Master Subscription Services Agreement for the InLoox Cloud

  The contractual terms will depend on your contract partner.

If your contract partner is InLoox GmbH based in Munich, Germany, the General Terms and Conditions for the Use of the Online Services in the InLoox Cloud of InLoox GmbH will apply.

If your contract partner is InLoox, Inc. based in San Francisco, USA, the InLoox, Inc. Master Subscription Services Agreement will apply.

General Terms and Conditions for the Use of the Online Services in the InLoox Cloud

The following General Terms and Conditions of InLoox GmbH, Walter-Gropius-Strasse 17, 80807 München, (hereinafter referred to as "InLoox") apply to the use of the online services in the InLoox Cloud (hereinafter referred to as "Online Services").

1. Scope of application

Our General Terms and Conditions (hereinafter referred to as "T&C") apply exclusively; we do not acccept contrary conditions or conditions of the customer that deviate from our Terms and Conditions unless we explicitly approve of their application in writing.

2. Subject matter of the Agreement

2.1. These T&C govern the Online Services provided by InLoox. Through the Online Services InLoox provides the customer with the technical possibility and authorisation to access services, which are operated on central servers of InLoox, via the Internet under app.inloox.com directly in the web browser and/or through apps and to use the functionalities of the Online Services in connection with this Agreement.

2.2. The use of the apps by the customer subject to a separate, independent end-user licence agreement. In connection with the installation of the apps the customer agrees to the terms and conditions of the end-user licence agreement. They can be found on www.inloox.com/end-user-license-agreement at any time and are provided to the customer upon installation.

3. Services

3.1. The kind and scope of the Online Services are conclusively described on www.inloox.com/inlooxcloud. The contractual services are based on the customer's order.

3.2. Unless otherwise agreed in the order, the Online Service is available 24/7 ("Operation Hours"). The average availability during the Operation Hours amounts to a monthly average of 99.5 % with regard to the scope of responsibility of InLoox. The regular maintenance windows of the system, which can be found at www.inloox.com/support/inlooxcloud/maintenance, are not included in the calculation of the availability ("Maintenance Times"). During the aforementioned times, the application might still be available, but may also be subject to interruptions and limitations; however, there is no claim for use. If maintenance works are required during the Operation Hours and the application is hence not available, InLoox will, if possible, inform the customer about this in due time.

3.3. During the term of Agreement, InLoox offers a support service to the customer, free of charge, including the supply of new versions, upgrades or updates. The details of the support service can be found at www.inloox.com/support/inlooxcloud.

3.4. Besides, and unless otherwise agreed in the order, InLoox is not obliged to any further services. In particular, InLoox is not obliged to provide services with regards to the installation, equipment, advice, adjustment and/or training as well as with regard to the development and supply of individual programming and/or additional programmes.

3.5. The customer can choose to nominate one of InLoox´ distribution partners as a supporter of the customer´s account within 30 days following the conclusion of contract for initial acquisition of Online Services. In the event of nomination, the distribution partner has to provide customer with free of charge first level support during the term of contract. For the details of support service we refer to the respective terms and conditions of distribution partner. Within the scope of accounting the required customer information will be transmitted to the distribution partner for specific use only. For further details we refer to our privacy policy and to the notice given with the process of nomination.

4. Right of use

4.1. During the term of this Agreement, InLoox grants, against payment, to the customer the non-exclusive, non-assignable, non-sublicensable right to access the Online Services on InLoox' server via the Internet and to use the functionalities linked to the Online Services through a web browser or a desktop software in accordance with this Agreement. The customer does not receive any additional rights, in particular with reference to the software. The software is not handed over to the customer.

4.2. The customer is not entitled to use the Online Services beyond the use permitted in accordance with this Agreement or to make them available to third parties - no matter in which way and whether free of charge or against payment. In particular, the customer is not entitled to reproduce or sell the Online Service wholly or in parts or to permit the use for a certain period; the customer is in particular not entitled to rent or lend it.

4.3. The customer may only use the Online Services for his own business activities through own staff and/or authorised third parties who use the Online Services on behalf of him ("Authorised Users"). The customer ensures that the Authorised Users use the Online Services only within the scope of and pursuant to these T&Cs.

4.4. For each case, in which the customer culpably enables third parties to use the Online Services, the customer has to pay a penalty in the amount of the sixfold regular remuneration; any such payment shall become due immediately. InLoox reserves the right to assert further damages. In any such case penalty will be credited against the claim for damages.

4.5. To the extent InLoox provides the customer with new versions, updates or upgrades of the Online Services during the term of this Agreement, the aforementioned right of use applies accordingly.

4.6. In the case of an unauthorised permit of use, the customer shall immediately and upon request provide InLoox with any information for the assertion of claims against the user, in particular his/her name and address.

4.7. If the contractual use of the Online Services is affected by IP rights of third parties without InLoox' fault, InLoox is entitled to refuse rendering the services affected by this. InLoox will inform the customer about this immediately and will grant him/her access to his/her data in an appropriate way. In any such case the customer is not obliged for payment. Any other claims or rights of the customer shall remain unaffected.

5. Test version, beta version

5.1. If the customer has signed up for a test version or beta version of the Online Services, he can use it free of charge for a period of 30 days in accordance with the provisions of this Agreement. For this period InLoox does not guarantee or warrant and is not liable for damages incurred by the use of the test version, except for wilful acts and gross negligence.

5.2. Any customer data is deleted by InLoox after the 30-day test period, unless the customer decides to enter into an agreement on the use of the Online Services against payment before the expiry of said 30-day test period.

5.3. Customer data, which was created and/or inserted via beta version, cannot be transferred to a production version; they will be deleted by InLoox after the expiry of the beta period.

6. Obligations of the customer / indemnification

6.1. The customer will protect the authorisations for use and access as well as the identification and authentication protections assigned to him and/or the users from the access by third parties and the customer will not forward this information to unauthorised users. As soon as the customer gets aware that the authorisations for use and access have been obtained by a third party in an illegal way or that they might be misused, the customer is obliged to immediately inform InLoox for the purposes of mitigating the damage.

6.2. The customer will not use the Online Services in any way constituting a misuse, or have them used in any such way; in particular, the customer will not transmit any illegal contents. Moreover, the customer will also refrain from any attempt to illegally retrieve information or data itself or via non-authorised third parties or to intervene into programmes operated by InLoox, or arrange for such intervention, or to intrude into data networks of InLoox in an illegal way.

6.3. The customer will immediately report any errors of the contractual services to InLoox in writing, stating how and under which circumstances the error and/or the defect occurs and the customer will actively support InLoox with the troubleshooting.

6.4. The customer will secure the data transmitted to InLoox on a regular basis and appropriately to possible risks and create own backups in order to be able to restore the data and information in the case of loss.

6.5. When using the Online Services as well as the contractual services, the customer will comply with all applicable laws and other legal provisions. In particular, the customer is not entitled to upload any data or contents infringing legal provisions or other IP rights or copyrights or any other rights of third parties. The customer alone is responsible for the data and contents supplied by him. InLoox neither reviews the contents as to their lawfulness nor as to their correctness.

6.6. The customer indemnifies InLoox from any claims of third parties which are based on an illegal use of the Online Services by him or occur with his approval or which, in particular, result from data protection law disputes, copyright law disputes or any other legal disputes connected to the use of the Online Services. If the customer realises, or has to realise, that any such infringement is imminent, he is obliged to immediately inform InLoox.

7. Use contrary to the Agreement / blocking of access

7.1. If there are specific aspects to the effect that the customer infringes and/or has infringed any material obligation set forth in this Agreement, any statutory provision or any right of third parties or if InLoox has any other justified interest, InLoox is entitled:

• to delete, to deactivate or to change the respective data;
• to take any other appropriate measures, such as issuing a warning to the customer,
• to immediately block the customer's access to the Online Services.

7.2. When deciding on a measure to be taken, InLoox will take into consideration the justified interests of the customer, in particular if the infringement was not the customer's fault. In any case, InLoox will inform the customer by email prior to blocking the account.

7.3. The access will only be restored when the infringement of the respective material obligation has been permanently removed and/or the risk of repetition is excluded. In very serious or repeated culpable cases of infringement, InLoox is entitled to block the customer's access to the Online Services permanently.

8. Remuneration / payment terms

8.1. The remuneration agreed upon for the contractual services are based on the customer's order. The invoicing period (1 or 12 months) is based on the customer's order.

8.2. All remunerations and prices are exclusive of respective valid statutory VAT. VAT will be invoiced separately in addition to the remuneration.

8.3. The remuneration contractually agreed on is due in advance of an invoicing period by way of credit card or by direct debit. Irrespective of the payment method chosen, the customer has to keep the data provided for invoicing updated at any time and has to immediately inform InLoox about any changes hereof.

