisions apply to all services provided by Controller 1 to Controller 2 on the basis of the Main Contract.

(2) Should the term “data processing” or “processing” be used in this Agreement, this shall generally refer to the use of personal data. Data processing or the processing of data refers to any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, synchronisation or combination, blocking, erasure or destruction.

(3) Reference is made to the other definitions in Article 4 of the GDPR.

(4) Controllers 1 and 2 are hereinafter abbreviated to C1 and C2.

Section 2 Functions and relationships of the joint controllers with respect to the data subjects

(1) C1 offers contractors various software-as-a-service solutions as a digital platform (in particular under lano.io) and as an app for order management, invoicing, customer management and comparable functionalities. With the help of the software offered by C1, contractors can network with C2. C2 is able to manage its orders with contractors using C1’s software and thus, in particular, has access to the data that the contractors provide in their profile and for order performance and order settlement.

(2) The contracting parties shall process the personal data of the following data subjects:

  1. Contractor

(3) The contracting parties process the following categories of data:

  1. Profile data (name, form of address, title/academic degree, date of birth, self-description, skills, photo)
  2. Contact details (email address, telephone number, address)
  3. Order data of orders from C2 (order details, services)
  4. Order history
  5. Order billing data and payment information (invoice details, bank details, credit card information)
  6. Other documents provided by C2 or the data subject for C2

Section 3 Purposes and means of data processing

The Parties shall jointly determine the following purposes and means of processing:

The main purpose of data sharing is the management of the above-mentioned data for order generation and settlement between the data subjects and C2 by means of C1’s platform.

Section 4 Contact point for data subjects

The Parties have not established a central contact point for questions from data subjects regarding data protection issues arising as a result of joint data processing. Data subjects may either contact

Lano Software GmbH,

Rosenthaler Str. 13

10119 Berlin

Germany

or

the contact address of C2.

Section 5 Transfer to third countries and subcontractors

The processing and use of data by both C1 and C2 shall take place exclusively within the territory of the Federal Republic of Germany, in a Member State of the European Union or in another State party to the Agreement on the European Economic Area. Any relocation to a third country must be communicated to the other Controller and may only take place if the specific requirements of Article 44 et seq. of the GDPR have been fulfilled.

C2 shall agree to the use of the subcontractors of C1 listed in Appendix 3.

Section 6 Technical and organisational measures

The Contracting Parties shall undertake, in particular in compliance with the principles of correct data processing as per Article 32 in conjunction with Article 5(1) of the GDPR, to ensure through appropriate controls that the jointly processed personal data is processed exclusively in accordance with this Agreement and the underlying Main Contract. The joint controllers shall mutually assure each other that the personal data shall be handled securely and in compliance with data protection regulations. In particular, they will ensure the following safeguards:

  • Unauthorised persons shall be denied access to personal data. This shall apply irrespective of whether the data is stored in electronic form or as hard copy.
  • Computer systems are to be secured by passwords and kept technically up to date.
  • The personal data may only be viewed and processed by those persons who are entrusted with the specific order processing. Employees are obliged to treat personal data confidentially.
  • The data of different clients or business partners is systematically separated according to the task.
  • Insofar as the Controllers determine that special transmission methods are necessary according to the state of the art in order to guarantee the secure transmission of electronically stored data, these shall be implemented.
  • The Controllers shall mutually assist each other in the fulfilment of the rights of the data subjects, in particular with regard to data portability, rectification, restriction of the processing and erasure, notification and exchange of information, upon first request and within the scope of their abilities. Should a Controller receive a data protection request from a data subject which is also relevant for the other Controller, the Controller shall immediately forward this request to the other Controller, leaving them to respond to the request, or carry it out jointly.
  • Furthermore, the Controllers shall support each other in all other obligations arising for the Controllers from the GDPR and, if applicable, from other data protection regulations and special statutes which concern joint data processing.

Section 7 Mutual information obligations

The Controllers shall immediately inform each other of any disruptions, breaches of data protection law or of the provisions laid down in this Agreement by the persons employed by them, and of any suspected breaches or irregularities in the processing of personal data relating to joint data processing. This shall apply, in particular, to unauthorised access to personal data by third parties (e.g. hacking). The Controller at which the data protection breach occurred shall document the incident, including its effects and the remedial measures taken, and make this documentation available to the other Controller at any time on request. Should a Controller be unable to comply with its legal reporting obligation due to delayed, incomplete, incorrect or otherwise improper information from the other Controller, the other Controller shall compensate all damages resulting from this delay. The Controllers shall support each other in the comprehensive and timely fulfilment of any reporting obligations.

In the event of any control measures taken by a data protection supervisory authority, or in the event of other requests, investigations or enquiries by the data protection supervisory authority, the Controllers shall inform each other without delay of the implementation of the control measure as far as personal data relating to joint processing is concerned.

C2 shall appoint a contact for C1 to whom messages as per sections 7 and 8(3) are to be sent.

Section 8 Distribution of duties in response to rights of data subjects

(1) In the event that a data subject asserts rights to the rectification, erasure or blocking of personal data or to information about the stored personal data, the Party against whom the rights are asserted shall be responsible for the fulfilment of the claims of the data subject.

(2) Should the rights of a data subject be asserted in accordance with the preceding paragraph, the Parties shall mutually assist each other to the extent necessary or appropriate to safeguard the rights of the data subjects.

(3) The Parties shall be obliged to notify each other without delay if a data subject asserts rights in accordance with subsection 1, unless it can be excluded that the assistance of the other Party is necessary in accordance with subsection 2.

Section 9 Fulfilment of information obligations

(1) C1 has formulated a privacy policy for the platform at lano.io and for the app. C1 is responsible for the legality and completeness of the privacy policy. C1 shall provide all information to the data subjects in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

(2) C1 shall amend and supplement the online privacy policy insofar as this is necessary or appropriate due to changes in the data processing procedures or for legal reasons. Should C2 become aware of circumstances that make it necessary or appropriate to amend or supplement the privacy policy, C2 shall notify C1 immediately.

(3) C1 shall undertake to make the essential content of this agreement on joint responsibility available to the data subjects (Article 26(2) of the GDPR).

Section 10 Miscellaneous

(1) In the event of any conflicts between the provisions of this Agreement and the provisions of the Main Contract, the provisions of this Agreement shall prevail.

(2) Amendments and additions to this Agreement shall require the mutual consent of the Parties, with specific reference to the provisions of this Agreement to be amended. There are no verbal supplementary agreements and they are also excluded for future amendments to this Agreement.

(3) This Agreement shall be subject to German law.

(4) Should access to the data be prevented by third-party measures (e.g. measures taken by an insolvency administrator, seizure by tax authorities etc.), the Parties shall notify each other.


Appendix 2

Processing contract within the meaning of Article 28 of the GDPR with regard to the data of employees in the company

Preamble

Between the Customer (hereinafter referred to as: “Controller”) and the Provider (hereinafter referred to as: “Processor”) there exists a contractual relationship within the meaning of Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, the free movement of data and the repeal of Directive 95/46/EC, “GDPR”) with regard to the data of the Controller’s users. Joint responsibility shall exist with regard to the data of the contractors in accordance with Article 26 of the GDPR. The corresponding agreement is attached as Appendix 1.

This Agreement, including all appendices (collectively referred to as the “Agreement”), specifies the data protection obligations of the Parties arising from the underlying General Terms and Conditions for Business and Licensing (“GTC”). This Agreement is attached as Appendix 2 to the General Terms and Conditions.

The Processor shall commit to the Controller to fulfil this Agreement in accordance with the following provisions:

Section 1 Scope and definitions

(1) The following provisions apply to all processing services within the meaning of Article 28 of the GDPR which the Processor provides to the Controller on the basis of the Main Contract.

(2) Should the term “data processing” or “processing” of data be used in this Agreement, this shall generally refer to the use of personal data. Data processing or the processing of data refers to any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, synchronisation or combination, blocking, erasure or destruction.

(3) Reference shall be made to the other definitions in Article 4 of the GDPR.

Section 2 Subject and duration of the data processing

(1) The Processor shall process personal data on behalf of and in accordance with the instructions of the Controller.

(2) The subject of the order is the use of the platform provided by the Processor as software-as-a-service (“SaaS”) for the management of the Controller’s contractors and the associated management of the Controller’s authorised employees on the Processor’s platform, within the scope agreed with the Processor in accordance with the GTC.

(3) This Agreement shall apply exclusively to the processing of personal data by the Processor in accordance with the instructions given and which is limited to the user accounts of the Controller’s employees. Insofar as the Parties are deemed to be acting independently or jointly according to data protection law, this Agreement shall not apply.

(4) The duration of this Agreement corresponds to the duration of the Main Contract.

Section 3 Type and purpose of data processing

The type and purpose of the processing of personal data by the Processor are specified in the GTC. This includes the following activities and purposes:

The Processor provides the Controller with its platform as a software-as-a-service service. The Controller uses the platform to manage its contractors and set up corresponding user accounts for its employees.

This management includes contract management and compliance, sourcing, payment, onboarding, HR planning, monitoring, budget planning and internal performance evaluation.

Section 4 Categories of data subjects

Under this Agreement, personal data of the following categories of data subjects is to be processed:

  • Employees of the Controller

Section 5 Type of personal data

The following types of data are affected by order processing:

  • Registration data (address, name, date of birth, business contact details)
  • Profile data (photo, language)
  • Activities in the software (project management, partner network, invoice payment)

Section 6 Rights and obligations of the Controller

(1) The Controller shall have sole responsibility for assessing the admissibility of data processing and for safeguarding the rights of the data subjects and is thus the controller within the meaning of Article 4(7) of the GDPR.

(2) The Controller is entitled to issue instructions regarding the type, scope and methods of data processing. At the request of the Processor, verbal instructions shall be confirmed immediately by the Controller in writing or in text form (e.g. by email).

(3) Insofar as the Controller considers it necessary, persons authorised to issue instructions may be named. The Controller shall inform the Processor of this in writing or in text form. In the event that these persons authorised to issue instructions change at the Controller, the Processor shall be informed of this in writing or in text form, with designation of the new person.

(4) The Controller shall notify the Processor immediately if errors or irregularities are discovered in association with the processing of personal data by the Processor.

Section 7 Obligations of the Processor

(1) Data processing

The Processor shall process personal data exclusively in accordance with this Agreement and/or the underlying Main Contract, as well as in accordance with the instructions of the Controller.

(2) Rights of the data subject

The Processor shall support the Controller as far as possible in fulfilling the rights of the data subjects, in particular with regard to rectification, restriction of processing and erasure, notification and provision of information. Should the Processor process the personal data referred to in Section 5 of this Agreement on behalf of the Controller and should this data be the subject of a request for data portability as per Article 20 of the GDPR, the Processor shall make the relevant data record available to the Controller within a reasonable period of time, and at the latest within seven working days, in a structured, commonly used and machine-readable format.

At the instruction of the Controller, the Processor shall correct, erase or restrict the processing of the personal data referred to in Section 5 of this Agreement, which are processed by order. The same shall apply if this Agreement provides for the correction, erasure or restriction of the processing of data.

Insofar as a data subject contacts the Processor directly for the purpose of correcting, erasing or restricting the processing of the personal data referred to in Section 5 of this Agreement, the Processor shall forward this request to the Controller immediately upon receipt.

(3) Control obligations

The Processor shall ensure, by means of appropriate controls, that the personal data processed in the order is processed exclusively in accordance with this Agreement and/or the Main Contract and/or the corresponding instructions.

The Processor shall organise its company and operating procedures in such a way that the data processed on behalf of the Controller is secured to the extent necessary in each case and is protected against unauthorised access by third parties.

The Processor confirms that it has designated a data protection officer in accordance with Article 37 of the GDPR and, if applicable, in accordance with section 38 of the Federal Data Protection Act (BDSG), and that it monitors compliance with data protection and data security regulations with the involvement of the data protection officer. The data protection officer of the Processor is currently:

Ms Inna Gendelman

support@lano.io (marking your letter “FAO Data protection officer”)

(4) Information obligations

For its part, the Processor shall notify the Controller immediately if, in its opinion, an instruction issued by the Controller violates statutory provisions. The Processor shall be entitled to suspend execution of the relevant instruction until it is confirmed or amended by the Controller.

The Processor shall support the Controller in complying with the obligations referred to in Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to it.

(5) Location of the data processing

The processing of the data shall take place principally within the territory of the Federal Republic of Germany, in a Member State of the European Union or in another State party to the Agreement on the European Economic Area. Any relocation to a third country may only occur if the specific requirements of Article 44 et seq. of the GDPR have been fulfilled.

(6) Erasure of personal data following completion of order

Following termination of the Main Contract, the Processor shall either erase or return all personal data processed on behalf of the Controller, provided that the erasure of said data does not conflict with any statutory storage obligations of the Processor. The erasure related to data protection is to be documented and confirmed to the Controller on request.

Section 8 Control rights of the Controller

(1) Following timely prior notification during normal business hours and without interrupting the operations of the Processor or endangering the safeguards for other controllers and at its own expense, the Controller shall be entitled to check compliance with the regulations on data protection and the contractual agreements to the extent required either itself or via third parties. The controls may also be carried out by accessing the Processor’s existing industry-standard certifications, current audits or reports from an independent party (such as a certified accountant, external data protection officer, auditor or external data protection auditor) or via self-reporting. The Processor shall provide the necessary assistance to carry out the checks.

(2) The Processor shall inform the Controller of the implementation of control measures taken by the supervisory authority insofar as the measures or data processing may concern that carried out by the Processor for the Controller.

Section 9 Subcontractual relationships

(1) The Controller shall authorise the Processor to use other processors in accordance with the following paragraphs in Section 9 of this Agreement. This authorisation shall constitute general written authorisation as per Article 28 (2) of the GDPR.

(2) In fulfilling the order, the Processor is currently working with the subcontractors named in Appendix 2, whose engagement the Controller has agreed to.

(3) The Processor shall be entitled to engage other processors or to replace processors already engaged. The Processor shall notify the Controller in advance of any intended changes with regard to the involvement or replacement of a further processor. The Controller may object to an intended change.

(4) The objection to the proposed change shall be raised with the Processor within 2 weeks of receipt of the information about the change. In the event of an objection, the Processor may, at its own discretion, provide the service without the intended change or propose an alternative additional processor and agree this with the Controller. Should provision of the service without the intended change not be reasonable to the Processor – for example, due to the associated disproportionate expenses for the Processor – or if agreement on another processor fails, the Controller and the Processor may terminate this Agreement and the Main Contract with notice of one month to the end of the month.

(5) Where a further processor is engaged, a level of protection of personal data comparable to that of this Agreement must always be guaranteed. The Processor shall be responsible to the Controller for all acts and omissions of the further processors engaged by it.

Section 10 Confidentiality

(1) The Processor shall be obliged to maintain confidentiality when processing data for the Controller.

(2) When fulfilling the order, the Processor shall be obliged to use only employees or other vicarious agents who themselves are obliged to maintain confidentiality when handling the personal data provided and who have been familiarised with the data protection requirements in an appropriate manner. On request, the Processor shall provide evidence to the Controller of the performance of these obligations.

(3) Should the Controller be subject to other rules regarding confidentiality, it shall inform the Processor accordingly. The Processor shall require its employees to comply with these confidentiality rules in accordance with the requirements of the Controller.

Section 11 Technical and organisational measures

(1) The technical and organisational measures set out in Appendix 1 shall be agreed as appropriate. The Processor may update and amend these measures, provided that such updates and/or changes do not significantly reduce the level of protection.

(2) The Processor shall observe the principles of proper data processing in accordance with Articles 32 and 5(1) of the GDPR. It guarantees the contractually agreed and legally required data security measures. It shall take all necessary measures to secure the data or ensure the security of processing, in particular also taking into account the state of the art, as well as to mitigate potentially adverse consequences for data subjects. The measures to be taken shall include, in particular, measures to protect the confidentiality, integrity, availability and resilience of the systems and measures to ensure continuity of processing after incidents. In order to always be able to guarantee an appropriate level of processing security, the Processor shall regularly evaluate the measures implemented and make adjustments if necessary.

Section 12 Liability/exemption

(1) The Processor shall be liable to the Controller in accordance with the statutory provisions for all damage caused by culpable breaches of this Agreement or the statutory data protection provisions applicable to it which the Processor, its employees or those commissioned by it to execute the contract cause in the performance of the contractual service. The Processor shall not be obliged to pay damages, provided that the Processor proves that it processes the data of the Controller provided to it exclusively in accordance with the instructions of the Controller and has complied with its obligations from the GDPR specifically imposed on Processors.

(2) The Controller shall indemnify the Processor against all claims of third parties which are asserted against the Processor as a result of a culpable breach of the obligations under this Agreement or applicable data protection regulations by the Controller.

Section 13 Miscellaneous

(1) In the event of any conflicts between the provisions of this Agreement and the provisions of the Main Contract, the provisions of this Agreement shall prevail.

(2) Amendments and additions to this Agreement shall require the mutual consent of the Parties, with specific reference to the provisions of this Agreement to be amended. There are no verbal supplementary agreements and they are also excluded for future amendments to this Agreement.

(3) This Agreement shall be subject to German law.

(4) If access to the data that the Controller has transmitted to the Processor for data processing is jeopardised by third-party measures (e.g. measures taken by an insolvency administrator, seizure by tax authorities etc.), the Processor must immediately notify the Controller of this.

Appendix 1

Technical and organisational measures to ensure data processing security

The Processor agrees to have undertaken the following technical and organisational measures:

A Measures for pseudonymisation

Measures that reduce direct personal references during processing in such a way that a specific data subject can only be identified with the inclusion of additional information. The additional information is to be kept separately from the pseudonym using appropriate technical and organisational measures.

Description of the pseudonymisation: None, as the data is processed on a central server.

B Measures for encryption

Measures or operations by which legible text or information is converted, by means of an encryption process (cryptosystem), into an illegible string (ciphertext) that cannot be readily interpreted:

Only known encryption libraries and encryption algorithms are to be used.

Use of appropriate cryptographic algorithms (such as AES and 3DES for encryption, SHA-2 for hashing) and key sizes

Key size in bits by type:

Symmetrical: 128

Asymmetrical: 2048

Hashes: 200 – 256

Encrypted data is to be decrypted only when used.

Plain text data is to be securely deleted immediately after use.

Separation of (encrypted) data and keys.

Store keys on separate systems.
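Section B lists its requirements separately (keys of at least the tabled size, encrypted data kept apart from keys, keys held on a separate system, decryption only at the moment of use, plaintext wiped afterwards) without showing how they fit together. The Go program below is an added example written for this page; it is not Lano's code and does not describe Lano's systems. It combines the requirements as envelope encryption with AES-128-GCM: every record gets its own data key, the data key is wrapped by a hypothetical KeyStore type that stands in for the separate key-holding system, the data side stores only ciphertext plus the wrapped key, and plaintext exists only inside a callback and is zeroed when it returns. It assumes the tabled 128-bit symmetric size is a minimum (the table does not say so) and the record contents in the test are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Symmetric key size from the Appendix 1 B table, treated here as a minimum.
const MinSymmetricBits = 128

// newGCM refuses keys below the tabled size, then builds an AES-GCM AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key)*8 < MinSymmetricBits {
		return nil, fmt.Errorf("key is %d bits, table requires %d", len(key)*8, MinSymmetricBits)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates with AES-GCM, prepending the random nonce.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open fails on a wrong key and on any modification of the ciphertext.
func Open(key, box, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(box) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, box[:aead.NonceSize()], box[aead.NonceSize():], aad)
}

// RandomKey returns a fresh AES-128 key from the OS CSPRNG.
func RandomKey() ([]byte, error) {
	k := make([]byte, MinSymmetricBits/8)
	_, err := rand.Read(k)
	return k, err
}

// KeyStore is a hypothetical stand-in for the separate system that holds the
// key-encryption key (KEK). It only wraps and unwraps per-record data keys;
// the KEK itself is never handed to the data-holding side.
type KeyStore struct{ kek []byte }

// NewKeyStore is provisioned with a KEK that lives only on the key side.
func NewKeyStore(kek []byte) *KeyStore { return &KeyStore{kek: kek} }

func (ks *KeyStore) Wrap(dek []byte) ([]byte, error)      { return Seal(ks.kek, dek, []byte("dek")) }
func (ks *KeyStore) Unwrap(wrapped []byte) ([]byte, error) { return Open(ks.kek, wrapped, []byte("dek")) }

// Record is all the data system stores: ciphertext and the wrapped data key,
// never the plaintext and never the KEK.
type Record struct{ Ciphertext, WrappedDEK []byte }

// EncryptRecord uses a fresh data key per record and zeroes it before returning.
func EncryptRecord(ks *KeyStore, plaintext []byte) (Record, error) {
	dek, err := RandomKey()
	if err != nil {
		return Record{}, err
	}
	defer zero(dek)
	ct, err := Seal(dek, plaintext, nil)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := ks.Wrap(dek)
	return Record{Ciphertext: ct, WrappedDEK: wrapped}, err
}

// UseRecord decrypts only for the duration of use(); the plaintext and the
// unwrapped data key are zeroed as soon as use() returns.
func UseRecord(ks *KeyStore, r Record, use func(plaintext []byte)) error {
	dek, err := ks.Unwrap(r.WrappedDEK)
	if err != nil {
		return err
	}
	defer zero(dek)
	pt, err := Open(dek, r.Ciphertext, nil)
	if err != nil {
		return err
	}
	defer zero(pt)
	use(pt)
	return nil
}

// zero overwrites a buffer so plaintext and keys do not linger after use.
func zero(b []byte) { copy(b, make([]byte, len(b))) }
```

GCM is an authenticated mode, so the "encryption methods which detect data changes" item under transport control is covered by the same primitive: a single flipped byte in a stored or transmitted record makes Open fail rather than return corrupted plaintext. The example uses AES only; of the algorithms the section names, 3DES is a legacy cipher and SHA-2 is a hash family rather than an encryption algorithm.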

C Measures to safeguard confidentiality

Admittance control

Measures which physically prevent unauthorised persons from admittance to IT systems and data processing systems used to process personal data, as well as confidential files and data carriers:

Description of the admittance control system:

Pass reader, controlled key distribution, chip card etc.

Door locking (electronic door opener etc.)

Porter

Surveillance equipment (alarm systems, video)

System access control

Measures to prevent unauthorised persons from processing or using data protected by data protection laws.

Description of the access control system:

System and data access are restricted to authorised users

Users must identify themselves with username and password

User rights are granted only to a limited extent

All logins/logouts are recorded

Use of a central password policy

Data access control

Measures to ensure that persons authorised to use the data processing system may access only that data which they are authorised to access, so that personal data cannot be read, copied, altered or removed without authorisation during processing, use and storage.

Description of the data access control system:

Authorisation policies (profiles, roles etc.) and their documentation

Evaluation/logs

Encryption of data carriers

Archiving concept

Logging of access and attempted misuse

System and data access are restricted to authorised users

Users must identify themselves with username and password

Separation rule

Measures to ensure that data collected for different purposes is processed separately and is therefore separated from other data and systems in such a way as to prevent unplanned use of such data for other purposes.

Description of the separation control process:

Authorisation policies

Systems allow data segregation by different software

Productive and test systems are separated from each other

Records are only accessible via systems which are predefined

Database user rights are centrally issued and managed

D Measures to ensure integrity

Data integrity

Measures to ensure that stored personal data is not damaged by system malfunctions:

Description of the data integrity:

Installation of new releases and patches with release/patch management

Functional test of installation and releases/patches by IT department

Logging

Transport processes with individual responsibility

Transmission control

Measures to ensure that it is possible to verify and determine the bodies to which personal data has been or may be transmitted or made available using data communication equipment:

Description of the transmission control:

Logging

Transport processes with individual responsibility

Checksums

Transport control

Measures to ensure that the confidentiality and integrity of personal data are protected during the transfer of personal data and when transporting data carriers:

Description of the transport control:

Transmission of data via encrypted data networks or tunnelling connections (VPN)

Transport processes with individual responsibility

Encryption methods which detect data changes during transport

HTTPS

Comprehensive logging procedures

Input control

Measures to ensure that it is possible after the fact to check and ascertain whether personal data has been entered into, altered in, or removed from data processing systems and, if so, by whom.

Description of the input control process:

Logging all system activities and retaining these logs for at least three years

Log evaluation systems

Checksums

Digital signatures

Use of centralised rights management to input, modify and delete data

E Measures to ensure availability and resilience

Availability control

Measures to ensure that personal data is protected from accidental destruction or loss.

Description of the availability control system:

Backups are created on a regular basis

There is a backup and recovery plan in place

Backup files are stored in a secure and remote location

Localisation

Data recovery is regularly tested

Various further measures taken by the server hosting providers

Rapid recoverability

Measures to ensure the ability to rapidly restore the availability of and access to personal data in the event of a physical or technical incident

Description of the measures for rapid recoverability:

Data backup procedures

Regular testing of data recoverability

Emergency plans

Reliability

Measures to ensure that all system functions are available and that any malfunctions which occur are reported:

Description of the reliability measures:

Automatic monitoring with email notification

Emergency plans with responsibilities

IT emergency service 24/7

Regular tests to restore data

F Measures for the regular evaluation of data processing security

Review procedures

Measures which ensure data processing is secure and complies with data protection requirements.

Description of the review procedures:

Data protection management

Formalised processes for data protection incidents

Instructions from the client are documented

Formalised job management

Service level agreements for executing controls

Involvement of external data protection officers in all data protection issues

Order control

Measures to ensure that personal data processed on behalf of others is processed only in strict compliance with the client’s instructions:

Description of the order control measures:

Instructions from the client are documented

Formalised job management

Appendix 2

Subcontractual relationships

For performance of the order, the Processor currently works with the following other processors, which the Controller has agreed to engage.

Docusign

Name/company: Docusign Germany GmbH

Function/services: Electronic processing of contractual documents

Registered office: Frankfurt, Germany

Stripe

Name/company: Stripe, Inc.

Function/services: Online payment processing

Registered office: San Francisco, USA

Guarantee of an adequate level of data protection in the event of processing in third countries (outside the EU or EEA): The standard contractual clauses of the EU Commission have been concluded with Stripe.

Sendgrid / Twilio

Name/company: Twilio Ireland Limited

Function/services: Email delivery platform

Registered office: Dublin, Ireland

Guarantee of an adequate level of data protection in the event of processing in third countries: The contracting partner is Twilio Ireland Limited. Should the US parent company Twilio Inc. receive data, it is certified under the EU-US Privacy Shield.

Google Analytics

Name/company: Google LLC

Function/services: Data analysis

Registered office (city, country): Mountain View, USA

Guarantee of an adequate level of data protection in the event of processing in third countries: Google LLC is certified under the EU-US Privacy Shield.

Fin API

Name/company: finAPI GmbH

Function/services: Payment gateway

Registered office (city, country): Munich, Germany

Currencycloud

Name/company: Currencycloud Ltd

Function/services: Payment service

Registered office (city, country): London, UK