for the licensing
of cloud services
- Object of agreement
- The quality and specification of the cloud service is based on the respective program description, available at https://www.cloudiax.com/price-list/ and the order confirmation of the Provider.
- The Provider shall provide the Customer the possibility to use the cloud service by remote access via Internet during the term of the contract. The required cloud service and computer performance as well as the required storage space for cloud software data shall be made available by the Provider or by a colocation center assigned by the Provider. The system area allocated to the Customer shall be protected against third-party access.
- The Provider shall transfer the access data required for identification and authentication purposes which is required for the usage of the cloud service to the Customer. The Customer is not authorized to pass the access data to third parties, unless the third party is an additional user which has been authorized and registered by the Provider and that has been considered in the remuneration. The Customer shall be obliged to report additional users to the Provider before performing any activities so the adjustment of the remuneration can be conducted.
- All other services of the Provider that are carried out by request of the Customer (in particular preparation for use, demonstration, education, training and consultation) will be charged separately according to the effort required.
- Conditions for use
- It is necessary for the Customer to have Internet access to use the cloud service. The Internet access of the Customer is not part of this contract. The Customer shall bear sole responsibility for the operability of his Internet access (including transmission channels) as well as his own computer.
- Further technical requirements for the use of the cloud service shall be published in the program description or the release notes of the cloud service.
- Service Level
- The Provider shall provide the cloud service with an availability of 99.5 % within the operational period. The operational period is 24 hours on 365 days a year and 366 days on leap-years. Except of the following maintenance windows which shall not be deemed as a period of operation and shall not be included in the calculation of availability.
- Every first Sunday a month from 00:00 to 04:00 CET/CEST. This is a general maintenance window.
- One hour per week for the Customer individual systems. This maintenance window shall be determined by the Customer before go live.
- Any maintenance window for maintenance work which could not be postponed as long as the Provider has informed the Customer at least one week in advance. The information is provided on the status page https://status.cloudiax.com/.
- Availability shall be measured and calculated based on a calendar month. Availability shall be calculated using the following formula:
- Removal of incidents of the cloud service
- The Provider warrants that the cloud service meets the agreed specifications according to Section 1.1 within the operational period if applied as specified. Cloud service defects (hereinafter referred to as “incidents”) shall be removed by the Provider within the reaction time defined in Section 4.2 et seq. after a corresponding notification of the incident by the Customer. The same shall apply for all other incidents of the potential usability of the cloud software.
- The Provider shall accept incident reports by the Customer and assign them to the agreed incident categories. Based on this categorization, the agreed steps for analysis and removal of the incidents. Incident management shall not include any services associated with the use of cloud service in non-approved operational environments or with modifications of the cloud service implemented by the Customer or third parties.
- During the operational period the Provider shall accept incident reports from the Customer and assign it with an identifier. On request of the Customer the Provider shall confirm the receipt of an incident report and provide the assigned identifier.
- Unless otherwise agreed the Provider will assign the received incident reports to one of the following categories after an initial inspection:
- Major incident: The incident is based on an error in the cloud service which makes it impossible or severely limited to use the cloud service. The Customer is not able to circumvent this issue in a reasonable way and is not able to execute unpostponable tasks as a result of the incident.
- Miscellaneous incidents: The incident is based on an error in the cloud service, which significantly limits the use of the cloud service for the Customer without being a major incident.
- Miscellaneous reports: Incident reports that cannot be classified into the categories of the Sections 4.4.1 and 4.4.2 shall be allocated to miscellaneous reports. The Provider shall treat miscellaneous reports according to the agreed conditions for this category.
- In the case of reports of major incidents and miscellaneous incidents, the Provider shall immediately initiate appropriate measures corresponding to the circumstances communicated by the Customer in order to initially locate the cause of the incident. If the reported incident is not deemed as an error of the cloud service after the first analysis, the Provider shall immediately communicate this to the Customer. Otherwise, the Provider shall take appropriate measures to further analysis and eliminate the reported incident or – in the case of third-party components – communicate the incident report along with its analysis results to the seller or manufacturer of the components with the request for assistance. The Provider shall, within a reasonable deadline, provide the Customer with measures available to him in order to work around or remove the error of the cloud service, for example instructions for action. The Customer shall immediately take such measures in order to work around or remove incidents and again report any remaining incidents to the Provider during use of the software without undue delay. The Customer shall only claim for defects if the reported defects are reproducible or otherwise traceable by the Customer.