8.4. If the customer provides InLoox with a respective direct debit authorisation for payment, the amount due for the invoicing period is debited from the account referred to in the direct debit authorisation 7 days after receipt of the invoice. The customer has to make sure that there is sufficient coverage on his account at any time. The customer has to refund any costs arising from the fact that a direct debit is not redeemed and if the customer is responsible for this. The customer is free to prove that the costs have not arisen or have not arisen in the asserted amount.

8.5. The customer may only set off costs against receivables that were determined in a legally final and binding way or that are uncontested or he may assert a right of retention.

9. Delay

9.1. In the case of a delay in payment, InLoox is entitled to invoice default interest in the amount of 8 percentage points above‎ the respectively valid basic interest rate vis-à-vis companies and in the amount of 5 percentage points above the respectively valid basic interest rate vis-à-vis consumers. The right to assert further damage shall remain reserved.

9.2. When the consumer is in delay of payment regarding a considerable amount, InLoox is entitled to block the access to the Online Services. In any such cases the customer shall remain obliged to pay the remuneration.

9.3. If the customer is in delay of payment with respect to

a) the remuneration and/or a considerable part of the remuneration for two consecutive invoicing periods or

b) the fees in the amount which corresponds to the amount of fees for two invoicing periods in a period which extends to more than two invoicing periods,

InLoox is entitled to terminate the Agreement without notice and to claim liquidated damages in the amount of a quarter of the remaining monthly prices until the end of the regular term of the Agreement; this amount is due immediately as one sum.

9.4. The amount of damage has to be increased or decreased if InLoox provides evidence for a higher damage or the customer provides evidence for a lower damage.

9.5. InLoox reserves the right to assert further claims for delay of payment.

9.6. If InLoox is in delay with providing operational Online Services, liability is determined in accordance with clause 10. The customer is only entitled to withdraw from the Agreement if InLoox does not comply with a reasonable grace period set by the customer.

10. Liability

10.1. In the case of wilful act, InLoox is unlimitedly liable for any and all damage caused by it and its legal representatives or vicarious agents.

10.2. In the case of slight negligence, InLoox is only liable for any damage caused by it and its legal representatives or vicarious agents as a result of the infringement of a material contractual obligation. Contractual obligations are considered material if required to duly execute the Agreement and on which InLoox regularly relies on and may rely on. In this case, liability shall be limited to the compensation of the foreseeable, typically occurring damage.

10.3. InLoox' liability for indirect losses and lost profits is excluded.

10.4. InLoox' strict liability for damages (Sec. 536a para. 1 German Civil Code(Bürgerliches Gesetzbuch, BGB)) as a result of defects existing at the time of the conclusion of the Agreement is excluded.

10.5. The liability pursuant to the product liability act shall remain unaffected.

10.6. Insofar as InLoox's liability is excluded or limited, such exclusion or limitation applies mutatis mutandis to the personal liability of its employees, members of staff, representatives and vicarious agents of InLoox.

11. Data protection and data security

11.1. The data uploaded by the customer will be saved on servers in Germany in data centers in Frankfurt am Main and Magdeburg. The basis for data processing is the agreement on data processing attached to these conditions, which is expressly agreed between the parties by acceptance of these conditions.

11.2. InLoox does not collect, process or use any personal data on behalf of the customer in connection with rendering the services pursuant to this Agreement except as the data stored by customer as defined in clause 11.1 above; InLoox does not have access to any such data either.

11.3. If the customer collects, processes or uses personal data, he is responsible for being entitled to do so pursuant to the applicable provisions, in particular pursuant to data protection provisions; in the case of an infringement, he indemnifies InLoox from claims of third parties. If contrary to clause 11.2. the customer uploads personal data onto InLoox' server without the consent of InLoox, the customer indemnifies InLoox from any claims of third parties.

11.4. As part of the "Customer Experience Improvement Program" (CEIP), InLoox will gather anonymized usage statistics and error reports. Customer can turn off this feature at any time. More information can be found at www.inloox.com/ceip.

12. Force majeure

12.1. InLoox is released from the obligation to render services arising from this Agreement if and insofar the non-performance of services can be attributed to the occurrence of conditions of force majeure after the conclusion of the Agreement.

12.2. Circumstances of force majeure include for example war, strike, riot, expropriation, fundamental legal changes, storm, floods and other natural disasters as well as any other circumstances for which InLoox is not responsible, in particular water ingress, blackouts and cut-offs or destruction of data cables.

12.3. Each contractual party has to immediately inform the respective other contractual party in writing about the occurrence of a case of force majeure.

13. Secrecy

The contractual parties undertake to treat as confidential any business and trade secrets which they - including their vicarious agents - have obtained on the occasion of entering into the Agreement or fulfilling the Agreement. These obligations do not apply to information, knowledge and experiences which

(a) are publicly known as can be verified without infringing this secrecy obligation,

(b) the parties already verifiably knew prior to receipt of this information, knowledge and experience

(c) were received by a third party which is not subject to a secrecy obligation or

(d) were verifiably gained through independent work.

14. Term of Agreement, termination

14.1. The Agreement is entered into for the contractual term as agreed upon in the order (minimum term). The Agreement is extended by the same period of time as the minimum term (extension term), unless one of the contractual parties terminates the Agreement prior to the end of the minimum term or the respective extension term.

14.2. The right of termination for good cause shall remain unaffected. In addition to clause 8.2., InLoox is, in particular, entitled to extraordinarily terminate the Agreement if the customer

14.2.1. infringes material provisions of this Agreement or does not fulfil main duties arising out of the Agreement and does not remedy this breach of duty despite a written warning within a reasonable deadline;

14.2.2. fails to make payments due under this Agreement and the default is not temporary;

or

14.2.3. ceases its business operations on a more than temporary basis, whether based on its own decision or by court order.

14.3. The customer's right to extraordinarily terminate the Agreement without notice is excluded if the contractual use of the Online Services, whether wholly or in parts, is not granted in time or is blocked again (Sec. 543 para. 2 item 1 BGB).

14.4. If the customer extraordinarily terminates the Agreement, InLoox refunds to the customer the remuneration already paid in advance.

14.5. If InLoox extraordinarily terminates the Agreement for a reason for which the customer is responsible, the customer has to pay the outstanding remuneration until the end of the minimum term.

14.6. All notices of extraordinary termination pursuant to this Agreement have to be made in writing. The point in time of receipt of the termination letter is decisive for adhering to the notice periods.

15. Obligations upon and after termination of the Agreement

15.1. During the term of the Agreement and within 30 days after the termination of the Agreement the customer's data saved on InLoox' servers are available for download by the customer, provided that the customer has not finally deleted the respective data from the server.

15.2. For these purposes, InLoox provides the customer with a download application within the Online Services. Customer data can be downloaded as a file in the SQL format; documents and enclosures can be downloaded in their original format.

15.3. After expiry of 30 days after termination of the Agreement, the customer does not have any claim for transmission of the data saved by him. InLoox will separately point this out to the customer after receipt of the termination.

16. Final provisions

16.1. In the case of deviations and/or contradictions of the provisions of this Agreement and the provisions of the exhibits, the provisions of this Agreement shall prevail.

16.2. The customer can only transfer the rights and obligations out of this Agreement to third parties upon written consent of InLoox. However, InLoox is entitled to transfer the rights and obligations out of this Agreement to an allied company within the meaning of Secs. 15 et seqq. German Stock Corporation Act (Aktiengesetz). InLoox will inform the customer about this in writing; in any such case, the customer is entitled to extraordinarily terminate the Agreement.

16.3. Amendments or supplements to the contract and its appendices must be made in text form, unless a special written form is agreed in this agreement.

16.4. This Agreement shall be governed by the laws of the Federal Republic of Germany under exclusion of the UN Convention on the International Sale of Goods (CISG) and international law (in particular German laws of conflict).

16.5. As far as the customer is not a consumer in the sense of § 13 BGB, the place of jurisdiction for all disputes arising from this contract including its appendices is Munich. The same applies if the customer has no general place of jurisdiction in Germany or his place of residence or usual abode is not known at the time the action is filed.

16.6. If individual clauses of the present Agreement are invalid wholly or in part, any possibly invalid provision shall be reinterpreted, supplemented or replaced in a way that the economic purpose that was originally intended with the invalid provision is achieved. The same shall apply if this Agreement contains any gaps.

16.7. The contract language shall be German. These General Terms and Conditions are available in German and in English. The German version only is decisive and binding for the interpretation of individual provisions and/or if there are any contradictions between the language versions.

Date: 2022-10-31

Order Processing Contract in accordance with Art. 28 GDPR

Version: January 29, 2021

Agreement

between the

customer of InLoox GmbH
- Party responsible - hereinafter referred to as the Client -

and

InLoox GmbH, Walter-Gropius-Strasse 17, D-80807 München
- Order processor - hereinafter referred to as the Contractor -

1. Subject matter and duration of the order

(1) The subject matter of the order depends on the respective order of the customer and the general terms and conditions referenced therein, which are referred to altogether here (hereinafter referred to as “Service Agreement”).

