Customer Service Agreement


Please read our Customer Service Agreement carefully.

Our Customer Service Agreement is a contract that governs our customers' use of Thalox services. It consists of the following documents:


  • Customer Service Agreement
    § 1 | Scope |

    (1) These General Terms and Conditions (hereinafter: “GTC”) apply to all contracts between Thalox AG, represented by the Executive Board, Erwin Marc Arnold, Schießhausstraße 155, 86633 Neuburg a.d. Donau, Germany (hereinafter: “Provider” or “Thalox”) and its customers (hereinafter: “Customer”), which have as their object the temporary provision of the software solution “thalox for marketers” (hereinafter: “Software” or “Application”) as Software as a Service or extensions or further services thereto, even if this is not separately agreed again. Insofar as the application merely relies on services of third parties, in particular HubSpot, Inc., 25 First Street, Cambridge, MA 02141 USA (hereinafter “HubSpot”), or is capable of cooperating with them, the services of third parties are not the subject of performance and are not covered by this agreement.

    (2) Unless expressly agreed otherwise, these GTC shall apply exclusively in the version valid at the time of conclusion of the contract.

    By accepting the offer, at the latest by registering an account on, the customer expressly agrees to these GTC and waives the assertion of his own deviating terms and conditions or terms and conditions of purchase and payment. Other terms and conditions do not apply even if Thalox does not expressly object to them in individual cases. Deviating terms and conditions of the customer shall only apply if they have been agreed separately, expressly and in writing. If the customer does not agree with this, he must immediately inform the supplier of this in writing.

    (3) Customers within the meaning of these GTC are exclusively entrepreneurs, i.e. any natural or legal person or partnership with legal capacity who, when concluding the contract, acts in the exercise of their commercial or independent professional activity. Conclusion of a contract with consumers is excluded.

    (4) Individual agreements made with the Customer in individual cases, in particular within the framework of the “Enterprise” variant (including ancillary agreements, supplements and amendments) shall in all cases take precedence over these GTC. Subject to proof to the contrary, a written contract or written confirmation by the Provider shall be authoritative for the content of such agreements.

    (5) Thalox is entitled to make changes to the service descriptions or these general terms and conditions and other conditions. Thalox will only make these changes for valid reasons, in particular due to new technical developments, changes in case law or other equivalent reasons. If the amendment significantly disturbs the contractual balance between the parties, the amendment shall not be made. Otherwise, changes require the consent of the customer.

    § 2 | Subject matter of performance |

    (1) The subject matter of the contract is the provision of the application as well as the technical facilitation of the use of the application by means of browser access and the granting or procurement of rights of use to the application as well as the provision of storage space for the data generated by the customer through the use of the application and/or the data required for the use of the application (hereinafter: application data) by the provider to the customer against payment of the agreed fee.

    (2) The application establishes an interface to the third-party provider HubSpot and enables the evaluation of customer communication. This includes in particular

    • The creation of probability calculations regarding the reaction to the customer’s marketing measures (“engagement score”).
    • Evaluations of the customer segments in relation to the engagement score
    • Making proposals to increase the engagement score
    • Creation of graphical evaluations

    The object of the application is exclusively the evaluation of customer communication. The application itself does not select any marketing measures or content to be transmitted to customers. The application does not check the correctness or completeness of the content of the customer entries or any third-party data included. The calculated engagement score, reports, visualizations and other presentations are not advisory services or recommendations for action, but non-binding reports which the client can include at his own discretion as part of his planning. The remuneration listed in § 9 is paid exclusively for the technical provision or granting of rights of use to the software and does not constitute a consultancy fee.

    (3) The application is offered in four variants:

    (a) thalox for marketers Free (free of charge)

    (b) thalox for marketers StartUp (free of charge)

    (c) thalox for marketers Business

    (d) thalox for marketers Enterprise

    The content and scope of services of the respective variant as well as the permissible number of users can be found on the provider’s website at

    (4) The provision of third party services is not the subject of the service. Thalox does not assume any warranty for the functionality and maintenance of third-party services, in particular HubSpot or other platforms operated by third parties.

    (5) Insofar as the booking of the chargeable service is preceded by a free phase, the customer cannot assert any claims in this respect beyond the statutory liability claims. Multiple use of the test phase is excluded.

    § 3 | Registration and conclusion of contract |

    (1) Use of the application requires prior registration. There is no entitlement to the opening of a customer account. Only persons with unlimited legal capacity who are acting in the exercise of their commercial or independent professional activity are entitled to register. At the Provider’s request, the Customer must send the Provider proof of identity (e.g. a copy of his identity card) or state his VAT identification number and document his registration. Within the scope of registration, the Provider shall request the Customer’s data. The data required to create the user account must be provided by the customer completely and truthfully. After providing the data, the customer receives a verification code to the e-mail address provided by the customer. After confirmation of the e-mail address, registration for the application takes place by entering the deposited e-mail address and the password assigned by the customer himself. The customer is obliged to keep his password secret and not to disclose it to third parties under any circumstances.

    (2) After registration, the customer may use the software in the “Free” variant free of charge for 30 days.

    (3) Prior to the expiry of the 30-day period pursuant to para. 2, the customer shall be informed of the impending end of the free-of-charge usage period and shall be offered the option of switching to a paid variant. For this purpose, the customer will be requested to provide a billing address and a means of payment. During the ordering process, the process can be cancelled at any time by clicking on the “back” symbol (“<”). Once the information has been entered in full, the customer is shown an order overview. The contract is concluded by clicking on “Sign Up”.

    (4) Insofar as the customer’s personal or company details change, the customer himself is responsible for updating them. All changes must be communicated to the Provider via the input mask in the personal area or in text form.

