GTC & DPA for Driver/Courier

Table of Contents

1. Scope, Contracting Party, and Definitions
2. Subject of the Contract
3. Provider’s Services
4. Registration, Contract Conclusion
5. Contract Conclusion for Orders
6. Usage Rights
7. Support
8. Software Availability
9. Obligations of the BikeMessenger
10. Remuneration and Payment Terms
11. Liability for Defects
12. Liability for Damages
13. Legal Defects and Indemnification
14. Contract Duration and Termination
15. Data Protection and Confidentiality
16. Changes to the GTC
17. Final Provisions

1. Scope, Contracting Party, and Definitions

   1. The following General Terms and Conditions (hereinafter “GTC”) apply to all contracts between Martin Hawel, BikeMessenger24, Radlkoferstraße 2, 81373, Munich Germany, Tel.: +49 (0) 176 - 42006699, Email: mail@bikemessenger24.com (hereinafter neutrally referred to as “Provider”) and the customers (hereinafter neutrally referred to as “Messenger”, collectively also “Parties”) of the Provider.

   2. The Provider’s GTC apply exclusively. If the Messenger uses any General Terms and Conditions that oppose or supplement these, they are hereby rejected; they will only become part of the contract if the Provider expressly agrees to them.

   3. These GTC apply exclusively if the Messenger is an entrepreneur. An entrepreneur, per § 14 BGB, is a natural or legal person or a legally responsible partnership that enters into a legal transaction in the course of its commercial or independent professional activity. Conversely, a consumer, per § 13 BGB, is any natural person who enters into a legal transaction primarily for purposes that are neither commercial nor independent professional activities.

   4. Unless otherwise agreed between the Parties, these GTC shall apply to the Messenger in the version valid at the time of the Messenger’s order or, in any case, in the version last communicated to the Messenger in text form as a framework agreement for similar future contracts, without the Provider needing to refer to them again in each individual case. Individually concluded framework agreements or other contracts with the Messenger (including side agreements, additions, and amendments) take precedence in all cases and are merely supplemented by these GTC.

2. Subject of the Contract

   1. The subject of the contract is the provision, for a fee and limited to the contract term, of the use of the mobile application “App BikeMessenger24Driver” (hereinafter “App” or “Software”) for the Messenger's business via the internet.

   2. The use of the Software is provided through an app. The use of the app is subject to the terms of the respective app store provider, which are agreed to by the Messenger upon downloading the mobile application.

   3. The Software may contain links to external web services or third-party services. These GTC do not apply to such services, which are provided by a third party on their websites, even if they are free of charge and/or require registration with the Provider. For these services, only the General Terms and Conditions provided by the third-party provider before using the services or the statutory provisions in the relationship between the Messenger and the third-party provider apply. In this respect, the Provider only facilitates technical access to these services.

   4. Delivery orders are posted by visitors (hereinafter “MessengerCustomers”) to the BikeMessenger24.com website or by affiliated partners of the Provider. MessengerCustomers can be either consumers under § 13 BGB or entrepreneurs under § 14 BGB.

   5. The Provider creates, maintains, and supports the Software or app but does not act as a contracting party or intermediary between the Messenger and MessengerCustomers. Contracts for services displayed on BikeMessenger24.com are concluded directly through the Provider's app between the Messenger and the MessengerCustomer. Thus, only contractual relationships between the Messenger and the respective MessengerCustomer on the website are established through the conclusion of a delivery order. For the contract between the Messenger and the MessengerCustomer, the relevant statutory provisions and, if applicable, the Messenger’s own contractual terms apply.

   6. In addition to these GTC, the basic rules for Messengers apply to the use of the app, which the Messenger receives in text form during the registration process.

3. Provider’s Services

   1. The Provider grants the Messenger the use of the Software in its latest version via the internet.

   2. The Provider ensures the functionality and availability of the Software during the contract term and will maintain it in a condition suitable for the contractually agreed use. The software functionality is outlined in the current service description available on the Provider’s website at https://bikemessenger24.com/guide/#toggle-id-2.

   3. The Provider also provides the Messenger with user documentation after the contract is concluded. The documentation is made available to the Messenger in the form of tutorial videos and on the website at https://bikemessenger24.com/guide/#toggle-id-2.

   4. The Provider may continuously develop the Software in consideration of the Messenger’s legitimate interests and may improve it with updates and upgrades due to changes in the legal situation, technical standards, or IT security. However, the Provider is not required to customize the Software to the individual needs or IT environment of the Messenger unless otherwise agreed. The Messenger will be informed of necessary updates or upgrades in the app/play store. If there is a substantial impairment of the Messenger’s legitimate interests, the Messenger has a special termination right according to Clause 14.2. of these GTC. Changes that have only an insignificant impact on the Provider’s services do not constitute changes to services within the meaning of this clause. This particularly applies to purely graphical changes and the mere rearrangement of functions.

   5. The Provider will regularly perform maintenance on the Software and eliminate any software errors as soon as technically possible. An error occurs when the Software does not fulfill the functions specified in the service description, produces incorrect results, or otherwise fails to operate correctly, thereby rendering the Software unusable or limited in functionality. Maintenance is performed outside the Messenger's regular business hours unless urgent maintenance is required.

   6. The Provider will implement data protection and backups in accordance with the state of the art. However, the Provider has no custodial or safekeeping obligations. The Messenger is responsible for adequate data backup (e.g., invoices).

   7. The Messenger retains sole ownership of the data stored on the Provider’s servers. The Messenger can request these data at any time.

Registration, Contract Conclusion

1. With successful registration, a usage contract is established between the Provider and the Messenger for the use of the Software under these GTC.

2. For registration, the Messenger can register by entering their data in the provided online form and clicking the button that completes the registration process. The submission of the registration data constitutes the Messenger's offer to conclude the usage contract, which the Provider may accept but is not obligated to accept. The Provider may accept the Messenger's offer within 14 days of receipt of the application by sending a confirmation email or activating the user account. If the Provider does not accept the contract offer within this period, it shall be considered rejected.