(2) The duration of this order (term) is the same as the term of the Performance Agreement.

2. Specification of the order content

(1) The type and purpose of the processing of personal data by the Contractor for the Client are described specifically in the Service Agreement. The Contractor will provide the following services in particular for the Client within the framework of the Service Agreement:

• installation of a project management software in computer systems operated by the Client;
• provision of maintenance services in computer systems operated by the Client;
• installation, operation and maintenance of a project management software on servers of the named subcontractor of the Contractor.

The provision of the contractually agreed data processing will be carried out by the Contractor itself exclusively in a member state of the European Union or in another contracting country of the Agreement on the European Economic Area. Any other relocation to a third country requires the prior permission of the Client and may only take place if the specific requirements in accordance with Art. 44 et seqq. GDPR are fulfilled. This consent can be granted for individual processing cases named in this Contract for one specific third country at a time, even with regards to subcontracting relationships. Where expressly indicated in Appendix 1 - Technical and Organisational Measures - individual processing operations take place outside a Member State of the European Union or in another Contracting State to the Agreement on the European Economic Area; in these cases, however, the appropriate level of protection is always guaranteed in the third country (see Appendix 2) and ensured by the measures specified in Appendix 1. Any other transfer to a third country requires the prior consent of the Client and may only take place if the special requirements of Art. 44 et seqq. GDPR are fulfilled. Such consent may be granted for individual processing operations referred to in this contract for a specific third country, including in respect of subcontracting relationships.

(2) The subject matter of the processing of personal data is the following data types/categories (list/description of the data categories):

• Personal master data
• Communication data (e.g. phone number, email address)
• Address details
• Contract master data (contractual relationship, product and contractual interests)
• Customer history
• Contract billing and payment data
• Planning and management data, including resources
• Other data, if entered by the customer (e.g. date of birth, proficiencies)

(3) The categories of the persons concerned by the processing include:

• Employees
• Suppliers and external service providers
• Customers
• Business partners
• Interested parties
• Other contact persons, if entered by the customer

3. Technical and organisational measures

(1) Before beginning the processing, the Contractor must document the implementation of the necessary technical and organisational measures specified before the placing of the order, in particular with regards to the specific order performance, and hand the documentation over to the Client for verification. Upon acceptance by the Client, the documented measures will form the basis of the order. If the verification/an audit by the Client results in a need for adjustment, this must be carried out mutually.

(2) The Contractor must establish the security in accordance with Art. 28(3)(c) and Art. 32 GDPR in particular in connection with Art. 5(1) and (2) GDPR. Altogether, the measures to be executed are measures for data protection and to guarantee a protection level appropriate to the risk in terms of the confidentiality, integrity, availability and capacity of the systems. The technical sophistication, the implementation costs and, and the type, extent and purpose of the processing, and the different likelihood of occurrence and severity of the risk for the rights and freedoms of natural persons within the meaning of Art. 32(1) GDPR must thereby be considered. The particular technical and organisational measures taken are listed in Appendix 1.

(3) The technical and organisational measures are subject to the technical progress and the further development. In this respect, the Contractor is permitted to implement alternative adequate measures. The security level of the set measures may thereby not fall below the minimum requirement. Significant changes must be documented.

4. Amendment, restriction and deletion of data

(1) The Contractor may not amend or delete data that is processed in the order, or restrict its processing, on its own authority, but may only do so after receiving documented instructions from the Client, if no statutory requirements oblige the Contractor to take action independently. Should a person concerned contact the Contractor directly in this respect, the Contractor will forward this solicitation immediately to the Client.

(2) If included in the scope of the service, the deletion plan, right to be forgotten, correction, data portability and information must be ensured directly by the Contractor after receiving documented instruction from the Client.

5. Quality assurance and other duties of the Contractor

In addition to compliance with the regulations of this order, the Contractor also has statutory duties in accordance with Art. 28 to Art. 33 GDPR; in this respect, it guarantees adherence to the following standards in particular:

a) Written order of a data protection officer that carries out its activities in accordance with Art. 38 and Art. 39 GDPR. The contact details of the data protection officer must be shared with the Client upon contract conclusion. Changes of the data protection officer must be reported to the Client immediately.

b) The safeguarding of confidentiality in accordance with Art. 28(3)(2)(b), Art. 29 and Art. 32(4) GDPR. When carrying out its work, the Contractor will only use employees who are bound to confidentiality and have been familiarised beforehand with the data protection provisions relevant to them. The Contractor and any person subordinate to the Contractor who has access to personal data may only process this data in accordance with the instructions of the Client, including the authorisations granted in this Contract, unless they are legally obliged to process the data.

c) The implementation of and compliance with all technical and organisational measures necessary for this order in accordance with Art. 28(3)(2)(c) and Art. 32 GDPR. The details are listed in Appendix 1.

d) The Client and the Contractor will work together with the supervisory authority, upon request, in the performance of their tasks.

e) The immediate informing of the Client about control actions and measures by the supervisory authorities, if they relate to specific and fundamental assignments and if such information is not prohibited by law. This also applies if a competent authority is carrying out an investigation of the order processing by the Contractor in relation to the processing of personal data, within the framework of administrative offence or criminal proceedings.

f) If the Client is subject in turn to an examination by the supervisory authority, administrative offence or criminal proceedings, the liability claim of a person concerned or a third party, or another claim in connection with the order processing by the Contractor, the Contractor must support it to the best of its abilities, to the extent legally permitted.

g) The Contractor will regularly control the internal processes, as well as the technical and organisational measures, in order to guarantee that the processing within its area of responsibility takes place in accordance with the requirements of the applicable data protection law, and that the protection of the rights of the person concerned is guaranteed.

h) Verifiability of the technical and organisational measures for the Client within the framework of its control authorisation in accordance with Figure 7 of this Contract.

6. Subcontracting relationships

(1) Subcontracting relationships within the meaning of this rule are such services that relate directly to the provision of the main service. These do not include secondary services that the Contractor uses, e.g. in the form of telecommunications services, post/transport services, maintenance and user services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and capacity of hardware and software of data processing systems. However, the Contractor is obliged to also use appropriate and lawful contractual agreements and control measures to guarantee the data protection and data privacy of the Client’s data in the case of outsourced secondary services.

(2) The Contractor may only assign subcontractors (other order processors) after receiving prior explicit written permission or documented permission from the Client.

a) The Client agrees to the tasking of the subcontractors named in Appendix 2 under the condition of a contractual arrangement in accordance with Art. 28(2-4) GDPR.

b) Changes of the existing subcontractor are permitted provided that:

• the Contractor notifies the Client of such outsourcing to subcontractors 14 days in advance at the latest, in writing or in text form, and
• the Client does not send the Contractor an objection, in writing or in text form, to the planned outsourcing by the time of the transfer of the data, and
• a contractual agreement in accordance with Art. 28(2-4) GDPR is set as a basis.

(3) If the subcontractor provides the agreed service outside the EU/EEA, the Contractor will ensure legitimacy under data protection law by corresponding measures. The same applies if service providers within the meaning of Sect. 1(2) are used.

(4) Any further outsourcing by the subcontractor requires the explicit permission of the main client (text form at least). All contractual regulations in the contract chain must also be imposed on the other subcontractor. The technical and organisational measures of subcontractors must comply with the technical and organisational measures defined herein and may only fall below the level agreed herein in justified circumstances.

7. Control rights of the Client

(1) The Client has the right, in consultation with the Contractor, to carry out reviews or have reviews carried out by examiners named on a case-by-case basis. It has the right to convince itself of the adherence to this Agreement by the Contractor in its business operations by means of random sample controls that must generally be announced in a timely manner and 14 days beforehand at the latest.

(2) The Contractor will ensure that the Client can be convinced of the adherence to the obligations of the Contractor in accordance with Art. 28 GDPR. The Contractor is obliged to share with the Client, upon request, the required information and in particular demonstrate the implementation of the technical and organisational measures.

(3) The demonstration of such measures that do not just concern the specific order can take place by:

• the adherence to approved rules of conduct in accordance with Art. 40 GDPR;
• the certification in accordance with an approved certification process in accordance with Art. 42 GDPR;
• current attestations, reports or report extracts of independent entities (e.g. auditors, audits, data protection officers, IT security departments, data protection auditors, quality auditors);
• suitable certification by IT security or data protection audits (e.g. in accordance with BSI Grundschutz).

