Data processing agreement

Status: December 18, 2025

between

The customer that creates a customer account with Flea Software UG

- Client -

and

Flea Software UG (limited liability)
Winterfeldtstraße 21, 10781 Berlin

- Contractor -


1. General

(1) The Contractor processes personal data on behalf of the Client within the meaning of Art. 4 No. 8 and Art. 28 of the General Data Protection Regulation (GDPR). This contract regulates the rights and obligations of the parties in relation to the processing of personal data.

(2) If the term "data processing" or "processing" (of data) is used in this contract, the definition of "processing" as per Art. 4 No. 2 GDPR shall apply.

2. Subject of the Order

The subject of processing, nature and purpose of processing, the type of personal data, and the categories of affected persons are specified in Appendix 1 to this contract.

3. Rights and Obligations of the Client

(1) The Client is the controller within the meaning of Art. 4 No. 7 GDPR for the data processing that the Contractor carries out on its behalf. Under section 4 para. 3, the Contractor has the right to inform the Client if, in its opinion, the order and/or an instruction involves legally impermissible data processing.

(2) The Client is responsible as the controller for upholding the rights of the data subjects. The Contractor will inform the Client without delay if data subjects assert their rights against the Contractor.

(3) The Client has the right to issue additional instructions regarding the nature, scope, and procedure of data processing to the Contractor at any time. Instructions must be given in text form (e.g., email).

(4) Provisions regarding any compensation for additional expenses incurred by the Contractor due to the Client's additional instructions remain unaffected.

(5) The Client may designate authorized individuals. If authorized individuals are to be designated, they will be named in Appendix 1. If there are changes to the authorized individuals at the Client, the Client will notify the Contractor in text form.

(6) The Client informs the Contractor without delay if it discovers errors or irregularities related to the processing of personal data by the Contractor.

(7) In the event that there is an obligation to inform third parties under Art. 33, 34 GDPR or any other applicable statutory reporting obligation for the Client, the Client is responsible for compliance with it.

4. General Obligations of the Contractor

(1) The Contractor processes personal data exclusively within the framework of the agreements made and/or in compliance with any additional instructions issued by the Client. Exceptions to this are statutory provisions that may require the Contractor to process data otherwise. In such cases, the Contractor informs the Client of these legal requirements before processing, unless the relevant law prohibits such notification due to a significant public interest. The purpose, nature, and scope of the data processing shall otherwise be governed exclusively by this contract and/or the Client's instructions. Any deviation from this data processing is prohibited for the Contractor unless the Client has given written consent.

(2) The Contractor will primarily carry out the data processing on behalf of the Client in Member States of the European Union (EU) or the European Economic Area (EEA). The Contractor is also permitted to process data outside the EU or EEA if the subcontractors concerned in the third country are engaged in compliance with the conditions of section 10 and the requirements of Arts. 44-48 GDPR are met, or if an exception within the meaning of Art. 49 GDPR applies.

(3) The Contractor will inform the Client without delay if any instruction issued by the Client appears to violate legal provisions. The Contractor is entitled to suspend the execution of the relevant instruction until it is confirmed or changed by the Client. If the Contractor can demonstrate that processing based on the Client's instruction could lead to liability under Art. 82 GDPR, the Contractor has the right to suspend further processing until liability between the parties is clarified.

(4) The Contractor may name the individual(s) authorized to receive instructions from the Client. If persons authorized to receive instructions are to be named, they will be listed in Appendix 1. If changes occur regarding the persons authorized to receive instructions at the Contractor, the Contractor will inform the Client of this in text form.

5. Data Protection Officer of the Contractor

(1) The Contractor is currently not required to appoint a Data Protection Officer under Art. 37 GDPR in conjunction with Section 38 BDSG, as the statutory threshold values are not met. Therefore, no Data Protection Officer is appointed.

(2) The Contractor undertakes to appoint a Data Protection Officer as soon as the statutory requirements for this arise.

(3) The Contractor ensures through operational regulations that the processing of personal data complies with the statutory provisions as well as the regulations of this contract.

6. Reporting Obligations of the Contractor

(1) The Contractor is obliged to inform the Client without delay, and in any case within 24 hours, of any violation of data protection regulations or of the contractual agreements and/or the Client's instructions that has occurred in the course of data processing by the Contractor itself or by others involved in the processing. The same applies to any personal data breach affecting personal data that the Contractor processes on behalf of the Client.

(2) Furthermore, the Contractor will inform the Client without delay if a supervisory authority takes action against the Contractor under Art. 58 GDPR and this may also involve a review of the processing provided by the Contractor on behalf of the Client.

(3) The Contractor is aware that a reporting obligation may exist for the Client under Art. 33, 34 GDPR, which requires reporting to the supervisory authority within 72 hours of becoming aware. The Contractor will assist the Client in implementing the reporting obligations. The Contractor shall inform the Client without delay of any unauthorized access to personal data processed on behalf of the Client upon becoming aware of such access. The Contractor's report to the Client must include particularly the following information:

  • a description of the nature of the personal data breach, where possible indicating the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

  • a description of the measures taken or proposed by the Contractor to remedy the breach of personal data protection and any measures to mitigate its possible adverse effects.

7. Cooperation Obligations of the Contractor

(1) The Contractor assists the Client in its obligation to respond to requests for the assertion of data subjects' rights under Arts. 12-23 GDPR. The regulations of section 12 of this contract apply.

(2) The Contractor collaborates in the creation of directories of processing activities by the Client. It must provide the Client with the necessary information in an appropriate manner.

(3) The Contractor supports the Client, taking into account the nature of the processing and the information available to it, in complying with the duties specified in Arts. 32-36 GDPR.

8. Regulations for Mobile Workstations

(1) The Contractor may allow its employees assigned to process personal data for the Client to process personal data at mobile workstations outside the premises of the Contractor.

(2) The Contractor must ensure that compliance with the contractually agreed technical and organizational measures is also guaranteed when the Contractor's employees use mobile workstations. Deviations from specific contractually agreed technical and organizational measures must be coordinated in advance with the Client and approved by it in writing.

(3) The Contractor particularly ensures that, when processing personal data at mobile workstations, the storage locations are configured so that local storage of data on IT systems is excluded. If this is not possible, the Contractor must ensure that local storage is only performed in an encrypted manner and other persons present at the respective mobile workstation do not have access to this data.

(4) The Contractor is obliged to ensure that the Client can effectively control the processing of personal data on its behalf at mobile workstations. The personal rights of the employees must be adequately considered.

9. Control Powers

(1) The Client has the right to check the compliance with the data protection laws and/or the compliance with the contractual regulations made between the parties and/or the compliance with the instructions of the Client by the Contractor to the necessary extent.

(2) The Contractor is obliged to provide the Client with information to the extent necessary for the execution of the control as per paragraph 1.

(3) The Client may carry out the control under paragraph 1 at the Contractor's place of business during usual business hours and with reasonable advance notice. The Client will ensure that the controls are only carried out to the necessary extent so as not to disproportionately disturb the Contractor's operational processes. The parties assume that a control is only necessary once a year. Further examinations must be justified by the Client by stating the reason. In the case of on-site controls, the Client will reimburse the Contractor for the incurred expenses, including personnel costs for the support and accompaniment of the control persons on-site, to a reasonable extent. The Contractor will inform the Client of the basis for calculating costs before the control is conducted.

(4) At the Contractor's option, proof of compliance with the technical and organizational measures can, instead of an on-site control, also be provided by presenting an appropriate, current certificate, reports, or excerpts of reports from independent bodies (e.g., auditors, internal audit, data protection officers, IT security department, data protection auditors, or quality auditors) or an appropriate certification, provided the audit report allows the Client to reasonably verify compliance with the technical and organizational measures according to Appendix 3 to this contract. Should the Client have justified doubts about the suitability of the audit document per sentence 1, an on-site control may be conducted by the Client. The Client is aware that on-site controls in data centers are not feasible or are possible only in justified exceptional cases.

(5) The Contractor is obliged to provide the necessary information to the Client in the event of measures taken by the supervisory authority against the Client under Art. 58 GDPR, particularly regarding information and control obligations, and to allow the competent supervisory authority to conduct an on-site control. The Client must be informed by the Contractor of such planned measures.

(6) The parties agree that, in order to protect the personal rights of other persons present at mobile workstations, control measures regarding the processing of personal data at mobile workstations will primarily be conducted by overseeing the implementation of the measures the Contractor is to take under section 8 paras. 2 and 3. Where there is a specific reason, the Contractor must also allow the Client to inspect its employees' mobile workstations.

10. Subcontracting Relationships

(1) The Contractor is entitled to use the subcontractors specified in Appendix 2 to this contract for processing data on behalf. The change of subcontractors or the commissioning of further subcontractors is permissible under the conditions mentioned in paragraph 2.

(2) The Contractor must carefully select the subcontractor and check before commissioning that the subcontractor can comply with the agreements made between the Client and the Contractor. In particular, the Contractor must regularly check that the subcontractor has taken the technical and organizational measures required to protect personal data under Art. 32 GDPR. The Contractor will inform the Client in text form in good time, and at the latest four weeks before the change or commissioning of a new subcontractor ("Information"). The Client has the right to object to the change or commissioning of the subcontractor in text form, stating reasons, within four weeks of receiving the Information. The Client may withdraw the objection at any time in text form. In the case of an objection, the Contractor may terminate the contractual relationship with the Client with a notice period of at least 14 days to the end of a calendar month. The Contractor will give due consideration to the Client's interests when setting the notice period. If the Client does not object within four weeks of receiving the Information, this is deemed to be the Client's consent to the change or commissioning of the subcontractor concerned.

(3) The Contractor is obliged to ensure that the subcontractor confirms that it has appointed a Data Protection Officer in accordance with Art. 37 GDPR if the subcontractor is legally obliged to appoint a Data Protection Officer.

(4) The Contractor must ensure that the provisions agreed in this contract and any additional instructions from the Client also apply to the subcontractor.

(5) The Contractor must conclude a data processing agreement with the subcontractor that meets the requirements of Art. 28 GDPR. Furthermore, the Contractor must impose the same obligations on the subcontractor for the protection of personal data that are established between the Client and the Contractor. The agreement for the processing of data on behalf must be provided to the Client upon request in copy.

(6) The Contractor is particularly obliged to ensure through contractual provisions that the Client's and supervisory authorities' control powers (section 9 of this contract) also apply to the subcontractor and that corresponding control rights of the Client and supervisory authorities are established. Additionally, it must be contractually regulated that the subcontractor is obliged to tolerate these control measures and any on-site controls.

(7) Services that the Contractor obtains from third parties as mere ancillary services to exercise its commercial activity shall not be considered as subcontracting relationships within the meaning of paragraphs 1 to 6. This includes, for example, cleaning services, pure telecommunications services without a specific reference to services that the Contractor provides for the Client, postal and courier services, transport services, security services. However, the Contractor is still obliged to ensure that appropriate precautions and technical and organizational measures have been taken to ensure the protection of personal data, even for ancillary services provided by third parties. The maintenance and servicing of IT systems or applications represent a subcontracting relationship requiring consent and data processing under Art. 28 GDPR when the maintenance and inspection involve IT systems that are also used in connection with the provision of services for the Client and personal data that is processed on behalf of the Client can be accessed during maintenance.

11. Confidentiality Obligations

(1) The Contractor is obliged to maintain confidentiality regarding data received in connection with the order during data processing for the Client.

(2) The Contractor has made its employees aware of the applicable data protection regulations and has obligated them to confidentiality.

(3) The obligation of employees under paragraph 2 must be demonstrated to the Client upon request.

12. Upholding Data Subjects' Rights

(1) The Client is solely responsible for upholding the rights of data subjects. The Contractor is obliged to assist the Client in its duty to process requests from data subjects under Arts. 12-23 GDPR. The Contractor must ensure that the necessary information is promptly provided to the Client so that the Client can in particular comply with its obligations under Art. 12 para. 3 GDPR.

(2) To the extent that the Contractor's cooperation is necessary for the Client to uphold data subjects' rights - particularly for access, rectification, restriction, or deletion - the Contractor will take the necessary measures as instructed by the Client. The Contractor will support the Client, where possible, with appropriate technical and organizational measures in fulfilling its obligation to respond to requests for the exercise of data subjects' rights.

(3) Provisions regarding any compensation for additional expenses arising from participation in the assertion of data subjects' rights against the Client remain unaffected.

13. Duties of Confidentiality

(1) Both parties agree to treat all information received in connection with the execution of this contract as confidential indefinitely and to use it only to fulfill the contract. No party is entitled to use this information in whole or in part for any purposes other than those mentioned or to disclose this information to third parties.

(2) The above obligation does not apply to information that either party has demonstrably obtained from third parties without being obliged to confidentiality or that is publicly known.

14. Compensation

Any provisions regarding compensation for services shall be agreed upon separately between the parties.

15. Technical and Organizational Measures for Data Security

(1) The Contractor undertakes to comply with the technical and organizational measures required for compliance with the applicable data protection regulations. This includes particularly the requirements from Art. 32 GDPR.

(2) The state of the technical and organizational measures existing at the time of contract conclusion is attached as Appendix 3 to this contract. The parties agree that adjustments to technical and legal circumstances may necessitate changes to the technical and organizational measures. Substantial changes that may impair the integrity, confidentiality, or availability of personal data will be discussed in advance with the Client. Measures that only bring about minor technical or organizational changes and do not negatively impact the integrity, confidentiality, and availability of personal data may be implemented by the Contractor without consulting the Client. The Client may request a current version of the technical and organizational measures taken by the Contractor once a year or upon justified occasions.

(3) The Contractor will regularly, and also as needed, check the effectiveness of the technical and organizational measures it has taken.

16. Duration of the Contract

(1) The contract serves as an appendix to the main contract and commences upon its signing. It runs for the duration of the main contract existing between the parties regarding the use of the Contractor’s services by the Client.

(2) The Client may terminate the contract at any time without notice if there is a serious breach by the Contractor against applicable data protection regulations or obligations arising from this contract, if the Contractor cannot or will not carry out an instruction from the Client, or if the Contractor unlawfully refuses the Client or the competent supervisory authority access.

17. Termination

(1) Upon termination of the contract, the Contractor must return all documents, data, and created processing or usage results that have come into its possession in connection with the contractual relationship, at the Client's choice, or delete them. Deletion is to be documented appropriately.

(2) The Contractor may store personal data processed in connection with the order beyond the termination of the contract if and to the extent that a legal obligation to retain such data applies to the Contractor. In such cases, the data may only be processed for the purposes of implementing the applicable statutory retention obligations. After the retention period has expired, the data must be deleted without delay.

18. Right of Retention

The parties agree that the objection of the right of retention by the Contractor in accordance with § 273 BGB regarding the processed data and the associated data carriers is excluded.

19. Final Provisions

(1) If the Client's property is endangered at the Contractor by measures of third parties (e.g., by seizure or confiscation), by insolvency proceedings, or by other events, the Contractor must inform the Client without delay. The Contractor will promptly inform the creditors that the data involved are being processed on behalf.

(2) Any side agreements must be made in writing.

(3) Should individual parts of this contract be ineffective, this shall not affect the effectiveness of the remaining provisions of the contract.

Appendix 1 - Subject of the contract

1. Subject and Purpose of Processing

The client's order to the contractor includes the following work and/or services:

The services result from the main contract and include the provision of a cloud service for the qualitative and quantitative collection and processing of data in the area of

  • the support and management of employees, as well as

  • the Developer Experience of employees,

including related maintenance, support, and service activities.

The order includes the collection and evaluation of the data necessary for measuring the Developer Experience and is aimed at developing a comprehensive understanding of the factors that influence the productivity and well-being of developers, as well as supporting the implementation of derived measures for improvement. These specifically include:

  • Data from employee surveys

  • Data from employee interviews (e.g., 1:1)

  • Data from other source systems: As agreed, this also includes the integration of data from other source systems used in the development process into the cloud services provided by the contractor.

2. Types of Personal Data

The following types of data are regularly subject to processing:

  • Identification Data: This includes first and last names, email addresses, and, if applicable, job titles within the organization.

  • Demographic Data: This may include age, gender, and length of service.

  • Feedback and Opinions: Statements and assessments regarding work processes, team dynamics, technical infrastructure, and personal engagement.

  • Work-related Data: Information about team membership, role distribution in the team, and specific work tasks.

  • Work-related Data from other Source Systems (as agreed and configured in the contractor's software), such as ticketing, source code, or other development systems, e.g., deployment or systems for automating software tests.

3. Categories of Data Subjects

Circle of persons affected by the data processing:

Appendix 2 - Subcontractors

For the processing of data on behalf of the client, the contractor makes use of third-party services that process data on its behalf (subcontractors).

This includes the following companies:


Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany

Scope of the contract:

  • The contractor uses cloud infrastructure services from Hetzner. All data is stored and processed exclusively in data centers within the European Union. A DPA has been concluded with the subcontractor.


Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg

Scope of the contract:

  • The contractor uses cloud infrastructure services from AWS. All data is stored and processed exclusively in data centers within the European Union. A DPA has been concluded with the subcontractor.

  • The contractor uses AWS Bedrock to access AI language models exclusively in EU regions. The processing is done for dialog with the user (FleaBot) and for analysis, structuring, and generation of evaluation results. AWS Bedrock is used solely for inference, not for training models. The processed data is not used for training or improving models. A DPA including EU standard contractual clauses has been concluded with the subcontractor.


Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Scope of the contract:

  • The contractor uses Google Workspace for internal business operations, including document storage and collaboration. Customer data may be processed as part of service delivery. A DPA including EU standard contractual clauses has been concluded with the subcontractor.

Appendix 3 - Technical and organizational measures of the contractor

The contractor takes the following technical and organizational measures to ensure data security in accordance with Art. 32 GDPR.

  1. Hosting in the EU

For hosting the processing systems, only data centers in the EU/EEA are used. Access to the hosting providers' services is secured according to common high standards, such as encrypted data transmission, strong passwords, and multi-factor authentication. The hosting providers used are listed in Appendix 2.

  2. Physical access control

  • Flea does not have its own offices. Customer data is stored and processed in the cloud. The physical security of the data centers is ensured by the hosting providers (Appendix 2). Storing customer data on local devices is prohibited unless the storage is encrypted.

  3. System and data access control

Password procedures

  • Authentication with username and password

  • Requirement for character mix (uppercase, lowercase letters, numbers, special characters)

  • Minimum length of 14 characters

  • Creating and managing user permissions

  • Logging of access (log in / log out)

  • MFA for critical systems

Permission concept and access rights

  • Permission concept exists

  • Role definition

  • Differentiated permissions (data, applications)

  • Management of user rights by system administrators

  • Limiting the number of administrators to the "necessary"

  • Definition of responsibilities for information protection

The contractor's software is written in Ruby using the Ruby on Rails framework. The security recommendations in the Rails Security Guide (https://guides.rubyonrails.org/security.html) have been implemented:

  • once a user has authenticated, the session is stored in a cookie that is encrypted and signed by Rails, so that it can be neither read nor modified by the client

  • Cross-Site Request Forgery (CSRF) is prevented, among other things, by a Rails-generated authenticity token that is checked on every state-changing (non-GET) request

  • Cross-Site Scripting (XSS) is prevented by escaping user-supplied content when it is rendered in views (Rails escapes HTML output by default) and by sanitizing any HTML that must be rendered unescaped
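The three mechanisms listed above, shown as an added example in plain Ruby. This is illustrative code written for this page; it is neither Rails' own implementation nor the contractor's software. It serializes the session to JSON and encrypts and authenticates it with AES-256-GCM under a key derived from a constructed stand-in for Rails' `secret_key_base`, issues a per-session CSRF token that is compared in constant time on every non-GET request, and HTML-escapes user input at output time rather than "sanitizing" it on input. All names (`encrypt_session`, `verified_request?`, `render_comment`), the key material and the sample inputs are assumptions made for the example.

```ruby
require 'openssl'
require 'securerandom'
require 'json'

# Constructed stand-in for Rails' secret_key_base. Rails derives its cookie
# keys from secret_key_base with a key generator; here a SHA-256 digest of a
# fixed string yields the 32-byte AES key. Never hard-code a real secret.
SECRET_KEY = OpenSSL::Digest::SHA256.new.digest('constructed-secret-key-base')
IV_BYTES  = 12   # GCM nonce length
TAG_BYTES = 16   # GCM authentication tag length

# --- 1. Encrypted, authenticated session cookie -------------------------------
# Serialize the session hash to JSON, encrypt with AES-256-GCM under a fresh
# random nonce and emit "ciphertext--iv--tag", each part strict base64.
def encrypt_session(session, key = SECRET_KEY)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv
  ciphertext = cipher.update(JSON.generate(session)) + cipher.final
  [ciphertext, iv, cipher.auth_tag].map { |b| [b].pack('m0') }.join('--')
end

# Returns the session hash, or nil when the cookie is malformed, forged,
# truncated or encrypted under a different key (the GCM tag check fails).
def decrypt_session(cookie, key = SECRET_KEY)
  parts = cookie.to_s.split('--')
  return nil unless parts.length == 3
  ciphertext, iv, tag = parts.map { |p| p.unpack1('m0') }
  return nil unless iv.bytesize == IV_BYTES && tag.bytesize == TAG_BYTES
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  JSON.parse(cipher.update(ciphertext) + cipher.final)
rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
  nil
end

# --- 2. CSRF token bound to the session ---------------------------------------
def issue_csrf_token(session)
  session['_csrf_token'] ||= SecureRandom.base64(32)
end

# Length check plus XOR-accumulate, so the time taken does not depend on the
# position of the first mismatching byte.
def constant_time_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Safe methods carry no token; every other method must present the token
# issued to this session (hidden form field or X-CSRF-Token header).
def verified_request?(http_method, session, submitted_token)
  return true if %w[GET HEAD OPTIONS].include?(http_method.to_s.upcase)
  expected = session['_csrf_token']
  !expected.nil? && constant_time_equal?(expected, submitted_token.to_s)
end

# --- 3. XSS: escape on output, not "sanitize" on input ------------------------
HTML_ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                 '"' => '&quot;', "'" => '&#39;' }.freeze

def html_escape(text)
  text.to_s.gsub(/[&<>"']/, HTML_ESCAPES)
end

# The stored value stays verbatim; markup-significant characters are
# neutralised only at the point where the text is placed into HTML.
def render_comment(user_input)
  %(<p class="comment">#{html_escape(user_input)}</p>)
end

if __FILE__ == $PROGRAM_NAME
  session = { 'user_id' => 42 }
  token   = issue_csrf_token(session)
  cookie  = encrypt_session(session)
  puts "cookie:        #{cookie}"
  puts "round trip:    #{decrypt_session(cookie).inspect}"
  puts "wrong key:     #{decrypt_session(cookie, SecureRandom.random_bytes(32)).inspect}"
  puts "POST w/ token: #{verified_request?('POST', decrypt_session(cookie), token)}"
  puts "POST no token: #{verified_request?('POST', decrypt_session(cookie), nil)}"
  puts render_comment('<script>alert(1)</script>')
end
```

Two points the bullets above gloss over: the GCM tag is what makes the cookie tamper-evident, so any bit flipped by the client is rejected as a whole rather than decrypted to garbage; and because the CSRF token lives inside the encrypted session, a forged cross-site POST cannot know it, while the constant-time compare keeps a network attacker from recovering it byte by byte through timing.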

Separation control

  • Specification of database rights

  • Logical tenant separation (software-side)

  • Separation of customer data (access rights)

Is pseudonymization of the data possible?

Pseudonymization of the data is possible as far as necessary.

  4. Integrity

The integrity of personal data is maintained when it is correct, unchanged, and complete.

Transfer control

  • Data transmission via HTTPS (online services)

  • TLS 1.2+ encryption for web access

  • Encryption of laptops

Input control

  • Allocation of rights based on the permission concept

  • Logging of input, modification, and deletion of data

  • Logging of logins and logouts

  • Traceability of input, modification, and deletion through individual usernames

  5. Availability

Personal data is available when users can use it as intended.

Backup and recovery procedures

  • Backups for servers including regulations and implementation

  • Backups for information in networks/services

  • Ability to quickly restore data availability and access

  • Procedures for regular review, assessment, and evaluation

  6. Contract control

  • Careful selection of subcontractors (especially regarding data security)

  • Review of data security measures (technical and organizational measures, certifications / quality seals, data security concept)

  • Agreement on effective control rights against contractors

  • Instructions for handling personal data are documented in writing

  • If necessary, agreements on data processing or appropriate guarantees are concluded

  7. Data protection management

  • Data protection officer is not required

  • Written commitment of employees to confidentiality

  • Regular training of employees in data protection and information security

  • Maintaining a directory for processing activities

  • Processes for exercising the rights of the affected individuals are established

  • Data minimization and purpose limitation

  8. Incident response management

  • Incident response plan exists

  • Training and briefing of employees on data security and behavior during security incidents and data breaches

© 2024 Flea Software UG (Limited Liability)