- Service Center
- The Provider shall set up a service center for the Customer. The service center shall process the requests of the Customer in regard with the technical operating requirements and conditions of the cloud service as well as the specific functional aspects. The service center shall not provide any services that are related to the use of cloud service in non-approved operational environments or to changes of the cloud service which has been conducted by the Customer or a third party.
- For the receipt and processing of requests by the Provider it is required that the Customer names the members of his staff which are technically and professionally qualified and have been maintained internally with the processing of requests of the users of the cloud service to the Provider. The Customer shall be obliged to place requests via the service center exclusively through the staff members that have been named to the Provider and to use only the forms which have been made available by the Provider. The service center shall accept these requests via https://portal.cloudiax.com and in case of Major Incidents also via phone call.
- The service center shall process proper requests during its normal course of business and answer them as far as possible. The service center has the possibility to refer to documentations which are already available for the Customer and to other training materials for the cloud service.
- If it is not possible to either answer the request in general or to answer it in a timely manner via the service center the Provider shall forward the request for processing unless expressly agreed. This particularly takes effect for requests concerning components of the cloud service that has not been produced by the Provider.
- Further services of the service center, such as different response times and response deadlines as well as on-call services or on-site operations of the Provider shall be expressively agreed in advance.
- Term of contract
- The term of contract shall begin with the submission of the access data for the cloud service to the Customer. The term of the Contract shall be one year, if no other term is accepted in the order confirmation by the Provider and shall be extended automatically by one year unless one of the parties has not terminated the Contract at least one month before the end of the contract term.
- Furthermore, the contract is also terminated, if the Customer does not meet the payment obligation (see also section 7.2) before the start of the contract renewal.
- Furthermore, both the Provider and the Customer shall be able to terminate the contract due to important reasons without notice.
- Notices of termination shall only be valid in written form.
- The remuneration for the licensing and use of the cloud service shall be agreed by both parties within the order documents of the Provider.
- The remuneration for the agreed period is due in advance and shall be invoiced to the Customer by the Provider.
- In the event that the customer is financially unable to fulfil his obligations to the provider, the provider shall be entitled to end existing exchange contracts with the customer by means of withdrawal or to end continuing obligations by termination without notice, even in the event of the customer pleading insolvency.
- Usage rights of the cloud service and protection against unauthorized use
- A non-exclusive right to use the cloud service and the documentation by remote access within his own business purposes shall be granted to the Customer during the term of the contract.
- Further use shall be contractually agreed prior to its use. The remuneration shall be based on the scope of the right of use.
- The Provider is entitled to take appropriate technical measures as a protection against use that is not in line with the provisions of the Contract.
- The Provider shall be entitled to revoke the Customer’s right of use if the latter significantly contravenes any restrictions on use or any other regulations ensuring protection against unauthorized use (see also Section 1.3 and Section 10.4). Prior to this, the Provider shall set a period of grace for the Customer to remedy the situation. In case of recurrence and particular circumstances, which justify immediate revocation, after taking both parties mutual interests into consideration, the Provider shall be entitled to revoke the Contract without a period of grace. After the revocation the Customer is obliged to confirm the abandon of use to the Provider in written form. The Provider shall grant the right of use to the Customer again after the Customer has assured and explained in writing that infringements against the right of use are no longer present and previous infringements and their consequences have been removed.
- Engagement of subcontractors
- The Provider is free to use subcontractors to fulfill its obligations. The Customer already declares his consent to this. A list of subcontractors is available at https://www.cloudiax.com/privacy-policy/.
- Obligations of the Customer
- The Customer shall ensure that professional staff is available for the support of the Provider and the use of the cloud service during the term of Contract.
- The Customer shall provide support to the Provider in remedying deficiencies if necessary. In particular, the Customer is obliged to describe the deficiencies in detail and in written form and provide all relevant data, documents and information if requested by the Provider.