8. Reporting of violations by the Contractor

(1) The Contractor will support the Client in the compliance with the duties for the security of personal data, reporting obligations in the event of data breaches, data protection impact assessments and prior consultations, named in Articles 32 to 36 GDPR. This includes, inter alia:

a) Ensuring a suitable protection level by means of technical and organisational measures that consider the circumstances and purpose of the processing and the forecasted probability and severity of a possible rights violation by security flaws, and enable immediate detection of relevant incidents of violation;

b) the obligation to immediately report breaches of personal data to the Client;

c) the obligation to support the Client within the framework of its obligation to provide information to the party concerned, and provide it with all relevant information in this regard immediately:

d) immediately forwarding solicitation from people concerned, e.g. right to information, to the Client;

e) supporting the Client in its data protection impact assessment;

f) supporting the Client within the framework of prior consultation with the supervisory authority.

(2) For support services that are not included in the service description or cannot be traced back to misconduct of the Contractor, the Contractor may claim a compensation. The basis for the calculation of the remuneration is the Service Agreement or the general remuneration rates of the Contractor for comparable activities.

9. Authority of the Client to issue instructions

(1) The Client will confirm verbal instructions immediately (text form at least).

(2) The Contractor must inform the Client immediately if it is of the opinion that an instruction violates data protection regulations. The Contractor is entitled to discontinue the implementation of the corresponding instruction until it is confirmed or changed by the Client.

10. Deletion and return of personal data

(1) Copies or duplicates of data will not be produced without the knowledge of the Client. Exceptions are backup copies, if they are necessary to guarantee proper data processing, and data that is necessary in terms of adherence to statutory retention obligations.

(2) After the completion of the contractually agreed work or earlier upon request by the Client – upon the termination of the Service Agreement at the latest – the Contractor must hand over all documents, processing and use results produced, and databases, that it obtains possession of in connection with the contractual relationship, to the Client or destroy them in accordance with data protection law after obtaining prior permission. The same applies for test and scrap material. The determination of the termination of the service agreement requires notification by the Client. With the declaration that the contractual relationship is to be terminated, the deletion period with regard to documents subject to retention shall also commence.

(3) Documentation that proves proper data processing that is suitable for the order must be stored by the Contractor in accordance with the respective retention periods beyond the end of the Contract. It may transfer it to the Client for its relief at the end of the Contract.

11. Other

The point of contact on the part of the Client, and also for data protection, is generally the point of contact named as the billing contact; this can be changed or added to at any time by the Client. The point of contact on the part of the Contractor is its respective data protection officer, which can be reached at inloox@ws-datenschutz.de.

Appendix 1 – Technical and Organisational Measures

A. Contractor:

1. Confidentiality (Art. 32(1)(b) GDPR)

• Access control
  There is a difference between access control for the InLoox sites, access control for the secure areas within the InLoox sites and access control for the external data centres.
  • Access control, InLoox sites:
    • Locking systems (physical keys, chip cards or tokens)
    • Authorisation assignment (key management and general access authorisation)
    • Visitor control
    • Clean desk regulations
    • Access by third-party personnel (e.g. cleaning staff) to individual buildings or rooms is documented
  • Access control for secure areas within the InLoox sites:
    • Second, independent locking system (physical keys, fingerprint readers, chip cards or tokens)
    • Authorisation assignment (key management and general access authorisation)
    • Limited group of users
    • General visitor prohibition
  • Access control, data centres:
    There is a difference between data centres that InLoox operates within the framework of InLoox now!, data centres that InLoox operates for internal use, e.g. administration, development, marketing and data centres for customer support.
    • Data centres for the operation of InLoox now!:
      • InLoox does not operate its own data centres within the framework of InLoox now!, but has hired data centres in Microsoft Cloud  Germany. These data centres have different certification, including ISO 27001.
      • The data centres are in Frankfurt am Main and Magdeburg, and are subject to German law. In addition, data access is controlled by a German data custodian, currently T-Systems International GmbH, a subsidiary company of Deutsche Telekom AG.
      • The access authorisation for the data centres is personalised and restricted to a documented group of people.
      • The details about access control for the data centres are in Appendix 2 in the “Subcontractor Microsoft Cloud Germany” section.
      • The system notifies users that are stored in the project platform by e-mail about actions of other users. These e-mails are sent via SendGrid. SendGrid is located in the United States of America, with the same level of protection for these data centers being recognised by Privacy Shield or standard contractual clauses. For details see Appendix 2 in the "Subcontractor SendGrid Inc." section.
    • Data centres for internal use at InLoox:
      • InLoox has hired data centres in Microsoft Azure. These data centres have different certification, including ISO 27001.
      • The data centres are in the European Union and in the United States of America. If personal data about citizens of the EU is placed in data centres outside the European Union, acknowledgement of the same protection level by Privacy Shield or standard contractual clauses exists for this data centre.
      • The access authorisation for the data centres is personalised and limited to a documented group of personnel.
      • Details about access control for the data centres are in Appendix 2, in the “Subcontractor Microsoft Azure” section.
    • Data centres for customer support:
      • InLoox uses Freshdesk, a software operated by Freshworks Inc., for support requests from customers submitted by e-mail or via a web form.
      • The use of a data centre in Frankfurt am Main, Germany, and a data processing agreement that conforms to data protection regulations are contractually regulated.
      • Details about access control for the data centres are in Appendix 2, in the “Subcontractor Freshworks Inc.” section.
• Access control
  There is a difference between access control for the data centres, access control for the data centres for customer support, access control for the InLoox sites, access control via the internet, and general access control.
  • General access control:
    • Access authorisation is set up as necessary (principle of operational necessity)
    • Differentiation according to specialist area, and between normal, privileged and external accounts (group and role concept)
    • Authorisation approval and withdrawal process (documented processes when issuing/withdrawing authorisation)
    • There is a guideline for the blocking of computers.
    • Timeouts are configured in accordance with the technical possibilities.
    • The data carriers of stationary computers, laptops/notebooks and mobile data carriers are encrypted.
    • All access is secured with user names and passwords.
    • There are password complexity requirements.
    • Electronic and paper-bound information is deleted in accordance with data protection standards.
  • Access control via the internet:
    • Access to the data protection systems is generally protected with hardware firewalls.
    • Access to the data protection systems is protected by means of user names and passwords.
    • Access to data processing systems takes place by means of VPN technology and personal access data.
    • Remote access to the data processing systems is only permitted for a limited group of users.
    • Remote access to data protection relevant systems requires two-factor authentication.
    • Data protection relevant core systems are only available via the company network.
  • Access control at the InLoox sites:
    • Access to the in-house data processing systems is also protected via boot passwords specific to the specialist area.
    • There are clean desk regulations.
  • Access control in the data centres:
    • Remote maintenance access to the systems in the data centres is limited to certain IP address areas and InLoox sites (reduced access points).
    • Remote maintenance access to the systems in the data centres is reserved for special roles (minimised user group).
    • The security level for the data centres is within the scope of responsibility of Microsoft. As well as the physical security, this also includes the security of the environment and access control guidelines. Details about the access control of data centres is in Appendix 2, in the “Subcontractor Microsoft Cloud Germany” and “Subcontractor Microsoft Azure” sections.
  • Access control in the data centres for customer support:
    • Remote maintenance access to the systems in the data centres is limited to certain IP address areas and InLoox sites (reduced access points).
    • Remote maintenance access to the systems in the data centres is reserved for special roles (minimised user group).
    • The security level for the data centres is within the scope of responsibility of Freshworks. As well as the physical security, this also includes the security of the environment and access control guidelines. Details about the access control of data centres is in Appendix 2, in the “Subcontractor Freshworks Inc.” section.
• Access and entry control
  In practice, access authorisation is often coupled with entry authorisation, so the measures for entry also have indirect effects on access.
  • Access authorisation is configured depending on necessity (principle of operational necessity).
  • Differentiation according to specialist area, and between normal, privileged and external accounts (group and role concept).
  • Authorisation approval and withdrawal process (documented processes when issuing/withdrawing authorisation).
  • There are password complexity requirements.
  • Electronic and paper-bound information is deleted in accordance with data protection standards.
• Separation control
  • Separation of test and production systems (sandboxing)
  • Separate storage in different systems:
    • CRM / general customer data
    • ERP / accounting-relevant data
    • Service and support data
    • Production data of customers of InLoox now!
  • Additional features for production data of customers of InLoox now!:
    • Each user account is thus implemented in its own isolated database schema (SQL schema separation).
    • Logical client separation
    • Definition of database rights
    • Multi-level authorisation concept: Different users have different rights to enter, change and delete data in the user interface.