    § 4 | Provision of the application |

    (1) The Provider shall keep the application in the version current at the time of conclusion of the contract available for use in accordance with the following provisions from the time of conclusion of the contract (§ 3) on one or more central data processing systems which it rents from third parties (hereinafter: server).

    (2) The Provider shall ensure that the provided application

    • is suitable for the purposes resulting from the respective current service description,
    • is free of defects during the entire term of the contract,
    • in particular, is free of viruses and similar malware that would render the application unsuitable for use in accordance with the contract

    whereby the provider owes the care customary in the industry. In determining whether the provider is at fault, it must be taken into account that software cannot technically be created completely free of errors.

    (3) The security measures to be observed by the customer result from § 8 of these GTC.

    (4) Insofar as the Provider produces the application itself, it shall ensure that it always corresponds to the proven state of the art. If the Provider obtains parts of the application (e.g. plug-ins, etc.) from third parties, it shall keep the latest version of the respective part of the application that is generally available on the market at the time of conclusion of the contract ready for use by the Customer for no later than three months after the general market release by the manufacturer.

    Insofar as the provision of a new version or any other change results in the functionalities of the application, work processes of the Customer supported by the application and/or restrictions in the usability of previously generated data being impaired, the Provider shall notify the Customer of this in writing at least six weeks before such a change takes effect. If the Customer does not object to the change in writing within a period of two weeks from receipt of the change notification, the change shall become part of the contract. The Provider shall draw the Customer’s attention to the aforementioned deadline and the legal consequences of its expiry in the event of failure to exercise the option to object whenever changes are announced.

    (5) The Provider shall provide storage space on the server for storing the application data from the time the application is made available for operation.

    (6) The application and the application data are backed up on the server regularly, at least daily. The customer is responsible for compliance with any retention periods under commercial and tax law.

    (7) The transfer point for the application and the application data is the router exit of the data centre of the hosting provider commissioned by the Provider.

    (8) The Customer shall keep the Mozilla Firefox or Google Chrome browsers in the current version, or at least the previous version of the current version, ready for accessing the application. For changes to the Provider’s technical system, the objection solution of para. 4 subpara. 2 shall apply accordingly. The Provider shall not be responsible for the quality of the required hardware and software on the part of the Customer or for the telecommunications connection between the Customer and the Provider up to the transfer point.

    § 5 | Availability of the application |

    (1) The Provider owes the availability of the Application and the Application Data at the Delivery Point as agreed below. The contractual partners understand availability to mean the technical usability of the application and the application data at the delivery point for use by the customer.

    (2) The Provider shall make the application available to the Customer from the time of registration, but this shall exclude the agreed times of announced unavailability.

    (3) The available use shall also include the periods during

    • disruptions in or due to the condition of parts of the technical infrastructure required for the execution of the application, including third-party services, which are not to be provided by the Provider or its vicarious agents (§ 2 para. 4);
    • disruptions or other events that are not (partly) caused by the Provider or one of its vicarious agents, e.g. exceeding an agreed permitted load of the application;
    • insignificant reduction of the suitability for the contractual use.

    (4) Announced unavailability

    (a) Thalox is entitled during periods of announced unavailability to maintain, service, backup or otherwise work on the Application and/or servers. The Customer hereby agrees that there will be a scheduled unavailability every Wednesday from 8:00 p.m. to 11:00 p.m. throughout the term of the Agreement. In all other respects, announced unavailability and their expected duration shall be announced at least 7 days in advance. This period may be shortened in justified exceptional cases.

    (b) Use of the application during periods of announced unavailability

    If and to the extent that the customer can use the application during periods of announced unavailability, there shall be no legal claim to this. If the use of an application during times of announced unavailability results in a reduction or cessation of performance, the customer shall have no claim to liability for defects or damages. This shall also apply insofar as the customer uses a browser other than that specified in § 4 para. 8 or a version other than that recommended therein.

    (5) Troubleshooting

    Unless response and recovery times have been agreed separately, in the event of unplanned unavailability of the application the Provider shall ensure that the fault rectification is initiated within a reasonable time and that the Customer is informed of this. The Provider shall also ensure that the reported or noticed technical malfunction is remedied within a period of time appropriate to the extent of the malfunction.

    § 6 | Other Services of the Provider |

    (1) During the term of the contract, an electronic user manual for the application shall be available to the Customer for retrieval at If the application is updated, the user manual shall be adapted accordingly.

    (2) If the Provider provides third-party software as an application and no documentation in German/English is generally available from this third party, the Provider shall be entitled to provide only the documentation accessible to it.

    The customer shall be entitled to save, print and reproduce the documentation provided in reasonable numbers for the purposes of this contract, while maintaining existing property right notices. In all other respects, the restrictions on use of the documentation set out in §§ 7-8 of these GTC for the application shall apply mutatis mutandis.

    (3) Thalox provides customer support via a contact form. Thalox reserves the right to adjust the availability times and channels of the customer support. If the contractual partners agree on support response and recovery times in a service level agreement (SLA), this shall become part of the contract.

    (4) Further services of the Provider can be agreed at any time. In particular, support services can be agreed subsequently. Unless otherwise agreed, such further services shall be provided against reimbursement of the proven expenditure at the Provider’s general hourly rates.

    § 7 | Rights of use to and use of the application |

    (1) The customer shall receive simple (non-sublicensable and non-transferable) rights of use to the application, limited to the term of the respective contract, in accordance with the following provisions.

    (2) The customer uses the application exclusively on the server. The application shall not be physically transferred to the customer. The customer may only use the application for its own business activities by its own personnel.

    (3) The customer shall only use the application to the extent of the booked variant. The Provider reserves the right to assert claims in the event of additional use beyond the agreed use.