- The Customer shall acknowledge that the cloud service including the operating instructions and all other related documents – including future versions – are copyrighted.
- The Customer specifies a security manager in writing with his first and last name, telephone number and e-mail address. The security manager is responsible for all security-relevant questions and decisions. One of the security-relevant decisions is, among other things, to grant access rights to Customer data or to delete data from the Customer.
- The Customer shall not carry out any action which could aid unauthorized usage. The Customer is obliged to inform the Provider without delay if he has any reason to suspect unauthorized access.
- Defect claims of the Customer
- For warranty claims the defect regulating provisions of leasing law shall apply. Cloud service defects shall be remedied by the Provider as described in Section 4. The Customer shall not enforce a reduction in payment by deduction from the agreed remuneration. Related claims for enrichment or compensation shall remain unaffected.
- The Customer’s right of termination to the failure to grant use in accordance with the agreement, unless the contractually agreed use is deemed as failure.
- The Provider ensures warranty for the contractually agreed purpose of the provided services. Defects of quality cannot be claimed for insignificant deviation of the contractually agreed services. Claims for defects shall also be invalid in the case of improper use, software defects which are not reproducible or otherwise provable by the Customer, or in the case of damages arising from particular external influences not foreseen in the terms of the contract software defects which are not reproducible or otherwise provable by the Customer, or in the case of damages arising from particular external influences not foreseen in the terms of the contractdefects that are not reproducible or otherwise provable by the Customer, or in case of damages arising particular external influences not foreseen in the terms of the contract. This shall also apply in case of subsequent changes or remedial maintenance carried out by the Customer or a third party, unless it does complicate the analysis and the removal of the defect. In addition to this, Section 13 et seq. shall apply to claims for compensation of damages and expenditure.
- The period of limitation for any claims arising from material defect shall be one year. The processing of the Customer’s report of a defect shall lead only to suspension of the period of limitation, insofar as the legal prerequisites for this exist. The period of limitation shall not recommence as a result of this. A subsequent rectification (new delivery or repair) shall effect exclusively the period of limitation of the defect which led to the subsequent rectification.
- The Provider can insist on remuneration of his effort as (1) he carried out any activities on the basis of a report without a defect existing, unless the Customer was unable to recognize with reasonable effort that no defect existed, or (2) a reported defect is not reproducible, or (3) additional expenses accrue due to improper performance of the Customer’s obligations (also see Section 10 et seq.).
- Defects of title
- The Provider shall only be liable for infringements of third party rights through the delivery of its service insofar as the service is used in conformity with the contract and especially in the operating environment described in the contract. The Provider shall only be liable for the infringements of third party rights at the place of contractual use of the service.
- If a third party asserts against the Customer that a service provided by the Provider infringes its rights, the Customer shall inform the Provider without delay. The Provider and, if appropriate, its sub-contractors are entitled but not obliged to defend unjustified claims at their own expense. The Customer shall not be entitled to assert third-party claims before he has appropriately given the Provider the opportunity to repel third-party rights by any other means.
- If third-party rights are infringed by any service, the Provider shall proceed as follows at his own choice and costs and (1) shall provide the Customer with the right to use the service, or (2) provide the service without infringing any rights, or (3) if the Provider cannot achieve another remedy given a reasonable amount of effort, the Provider shall withdraw the service and refund the Customer the remuneration paid by it (less an appropriate usage fee). The interests of the Customer shall be appropriately taken into consideration.
- Customer claims due to defects of title expire by limitation in accordance to Section 11.4. Section 13 et seq. shall additionally apply for all Customer claims of damage or compensation. Section 11.5 shall additionally apply for additional effort and expenses of the Provider.
- General liability of the Provider
- The Provider shall be liable to the Customer (1) for damages he or his legal representatives or assistants have caused either purposely or by culpable negligence, and (2) for damages deriving from the loss of life, bodily injury or harm to health that the Provider, his legal representatives or vicarious agents are responsible for.