3. Only entrepreneurs as defined in Clause 1.3 of these GTC, who are either natural persons, legal entities, or partnerships, may register for using the Software. Registration of a legal entity can only be done by an authorized person, who must be named. Only messengers who are of legal age and have the legal capacity can register as natural persons.

4. Before concluding the contract, the Provider may require the Messenger to provide adequate proof of their status as an entrepreneur. This can be achieved by providing a valid VAT identification number from a European Union member state, proof of residency, or other suitable documentation (e.g., business registration, trade register excerpt, BG Verkehr extract). The Messenger must provide all necessary data for the documentation truthfully and in full.

5. The Provider saves the contract text, including the GTC, upon contract conclusion while maintaining data protection and sends it to the Messenger after the Messenger submits their order in written or text form (by letter or email). The Provider does not make the contract text accessible beyond this scope.

6. The Provider may also provide the contract text, including the GTC, via a reference to an online source (e.g., by link).

7. The contract is concluded exclusively in German.

8. The Messenger ensures that the data used to create their profile (hereinafter referred to as “Profile Data”) are truthful and complete. The Messenger is obligated to keep their data up-to-date and, in the event of changes, to update their data in their user account. The use of pseudonyms is not permitted. The same applies to all information provided by the Messenger when setting up employee logins.

9. When registering, the Messenger creates a password for their user account, which they can change at any time. The Messenger must not disclose or make the password accessible to third parties and must keep it secure to prevent misuse. The Messenger is also responsible for keeping employee logins confidential and will instruct their employees accordingly. The Messenger is required to inform the Provider immediately if the password is lost or if they become aware that unauthorized third parties have accessed the password. The Messenger is liable for any misuse by third parties unless they can prove that they are not at fault.

10. The Messenger may only register once. A user account is non-transferable to third parties or employees.

11. Registration can only be completed by subsequently clicking the checkboxes and the button to finalize the registration.

12. After completing the registration, the Messenger receives a confirmation email with an activation link to verify their identity by clicking on the activation link. To complete the registration, the Messenger must verify by clicking the link in the confirmation email.

13. The contract is concluded exclusively in German.

14. The email address serves as the Messenger's identification and personal designation. The Messenger must ensure that the email address provided during online registration and for order processing is correct, so that emails or notifications sent by the Provider can be received at this address or mobile number. In particular, if using spam filters, the Messenger must ensure that all emails sent by the Provider or third parties engaged in processing can be delivered.

5.  Contract Conclusion for Orders

• 1. If the Messenger sets their status within the app to available in the menu under the "Unavailable" button, they may receive offers for delivery assignments (hereinafter "Messenger Delivery Assignment").

  2. The Messenger receives a legally binding offer for a Messenger Delivery Assignment via the notification function and/or app, which was previously posted by the MessengerCustomer on the BikeMessenger24.com website or through affiliated partners of the Provider.

  3. The Messenger can view all relevant data (e.g., delivery location, payment, delivery time, delivery location) in the Messenger Delivery Assignment within the app and decide whether to accept or decline it.

  4. If the Messenger does not accept the Messenger Delivery Assignment, no further action is required. The assignment remains in the Provider's software for a period and is automatically removed if not accepted by the Messenger.

  5. If the Messenger accepts the Messenger Delivery Assignment, a contract is concluded between the Messenger and the MessengerCustomer when the Messenger clicks the button to complete the order process and submits the legally binding offer for a Messenger Delivery Assignment.

  6. The delivery of the Messenger Delivery Assignment must take place within the time window displayed in the app from the time the order is received.

  7. The terms for contract conclusion in clauses 4.13 and 4.14 apply accordingly.

• Usage Rights

  1. No physical provision of the software is made to the Messenger.

  2. The Messenger receives simple, non-sublicensable, non-transferable rights to use the latest version of the software for the contractually specified number of users, limited to the contract term, by accessing it via the app under the following terms.

  3. The Messenger may only use the software for their own business activities through their own personnel. Further use of the software by the Messenger is not permitted.

• Support

  1. The Provider offers support for Messenger inquiries regarding the software's functions. Inquiries can be sent via email to support@bikemessenger24.com. Inquiries are processed in the order in which they are received.

  2. For each inquiry, the Provider assigns a processing number ("Ticket"). Upon request, the Provider will implement an electronic ticketing system to allow tracking of the ticket processing status at all times.

  3. The Messenger should describe the issues as accurately as possible.

• Software Availability

The Provider's software is offered subject to availability. A 100 percent availability rate is technically unachievable and cannot be guaranteed to the Messenger. The Provider strives to keep the software available as consistently as possible. Maintenance, security, or capacity issues, as well as events beyond the Provider's control (e.g., disruptions in public communication networks, third-party service outages, power outages, hosting failures, hacking, disruptions in telecommunication lines at the internet transfer point, etc.), may cause interruptions or temporary shutdowns of the software and are not counted toward the minimum availability. Availability is calculated based on the time within each calendar month of the contractual period, minus maintenance times. The Provider will carry out maintenance work during low-use hours whenever possible.

9. Messenger Obligations

   1. The Messenger is responsible for creating the technical prerequisites for using the software.

   2. The Messenger must protect and store the access data provided to them against third-party access in accordance with current technology standards. The Messenger will ensure that usage only occurs within the contractually agreed scope. Unauthorized access must be reported to the Provider immediately.

   3. The Messenger is obligated not to store any data whose usage violates applicable laws, official requirements or orders, third-party rights, or agreements with third parties.

   4. The Messenger must check their data and information for viruses or other harmful components before entry, using virus protection programs that meet current standards.

   5. The Messenger is required to keep their data (particularly billing data) up-to-date and to update their data themselves or inform the Provider of any changes.

   6. Notwithstanding the Provider’s obligation for data backup, the Messenger is responsible for entering and maintaining the data and information required to use the software.