    (4) The customer is not entitled to make changes to the application. This does not apply to changes that are necessary for the correction of errors if the Provider is in default with the correction of the error, refuses to correct the error or is unable to correct the error due to the opening of insolvency proceedings.

    (5) If the Provider makes new versions, updates, upgrades or other new deliveries with regard to the application during the term, the above rights shall also apply to these.

    (6) The customer is not entitled to any rights not expressly granted to the customer above. In particular, the customer is not entitled to use the application beyond the agreed use or to have it used by third parties or to make the application accessible to third parties. It is especially not permitted to reproduce, sell or provide the application for a limited period of time, in particular not to rent or lend it.

    § 8 | Client’s obligations for safe use |

    (1) The customer shall take the necessary precautions to prevent the use of the application by unauthorized persons; in particular, the customer shall ensure that the passwords used contain at least 8 characters and are composed of upper case letters, lower case letters and numbers.

    (2) The customer is liable for ensuring that the application is not used for racist, discriminatory, pornographic purposes, purposes that endanger the protection of minors, politically extreme purposes or purposes that otherwise violate the law or official regulations or requirements, or that corresponding data, in particular application data, are created and/or stored on the server.

    (3) It is the responsibility of the customer to comply with the restrictions/obligations with regard to the rights of use pursuant to § 7, in particular he shall

    (a) not retrieve or cause to be retrieved any information or data without authorization, or interfere or cause interference with any programs operated by Thalox, or intrude or facilitate any such intrusion into Thalox’s data networks without authorization;

    (b) not misuse the exchange of electronic messages possible within the framework of the contractual relationship and/or using the application for the unsolicited sending of messages and information to third parties for advertising purposes;

    (c) indemnify Thalox against claims by third parties based on his unlawful use of the application or arising from data protection, copyright or other legal disputes caused by the customer that are connected with the use of the application;

    (d) oblige the Authorized End Users to comply in turn with the provisions of this Agreement applicable to them;

    (e) ensure that (e.g. when transmitting texts/data of third parties to the Provider’s server) he observes all rights of third parties to material used by him;

    (f) obtain the required consent of the respective data subject in accordance with Section 10 (2), insofar as he or she collects, processes or uses personal data when using the application and no statutory element of permission applies;

    (g) check data and information for viruses before sending them to Thalox and use state-of-the-art virus protection programs;

    (h) if it transmits data to generate application data using the Provider’s application, back it up regularly and in accordance with the significance of the data and make its own back-up copies to enable the reconstruction of the data and information in the event of loss;

    (i) if and insofar as the technical possibility to do so is made available to him by mutual agreement, regularly back up the application data stored on the server by download; the obligation of the Provider to back up data pursuant to Section 4 (6) remains unaffected.

    (4) Violation of the provisions under paras. 1 to 3 by the customer

    (a) If the customer violates the provisions in paragraphs 1 to 3 for reasons for which he is responsible, Thalox may block the customer’s access to the application or the application data if the violation can be demonstrably remedied.

    (b) If the customer unlawfully violates paragraph 2 or 3, Thalox is entitled to delete the data or application data affected thereby. In the event of an unlawful violation by the user, the customer must immediately provide Thalox, upon request, with all information necessary to assert claims against the user, in particular the user’s name and address.

    If the customer continues to violate or repeatedly violates the provisions in paragraphs 1 to 3 despite a corresponding written warning from the provider, and if the customer is responsible for this, the provider may terminate the contract extraordinarily without observing a notice period.

    (c) In the event of breaches of duty by the Customer, Thalox may claim damages in accordance with § 12, unless the Customer is not responsible for the breach of duty.

    (5) If and to the extent that a database, databases, a database work or database works are created on the Provider’s server during the term of the respective contract, in particular by compiling application data, as a result of activities of the Customer permitted under the contract, all rights thereto shall belong to the Customer. The customer shall remain the owner of the databases or database works even after the end of the contract.

    (6) The Customer is not entitled to transfer the software to third parties, in particular to sell or sublet it, without the Provider’s permission. Dependent use by the customer’s employees or other third parties subject to the customer’s right to issue instructions within the scope of the intended use and compliance with the agreed number of users is permitted.

    (7) The customer shall take suitable precautions to protect the application from unauthorised access by third parties. The contractually agreed number of users may not be exceeded. In particular, user accounts may not be used by several employees at the same time.

    § 9 | Charges |

    (1) The Provider shall charge a monthly flat fee for the services to be rendered for the granting of use with regard to the application and the provision of storage space, including data backup.

    (2) Unless the Parties have reached an individual agreement on the remuneration within the framework of the “Enterprise” variant, the remuneration shall result from the overview available at

    (3) The respective lump sum shall accrue for each monthly billing period from operational provision and shall be due in advance on the first working day of the billing period. If the customer has justifiably terminated the contract extraordinarily, the flat rate shall be repaid pro rata temporis.

    (4) System changes to third party services (§ 2 para. 4) after conclusion of the contract (§ 3) shall not lead to the discontinuation of the obligation to pay remuneration.

    (5) Other services shall be provided by the Supplier on a time and material basis at the Supplier’s general list prices applicable at the time of the order.

    (6) Any separate remuneration shall be due 10 days after receipt of the invoice.

    (7) Remuneration shall be owed plus VAT at the statutory rate applicable from time to time.

    (8) The Customer agrees to the issuance of invoices in an electronic format and their electronic transmission (electronic invoices). Thalox is entitled to use payment service providers for the processing of payments and the issuing of invoices.

    § 10 | Data security, data protection |

    (1) The contracting parties shall observe the applicable data protection provisions, in particular those valid in Germany (in particular the Basic Data Protection Regulation and the Federal Data Protection Act) and shall oblige their employees deployed in connection with the contract and its performance to maintain data secrecy, insofar as they are not already generally obliged to do so.