2. Integrity (Art. 32(1)(b) GDPR)

• Transfer control
  • All employees are contractually bound to confidentiality and secrecy.
  • All employees are contractually bound to § 88 TKG [Telecommunications Act].
  • The data carriers of stationary computers, laptops/notebooks and mobile data carriers are encrypted.
  • Web interfaces use secured connections (TLS/SSL) with key lengths that correspond to the current state of technology.
  • InLoox sites and remote connections to InLoox sites are secured via virtual private network (VPN) tunnels.
  • Access to the data entry systems is generally secured with hardware firewalls.
  • The deletion periods of the transferred data meet the statutory requirements and are established in the internal deletion concept.
  • For communication with external business partners, customers and service providers, state-of-the-art encryptions are used, if the communication partner wishes. The signatures used in the encryption are validated against the certification body.
• Entry control
  There is a difference between the entry control of data that InLoox uses internally, e.g. for the management, development, support and marketing, and the entry control of production data of customers of InLoox now! and general entry controls.
  • General entry control:
    • Access takes place by means of individual user names and passwords.
    • A multi-level authorisation plan ensures that different users have different rights to enter, change and delete data in the user interface.
  • InLoox internal entry control:
    • Versioning of internal documents (document management).
    • Versioning of source codes (source code management).
    • Logging of support tickets (customer service management).
  • Entry control of production data of customers of InLoox now!:
    • Datasets include an issue, change and deletion label.

3. Availability and capacity (Art. 32(1)(b) GDPR)

• Availability control
  There is a difference between the availability control of data that InLoox uses internally, e.g. for administration, development and marketing, the availability control of customer support data and the availability control of production data of customers of InLoox now!
  • Availability control of InLoox internal data:
    There is a difference between data processing systems that InLoox operates itself within the sites and data processing systems in external data centres that InLoox has hired.
    • Data processing systems within the InLoox sites:
      • Fire safety equipment (fire extinguishers, smoke and fire detectors), smoking ban
      • Uninterrupted power supply (UPS)
      • Air conditioning system
      • Use of RAID systems in the servers
      • Use of anti-virus
      • Data backup by replication of data at different InLoox sites and in external data centres.
    • Data processing systems in external data centres:
      • InLoox has hired data centres in Microsoft Azure. These data centres have different certification, including ISO 27001.
      • Details about the availability control of the data centres are in Attachment 2 in the “Subcontractor Microsoft Azure” section.
  • Availability control of customer support data:
    • Details about the availability control of the data centres are in Attachment 2 in the “Subcontractor Freshworks Inc.” section.
  • Availability control of production data of customers of InLoox now!:
    • InLoox does not operate its own data centres within the framework of InLoox now!, but has hired data centres in Microsoft Cloud Germany. These data centres have different certification, including ISO 27001.
    • The data centres are in Frankfurt am Main and Magdeburg, and are subject to German law. In addition, data access is controlled by a German data custodian, currently T-Systems International GmbH, a subsidiary company of Deutsche Telekom AG.
    • Simultaneous provision in systems that are independent of one another (“hot spare” principle).
    • Daily, fully-automated backups of the project databases. The retention time is 7 days (InLoox now! Professional) or 30 days (InLoox now! Enterprise).
    • Backup opportunity via the customer (self-service backup)
    • Quickly recoverability by support staff
    • Geo-redundant document storage
    • Details about the availability control of the data centres are in Attachment 2 in the “Subcontractor Microsoft Cloud Germany” section.

4. Procedure for regular review, assessment and evaluation (Art. 32(1)(d) GDPR; Art. 25(1) GDPR)

• Data protection management:
  • Audit planning and implementation of internal and external audits
  • Implementation of awareness-raising measure/regular staff training
  • Reporting
  • Risk management and analysis
  • Implementation of penetration tests
  • Data protection impact assessment and measure planning for new and changed sequences as a standard process
• Process for handling data protection incidents:
  • Reporting obligation/reporting process
  • Regular staff training
• Data protection friendly default settings:
  • Guidelines for private end devices used for business purposes (BYOD)
  • Guidelines for company end devices
  • Group and network security guidelines (domain policy)
• Order control:
  No order data processing within the meaning of Art. 28 GDPR without corresponding instruction of the Client by
  • clear contract arrangement
  • formalised order management
  • strict selection and monitoring of the respective service provider/subcontractor

B. Subcontractors:

See also the references to the current state of the measures for each respective subcontractor in Appendix 2.

1. Microsoft Corporation, as of April 2018

General practice. Microsoft has taken the following security measures for the online services, and will maintain and follow them. In connection with the security obligations in the OST, these security measures represent the individual responsibility of Microsoft in relation to the security of customer data:

• Organisation of information security:
  • Responsibility for security
    • Microsoft has appointed one or more security representatives who are responsible for the coordination and monitoring of the security provisions and procedures.
  • Roles and responsibilities in relation to security
    • Employees of Microsoft with access to customer data are subject to confidentiality obligations.
  • Risk management programme
    • Microsoft has carried out a risk assessment before the processing of customer data or the introduction of the service for online services. 
    • Microsoft stores its security documents in accordance with their storage requirements after they are no longer valid.
• Inventory management:
  • Inventory creation
    • Microsoft maintains a stock inventory of all media in which customer data is stored. Access to the stocks of this media is reserved for Microsoft employees who have been authorised in writing to have this access.
  • Handling of stock
    • Microsoft splits customer data into categories in order to make identification easier and enable an appropriate restriction of access to customer data.
    • Microsoft imposes restrictions for the printing of customer data and has procedures for the disposal of printed materials that contain customer data.
    • Microsoft staff must receive permission from Microsoft before they store customer data on portable devices, access customer data remotely or process customer data outside the facilities of Microsoft.
• Security in human resources:
  • Security training
    • Microsoft informs its employees about relevant security procedures and their respective tasks. Microsoft also informs its employees about possible consequences of violations of the security provisions and procedures. Microsoft only uses anonymous data in training.
• Physical security and security of the environment:
  • Physical access to facilities
    • Microsoft restricts access to facilities, in which its information systems that process customer data are located, to named authorised personnel.
  • Physical access to components
    • Microsoft keeps documents about the incoming and outgoing media that contain customer data, including the type of media, authorised senders/recipients, date and time, quantity of the media and the type of customer data they contain.
  • Protection against disruptions
    • Microsoft uses different systems according to the industry standard to prevent the loss of data due to power outages or line failures.
  • Disposal of components
    • Microsoft uses procedures according to the industry standard to delete customer data when it is no longer needed.
• Communication and operations management:
  • Operative guideline
    • Microsoft keeps security documents in which the security measures and the relevant processes and responsibilities of its employees who have access to customer data are described.
  • Data recovery process
    • Microsoft creates multiple current copies of customer data that can be reproduced, on an ongoing basis but no less than once per week in any case (unless no customer data is updated in that time period), and stores it.
    • Microsoft keeps copies of customer data and data recovery processes at a different location to the place in which the primary computer devices that process the customer data are located.
    • Microsoft has certain processes that regulate access to copies of customer data.
    • Microsoft reviews the data recovery process at least every six months, with the exception of the process for Azure services for administration, which are reviewed every twelve months.
    • Microsoft logs data recovery measures, including the person responsible and the description of the recovered data; if necessary the person responsible and which data (if necessary) must be entered manually during the data recovery process.
  • Malware
    • Microsoft has anti-malware controls in order to prevent malware from receiving unauthorised access to customer data, including malware from public networks.
  • Cross-border data
    • Microsoft encrypts customer data that is transferred via public networks, or enables customers to do so.
    • Microsoft restricts access to customer data in media that leave its facilities.
  • Event logging
    • Microsoft records access to and the use of information systems that contain customer data by registering the access ID, access time, granted or denied authorisation, and corresponding activity, or enables the customer to do so.
• Access control:
  • Access guideline
    • Microsoft keeps documents about the security authorisations of individual people who access customer data.
  • Access authorisation
    • Microsoft keeps and updates documents about the employees who are authorised to access Microsoft systems that contain customer data.
    • Microsoft deactivates login details that have not been used for a period of time that may not exceed six months.
    • Microsoft names the employees who are entitled to grant, change or revoke authorised access to data and resources.
    • If multiple people have access to the systems in which customer data is contained, Microsoft ensures that these people have separate identifications/login details.
  • Minimal authorisation
    • Technical support staff are only allowed to access customer data when this is necessary.
    • Microsoft restricts access to customer data to only people who need this access to carry out their professional activity.
    • Integrity and confidentiality
    • Microsoft instructs its employees to deactivate administration sessions when they leave facilities under the control of Microsoft or when computers are otherwise left unattended.
    • Microsoft stores passwords in such a way that they are not legible during the time of validity.
  • Authentication
    • Microsoft uses processes according to the industry standard to identify and authenticate users who attempt to access information systems.
    • If the authentication processes are based on passwords, Microsoft stipulates that the passwords must be replaced regularly.
    • If the authentication processes are based on passwords, Microsoft stipulates that passwords must contain at least eight characters.
    • Microsoft ensures that deactivated or expired identifications are not issued to any other people.
    • Microsoft monitors repeated attempts to establish access to the information systems with invalid passwords, or it enables the customers to do so.
    • Microsoft has processes according to the industry standard to deactivate passwords that are corrupted or mistakenly disclosed.
    • Microsoft uses processes according to the industry standard to protect passwords, including processes that are intended to safeguard the confidentiality and integrity of passwords, if they are allocated and distributed, and during storage.
  • Network design
    • Microsoft has controls to prevent people, who accept access rights that have not been allocated to them, from gaining access to customer data without being authorised to do so.
• Management of information security incidents:
  • Incident reaction procedure
    • Microsoft keeps documents about security breaches by stating a description of the breach, the time frame, the consequences of the breach, the name of the person who reported the incident and the person to whom the incident was reported, as well as the process used to recover the data.
    • For each security breach that is classified as a “security incident”, a corresponding report must be sent to Microsoft immediately and in any case within 5 working days (as in the above section, [“reporting security incidents”]).
    • Microsoft investigates the disclosure of customer data, asking what data has been disclosed, to whom and at what point in time it was disclosed, or it will put the customer in a position to do so.
  • Service monitoring
    • The security staff of Microsoft check logs at least every six months, in order to suggest measures for improvement, if necessary.
• Business continuity management:
  • Microsoft keeps emergency plans for the facilities in which Microsoft information systems that process customer data are located.
  • The redundant storage facilities of Microsoft and their data recovery processes are designed in such a way that attempts are made to reconstruct customer data in its original or last replicated condition before the time of loss of destruction.