- The Provider shall not be liable in the case of slight negligence, unless it has breached an essential contractual obligation, whose fulfilment enables the proper implementation of the contract and whose observance is regularly trusted and should be presumable by the Customer. This liability shall be limited to damages that are foreseeable and typical of the contract, this shall also apply to lost profit and cost savings failing to occur. Liability for other remote subsequent damage is excluded. For a single claim, the liability shall be limited to the contractual value and in the case of current payments to the value for one contractual month. Section 11.4 shall apply to the limitation accordingly. Liability according to Section 13.1 shall remain unaffected by this paragraph.
- The Provider shall only be liable for compensation of damages arising from a warranty if this is expressly adopted in the warranty. In case of slight negligence this liability shall apply according to the limitations of Section 13.2.
- In the case of loss of data, the Provider shall only be liable for the expenditure which is necessary to restore the data in the case of the Customer having made a proper data backup (see Section 14.2).
- Data protection and copies of Customer data
- As far as the Provider can access data, and especially personal data, that is stored on the Customer’s system, he shall only be active as an order data processor and only process and utilize this data for the purpose of Contract fulfilment. The Provider shall follow to the Customer’s instructions for handling this data. The Customer shall be liable for any disadvantageous results of such instructions for fulfilment of the Contract.
- The Customer remains both generally in the order relationship as well as in the data protection law meaning the person responsible. If the Customer processes personal data in connection with the contract (including collection and use), he shall guarantee that he is entitled to do so in accordance with the applicable provisions, in particular data protection provisions, and releases the Provider of claims of third parties in the event of a breach.
For the relationship between Provider and Customer, the following applies to the data subject: The Customer bears the responsibility for the processing (including collection and use) of personal data, unless the Provider is responsible for any claims of the data subject due to a breach of duty attributable to him. The Customer will responsibly examine, process and respond to any inquiries, requests and claims of the data subject. This also applies to a claim of the Provider by the data subject. The Provider will support the Customer as part of his duties. However, the Provider is at no time jointly responsible for the processing of personal data of the Customer in relation to §26 GDPR.
- The Provider ensures that data of the Customer will be stored exclusively in the territory of the Federal Republic of Germany, in a member state of the European Union or in another Contracting State of the Agreement on the European Economic Area, unless otherwise agreed.
- The Customer will download the electronic copy of the Customer’s data encrypted by the Provider once a calendar month from the Provider, store it and keep it safe as his own backup.
- At the end of the contractual period of use, the Provider shall provide the backup of the last day of this contractual period of use within 48 hours. The Customer has the right to download this backup, as stated in Section 14.2, within 10 days. Subsequently, the Provider shall irrevocably delete all data of the Customer.
- The Provider processes data on behalf of the Customer (All common and relevant data that are stored in ERP (especially SAP) and related sub-systems. In particular, this includes the following data: Customers, suppliers and those interested with data concerning contact persons. Personal data (applicants, employees, trainees, interns, retirees, etc.). Data on recording working time, equipment access control and scheduling. Data for communication as well as carrying out and monitoring transactions as well as technical systems, emergency contact data; other groups of individuals.) This includes activities that have been specified in the service description (Operation of SAP and sub-systems Consultation on optimizing and using SAP and sub-systems; Configuration and provision of SAP and sub-systems; Troubleshooting and data correction in SAP and sub-systems; Transfer and processing of data to load in the SAP system and sub-systems. On request of the Customer, processing of data for the transfer to third parties; e.g. personal data to billing systems; electronic transaction forms to banks, data bases to software manufacturers (e.g. SAP) for further error analysis and correction in SAP and sub-systems). Within the scope of this contract, the Customer is solely responsible for complying with the legal regulations of the data protection law, particularly for the lawfulness of passing on data to the Provider as well as for the lawfulness of data processing.
- Initially, the instructions will be defined through the Contract and can afterwards be changed, amended or replaced by individual instructions by the Customer in written form or text form (individual instructions). Instructions that go beyond the service agreed upon within the scope of the Contract shall be treated as a request for a service change.
- The Provider may process data of data subjects only in the context of the order and the instructions of the Customer, except there is an exceptional case within the meaning of Article 28 para. 3a) of the General Data Protection Regulation. The Provider informs the Customer immediately if he believes that a directive violates applicable laws. The Provider may suspend the implementation of the instruction until it has been confirmed or changed by the Customer.