    (2) If the customer collects, processes or uses personal data, he guarantees that he is entitled to do so in accordance with the applicable provisions, in particular those relating to data protection law, and in the event of a breach he indemnifies Thalox against claims by third parties.

    (3) The Provider shall collect and use personal data of the Customer only to the extent required for the performance of this Agreement. The customer agrees to the collection and use of such data to this extent.

    (4) The obligations under paragraphs 1 to 3 shall continue to exist as long as application data are within the sphere of influence of the Provider, even beyond the end of the contract.

    (5) Insofar as the transmitted data also contain personal data, the contracting parties shall conclude a commissioned data agreement in accordance with Art. 28 DSGVO. In the event of contradictions between these GTC and the agreement on commissioned data processing, the latter shall take precedence over the former.

    § 11 | Secrecy |

    (1) The Supplier undertakes, both for itself and for its employees and other vicarious agents, to treat as confidential all information obtained within the scope of the respective contractual relationship and designated as confidential or to be regarded as confidential under the circumstances.

    (2) The confidentiality obligation shall continue to apply after termination of the respective contract.

    (3) The duty of confidentiality shall not apply to information which

    • does not qualify as a business secret within the meaning of the GeschGehG;
    • was demonstrably known to or made available to the provider before the customer became aware of it;
    • is demonstrably disclosed to the Provider in a lawful manner by third parties who are not subject to a duty of confidentiality after being informed by the Customer;
    • was in the public domain as a result of publications or for any other reason, or became so after it was brought to the public’s attention.

    (4) Notwithstanding the aforementioned provisions, the Provider shall be entitled to fulfil its statutory obligations to provide information also with regard to the information provided to it.

    (5) Provided that the customer gives prior consent in text form, Thalox is entitled to name the customer as a reference customer vis-à-vis third parties and to include the customer’s name and logo on its own Internet pages for the purpose of providing references. The authorisation exists beyond the termination of the contractual relationship until revoked by the customer.

    § 12 | Liability |

    (1) In the event of intent or gross negligence, the Provider shall be liable without limitation for all damage caused by it and its legal representatives or vicarious agents.

    (2) In the event of slight negligence, the Provider shall be liable without limitation in the event of injury to life, limb or health.

    (3) In all other respects, the Provider shall only be liable if it has breached a material contractual obligation. Material contractual obligations are those obligations which are of particular importance for the achievement of the purpose of the contract, as well as all those obligations which, in the event of a culpable breach, may lead to the achievement of the purpose of the contract being jeopardized. In these cases, liability is limited to compensation for the foreseeable, typically occurring damage. In this respect, it is again stated that according to § 2 para. 2 – 4 neither the provision and maintenance of third party services, nor the verification of input by the customer or other third parties are contractual obligations.  The provider’s strict liability for damages for defects existing at the time of conclusion of the contract is excluded; paras. 1 and 2 remain unaffected.

    (4) Insofar as data backup is not included in the Provider’s contractual catalogue of services, the Customer shall be responsible for regularly backing up its data. In the event of a loss of data for which the Provider is responsible, the Provider shall therefore be liable exclusively for the costs of restoring the service on the basis of and with the status of the Customer’s backup copy.

    (5) Thalox is not liable for an infringement of the rights of third parties by the customer, if and to the extent that this infringement results from a transgression of the rights of use granted under these GTC. In this case, the Customer shall indemnify Thalox upon first request against all claims of third parties.

    (6) Liability under the Product Liability Act and other mandatory statutory provisions shall remain unaffected.

    § 13 | Term, Termination |

    (1) The respective contractual relationship begins with the conclusion of the contract (§ 3). Unless otherwise agreed, paid variants of the application have a term of one month, beginning with the respective booking.

    (2) The contractual relationship shall be automatically extended by a further month unless terminated by one of the parties at the end of the respective term.

    (3) The right to terminate for good cause remains unaffected. Good cause shall be deemed to exist in particular if the respective other contracting party grossly breaches its contractual obligations in breach of contract and despite written warning and/or setting of a deadline. Good cause shall be deemed to exist in particular if the customer is in default with the payment of fees or significant parts thereof and does not pay the fees within a reasonable period of time even after a reminder or if an application for the opening of insolvency proceedings against the customer’s assets has been filed and/or such insolvency proceedings have been opened.

    (4) If the contractual relationship is terminated extraordinarily by the Provider due to a culpable breach of duty by the Customer, the Customer undertakes to compensate the Provider for the damage resulting from the extraordinary termination.

    (5) If notice of termination is not given via the button provided for this purpose in the customer profile, it must be given in text form.

    (6) After termination, access to the customer account will be blocked. Unless otherwise agreed, all customer data will be deleted one month after termination of the contract. It is the responsibility of the customer to save his customer data to his local system in a timely manner. Thalox is prepared to provide the customer with his data in electronic form within one month after termination of the contract. The expenses incurred as a result of this will be invoiced separately to the customer.

    (7) The customer is solely responsible for compliance with statutory retention obligations (e.g. due to tax regulations) with regard to his customer data.

    (8) Any use of the software after termination of the contractual relationship is not permitted.

    § 14 | Force majeure |

    Neither of the contracting parties shall be obliged to fulfil the contractual obligations in the event of and for the duration of force majeure. In particular, the following circumstances shall be considered as force majeure in this sense:

    • fire/explosion for which the contracting party is not responsible,
    • Pandemics,
    • Flooding,
    • War, mutiny, blockade, embargo,
    • industrial dispute lasting more than 6 weeks and not culpably brought about by the contractual partner,
    • technical problems of the internet that cannot be influenced by a contractual partner.

    Each contracting party shall immediately notify the other in writing of the occurrence of a case of force majeure.