Information security guideline for online services
For Microsoft Azure core services and Microsoft Cloud App Security, a written data security guideline (“Information Security Guideline”) applies, containing the control standards and framework conditions of ISO 27007, inter alia. You will find information about further certification at https://www.microsoft.com/de-de/TrustCenter/Compliance/ISO-IEC-27001.

Checking of online services by Microsoft
For every online service, Microsoft carries out the following checks regarding computer security, data processing environments and physical data centres that it uses to process customer data (including personal data):

• If there is a standard or framework provisions for tests, a review of this control standard or the framework provisions will be initiated at least once a year per online service.
• Each check will be carried out in accordance with the standards and rules of the supervisory or accreditation bodies for the individual applicable control standards or framework provisions.
• Each check will be carried out by qualified, independent third-party security examiners that are selected by Microsoft and for which Microsoft will bear the costs.

For each test, a test report will be created (“Microsoft test report”), which will count as confidential information of Microsoft. The Microsoft test report will clearly disclose the significant findings of the examiner. Microsoft will immediately rectify all problems detected in a Microsoft test report, to the satisfaction of the examiner.

Upon request by the customer, Microsoft will provide the customer with the individual Microsoft test reports, so that the customer can convince itself of Microsoft’s compliance with the security obligations under the terms of the DPT. The Microsoft test report is subject to the confidentiality and distribution restrictions of Microsoft and the examiner.

2. SendGrid Inc., as of April 2018

1. Network-Level Controls

a) SendGrid will use host-based firewall(s) to protect hosts/infrastructure handling Personal Data. The firewall(s) must be able to effectively perform thefollowing functions: stateful inspection, logging, support for strong encryption and hashing, ICMP and SNMP based monitoring and antispoofing.

b) SendGrid will have network-based security monitoring for the segment(s) on which hosts handling Personal Data are logically located.

c) SendGrid will assess network-level vulnerabilities and address critical vulnerabilities within 30 days.

d) SendGrid will employ change management standards for network/infrastructure components handling Personal Data.

2. Hosting Level Controls

a) SendGrid will implement operating system hardening for hosts/infrastructure handling Personal Data. Operating system hardening includes, but is not limited to, the following configurations: strong password authentication/use of keys, inactivity time-out, disabling or removal of unused or expired accounts and services, turning off unused ports, and log management. In addition, SendGrid will implement access control processes and restrict access to operating system configurations based on the least privilege principle.

b) SendGrid will perform patch management on systems that host or handle Personal Data.
SendGrid will implement critical patches within vendor recommended timeframes on systems that host or handle Personal Data, not to exceed 30 days after the patch is identified.

c) SendGrid will implement specific controls to log activities of users with elevated access to systems that host or handle Personal Data.

d) SendGrid will, at a minimum, assess system-level vulnerabilities on a monthly basis and address critical vulnerabilities within 30 days.

e) SendGrid will employ a comprehensive antivirus or endpoint security solution for endpoints which handle Personal Data.

f) Physical servers will be protected with appropriate physical security mechanisms, including but not limited to badged access, locked cages, secure perimeter, cameras, alarms, and enforced user provisioning controls.

3. Application-Level Controls

a) SendGrid will maintain documentation on overall application architecture, process flows, and security features for applications handling Personal Data.

b) SendGrid will employ secure programming guidelines and protocols in the development of
applications processing or handling Personal Data.

c) SendGrid will regularly perform patch management on applications that host or handle Personal Data. SendGrid will implement critical patches within vendor recommended timeframes on all applications that host or handle Personal Data, not to exceed 30 days.

d) SendGrid will, at a minimum, assess application-level vulnerabilities on a monthly basis and address critical vulnerabilities within 30 days.

e) SendGrid will perform code review and maintain documentation of code reviews performed for applications that host or handle Personal Data.

f) SendGrid will employ change management standards for applications hosting or handling
Personal Data.

4. Data-Level Controls

SendGrid will use strong encryption (TLS) for transmission of Personal Data that is considered Confidential Information. Data backups of Personal Data will be encrypted at rest and while in transit; however due to the dynamic nature of data in SendGrid’s production environment, Personal Data in SendGrid’s production databases will not be encrypted at rest.

5. End User Computing Level Controls

a. SendGrid will employ an end point security or antivirus solution for end user computing devices that handle Personal Data.

b. SendGrid will ensure that end user computing devices that handle Personal Data are encrypted.

6. Compliance Controls

a. SendGrid will make a good faith effort to operate within the parameters of SendGrid’s then-current Information Security Policy. This Policy will be provided to Customer in soft copy format upon request.

b. Notwithstanding any of the foregoing, SendGrid will adopt appropriate physical, technical and organizational security measures in accordance with industry standards, including but not limited to, building access control, employee education and personnel security measures.

3. Freshworks Inc., as of April 2019

Information Security Program 

• Freshdesk, hereinafter referred to as “Processor”, has appointed one or more security officers responsible for coordinating and monitoring security policies and procedures.
• Processor personnel with access to personal data are subject to confidentiality obligations.
• Processor performs a risk assessment before processing personal data.
• Processor provides security training ensuring his personnel are informed of security policies, procedures, and their respective roles.
• Processor informs personnel of the possible consequences resulting from not following security policies and procedures.

Physical Access Control

• Processor limits access to facilities where information systems that process personal data are located with badge-controlled access for authorized personnel.
• Processor premises are monitored 24x7 by a security force utilizing CCTV or similar methods at all entry points.
• Visitors to Processors’ premises must be accompanied by authorized personnel at all times and visits are logged in a visitor register.
• Processor uses industry best practice security measures to protect against loss of data due to environmental disruptions such as loss of power or other interferences.

System Access Control

• Processor maintains and updates a list of all authorized users that have access to personal data.
• Processor has implemented measures to prevent unauthorized personnel from accessing data processing systems.
• Processor may only grant access to personal data to any third party (except personnel and approved sub-contractors) with prior approval from Controller.
• Processor ensures that access control is supported by an authentication system.

Data Access Control

• The access rights of personnel to personal data is restricted to the necessary minimum required for their job functions.
• Processor has measures in place to prevent use/installation of unauthorized hardware and/or software.
• Processor has established rules for the safe and permanent destruction of data that are no longer required.

Transmission Control

• Personal data is encrypted when transmitted over Processor’s internal network.
• Personal data is encrypted when transmitted over public networks.

Input Control

• Processor has established logging mechanisms that record data entry and deletion.
• Processor is logging all activities in the area of data input as for example:
  • Unsuccessful access attempts;
  • Authority exceptions;
  • Privilege changes;
  • Data object owner changes;
  • Out of working hours access.
• Processor is ensuring that logs are regularly inspected for security incidents.

Availability Control

• Processor has business continuity plans and is regularly testing the business continuity concepts.
• Processor implements backup processes and other measures are that ensure rapid restoration of business critical systems as and when necessary.
• Processor is using uninterrupted power supplies (for example: UPS, batteries, generators, etc.) to ensure power availability to the data centers.
• Processor has sufficient capacity for data storage.
• Processor has a disaster recovery plan in place and is regularly testing it.

Data Separation Control

• Using technical capabilities (multi-tenancy) to achieve data separation between Personal Data from one and any other customer.
• Due to multi-tenant/shared SaaS model no dedicated instances for each Customer.
• Processor’s customers (including their affiliates) have access only to their respective own customer data and transactions.