- Within its sphere of responsibility, the Provider shall design the in-house organization in such a way that it meets special data protection requirements. He shall take technical and organizational measures for the adequate protection of the Customer’s data that meet the requirements of the Data Protection Law. These measures concern: (1) Entry control, (2) Admission control, (3) Access control, (4) Transfer control, (5) Input control, (6) Order control, (7) Availability, and (8) Separation. The security measures carried out by the Provider are specified in the following. The Contractor reserves the right to change of the safety measures involved, whereby it must however be ensured that the protection level that has been contractually agreed on is not exceeded.
- Entry control
In particular, the Provider shall execute the following measures in order to prevent unauthorised individuals access to data processing systems with which data is processed or utilised (entry control): (1) Introduction and maintenance of graduated access rights for employees and third parties; (2) Regulation and limiting access rights, handing out related keys or key cards; (3) Regular inspection and update of keys or key cards; (4) Identification and validation of all persons with access rights; (5) Keeping a log of visitors that have access to data processing systems
- Admission control
In particular, the Provider shall execute the following measures in order to prevent data processing systems to be used by unauthorised individuals (admission control): (1) Operation of central data processing systems (servers) only in specially secured rooms to which only select employees (administrators) and service providers have access that are obligated to diligence and secrecy; (2) Creation and implementation of rules of conduct for the use of mobile terminal equipment that obligates the employees, among other things, not to leave these devices unattended during travel; (3) Logical (e.g. passwords) and physical (e.g lockable or otherwise secured containers) protection of all data storage media (external hard drives, USB sticks, CD-ROMs, DVDs etc.).
- Access control
In particular, the Provider shall execute the following measures in order to ensure that those authorised to use a data processing system only have access rights to data regarding their authorization, and that data cannot be read, copied, modified or deleted during processing, usage and after saving (access control): (1) Creation and implementation of usage guidelines regulating the collection, reading, modifying and deletion of data; (2) Usage of the data processing systems only after identification and authentication of the user; (3) Blocking of user accounts provided that these have not been used for a period of longer than 30 days; usage of secure passwords; (4) Regularly changing passwords; (5) Blocking passwords after having entered them incorrectly several times; (6) Limiting of user rights for employees that are not administrators; separation of testing and productive systems.
- Transfer control
In particular, the Provider shall execute the following measures in order to ensure that data can’t be read, copied, changed or removed without authorization during electronic transfer, transportation or saving on data carriers, and that it can be tracked and verified, at which points a transmission of data by appliances for data transfer is designated (transfer control): (1) Creation and execution of a guideline of use which regulates the transfer and transport of data; (2) Usage of data processing appliances only after identification and authentication by the user; (3) Creation of documentations for all programs that encrypt, send or receive data; (4) Monitoring of all interfaces (Ports) of the data processing appliance to the internet, and blocking of all interfaces usually not needed (e.g. ports which are used for file-sharing applications or chat applications); (5) Monitoring of local company sites, insofar as those send or receive data.
- Input control
In particular, the Provider shall execute the following measures in order to ensure that it can retroactively be tracked and verified, if and by whom data has been entered in, changed or removed from data processing systems (input control): (1) Creation and execution of a guideline which regulates the recording, reading, changing and removing of data; (2) Usage of the data processing appliance only after identification and authentication of the user; (3) logging of relevant accesses to data.
- Order control
In particular, the Provider shall execute the following measures in order to ensure that data, which is processed by order, will only be processed according to the instruction of the Customer (order control): (1) Usage of the data processing appliance only after identification and authentication by the user; logging of relevant access to data.
In particular, the Provider shall execute the following measures in order to ensure that data is protected against coincidental destruction or loss (availability): (1) Creation of backups at least once within 24 hours on two different systems minimum; (2) Storage of backups in flame-proofed containers or a data centre separated by open ground.
In particular, the Provider shall execute the following measures in order to ensure that various data, which has been gathered for different purposes, will be processed separately (separation): Logistical separation of the data from the Customer and other data.