    § 15 | Final Provisions |

    (1) German substantive law shall apply to all contractual relationships with Thalox to the exclusion of the UN Convention on Contracts for the International Sale of Goods.

    (2) The possible invalidity of individual provisions of these GTC shall not affect the validity of the remaining content of the contract.

    (3) If, in the practical application of the respective contract or these GTC, gaps arise which the contracting parties have not provided for, or if the ineffectiveness of a provision is established in a legally binding manner or by both contracting parties in agreement, they undertake to fill or replace this gap or ineffective provision in a factual and appropriate manner oriented to the economic purpose of the contract.

    (4) Insofar as these GTC or other contractual documents are also translated into other languages, this shall only serve as a reading aid. In the event of disputes or questions of interpretation, only the German version shall be used.

    (5) The exclusive place of jurisdiction for all contracts with Thalox is the district court responsible for 86633 Neuburg a.d. Donau, unless a norm mandatorily orders a different place of jurisdiction.

    — Status: December 2022 —

  • Data Processing
    Contract on commissioned processing

    as the responsible person (herein referred to as the “Principal“)

    and the

    Thalox AG

    represented by the Executive Board, Erwin Arnold,

    as contact person for data protection

    Schießhausstraße 155

    86633 Neuburg a.d.Donau

     (herein referred to as “Contractor“)


    The Client uses the SaaS solution “thalox for marketers” operated by the Contractor. The Client wishes to commission the Contractor with the services specified in § 3. In the course of the performance of the contract, personal data may be processed. In particular, Art. 28 GDPR imposes certain requirements on such commissioned processing. In order to comply with these requirements, the Parties enter into the following agreement, the performance of which shall not be remunerated separately unless this is expressly agreed.

    § 1 | Definitions |

    (1) Pursuant to Art. 4 (7) GDPR, the controller is the body which alone or jointly with other controllers determines the purposes and means of the processing of personal data.

    (2) Pursuant to Article 4 (8) of the GDPR, a processor is a natural or legal person, authority, institution or other body that processes personal data on behalf of the controller.

    (3) Pursuant to Article 4(1) of the GDPR, personal data means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

    (4) Personal data requiring special protection are personal data pursuant to Art. 9 GDPR revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership of data subjects, personal data pursuant to Art. 10 GDPR on criminal convictions and offences or related security measures, as well as genetic data pursuant to Art. 4 (13) GDPR, biometric data pursuant to Art. 4 (14) GDPR, health data pursuant to Art. 4 (15) GDPR and data on the sex life or sexual orientation of a natural person.

    (5) According to Article 4 (2) of the GDPR, processing is any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

    (6) Pursuant to Article 4 (21) of the GDPR, the supervisory authority shall be an independent state body established by a Member State pursuant to Article 51 of the GDPR.

    § 2 | Indication of the competent data protection supervisory authority |

    (1) The competent supervisory authority for the principal shall be determined by the principal’s registered office.

    (2) The competent supervisory authority for the Contractor is the Bavarian State Commissioner for Data Protection.

    (3) The contracting authority and the contractor and, where appropriate, their representatives shall cooperate, on request, with the supervisory authority in the performance of their duties.

    § 3 | Formation of the contract, subject matter of the contract |

    (1) This agreement shall enter into force upon confirmation by the client in electronic form. For this purpose, the client shall set a corresponding check mark in the course of setting up his user account and thereby confirm the conclusion of the contract. The contract ends with the termination of the main contractual relationship.

    (2) The Contractor shall provide services for the Client in the form of making available a software platform on server capacities rented from third parties for use via the Internet. In doing so, the contractor may obtain access to personal data and process these exclusively on behalf of and according to the instructions of the client. The scope and purpose of the data processing by the contractor are set out in the main contract (and the associated service description). The Client shall be responsible for assessing the permissibility of the data processing.

    (3) The Parties conclude the present Agreement to specify the mutual rights and obligations under data protection law. In case of doubt, the provisions of this agreement shall take precedence over the provisions of the main contract.

    (4) The provisions of this contract shall apply to all activities which are connected with the main contract and in the course of which the contractor and its employees or persons commissioned by the contractor come into contact with personal data originating from the client or collected for the client.

    (5) The term of this contract shall be based on the term of the main contract, insofar as no further obligations or rights of termination arise from the following provisions.

    § 4 | Right to issue instructions |

    (1) The contractor may only collect, process or use data within the framework of the main contract and in accordance with the client’s instructions; this applies in particular with regard to the transfer of personal data to a third country or to an international organisation. If the Contractor is obliged to carry out further processing by the law of the European Union or of the Member States to which it is subject, it shall inform the Client of these legal requirements prior to the processing.

    (2) The Client’s instructions shall initially be determined by this contract and may thereafter be amended, supplemented or replaced by the Client in writing or in text form by individual instructions. The Client is entitled to issue corresponding instructions at any time. This includes instructions with regard to the correction, deletion and blocking of data. Unless otherwise agreed, the data protection officer of the Client shall be the person authorised to issue instructions. In the event of a change or long-term unavailability of the appointed persons, the successor or representative shall be named to the contractual partner in text form without delay.

    (3) All instructions issued shall be documented by both the Client and the Contractor. Instructions that go beyond the performance agreed in the main contract shall be treated as a request for a change in performance.

    (4) If the Contractor is of the opinion that an instruction of the Client violates data protection provisions, it shall notify the Client thereof without delay. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Client. The Contractor may refuse to carry out an instruction that is obviously unlawful.

    § 5 | Type of data processed, group of data subjects |

    (1) In the course of the performance of the main contract, the contractor may receive access to the following data, which is not necessarily but potentially personal:

    • Log files
    • Data of the client, in particular e-mail address, first and last name, company name, managing director/owner, address and telephone number
    • Data of the client’s customers, in particular first and last name, address, telephone number, e-mail address, as well as
      – contract data, if applicable
      – communication content.