   7. Technologies that harm the software, the Provider, or third parties or that cause disturbance (e.g., viruses, bots, spiders, scrapers, crawlers, hacking, brute-force attacks) may not be used. Technologies that automatically accept delivery orders are also prohibited.

   8. The Messenger is prohibited from obtaining confidential information through reverse engineering. "Reverse engineering" includes any actions, such as observing, testing, examining, disassembling, and reassembling, aimed at obtaining confidential information. Permissions for reverse engineering under § 69d Abs. 3 and § 69e UrhG remain unaffected.

   9. The Provider is entitled to warn the Messenger in case of misuse of the software and/or to temporarily or permanently block access to the software and may take civil and criminal action as necessary.

10. Fees and Payment Terms

    1. 1. The BikeMessenger agrees to pay the Provider a percentage usage fee for the provision and use of the software. Unless otherwise agreed, the fee is based on the Provider's valid price list at the time of contract conclusion, accessible online at the link [LINK TO PRICE LIST]. The specified fee is in EURO and is a net price plus the applicable VAT on the invoicing date.

       2. The usage fee is billed monthly.

       3. The Provider reserves the right to adjust the fee at its reasonable discretion to maintain the price-performance ratio and to respond appropriately to future cost increases or decreases and other cost situations that cannot be otherwise compensated. Elements considered for adjustment may include modification, expansion, and/or adjustment of the Provider's SaaS services, administrative and overhead costs (e.g., rent, financing and transaction costs, personnel and service provider costs, energy and internet access costs, IT development costs), and government-imposed taxes, fees, contributions, and other charges. All fee adjustments take effect one (1) month after notification. The BikeMessenger’s right to terminate in accordance with Clause 13 of these terms remains unaffected.

       4. The BikeMessenger must submit any objections to the Provider’s service invoice in writing within 14 days of receipt to the address indicated on the invoice. After this period, the invoice is deemed approved by the BikeMessenger. The Provider will expressly notify the BikeMessenger of the significance of their actions when sending the invoice.

       5. The BikeMessengerCustomer pays the fee for a delivery order via the payment service provider Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (hereinafter “Stripe”). The Provider offers the BikeMessengerCustomer various payment methods via Stripe. The individual payment methods available through Stripe are communicated to the BikeMessengerCustomer on the Provider’s website. Stripe may use additional payment services for processing, which may have specific payment terms that the BikeMessengerCustomer will be informed about separately if applicable. Further information is available online at https://stripe.com/de.

       6. Payment processing between the BikeMessenger and the Provider is carried out via the payment service provider Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (hereinafter referred to as “Stripe”). The Provider uses Stripe Connect for payment processing. Stripe Connect provides APIs and tools that enable the BikeMessenger to receive payments from end customers for services offered by them. Using Stripe Connect requires the BikeMessenger to register with Stripe Connect. After the end customer places an order on the Provider's website, Stripe initiates the payment transaction. Stripe collects the due fees on behalf of the BikeMessenger from the end customer's payment method and holds the fees in a non-interest-bearing escrow account. To this end, the Provider establishes its own escrow account with Stripe. Fees are automatically disbursed by Stripe to the Provider and BikeMessenger. If the payment transaction fails due to insufficient funds or incorrect bank account details provided by the BikeMessenger, or if the BikeMessenger disputes the direct debit without authorization, they are responsible for the fees incurred by the bank if at fault. Further information about Stripe is available online at https://stripe.com/de/connect, https://stripe.com/de/privacy, or https://stripe.com/payment-terms/legal.

       7. The fee for the provision and use of the software is payable by the BikeMessenger at the end of each month unless otherwise agreed. The fee is debited monthly by direct debit from the BikeMessenger's bank account. The fee is due upon issuance of a SEPA direct debit mandate, but not before the prenotification period has expired. Prenotification is any communication (e.g., invoice, policy, contract) from the Provider to the BikeMessenger announcing a SEPA direct debit. If the direct debit fails due to insufficient funds or incorrect bank account details provided by the BikeMessenger, or if the BikeMessenger disputes the direct debit without authorization, they are responsible for the fees incurred by the bank if at fault.

       8. Upon expiration of the payment period, the BikeMessenger is in default. The outstanding fee accrues interest during the default at the statutory default interest rate. The Provider reserves the right to claim further default damages (e.g., reasonable costs for necessary legal defense, including court and attorney fees, costs for dunning procedures or debt collection). For merchants, the Provider’s claim to commercial maturity interest (§ 353 HGB) remains unaffected. In the case of overdue claims, incoming payments from the BikeMessenger will first be applied to any costs and interest, and then to the oldest claim.

     

    1. 10. The BikeMessenger is only entitled to offset claims if their counterclaims are legally established, undisputed, mutually linked to the Provider's main claim, or acknowledged by the Provider.

       11. The BikeMessenger’s right of retention is excluded unless their counterclaim arises from the same contractual relationship and is undisputed or legally established. To assert the right, a written notice to the Provider is required.

       12. If, after the conclusion of the contract, it becomes apparent (e.g., through a bankruptcy application) that the Provider’s claim to the fee is jeopardized by the BikeMessenger’s lack of performance, the Provider is entitled to refuse performance under statutory provisions and, if necessary, to withdraw from the contract after setting a deadline (§ 321 BGB).

11. Warranty for Defects

    1. Regarding the granting of the right to use the software, the warranty provisions of rental law (§§ 535 ff. BGB) apply.

    2. The BikeMessenger must immediately notify the Provider of any defects.

    3. The Provider’s warranty is excluded if the software's functionality and operational readiness are only insignificantly impaired. The no-fault liability for defects under § 536a (1) BGB for pre-existing defects at contract conclusion is excluded.

12. Liability for Damages

    1. For services provided by the Provider, they and their legal representatives or agents are fully liable

• in cases of intent or gross negligence,

• for intentional or negligent injury to life, body, or health,

• for guarantee promises, as far as agreed between the parties,

• where the scope of the Product Liability Act applies.