Workstation Security

• Freshworks contains the storage and processing of customer data to AWS Data Center.
• A password protected keyboard/screen lock that is automatically activated by a period of inactivity is set. The inactivity time interval is no more than 30 minutes.
• The password associated with a computer access user ID is the primary means of verifying Identity and subsequently allowing access to the computer and to the information. Identity verification password is kept secret and not shared with anyone else.
• Identity verification passwords must not be trivial or predictable and must:
  • Be at least 8 positions in length
  • Contain a mix of alphabetic and non-alphabetic characters (numbers, punctuation or special characters) or a mix of at least two types of non-alphabetic characters.
  • Not contain the user ID as part of the password
• The password must be changed at least once every three months (90 days). Digital keys based dual authentication are used for authentication.

Information Security Incident Management

Processor maintains a record of security incidents with a description of the incident, the time period, the consequences, the name of the reporter or service, to whom the incident was reported, and the remediation.

Evaluation and certifications

Processor has obtained ISO 27001 certification regarding its data security and/or data protection systems and organization.

Appendix 2 – Approved subcontracting contracts

The order processers below are considered approved upon signing the Agreement:

Name of the order processor:

Microsoft Corporation

Subject of performance:

Microsoft Azure data centres that InLoox hires for internal use, e.g. for administration, development, support and marketing

Company head office and country:

One Microsoft Way, Redmond, Washington 98052, USA

Appropriate protection level (Art. 44 et seqq. GDPR):

Standard data protection clauses (Art. 46 (2)(c) and (d) GDPR):

Technical and organisational measures:

See Appendix 1, Section “B. Subcontractors”, “1. Microsoft Corporation”

Name of the order processor:

Microsoft Ireland Operations Limited Subject of performance:

Microsoft Cloud Germany data centres that InLoox hires within the framework of InLoox now!

Company head office and country:

One Microsoft Place, South County Business Park, Leopardstown, Dublin, D18 P521, Ireland

Data processing location:

EU only

Technical and organisational measures:

See Appendix 1, Section “B. Subcontractors”, “1. Microsoft Corporation”

Name of the order processor:

SendGrid Inc.

Subject of performance:

E-mail notifications from InLoox now! to users stored in the project platform about actions of other users, as well as e-mail notifications from InLoox support and other administrative systems, such as the InLoox Online Store.

Company head office and country:

1801 California St., Suite 500, Denver, Colorado 80202, USA

Appropriate protection level (Art. 44 et seqq. GDPR):

Adequacy decision of the Commission (Art. 45(3) GDPR) via the EU-U.S. Privacy Shield

Technical and organisational measures:

See Appendix 1, Section “B. Subcontractors”, “2. SendGrid Inc.”

Name of the order processor:

Freshworks Inc.

Subject of performance:

Customer support requests

Company head office and country:

1250 Bayhill Drive, Suite 315, San Bruno, CA 94066, USA

Appropriate protection level (Art. 44 et seqq. GDPR):

Adequacy decision of the Commission (Art. 45(3) GDPR) via the EU-U.S. Privacy Shield and agreed standard contractual clauses

Technical and organisational measures:

See Appendix 1, Section “B. Subcontractors”, “3. Freshworks Inc.”

InLoox, Inc. Master Subscription Services Agreement

IF CUSTOMER DOES NOT AGREE TO THESE TERMS, CUSTOMER MAY NOT ACCESS OR USE THE SERVICE. 

This Master Subscription Services Agreement (“Agreement”) is between InLoox Inc., a Delaware corporation (InLoox), and the entity or individual agreeing to these terms (Customer).

1) ONLINE SUBSCRIPTION SERVICES. This Agreement provides Customer access to a proprietary web-based subscription service, as specified on the order. Details of the available InLoox services are located at: www.inloox.com/inlooxnow

InLoox will provide this functionality through inlooxnow.com within a hosted server environment under the terms below (Service) and through InLoox software that acts as the interface to the Service (this software will be contracted for under an End User License Agreement provided as part of the installation of that software). This Agreement contemplates one or more orders for the Services, which orders are governed by the terms of this Agreement and will describe the Services ordered in more detail (these orders may be provided electronically online or via written order forms). 

• Customer may allow its employees and contractors to access the Services in compliance with the terms of this Agreement, which access must be for the sole benefit of Customer.
• Customer is responsible for the compliance with this Agreement by its employees and contractors.

2) USE OF SERVICES.

a) Trial Period and Beta Program. If Customer has registered for a trial or beta use of the Services, Customer may access the Services for a 30-day time period free of charge. The Service is provided AS IS, with no warranty during this time period. For trial accounts, the Customer data will be deleted after the trial period (unless Customer converts its account to the paid Service). For beta accounts, the account and Customer data will be deleted after the beta period.

b) Customer support. The Customer can choose to nominate one of InLoox’s distribution partners as a supporter of the Customer´s account within 30 days following the conclusion of this Agreement for initial purchase of Online Services (hereinafter referred to as “Initial Purchase”). In the event of nomination of one of InLoox’s distribution partners, the distribution partner has to provide Customer with free of charge first level support during the term of this Agreement. For the details of support service please refer to distribution partner’s terms and conditions. Customer information will be provided to the distribution partner only with regard to accounting purposes. For further details with respect to InLoox’s privacy policy, please refer to our privacy policy and to the notice given with the process of nomination.

c) InLoox Responsibilities. InLoox must (i) use commercially reasonable efforts to make the Services available, except for scheduled outages, unavailability caused by force majeure or Customer technology issues, and (ii) provide customer support for the Services as further detailed at: www.inloox.com/support

d) Customer Responsibilities. Customer (i) is solely responsible for Customer Data, (ii) must use commercially reasonable efforts to prevent unauthorized access to the Services, and notify InLoox promptly of any such unauthorized access, and (iii) may use the Services only in accordance with its user guide and applicable law.

Customer may not (i) sell, resell, rent or lease the Services, (ii) use the Services to store or transmit infringing, unsolicited marketing emails, libelous, or otherwise unlawful or tortious material, or to store or transmit material in violation of third-party rights, (iii) interfere with or disrupt the integrity or performance of the Services, or (iv) attempt to gain unauthorized access to the Services or their related systems or networks.

e) Customer Experience Improvement Program (CEIP). The InLoox software will automatically send anonymized usage statistics and error reports to InLoox. Customer can turn off this feature at any time. More information is located at: www.inloox.com/ceip

3) PAYMENT TERMS. Customer must pay all fees (US$) with a credit card. If the credit card is not valid or the payment is not otherwise made, Customer must pay the amount owed upon receipt of an invoice. Customer is responsible for sales, use, VAT and other similar taxes. All fees may be changed on 30 days advance notice, unless otherwise described below. All amounts that are not paid within 30 days of receipt of an invoice will accrue late charges of the lesser of 1% per month, or the maximum rate permitted by law, from the original due date until the date InLoox receives payment.

a) Credit Card. Customer agrees to provide InLoox with updated credit card, and authorizes InLoox to charge Customer’s credit card for amounts owed InLoox. If 

• Customer’s credit card information changes,
• Customer’s credit card information expires, or
• Customer is notified by InLoox of an unsuccessful attempt by InLoox to charge Customer’s credit card, 

then Customer must update its account with valid credit card information as soon as possible, but in no event later than 5 days. If the credit card number is revoked, disputed or not valid for any reason (including without limitation expiration of a credit card), InLoox may suspend or terminate Customer’s use of the Services upon notice to Customer via email (using the then current account email address in the Service). 

4) DISCLAIMER. INLOOX DISCLAIMS ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, ANY WARRANTY THAT SERVICES WILL BE UNINTERRUPTED, ERROR FREE OR WITHOUT DELAY, AND THE IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE AND FITNESS FOR A PARTICULAR PURPOSE. THE SERVICE MAY NOT BE ERROR FREE OR PERFORM WITHOUT DELAY.

5) MUTUAL CONFIDENTIALITY.

a) Definition of Confidential Information. Confidential Information means all non-public information disclosed by a party (Discloser) to the other party (Recipient), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure (Confidential Information). InLoox’s Confidential Information includes without limitation the Services.

b) Protection of Confidential Information. The Recipient must use the same degree of care that it uses to protect the confidentiality of its own confidential information (but in no event less than reasonable care) not to disclose or use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement. The Recipient must make commercially reasonable efforts to limit access to Confidential Information of Discloser to those of its employees and contractors who need such access for purposes consistent with this Agreement and who have signed confidentiality agreements with Recipient no less restrictive than the confidentiality terms of this Agreement.

c) Exclusions. Confidential Information excludes information that: (i) is or becomes generally known to the public without breach of any obligation owed to Discloser, (ii) was known to the Recipient prior to its disclosure by the Discloser without breach of any obligation owed to the Discloser, (iii) is received from a third party without breach of any obligation owed to Discloser, or (iv) was independently developed by the Recipient without use or access to the Confidential Information. The Recipient may disclose Confidential Information to the extent required by law, but will attempt to provide Discloser with advance notice to seek a protective order.