    (2) The persons concerned by the processing of personal data under this Agreement may include:

    • Users of the service, esp. employees or other vicarious agents of the Principal within the meaning of Section 26 (8) BDSG
    • Clients of the principal

    (3) In the course of the performance of the Main Contract, the Contractor may have access to special categories of personal data. These are:

    Insofar as it arises in the above-mentioned ways, in particular insofar as it is contained in the communication content, the data may include personal data revealing racial and ethnic origin, political opinions, religious or ideological convictions or trade union membership, as well as health data or data relating to the sex life or sexual orientation of a natural person, whereby their processing by the Principal is carried out in accordance with Article 9 (3) of the GDPR. These are:

    • Information on the existence of a disability
      • Information on hearing and visual aids
      • Allergies
      • Shoe and dress size

    § 6 | Protective Measures of the Contractor |

    (1) The Contractor is obliged to observe the statutory provisions on data protection and not to disclose information obtained from the Client’s domain to third parties or expose it to their access. Documents and data shall be secured against access by unauthorised persons, taking into account the state of the art.

    (2) The Contractor shall structure the internal organisation in its area of responsibility in such a way that it meets the special requirements of data protection. It shall take all necessary technical and organisational measures for the adequate protection of the Client’s data pursuant to Art. 32 GDPR, in particular:

    • Measures to ensure the confidentiality (Art. 32(1)(b) GDPR), integrity (Art. 32(1)(b) GDPR), availability and resilience of systems and services (Art. 32(1)(b) GDPR) in relation to processing on an ongoing basis:
      • Use of encryption technologies: Data transmission via HTTPS (TLS) or FTPS/SFTP
      • Access control through the use of secure passwords
    • Measures to ensure the ability to rapidly restore the availability of and access to personal data in the event of a physical or technical incident (Art. 32(1)(c) GDPR).
      • Regular creation of backups
    • A procedure for regularly reviewing, assessing and evaluating the effectiveness of technical and organisational measures to ensure the security of processing (Art. 32(1)(d), Art. 25(1) GDPR).
    • Standard assurance that all systems are properly operational, including resilience checks, by hosting with an ISO/IEC 27001:2013, 27017:2015, 27018:2019, 27701:2019, 22301:2019, 9001:2015 and CSA STAR CCM v3.0.1 certified host.

    The Contractor reserves the right to change the security measures taken, while ensuring that the contractually agreed level of protection is not undercut.

    (3) The Contractor has appointed as contact person for data protection: Erwin Arnold. The Contractor shall publish the contact details of the contact person for data protection on its website.

    (4) The persons employed by the Contractor for data processing are prohibited from collecting, processing or using personal data without authorisation. The Contractor shall oblige all persons entrusted by it with the processing and fulfilment of this contract (hereinafter referred to as employees) accordingly (obligation to confidentiality, Art. 28 Para. 3 lit. b GDPR) and ensure compliance with this obligation with due care. These obligations must be formulated in such a way that they remain in force even after the termination of this contract or the employment relationship between the employee and the contractor. Evidence of the obligations shall be provided to the Client in an appropriate manner upon request.

    § 7 | Information Duties of the Contractor |

    (1) In the event of disruptions, suspected data protection violations or breaches of contractual obligations of the Contractor, suspected security-related incidents or other irregularities in the processing of personal data by the Contractor, by persons employed by the Contractor within the scope of the contract or by third parties, the Contractor shall inform the Client immediately in writing or text form. The same shall apply to audits of the Contractor by the data protection supervisory authority. The notification of a personal data breach shall contain at least the following information:

    1. a description of the nature of the personal data breach, including, where possible, the categories and number of data subjects concerned and the categories and number of personal data records concerned;
    2. a description of the measures taken or proposed by the Contractor to remedy the breach and, where applicable, measures to mitigate its possible adverse effects.

    (2) The Contractor shall immediately take the necessary measures to secure the data and to mitigate possible adverse consequences for the data subjects, inform the Client thereof and request further instructions.

    (3) The Contractor shall furthermore be obliged to provide the Client with information at any time insofar as the Client’s data is affected by a breach pursuant to paragraph 1.

    (4) Should the Client’s data at the Contractor be endangered by attachment or seizure, by insolvency or composition proceedings or by other events or measures of third parties, the Contractor shall inform the Client thereof without delay, unless it is prohibited from doing so by court or official order. In this context, the Contractor shall inform all competent bodies without delay that the decision-making authority over the data lies exclusively with the Client as the “responsible party” within the meaning of the GDPR.

    (5) The Contractor shall inform the Client without delay of any significant changes to the security measures pursuant to § 6 para. 2.

    (6) The Client shall be informed immediately of any change in the person of the contact person for data protection.

    (7) The Contractor and, if applicable, its representative shall keep a register of all categories of processing activities carried out on behalf of the Principal, which shall contain all information pursuant to Art. 30 (2) of the GDPR. The register shall be made available to the Client upon request.

    (8) The contractor shall cooperate to a reasonable extent in the preparation of the procedure directory by the principal. He shall inform the principal of the respective required information in an appropriate manner.

    § 8 | Control rights of the client |

    (1) The Client shall satisfy itself of the technical and organisational measures of the Contractor prior to the commencement of data processing and regularly thereafter. For this purpose, it may, for example, obtain information from the Contractor, have existing test certificates from experts, certifications or internal audits presented to it or personally inspect the Contractor’s technical and organisational measures after timely coordination during normal business hours or have them inspected by a competent third party, provided that this third party is not in a competitive relationship with the Contractor. The Client shall only carry out inspections to the extent necessary and shall not disproportionately disrupt the Contractor’s operating processes.