1. 1. For breaches of essential contractual obligations, the Provider’s liability is limited to foreseeable, contract-typical damages unless unrestricted liability applies per clause 12.1. Essential contractual obligations are those that the contract imposes on the Provider to fulfill the contract’s purpose, whose fulfillment enables proper contract execution, and upon which the BikeMessenger may regularly rely (so-called cardinal obligations).

1. 1. The Provider is not liable for data loss if the BikeMessenger has not conducted data backups to ensure that lost data can be recovered with reasonable effort.

   2. Otherwise, the Provider's liability is excluded.

1. Legal Defects and Indemnification

13. 4. The Provider ensures that the software does not infringe third-party rights. The Provider will indemnify the BikeMessenger against all third-party claims due to an infringement of protective rights in connection with the contractual use of the software on first demand and will cover the costs of reasonable legal defense. The BikeMessenger shall promptly inform the Provider of any third-party claims asserted against them due to the contractual use of the software and shall grant all necessary powers of attorney and authority to defend against the claims.

    5. The BikeMessenger assures that the content and data stored on the Provider’s servers, as well as its use and provision by the Provider, do not violate applicable law, official orders, third-party rights, or agreements with third parties. The BikeMessenger shall indemnify the Provider against any claims made by third parties due to a breach of this clause on first demand and shall cover the costs of reasonable legal defense. The BikeMessenger will promptly notify the Provider if third parties raise claims against the Provider that fall under this indemnification obligation. The BikeMessenger is obliged to promptly provide the Provider with all available information about the relevant facts fully, truthfully, and immediately in written or text form (by letter or e-mail). Any additional claims by the Provider remain unaffected.

14. Contract Duration and Termination

    1. 1. The contract is concluded for an indefinite period. The contractual relationship begins upon conclusion and may be terminated in writing by either party at any time with one (1) month's notice to the end of the respective calendar month.

     

     

    1. 1. 10. Each party reserves the right to terminate the contract in whole or in part without notice for good cause, within a reasonable period after becoming aware of the reason for termination. Good cause exists if circumstances make it unreasonable to expect the terminating party to continue the contract, taking into account all circumstances and the interests of both parties. If the good cause results from a breach of a contractual duty, termination is only permissible after an unsuccessful grace period or warning, unless a grace period is dispensable in accordance with § 314 in conjunction with § 323 paragraph 2 BGB. In the event of termination for good cause, the Provider is entitled to remuneration for services provided under the contract until the termination takes effect. However, remuneration does not apply for services for which the BikeMessenger demonstrates a lack of interest due to the termination.

          11. The contract can be terminated in writing or in text form (e.g., by email to kuendigung@radkurier24.com or by letter).

          12. Services provided until the effective date of termination are to be remunerated; in the case of termination by the BikeMessenger due to the Provider's fault, this only applies if the services rendered are usable by the BikeMessenger.

          13. The Provider will irretrievably delete all data of the BikeMessenger remaining on its servers 30 days after the end of the contractual relationship. The Provider does not hold any retention rights or liens on the data.

     

    1. 1. Data Protection and Confidentiality

          1. The parties shall each comply with the applicable data protection regulations relevant to them.

          2. If and insofar as the Provider has access to the courier’s personal data in the course of service provision, the parties will conclude a data processing agreement with the signing of the main contract. In this case, the Provider will process the relevant personal data solely in accordance with these provisions and the instructions of the courier.

          3. If and insofar as the Provider has access to personal data of courier customers or couriers in the course of service provision, the parties will conclude a data processing agreement with the signing of the main contract. In this case, the Provider will act as a data processor as defined by Art. 28 (3) GDPR and will process the relevant personal data solely in accordance with these provisions and the instructions of the courier. Supplementary to these Terms and Conditions, special provisions of the data processing agreement can be accessed and retrieved under the link TO BE ADDED HERE.

          4. The Provider is obligated to maintain confidentiality on all confidential information (including trade secrets) that it learns in connection with this contract and its execution, and to neither disclose it to third parties, share it, nor use it in any other manner. Confidential information includes that which is marked as confidential or where confidentiality is apparent from the circumstances, regardless of whether it has been communicated in written, electronic, tangible, or oral form. The confidentiality obligation does not apply if the Provider is legally or by binding court or regulatory order required to disclose the confidential information. The Provider is obligated to impose a similar obligation on all employees and subcontractors as per the preceding paragraph.

     

    1. Modification of the Terms and Conditions

       1. The Provider reserves the right to modify these Terms and Conditions at any time without specifying reasons, unless this is unreasonable for the courier. The Provider will notify the courier of changes to the Terms and Conditions in a timely manner in text form. If the courier does not object to the new Terms and Conditions within a period of four (4) weeks after notification, the modified Terms and Conditions shall be deemed accepted by the courier. The Provider will inform the courier in the notification of their right to object and the importance of the objection period. If the courier objects to the changes within the specified period, the contractual relationship shall continue under the original Terms and Conditions.

       2. Furthermore, the Provider reserves the right to amend these Terms and Conditions,

    • to the extent that the Provider is obligated to do so due to a change in the legal situation;

    • to the extent that the Provider is complying with a court ruling or administrative decision against it;

    • to the extent that the Provider introduces entirely new services, features, or elements that require a description in the Terms and Conditions, unless this adversely alters the previous contractual relationship;

    • if the change is solely beneficial to the courier; or

    • if the change is purely technical or process-based, provided it does not have significant implications for the courier.

    1. 1. The courier’s right of termination according to Section 14. remains unaffected.

    1. Final Provisions

    1. 3. 3. For these Terms and Conditions and the contractual relationship between the parties, the law of the Federal Republic of Germany shall apply.

          4. Assignment of claims arising from the contract between the parties by the courier, in particular the assignment of any defect claims of the courier, is excluded.