- The Provider ensures that employees engaged in the processing of the Customer’s data and other persons acting on behalf of the Provider are prohibited by obligation from processing the data outside of the instructions. Furthermore, the Provider guarantees that the persons authorized to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory confidentiality obligation. The duty of confidentiality / confidentiality remains valid even after completion of the assignment.
- The Provider shall inform the Customer about severe infringements by the Provider without any delay, as well if persons hired by the Provider within the scope of the order infringe upon the regulations to protect the data of the Customer or the determinations of the present Contract. He shall take required measures to secure data and to reduce possibly adverse consequences to those involved and shall immediately seek agreement with the Customer regarding the matter. The Provider shall provide support to the Customer to meet the information requirements.
- The Provider shall appoint a contact person for the Customer regarding data protection issues within the scope of the present Contract.
- The Provider shall not use the provided data for any other purposes than for fulfilment of the Contract.
- The Provider guarantees his obligations under Art. 32 para. 1 lit. d to comply with the General Data Protection Regulation, to establish a procedure for the periodic review of the effectiveness of the technical and organizational measures to ensure the safety of the processing. The Provider rectifies, deletes or blocks the contractual data if the Customer so instructs. The data protection compliant destruction of data carriers and other materials takes over the Provider on the basis of an individual commissioning by the Customer, if not already agreed in the contract. In special, to be determined by the Customer cases, there is a storage or transfer.
- In the case of test and scrap material, an individual order is not required.
- If additional costs accrue due to deviating requirements when handing over or deleting the data, these shall be carried by the Customer.
- The Customer must immediately and fully inform the Provider if he determines errors or irregularities regarding data-protection-related regulations in the order results.
- If, on account of applicable data protection laws, the Customer is obligated toward an individual to provide information on the collection, processing or utilisation of data of this person, the Provider shall thereby provide the Customer with support to make this information available. This assumes that the Customer has made a request in written or text form and the Customer reimburses the Provider the costs that have arisen due to this support. The Provider shall not answer any requests for information and, in this respect, shall refer the affected person to the Customer.
- If an affected party contacts the Provider with claims for correction, deletion or blocking, the Provider will refer the person concerned to the Customer.
The Provider proves to the Customer compliance with the obligations laid down in this contract upon request by appropriate means. As proof the examination result of the annual data protection audit of the technical & organizational measures (TOM) according to §32 GDPR by an external data protection officer is valid.
- Insofar as inspections by the Customer or an inspector commissioned by the Customer are required in individual cases, these shall be carried out during normal business hours without disrupting the operation after registration, taking into account a reasonable lead time. The Provider may make these dependent on prior notification with reasonable lead time and on the signing of a confidentiality agreement regarding the data of other Customers and the technical and organizational measures that have been set up. If the examiner commissioned by the Customer is in a competitive relationship with the Provider, the Provider has a right of appeal against this. For the support during the execution of an inspection the offerer may demand an expense allowance. The cost of an inspection is always limited to one day per calendar year for the Provider. The same applies if a data protection authority or other sovereign supervisory authority of the Customer should carry out an inspection. A signing of a confidentiality obligation is not required if this regulatory authority is subject to a professional or legal confidentiality, in which a violation under the Criminal Code is punishable.
- The Customer agrees that the Provider for the fulfillment of his contractually agreed services affiliated companies of the Provider to fulfill the performance or subcontract companies with the listed services.
- If the Provider issues orders to a sub-contractor, the Provider shall undertake to transfer its obligations deriving from the present Contract to the sub-contractor. Sentence 1 shall particularly apply to requirements concerning confidentiality, data protection and data security between the contractual parties of the present Contract and is carried out in accordance with §28 Abs.4 GDPR. A possible inspection on behalf of the Customer at the sub-contractor’s place of business shall only take place in coordination with the Provider.
- Upon written request, the Customer shall be entitled to receive information from the Provider on data-protection-relevant obligations of the sub-contractor as well as insight into relevant contractual documents if required.
- A sub-contracting relationship subject to approval shall not be deemed valid if the Provider commissions a third party within the scope of a supplementary service to the primary service, such as in the case of external personnel, postal and shipping services or maintenance.