    (2) The Contractor undertakes to provide the Client, upon the Client’s verbal or written request and within a reasonable period of time, with all information and evidence required to carry out a check of the Contractor’s technical and organisational measures.

    (3) The Client shall document the inspection results and inform the Contractor thereof. In the event of errors or irregularities discovered by the Client, in particular during the inspection of order results, the Client shall inform the Contractor without delay. If facts are found during the inspection, the future avoidance of which requires changes to the ordered procedure, the Client shall inform the Contractor of the necessary procedural changes without delay.

    (4) The Contractor shall provide the Client, at the Client’s request, with a comprehensive and up-to-date data protection and security concept for the commissioned processing as well as on persons authorised to access the data.

    (5) The Contractor shall provide the Client with evidence of the obligation of the employees pursuant to § 6 para. 4 upon request.

    § 9 | Use of subcontractors |

    (1) The contractually agreed services or the partial services described below shall be performed with the involvement of the subcontractors listed below:

    Name and address of the subcontractor | Services provided by the subcontractor
    Amazon Web Services EMEA SARL, Branch Office Germany, Marcel-Breuer-Str. 12, 80807 Munich, Germany | Hosting of the contractual application
    Agileful, Rheinsberger Str. 76/77, 220813 Berlin, Germany | Iranian resources for software development in the field of AWS Backend and Machine Learning

    Within the scope of its contractual obligations, the Contractor is authorised to establish further subcontracting relationships with subcontractors (“subcontractor relationship”). It shall inform the Client thereof without delay. The Contractor is obliged to carefully select subcontractors according to their suitability and reliability. When engaging subcontractors, the Contractor shall oblige them in accordance with the provisions of this Agreement and shall ensure that the Client can also exercise its rights under this Agreement (in particular its inspection and monitoring rights) directly against the subcontractors. If subcontractors in a third country are to be involved, the Contractor shall ensure that an appropriate level of data protection is guaranteed at the respective subcontractor (e.g. by concluding an agreement based on the EU standard data protection clauses). Upon request, the Contractor shall provide the Client with evidence of the conclusion of the aforementioned agreements with its subcontractors.

    (2) A subcontractor relationship within the meaning of these provisions does not exist if the contractor commissions third parties with services that are to be regarded as purely ancillary services. These include, for example, postal, transport and shipping services, cleaning services, telecommunications services without any specific reference to services provided by the Contractor for the Client and security services. Maintenance and testing services constitute subcontractor relationships subject to approval insofar as they are provided for IT systems that are also used in connection with the provision of services for the principal.

    § 10 | Requests and rights of data subjects |

    (1) The Contractor shall support the Client as far as possible with suitable technical and organisational measures in the fulfilment of the Client’s obligations pursuant to Articles 12-22 as well as 32 and 36 of the GDPR.

    (2) If a data subject asserts rights, such as the right to information, correction or deletion with regard to his/her data, directly against the Contractor, the Contractor shall not react independently, but shall immediately refer the data subject to the Client and await the Client’s instructions.

    § 11 | Liability |

    (1) In the internal relationship with the contractor, the client alone shall be responsible to the data subject for compensation for damages suffered by a data subject due to inadmissible or incorrect data processing or use within the scope of the commissioned processing in accordance with the data protection laws.

    (2) Each party shall be released from liability if it proves that it is not responsible in any respect for the circumstance by which the damage occurred to an affected person.

    § 12 | Extraordinary Right of Termination |

    The Client may terminate the main contract in whole or in part without notice if the Contractor fails to fulfil its obligations under this contract, violates provisions of the GDPR with intent or gross negligence or is unable or unwilling to carry out an instruction of the Client. In the case of simple – i.e. neither intentional nor grossly negligent – violations, the Client shall set the Contractor a reasonable deadline within which the Contractor can remedy the violation.

    § 13 | Termination of the Main Contract |

    (1) The Contractor shall return to the Client after termination of the main contract or at any time upon the Client’s request all documents, data and data carriers provided to the Contractor or – at the Client’s request, unless there is an obligation to store personal data under Union law or the law of the Federal Republic of Germany – delete them. This also applies to any data backups at the Contractor. The Contractor shall provide documented proof of the proper deletion of any data still in existence. Documents to be disposed of shall be destroyed using a document shredder in accordance with DIN 32757-1. Data carriers to be disposed of shall be destroyed in accordance with DIN 66399.

    (2) The Client shall have the right to control the complete and contractually compliant return or deletion of the data at the Contractor in an appropriate manner.

    (3) The Contractor shall be obliged to treat as confidential any data of which it becomes aware in connection with the main contract, even after the end of the main contract. The present agreement shall remain valid beyond the end of the main contract for as long as the contractor has personal data at its disposal which were forwarded to it by the client or which it has collected for the client.

    § 14 | Final Provisions |

    (1) The Parties agree that the defence of the right of retention by the Contractor within the meaning of Section 273 of the German Civil Code (BGB) with regard to the data to be processed and the associated data carriers is excluded.

    (2) Amendments and supplements to this agreement must be made in text form. This also applies to the waiver of this formal requirement. The priority of individual contractual agreements remains unaffected.

    (3) Should individual provisions of this agreement be or become wholly or partially invalid or unenforceable, this shall not affect the validity of the remaining provisions in each case.

    (4) Insofar as these GTC or other contractual documents are also translated into other languages, this shall only serve as a reading aid. In the event of disputes or questions of interpretation, only the German version shall be used.

    (5) This agreement is subject to German law. The exclusive place of jurisdiction is Neuburg an der Donau.

    Status: December 2022

  • Acceptable Use Policy (AUP)

    This acceptable use policy covers the products, services, and technologies (collectively referred to as the “Products”) provided by Thalox AG under any ongoing agreement. It’s designed to protect us, our customers, and the general Internet community from unethical, irresponsible, and illegal activity.