        

       3. If the courier is a merchant as defined by the German Commercial Code (Handelsgesetzbuch), an entrepreneur as per § 14 BGB, a legal entity under public law, or a special public asset, the exclusive – including international – place of jurisdiction for all disputes arising directly or indirectly from the contractual relationship shall be the business location of the Provider. In all cases, the Provider is also entitled to file a lawsuit at the place of performance of the service obligation in accordance with these Terms and Conditions or a priority individual agreement, or at the general place of jurisdiction of the courier. Mandatory statutory provisions, particularly concerning exclusive jurisdictions, remain unaffected.

    Effective Date: 05/02/2023

    General Terms and Conditions for Data Processing Pursuant to Art. 28(3) GDPR

    1. Scope and Contracting Parties

    The following General Terms and Conditions for Data Processing in Accordance with Art. 28(3) GDPR (hereinafter referred to as “DP-T&C”) specify the data protection obligations arising from a service contract concluded between the data controller (hereinafter referred to in a gender-neutral manner as the “Client”) and BikeMessenger24, Mr. Martin Hawel, Radlkoferstraße 2, 81373 Munich, Germany (hereinafter referred to in a gender-neutral manner as the “Processor,” collectively with the Client as the “Parties”), pursuant to Section 2.1 (hereinafter referred to as the “Main Contract”).

    2. Subject and Scope of Data Processing

       1. 1. Within the scope of service provision under the General Terms and Conditions dated 05/02/2023 (hereinafter referred to as the “Main Contract”), it is necessary for the Processor to handle personal data for which the Client acts as the data controller in the sense of applicable data protection regulations (hereinafter referred to as “Client Data”). This contract clarifies the data protection rights and obligations of the Parties concerning the Processor's handling of Client Data for performing the Main Contract.

          2. The Processor shall process the Client Data on behalf of and in accordance with the instructions of the Client pursuant to Art. 28 GDPR (Data Processing Agreement). The Client remains the data controller in the legal sense regarding data protection.

          3. The processing of Client Data by the Processor shall be carried out in the type, scope, and purpose as specified in Annex 1 (“Subject of Data Processing”) to this DP Agreement, and shall include the types of personal data and categories of data subjects specified therein. The duration of processing shall correspond to the duration of the Main Contract.

        

       1. The Processor reserves the right to anonymize or aggregate Client Data so that individual data subjects can no longer be identified. Such data may be used in this anonymized or aggregated form for the purpose of demand-oriented design, further development, and optimization, as well as for the provision of services as agreed in the Main Contract. The Parties agree that anonymized or aggregated Client Data, as defined above, shall no longer be considered Client Data within the meaning of this Agreement.

       2. The Processor may process and use Client Data independently and at its own responsibility for its own purposes within the scope of what is permissible under data protection law, if a legal authorization provision or a consent declaration from the data subject permits this. This Agreement does not apply to such data processing.

       3. The processing of Client Data by the Processor generally takes place within the European Union or in another Contracting State of the European Economic Area (EEA) Agreement. Nevertheless, the Processor is permitted to process Client Data outside the EEA, provided it informs the Client in advance of the location of data processing and complies with the provisions of this Agreement as well as the requirements of Articles 44–48 GDPR or an exception under Article 49 GDPR.

    3. Client's Authority to Issue Instructions

       1. The Processor shall process Client Data in accordance with the Client's instructions unless the Processor is legally required to process it otherwise. In the latter case, the Processor shall inform the Client of these legal requirements prior to processing, provided that the relevant law does not prohibit such notification due to an important public interest.

       2. The Client's instructions are generally conclusively set forth and documented in the provisions of this Agreement. Individual instructions deviating from the provisions of this Agreement or setting forth additional requirements require the prior consent of the Processor and shall be documented according to the amendment process established in the Main Contract. Such documentation shall include the instruction itself and address the coverage of any additional costs incurred by the Processor as a result.

       3. The Processor ensures that it processes the Client Data in accordance with the Client's instructions. If the Processor believes an instruction from the Client violates this Agreement or applicable data protection law, it is entitled, after notifying the Client accordingly, to suspend the execution of the instruction until the Client confirms it. The Parties agree that the sole responsibility for the instruction-compliant processing of Client Data lies with the Client.

    4. Client's Responsibility

       1. 1. The Client is solely responsible for the legality of the processing of Client Data as well as for safeguarding the rights of data subjects in relation to the Parties. Should third parties assert claims against the Processor based on the processing of Client Data in accordance with this Agreement, the Client shall indemnify the Processor from all such claims upon first request.

        

       1. The Client is responsible for providing the Processor with Client Data in a timely manner for the provision of services under the Main Contract and is accountable for the quality of Client Data. The Client must promptly and fully inform the Processor if, upon reviewing the Processor's results, they identify any errors or irregularities regarding data protection regulations or their instructions.

       2. The Client shall provide the Processor, upon request, with the information specified in Art. 30(2) GDPR, insofar as it is not already available to the Processor.

       3. If the Processor is obligated to provide information regarding the processing of Client Data to a governmental authority or individual, or otherwise cooperate with such entities, the Client is obligated, upon first request, to support the Processor in providing such information or fulfilling other obligations to cooperate.

    5. Personnel Requirements

    The Processor shall require all persons processing Client Data to commit to confidentiality regarding the processing of Client Data.

    6. 6. Security of Processing

          1. In accordance with Art. 32 GDPR, the Processor shall implement the necessary and appropriate technical and organizational measures, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing Client Data, as well as the varying likelihood and severity of the risk to the rights and freedoms of data subjects, to ensure a level of security appropriate to the risk for Client Data.

          2. The Processor is permitted to modify or adjust technical and organizational measures, particularly those listed in Annex 2 (“Technical and Organizational Measures”) of this Agreement, during the contract term, provided they continue to meet legal requirements.