- The Provider shall make agreements with this third party at the scope required in order to ensure adequate data protection.
- In case the data of the Customer become endangered in the possession of the Provider due to seizure or confiscation, insolvency or settlement proceedings, or because of other events or measures taken by third parties, the Provider must inform the Customer about this immediately. The Provider shall immediately inform all those responsible in this respect that the sovereignty and ownership of the data exclusively lies within the scope of the Customer as a responsible authority.
- Rights of the software vendor
- The Customer shall make notice that the Provider must regularly present to software vendors like SAP or Microsoft or any other used in the environment reports about his Customers – this also includes the Customer. For this purpose, the Customer shall agree that the Provider will transmit the following information to the software vendor (1) order number for the Customer; (2) Name of the Customer; (3) Customer address (street, postal code, city, country); (4) DUNS number of the Customer (Dun & Bradstreet’s number for the purpose of clear identification of the company); (5) Status of the Customer (basic terms of the Contract/cancellation deadline, number and type of the Customer’s users); and (6) other details regarding the Customer as requested from the Provider by the software vendor in accordance with their contractual agreement.
- The Customer shall treat the sensitive information from the software vendor at least as confidentially as the information of the Provider in accordance with Section 16 et seq., and ensure that its defined users do the same.
- The Customer shall grant the software vendor the right (as a true right to the benefit of third parties) to assert damage compensation claims in the case of the Customer’s infringement upon the rights of the software vendor regarding intellectual property.
- Furthermore, the Customer is obliged to ensure that the software vendor can carry out tests – in accordance with applicable data protection laws –, in order to (1) comply with licencing provisions for the software, (2) calculate fees between the Provider and the software vendor, and/or (3) verify the accuracy and completeness of the reports made by the Provider to the software vendor, and to obtain the required consent for receiving such verifications of individuals that work for the Customer.
- Subject to legal limitations, and without collecting content or other confidential information and transferring this to the software vendor, the software vendor shall be permitted, (1) to set up the software in such a way that each system generates the required information for an inspection, thereby transferring it to the software vendor, and (2) to remotely access the software and the equipment it is installed on to examine its use.
- Each party shall treat as confidential all sensitive information, protected information, and business secrets of the other party that may be obtained in connection with the present Contract. Each party shall treat this Contract and its terms as confidential information. The parties shall provide their employees or third parties with confidential information only as far as this is required to fulfil their obligations within the scope of the present Contract and only under the conditions that these individuals are subject to a corresponding duty of professional secrecy.
- Confidential information does not include any information that: (1), without fault of the receiving party, are generally known or publicly accessible; (2) was in the possession of the recipient party without infringing upon an obligation to secrecy before receiving it from the disclosing party, or the information was known or acquired in physical form; (3) was independently developed by the recipient party without using the confidential information; (4) was properly disclosed to the recipient party by third parties who are not subject to any secrecy obligation with reference to the information; (5) was disclosed by the recipient party having received previous written consent from the disclosing party; (6) according to legal or regulatory provisions, must be disclosed if the disclosing party is informed without undue delay of this obligation and the extent of the disclosure shall be limited to the furthest extent possible or information that must be disclosed due to a court ruling if the disclosing party is informed of this ruling without undue delay and there is no possibility to make an appeal against the ruling.
- The aforementioned confidentiality obligations shall continue even after ending this Contract.
- The Customer shall respect self-dependently the applicable import and export regulations for the services. In case of transboundary services, the Customer shall be responsible for incurring customs, fees and other dues. The Customer shall process self-dependently legal or governmental procedures concerning transboundary services, except when otherwise and explicitly agreed.
- German law applies. The application of the United Nations Convention on Contracts for the International Sale of Goods (CISG) is not permitted.
- The acceptance of services by the Customer applies as acknowledgement for the general conditions of contract by the Provider. Other conditions are only binding if the Provider acknowledged them in writing.
- Changes and amendments of this contract shall be made in written form.
- The place of jurisdiction is the domicile of the Provider. The Provider can also sue the Customer in whose domicile.