6) PROPRIETARY RIGHTS

a) Reservation of Rights by InLoox. The software, workflow processes, user interface, designs, know-how and other technologies provided by InLoox as part of the Services are the proprietary property of InLoox and its licensors, and all right, title and interest in and to such items, including all associated intellectual property rights, remain only with InLoox. InLoox reserves all rights unless expressly granted in this Agreement.

b) Customer Restrictions. Customer may not: 

1. Use the Services or the Licensed Documentation (defined below) beyond its internal operations;
2. Reverse engineer the Services or the Licensed Documentation;
3. Remove or modify any proprietary marking or restrictive legends in the Service and Licensed Documentation; or
4. Access the Service to build a competitive product or service, or copy any feature, function or graphic of the Service for competitive purposes.

c) Customer Data. All data uploaded by Customer remains the sole property of Customer, as between InLoox and Customer (Customer Data), subject to the other terms of this Agreement. Customer grants InLoox a non-exclusive term license to use the Customer Data for purposes of InLoox performing under this Agreement. During the term of this Agreement, Customer may download its Customer Data from the Services, and select the location where its Customer Data will be stored. 

d) Licensed Documentation. The Services user guide, sample data, marketing materials, training material and other material provided through the Services or by InLoox, are licensed to Customer as follows: InLoox grants Customer a non-exclusive, license for the duration of the Services to such material for Customer’s internal use solely with the Services, with the right to make additional copies of the material for such duration and purpose (Licensed Documentation). 

7) EXCLUSION OF DAMAGES AND LIMITATION OF LIABILITY.

a) Exclusion of Certain Damages. INLOOX IS NOT LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT LIMITATION, COSTS OF DELAY, LOST PROFIT, LOSS OF DATA OR INFORMATION, AND ANY FAILURE OF DELIVERY OF THE SERVICES).

b) Limitation of Liability. INLOOX’S LIABILITY FOR ALL DAMAGES RELATING TO THIS AGREEMENT (WHETHER IN CONTRACT, TORT OR OTHERWISE) DOES NOT EXCEED THE ACTUAL AMOUNT PAID BY CUSTOMER WITHIN THE PRECEDING 12 MONTHS UNDER THIS AGREEMENT

8) TERM, TERMINATION, RENEWAL, SUSPENSION OF SERVICE AND RETURN OF DATA.

a) Term. This Agreement continues until all orders are terminated (Term).

b) Automatic Renewal. UNLESS CANCELLED BY CUSTOMER, THE AGREEMENT WILL BE AUTOMATICALLY RENEWED AT THE END OF THE SUBSCRIPTION PERIOD. SERVICES WILL AUTOMATICALLY RENEW FOR A SUCCESSIVE SUBSCRIPTION PERIOD, WITHOUT PRIOR NOTICE, UNLESS AND UNTIL CUSTOMER CANCELS THE AGREEMENT, OR INLOOX TERMINATES IT. CUSTOMER MUST CANCEL THE AGREEMENT BEFORE IT RENEWS IN ORDER TO AVOID BEING BILLED FOR THE NEXT PERIOD AT THE THEN-CURRENT FEES.

c) Mutual Termination for Material Breach. If either party is in breach of any material term of this Agreement, the other party may terminate this Agreement by providing the other party with a written 30-day notice. Upon receipt of the 30-day notice by either party, the recipient may have to opportunity to cure the breach. In the event that the breach is not cured within the 30-day notice period, this Agreement shall be considered terminated. 

1. Actions upon Termination.
   1. Upon any termination as provided in 8(c) above by Customer, InLoox must refund any prepaid and unused fees covering the remainder of the Term.
   2. Upon any termination as provided in 8(c) above by InLoox, Customer must pay any unpaid fees, and destroy all InLoox property in customer’s possession. The Services will also be terminated. Customer upon request will confirm that it has complied with these requirements.

d) Return of Customer Data. 

• Before termination of this Agreement and within 30-days after termination, Customer may download its Customer Data. InLoox will provide Customer a data download feature (to the extent Customer has not already deleted such data from the Services). The Customer Data will only be provided in the following format: database content will be provided as a SQL file, and documents and attachments will be provided in their native format (this excludes the server configuration and file permissions which might have been set on documents and attachments).
• After such 30-day period, InLoox has no obligation to maintain the Customer Data.

e) Suspension of Service for Violations of Law. InLoox may immediately suspend the Services and remove applicable Customer Data, if it in good faith believes that, as part of using the Services, Customer may be in violation of any applicable federal or state laws. InLoox may try to contact Customer in advance, but it is not required to do so.

9) INDEMNITY.

a) Defense of Third Party Infringement Claims by InLoox. InLoox will defend or settle any third party claims against Customer alleging that the Service (other than related to the Customer Data) violates a copyright, patent, trademark or other intellectual property right, if Customer:

• Promptly notifies InLoox of the claim in writing;
• Cooperates with InLoox in the defense; and
• Allows InLoox to solely control the defense or settlement of the claim. 

InLoox will pay infringement claim defense costs, and InLoox negotiated settlement amounts, and court awarded damages.

Remedies. If such a claim appears likely, then InLoox may modify the Service, procure the necessary rights, or replace it with the functional equivalent. If InLoox determines that none of these are reasonable available, then InLoox may terminate the Service and refund any prepaid and unused fees.

Exclusions. InLoox has no obligation for any claim arising from:

• InLoox’s compliance with Customer’s designs, specification, instructions, or technical information;
• A combination of the Service with other technology where the infringement would not occur but for the combination; or

• Technology not provided by InLoox.

  This section contains Customer’s exclusive remedies and InLoox’s sole liability for intellectual property infringement claims.

b) By Customer. Customer must indemnify, defend, and hold harmless InLoox against all third-party claims (including without limitation by governmental agencies), demands, damages, costs, penalties, fines, and expenses (including reasonable attorneys’ fees and costs) arising out of or related to:

• Customer’s breach of any representation, warranty, obligation, covenant or agreement in this Agreement, or
•  any unauthorized use, access or distribution of the Services.

10) GOVERNING LAW, ARBITRATION AND LOCATION OF DISPUTES. THIS AGREEMENT IS GOVERNED BY THE LAWS OF THE STATE OF CALIFORNIA, WITHOUT REGARD TO CONFLICT OF LAWS PRINCIPLES. ANY DISPUTE BETWEEN CUSTOMER AND INLOOX ARISING OUT OF OR RELATED TO THIS AGREEMENT MUST BE DETERMINED BY BINDING ARBITRATION IN SAN FRANCISCO, CA (IN ENGLISH) UNDER THE THEN CURRENT COMMERCIAL OR INTERNATIONAL RULES (AS APPLICABLE) OF THE AMERICAN ARBITRATION ASSOCIATION. NOTHING IN THIS AGREEMENT PREVENTS EITHER PARTY FROM SEEKING INJUNCTIVE RELIEF IN A COURT OF COMPETENT JURISDICTION. THE PREVAILING PARTY IN ANY ARBITRATION OR LITIGATION IS ENTITLED TO RECOVER ITS ATTORNEYS’ FEES AND COSTS FROM THE OTHER PARTY.

11) MISCELLANEOUS TERMS.

a) Money Damages Insufficient. Any breach by a party of this Agreement or violation of the other party’s intellectual property rights could cause irreparable injury or harm to the other party. The other party may seek a court order to stop any breach or avoid any future breach.

b) Entire Agreement and Changes. This Agreement and the order constitute the entire agreement between the parties, and supersede all prior or contemporaneous negotiations, agreements and representations, whether oral or written, related to this subject matter. No modification or waiver of any term of this Agreement is effective unless both parties sign it.

c) No Assignment. Neither party may assign or transfer this Agreement or an order to a third party, except that this Agreement with all orders may be assigned as part of a merger, or sale of all or substantially all of the business or assets, of a party.

d) Independent Contractors. The parties are independent contractors with respect to each other.

e) Enforceability. If any term of this Agreement is invalid or unenforceable, the other terms remain in effect.

f) No Additional Terms. InLoox rejects additional or conflicting terms of any Customer form-purchasing document.

g) Order of Precedence. If there is an inconsistency between this Agreement and an order, the order prevails.

h) Survival of Terms and Force Majeure. Any terms that by their nature survive termination or expiration of this Agreement, will survive. Neither party is liable for force majeure events.

i) CISG Not Apply. The Convention on Contracts for the International Sale of Goods does not apply.

j) Customer Name. InLoox may use Customer’s name and logo in customer lists and related promotional materials describing Customer as a customer of InLoox, which use must be in accordance with Customer’s trademark guidelines and policies.

Date: 2017-02-14