       7. Use of Additional Sub-processors

          1. The Client hereby grants the Processor general authorization to engage additional sub-processors for processing Client Data. Additional sub-processors engaged at the time of contract conclusion are listed in Annex 3 (“Sub-processors”). Agreements with service providers that involve the inspection or maintenance of data processing systems or equipment, or other ancillary services, are generally not subject to authorization, even if access to Client Data cannot be ruled out, provided that the Processor makes appropriate arrangements to protect the confidentiality of Client Data.

          2. The Processor shall inform the Client about intended changes regarding the involvement or replacement of additional sub-processors. The Client has the right, on a case-by-case basis, to object to the engagement of a potential additional sub-processor. The Client may raise an objection only for a significant reason, which must be demonstrated to the Processor. If the Client does not raise an objection within 14 days after receiving notification, the Client's right to object to the relevant engagement expires. If the Client raises an objection, the Processor is entitled to terminate the Main Contract and this Agreement with three months' notice.

          3. The contract between the Processor and the additional sub-processor must impose the same obligations on the sub-processor as are incumbent upon the Processor under this Agreement. The Parties agree that this requirement is met if the contract maintains a level of protection corresponding to this Agreement, or if the additional sub-processor is subject to the obligations stipulated in Art. 28(3) GDPR.

          4. In compliance with the requirements of this clause, the provisions in this clause 7. shall also apply if an additional sub-processor is engaged in a third country. The Client hereby authorizes the Processor, on behalf of the Client, to enter into an agreement with an additional sub-processor incorporating the EU Standard Contractual Clauses for the transfer of personal data to processors in third countries, dated February 5, 2010. The Client agrees to cooperate as necessary to meet the requirements of Art. 49 GDPR.

     

    6. 6. Rights of Data Subjects

          1. The Processor shall assist the Client, within the scope of what is reasonable and feasible, in meeting their obligation to respond to requests by data subjects seeking to exercise their rights.

          2. If a data subject submits a request directly to the Processor to exercise their rights, the Processor will promptly forward this request to the Client.

          3. The Processor shall inform the Client about the stored Client Data, recipients of Client Data to whom the Processor transfers it in accordance with the agreement, and the purpose of the storage, insofar as the Client does not already have this information or cannot obtain it themselves.

          4. The Processor shall, to the extent feasible and necessary, enable the Client, upon reimbursement of the documented expenses and costs incurred, to rectify, delete, or restrict further processing of Client Data, or shall carry out such rectification, blocking, or restriction upon the Client's request if and to the extent the Client is unable to do so themselves.

          5. If the data subject has a right to data portability with regard to the Client Data under Art. 20 GDPR, the Processor shall assist the Client, within the bounds of reasonableness and necessity, by providing the Client Data in a common, machine-readable format, upon reimbursement of the documented expenses and costs incurred, if the Client cannot obtain the data in any other way.

       7. Processor’s Notification and Assistance Duties

          1. If the Client has a statutory reporting or notification obligation due to a breach of Client Data protection (especially under Art. 33, 34 GDPR), the Processor will promptly inform the Client of any reportable events within its area of responsibility. Upon the Client's request, the Processor shall assist them, within the bounds of reasonableness and necessity, in fulfilling their reporting and notification obligations, subject to reimbursement of the documented expenses and costs incurred by the Processor.

          2. The Processor shall assist the Client, within the scope of what is reasonable and necessary, in performing any data protection impact assessments and any subsequent consultations with supervisory authorities under Art. 35, 36 GDPR, upon reimbursement of the documented expenses and costs incurred by the Processor.

       8. Data Deletion

          1. The Processor shall delete Client Data upon termination of this Agreement unless there is a statutory requirement for the Processor to retain the Client Data.

          2. The Processor may retain documentation that demonstrates the commissioned and proper processing of Client Data even after the termination of the Agreement.

       9. Evidence and Audits

          1. 1. The Processor shall provide the Client, upon request, with all necessary information available to the Processor to demonstrate compliance with its obligations under this Agreement.

             2. The Client is entitled to audit the Processor to verify compliance with the provisions of this Agreement, particularly the implementation of technical and organizational measures, including through inspections.

           

          1. To conduct inspections in accordance with Section 11.2., the Client is entitled to enter the Processor's premises, where Client Data is processed, during regular business hours from Monday to Friday, 10:00 a.m. to 6:00 p.m. (excluding public holidays at the Processor’s location) with prior notice as stipulated in Section 11.5.. Such inspections are at the Client's expense, must not disrupt business operations, and must strictly maintain the confidentiality of the Processor's business and trade secrets.

          2. The Processor reserves the right, at its discretion and in accordance with the Client's legal obligations, to withhold information that is sensitive with respect to the Processor’s business or would cause the Processor to breach legal or other contractual provisions. The Client is not entitled to access data or information related to the Processor’s other clients, cost-related information, quality assessment and contract management reports, or any other confidential data of the Processor that is not directly relevant to the agreed audit purposes.

          3. The Client shall inform the Processor in advance (usually at least two weeks prior) of all circumstances related to the conduct of the audit. The Client may conduct one audit per calendar year. Additional audits are subject to reimbursement of costs and must be coordinated with the Processor.

          4. If the Client engages a third party to conduct the audit, the Client must obligate the third party in writing to the same extent as the Client is bound to the Processor under this Section 11. of this Agreement. The Client must also impose confidentiality and secrecy obligations on the third party, unless the third party is subject to a professional obligation of secrecy. Upon the Processor's request, the Client shall promptly provide copies of the engagement agreements with the third party. The Client may not assign a competitor of the Processor to conduct the audit.

          5. At the Processor’s option, proof of compliance with obligations under this Agreement may also be provided, instead of an on-site inspection, by presenting a suitable, current attestation or report from an independent body (e.g., auditor, compliance department, data protection officer, IT security department, data protection auditors, or quality auditors) or an appropriate certification by an IT security or data protection audit – e.g., based on BSI basic protection – (“audit report”), provided that the audit report reasonably enables the Client to verify compliance with contractual obligations.