    Thalox AG customers found engaging in activities prohibited by this acceptable use policy can be liable for service suspension and account termination. In extreme cases, we may be legally obliged to report such customers to the relevant authorities.

    This policy was last reviewed in December 2022.

    Fair use

    We provide our facilities with the assumption your use will be “business as usual”, as per our offer schedule. If your use is considered to be excessive, then additional fees may be charged, or capacity may be restricted.

    We are opposed to all forms of abuse, discrimination, rights infringement, and/or any action that harms or disadvantages any group, individual, or resource. We expect our customers and, where applicable, their users (“end-users”) to likewise engage our Products with similar intent.

    Customer accountability

    We regard our customers as being responsible for their own actions as well as for the actions of anyone using our Products with the customer’s permission. This responsibility also applies to anyone using our Products on an unauthorized basis as a result of the customer’s failure to put in place reasonable security measures.

    By accepting Products from us, our customers agree to ensure adherence to this policy on behalf of anyone using the Products as their end users. Complaints regarding the actions of customers or their end-users will be forwarded to the nominated contact for the account in question.

    If a customer — or their end-user or anyone using our Products as a result of the customer — violates our acceptable use policy, we reserve the right to terminate any Products associated with the offending account or the account itself or take any remedial or preventative action we deem appropriate, without notice. To the extent permitted by law, no credit will be available for interruptions of service resulting from any violation of our acceptable use policy.

    Prohibited activity

    Copyright infringement and access to unauthorized material

    Our Products must not be used to transmit, distribute or store any material in violation of any applicable law. This includes but isn’t limited to:

    • any material protected by copyright, trademark, trade secret, or other intellectual property right used without proper authorization, and
    • any material that is obscene, defamatory, constitutes an illegal threat or violates export control laws.

    The customer is solely responsible for all material they input, upload, disseminate, transmit, create or publish through or on our Products, and for obtaining legal permission to use any works included in such material.

    SPAM and unauthorized message activity

    Our Products must not be used for the purpose of sending unsolicited bulk or commercial messages in violation of the laws and regulations applicable to your jurisdiction (“spam”). This includes but isn’t limited to sending spam, soliciting customers from spam sent from other service providers, and collecting replies to spam sent from other service providers.

    Our Products must not be used for the purpose of running unconfirmed mailing lists or telephone number lists (“messaging lists”). This includes but isn’t limited to subscribing e-mail addresses or telephone numbers to any messaging list without the permission of the e-mail address or telephone number owner, and storing any e-mail addresses or telephone numbers subscribed in this way. All messaging lists run on or hosted by our Products must be “confirmed opt-in”. Verification of the address or telephone number owner’s express permission must be available for the lifespan of the messaging list.

    We prohibit the use of e-mail lists, telephone number lists or databases purchased from third parties intended for spam or unconfirmed messaging list purposes on our Products.

    This spam and unauthorized message activity policy applies to messages sent using our Products, or to messages sent from any network by the customer or any person on the customer’s behalf, that directly or indirectly refer the recipient to a site hosted via our Products.

    Unethical, exploitative, and malicious activity

    Our Products must not be used for the purpose of advertising, transmitting, or otherwise making available any software, program, product, or service designed to violate this acceptable use policy, or the acceptable use policy of other service providers. This includes but isn’t limited to facilitating the means to send spam and the initiation of network sniffing, pinging, packet spoofing, flooding, mail-bombing, and denial-of-service attacks.

    Our Products must not be used to access any account or electronic resource where the group or individual attempting to gain access does not own or is not authorized to access the resource (e.g. “hacking”, “cracking”, “phreaking”, etc.).

    Our Products must not be used for the purpose of intentionally or recklessly introducing viruses or malicious code into our Products and systems.

    Our Products must not be used for purposely engaging in activities designed to harass another group or individual. Our definition of harassment includes but is not limited to denial-of-service attacks, hate-speech, advocacy of racial or ethnic intolerance, and any activity intended to threaten, abuse, infringe upon the rights of, or discriminate against any group or individual.

    Other activities considered unethical, exploitative, and malicious include:

    1. Obtaining (or attempting to obtain) services from us with the intent to avoid payment;
    2. Using our facilities to obtain (or attempt to obtain) services from another provider with the intent to avoid payment;
    3. The unauthorized access, alteration, or destruction (or any attempt thereof) of any information about our customers or end-users, by any means or device; 
    4. Using our facilities to interfere with the use of our facilities and network by other customers or authorized individuals; 
    5. Publishing or transmitting any content or links that incite violence, depict a violent act, depict child pornography, or threaten anyone’s health and safety;
    6. Any act or omission in violation of consumer protection laws and regulations; 
    7. Any violation of a person’s privacy.

    Our Products may not be used by any person or entity, which is involved with or suspected of involvement in activities or causes relating to illegal gambling; terrorism; narcotics trafficking; arms trafficking or the proliferation, development, design, manufacture, production, stockpiling, or use of nuclear, chemical or biological weapons, weapons of mass destruction, or missiles; in each case including any affiliation with others whatsoever who support the above such activities or causes.

    Unauthorized use of Thalox AG property

    We prohibit the impersonation of Thalox AG, the representation of a significant business relationship with Thalox AG, or ownership of any Thalox AG property (including our Products and brand) for the purpose of fraudulently gaining service, custom, patronage, or user trust.

    About this policy

    This policy outlines a non-exclusive list of activities and intent we deem unacceptable and incompatible with our brand.

    We reserve the right to modify this policy at any time by publishing the revised version on our website. The revised version will be effective from the earlier of:

    • the date the customer uses our Products after we publish the revised version on our website; or
    • 30 days after we publish the revised version on our website.