     

    6. Contract Duration and Termination

    The duration and termination of this contract are subject to the provisions of the main contract regarding term and termination. Termination of the main contract also automatically terminates this contract. Isolated termination of this contract is excluded.

    13. Liability

        1. The liability exclusions and limitations under the main contract apply to the Processor's liability under this contract. If third parties assert claims against the Processor due to a culpable breach of this contract or any of its obligations as the data controller by the Client, the Client shall indemnify the Processor against such claims upon first request.

        2. The Client also agrees to indemnify the Processor against any fines imposed on the Processor to the extent that the Client shares responsibility for the breach penalized by the fine.

    14. Final Provisions

        1. Applicable law is determined by the main contract.

        2. The place of jurisdiction is determined by the main contract.

        3. In the event of contradictions between this contract and other agreements between the parties, especially the main contract, the provisions of this contract shall prevail.

        4. Should individual provisions of this contract be or become ineffective or contain a gap, the remaining provisions shall remain unaffected. The parties agree to replace the invalid provision with a legally permissible provision that comes closest to the purpose of the invalid provision and meets the requirements of Art. 28 GDPR.

        5. This data processing agreement is part of the main contract and becomes effective upon its conclusion.

    Appendix 1: Purpose of Data Processing

    Purposes of Data Processing

    Personal data of the Client will be processed under this data processing agreement for the following purposes:

    • Software-as-a-Service (SaaS) services.

    Types and Categories of Data

    The types and categories of personal data processed under this data processing agreement include:

    • Master data.

    • Contact data.

    • Content data.

    • Image and/or video recordings.

    • Contract data.

    • Payment and billing data.

    • Location data.

    • Log data.

    • Employee data.

    • Applicant data.

    • Business information.

    Categories of Affected Individuals

    The categories of individuals affected by the processing of personal data under this data processing agreement include:

    • Website visitors.

    • Software users.

    • Prospective customers.

    • Consumers.

    • Business customers.

    • Business partners.

    • Employees.

    • Applicants.

     

    Sources of Processed Data

    The data processed under this data processing agreement are collected or otherwise received from the following sources or within the procedures specified below:

    • Collection from the data subjects themselves.

    • Entries or information provided by the Client.

    • Entries or information provided by the Processor.

    • Collection during the use of software, applications, websites, and other online services.

    • Collection via interfaces to other providers’ services.

    • External databases and data collections.

    • Reception through transmission or other communication by or on behalf of the Client.

    Appendix 2: Technical and Organizational Measures

    An appropriate level of protection, consistent with the risk for the rights and freedoms of natural persons affected by the processing, is guaranteed for the specific data processing and the personal data processed within its framework. This especially takes into account the objectives of confidentiality, integrity, availability, and resilience of systems and services in relation to the nature, scope, circumstances, and purpose of processing, so that appropriate technical and organizational remedial measures contain the risk sustainably.

    Organizational Measures

    Organizational measures have been implemented to ensure an adequate level of data protection and its maintenance.

    • The Processor has implemented an appropriate data protection management system or data protection concept and ensures its implementation.

    • A suitable organizational structure for data security and data protection exists, and information security is integrated into company-wide processes and procedures.

    • Internal security guidelines have been defined and communicated internally as binding rules to employees.

    • The development of technology, as well as developments, threats, and security measures, are continuously monitored and appropriately adapted to the Processor's security concept.

    • A concept exists to ensure the protection of data subject rights by the Client (particularly concerning access, correction, deletion, or restriction of processing, data transfer, revocations & objections). This concept includes employee information on duties towards the Client, establishment of implementation procedures, designation of responsible persons, and regular monitoring and evaluation of implemented measures.

    • A concept exists to ensure a prompt response to threats and breaches in the protection of personal data that complies with legal requirements. This concept includes employee information on duties towards the Client, establishment of implementation procedures, designation of responsible persons, and regular monitoring and evaluation of implemented measures.

    • The protection of personal data considers the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons, already in the development or selection of hardware, software, and procedures, following the principle of data protection by design and by default.

     

15. Deployed software and hardware are always kept up to date, and software updates are carried out without delay within a reasonable period, considering the risk level and any need for verification. No software or hardware that is no longer updated by the providers regarding data protection and data security concerns (e.g., expired operating systems) is used.

16. Standard software and corresponding updates are only sourced from trusted sources.

17. A "paperless office" is maintained, meaning that records are generally stored only digitally and are kept in paper form only in exceptional cases.

18. Documents are kept in paper format only if no adequate digital copy is available for the purpose of data processing and its purpose or the interests of the individuals affected by the contents of the documents, or if storage has been agreed upon with the client or is required by law.

19. A deletion and disposal concept is in place that meets data protection requirements and the state of the art for data processing. The physical destruction of documents and data carriers is carried out in compliance with data protection laws and according to legal requirements, industry standards, and state-of-the-art industry standards (e.g., DIN 66399). Employees have been informed about legal requirements, deletion deadlines, and, where applicable, instructions for data or device destruction by service providers.

20. Access Control

    Measures for physical access control have been implemented to prevent unauthorized individuals from physically accessing systems, data processing facilities, or procedures where personal data are processed.

    • Apart from workplace computers and mobile devices, no data processing systems are maintained on the company premises. The client’s data is stored with external server providers in compliance with data processing requirements.

    • Access to data processing facilities is further secured and only accessible to authorized employees.

    • Windows, ducts, and similar access points that could offer potential access (e.g., ground floor windows) are secured against unauthorized entry.

    • Access is secured by an electronic lock system with security locks.

    • Documents (files, documents, etc.) are stored securely, e.g., in filing cabinets or other adequately secured containers, and are adequately protected against unauthorized access.

    • Data carriers are stored securely and adequately protected against unauthorized access.

    Access Control

    Electronic access control measures are in place to ensure that access (i.e., the possibility of use, application, or observation) by unauthorized persons to systems, data processing facilities, or procedures is prevented.

    • A password policy requires that passwords meet a minimum length and complexity standard, in line with current technology and security requirements.

    • All data processing systems are password protected.

    • Passwords are generally not stored in plain text and are only hashed or encrypted when transmitted.

    • Password management software is used.

    • Login attempts on internal systems are limited to a reasonable number (e.g., account lockout after multiple failed attempts).

    • Up-to-date anti-virus software is used.

    • Hardware firewalls are used.

    • Software firewalls are used.

    • Backups are stored in encrypted form.

    Internal Access Control and Input Control (Authorization for User Rights to Access and Edit Data)

    Access control measures have been implemented to ensure that individuals authorized to use a data processing system can only access data within their permission scope, and that personal data is not read, copied, modified, or removed without authorization. Input control measures have also been implemented to ensure that it can later be verified and established whether, and by whom, personal data were entered, modified, removed, or otherwise processed in data processing systems.

    • An access and role concept ensures that access to personal data is limited to a group of individuals selected based on necessity and only to the required extent.

    • The access and role concept is regularly evaluated within a reasonable time frame and updated as needed, including when an event warrants (e.g., breaches of access restrictions).

    • Accesses to specific client files are logged.

    • The entry, modification, and deletion of individual client data are logged.

    • Logins to data processing systems or processing systems are logged.

    • Log files are protected from modification, loss, and unauthorized access.

    • Administrator activities are appropriately monitored and logged, within legally permissible limits and with a reasonable effort.

    • It is ensured that it is traceable which employees or agents had access to which data at which time (e.g., by logging software usage or inferring from access times and the access control concept).

    • The personal data processed under the contract are end-to-end encrypted when sent by email on the client’s instructions.

    Transmission Control

    Transmission control measures are in place to ensure that personal data is not read, copied, modified, or removed by unauthorized parties during electronic transmission, transport, or storage on data carriers, and that it is possible to verify and establish the destinations to which personal data are transferred by data transmission facilities.

    • The personal data processed under the contract are transmitted end-to-end encrypted, subject to different instructions from the client.

    • The transmission and processing of the client’s personal data over online services (websites, apps, etc.) are protected using TLS or an equally secure encryption method.

    • Files are encrypted before transmission to cloud storage services.

    Order Control, Purpose Limitation, and Separation Control

    Measures have been implemented to ensure that personal data processed under the contract are only processed according to the client’s instructions. These measures guarantee that personal data collected for different purposes are processed separately and that there is no merging, blending, or other processing of data contrary to the contract.

    • Careful selection of subcontractors and other service providers.

    • Compliance with the client’s instructions and permissible processing limits for personal data by employees and agents is reviewed at appropriate intervals.

    • Retention periods for the processing of the client’s personal data are documented within the processor’s deletion policy, separately if required.

    • Required evaluations and analyses of the client’s personal data processing are anonymized as far as possible and reasonable (i.e., without any personal reference) or pseudonymized per Article 4 No. 5 GDPR, making it impossible to attribute personal data to a specific individual without additional information, which is stored separately and subject to technical and organizational measures ensuring data cannot be attributed to an identifiable person.

    • The client’s personal data are processed separately from other processing procedures of the processor.

    • The client’s personal data are logically separated from other processing procedures, preventing unauthorized access or merging with other data (e.g., by storing in different databases or using appropriate attributes).

    • Production and test data are strictly separated in different systems. Production systems are operated independently of development and test systems.

    Ensuring Data Integrity, Availability, and Resilience of Processing Systems

    Measures have been taken to ensure that personal data is protected against accidental destruction or loss and can be quickly restored in emergencies.

    • Fault-tolerant server systems and services are used with redundancy.

    • The availability of data processing systems is continuously monitored, particularly for availability, errors, and security incidents.

    • Personal data is stored with external hosting providers. These providers are carefully selected and meet state-of-the-art standards regarding protection from damage caused by fire, moisture, power outages, disasters, unauthorized access, data backup, patch management, and building security.

    • Processing of personal data is carried out on data processing systems that are subject to regular and documented patch management, meaning they are updated periodically.

    • The server systems and services used for processing are subjected to regular load and hardware testing.

    • The server systems used for processing are equipped with protection against Denial of Service (DoS) attacks.

    • The server systems used for processing are equipped with uninterrupted power supply (UPS) systems, which are properly secured against outages, ensuring orderly shutdowns in emergencies without data loss.

    • Video surveillance at the server location.

    • Burglary and contact alarms at the server location.

    • The server systems used for processing are equipped with adequate fire protection (fire and smoke detection systems and appropriate fire extinguishing devices or equipment).

    • Servers are protected against moisture damage (e.g., moisture detectors).

    • Backup systems in different locations store current data to ensure an operational system is available even in the event of a disaster.

    • The client's datasets are protected from accidental modification or deletion by the system (e.g., through access restrictions, security prompts, and backups).

    • The server systems and services used have a reliable, controlled backup and recovery concept in place.

    Attachment 3: Subprocessors

    The data processor employs the following subprocessors for data processing on behalf of the client:

    Company, Address	Type of Processing	Purpose	Type of Data	Categories of Data Subjects
    Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg	Email Delivery, Hosting	Provision of online services, user experience; IT infrastructure (operation and provision of IT systems and devices); security measures.	Usage data (e.g., websites visited, content interest, access times); metadata, communication, and procedural data (e.g., IP addresses, timestamps, IDs, consent status); content data (e.g., form inputs).	Website users, customers; interested parties
    Google Ireland Limited Google LLC 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA	Provision of map and location services for navigation and orientation.	Displaying maps, calculating routes, and showing location information.	IP addresses, location data	Software users, interested parties, customers
    GatewayAPI, Buchwaldsgade 50, 5000 Odense C, Denmark	SMS dispatching	Automated sending of SMS messages to clients	Contact data, communication data	Clients, customers, applicants