- United Kingdom
- United States
- Rest of World
General Terms and Conditions for Adjust GmbH
1. Scope of Application
1.1 The following General Terms and Conditions including the Annexes (“Agreement”) apply to all contracts and services rendered between and/or by Adjust GmbH (“Adjust”) and its customers (“Customer”) with regard to the use of Adjust products and Adjust services (hereinafter collectively “Services”). This Agreement constitutes a material part of each agreement unless expressly agreed otherwise in writing.
1.2 This Agreement and Conditions apply to any future business transaction between Adjust and the Customer, even without express reference thereto.
1.3 Any deviating terms and conditions of the Customer as well as any deviations and/or amendments to this Agreement shall only become part of this Agreement if they have been expressly acknowledged by Adjust in writing (email is sufficient). This Agreement also apply exclusively if Adjust has not explicitly objected any contrary terms and conditions.
1.4 Adjust reserves the right to modify this Agreement with effect for the future at any time. In this case, Adjust will notify the Customer of these changes. The changes shall be deemed to be accepted if the Customer does not object within three weeks after receipt of the amendment notification. Adjust will inform the Customer in its amendment notification about the Customer’s right to object and the effects of a lack of objection. If the Customer rejects the changes, Adjust has the right to terminate this Agreement.
2. Offer and Conclusion of a Contract
2.1 The subject matter of this Agreement are the Services as offered in the current service description at the time this Agreement is executed (see: https://www.adjust.com/pricing/). To ensure the proper functioning of the Services, Adjust reserves the right to make technical changes and improvements to the Services within a reasonable scope.
2.2 This Agreement between Adjust and the Customer is either executed upon signature of an individual order (“Order Form”) by the Customer or, regarding the Free Subscription Period (as defined below in item 2.2 b)) only, by accepting the terms of this Agreement online.
a) Order Form
In order to execute this Agreement by means of an Order Form, the Customer must send the signed Order Form to Adjust by mail or by email (“Acceptance”). In addition to any provisions contained in the Order Form, this Agreement shall apply and in case of a conflict between the Order Form and this Agreement the terms of the Order Form shall prevail.
b) Free Subscription Period
Insofar as a Customer qualifies for a Free Subscription Period (Adjust Base or Trial), as determined by Adjust at its sole discretion, the following shall apply in addition to the other terms set out in this Agreement:
- The duration of the Free Subscription Period and the scope/limits of the included Services are determined by Adjust at its sole discretion.
- Once a) the Free Subscription Period has expired or b) the limits of the included Services have been reached, the Customer is obliged to upgrade to a paid plan to be able to continue using the Services.
- Either Party can terminate the Free Subscription Period at any time, with immediate effect and without giving any reason.
In case of discrepancies between these specific Free Subscription Period terms and the rest of this Agreement, these specific Free Subscription Period terms shall prevail.
2.3 An upgrade of the chosen package/volume leads to a new start of the current Term (as defined below in Section 8.1). A downgrade during the current Term is not possible. If the Customer wishes to downgrade the chosen package/volume with the start of the next Term, the Customer must inform Adjust of its intent to downgrade at least 45 days prior to the start date of the next Term.
2.4 The Customer represents and warrants that all data relevant for the conclusion and execution of this Agreement (contact information etc.) provided by the Customer is complete and correct. The Customer is obliged to promptly inform Adjust about any changes to this data and/or to update altered data in its user account.
2.5 The Customer is aware that contractual declarations (e.g. confirmation email as well as other notifications) may be sent via email. They are deemed to have been received when they can be retrieved in the email inbox which was specified by the Customer during the registration.
2.6 If the Customer has chosen a package with an unlimited number of attributions/data points/monthly active users, it shall be prohibited from adding any of its subsidiaries, affiliates, group companies, other acquired companies, etc. (together referred to as 'Affiliates') to its account.
3.1 With its Services, Adjust offers the Customer software that aids in the analysis and optimization of mobile advertising campaigns and user activities on the internet.
3.2 Adjust shall render the contractual Services in accordance with the respective service description in effect at the time this Agreement is executed. Unless expressly specified otherwise in the respective service description, Adjust ensures the provision of the Services with an availability customary within the industry.
3.3 In case of unforeseen events, Adjust is entitled to suspend the Services for maintenance or repair purposes if this is necessary to ensure the proper operation of the Services.
3.4 Adjust is entitled to use the assistance of third parties in order to fulfill its contractual obligations.
4. Customer’s Rights and Obligations
4.1 The Customer is entitled to use the Services and the software provided by Adjust only for analysis and optimization of mobile advertising campaigns and user activities on the internet. If the Customer is provided with personal data whilst using the Services, the Customer may only process and use this data as far as this is legally permissible. The Customer also assures that the transfer of personal data from Adjust to the Customer is legally permissible within the agreed extent.
4.2 Customer must choose the correct settings for use of the Services and software if their services are directed to children.
4.3 The Customer agrees to keep the passwords and login data provided by Adjust for access to the Services confidential and to inform Adjust immediately as soon as the Customer becomes aware of unauthorized third parties gaining access to these passwords. If, due to the Customer’s fault, unauthorized third parties use any Services provided by Adjust by using the passwords, the Customer is liable to Adjust for usage fees and damages. The Customer must also obtain any necessary authorization to provide Adjust with login data containing personal data relating to their staff.
4.4 The Customer shall not make the Services provided by Adjust available to any third parties. In addition, the Customer shall not
- modify, translate, reverse engineer, decompile, disassemble or otherwise create derivative works from the Adjust software or documentation, of the Services or binary-code part of the Service, or otherwise attempt to discover its underlying code, structure, implementation or algorithms. Information pursuant to Section 69e of the German Copyright Act (“UrhG”) which is required to achieve interoperability with other programs created independently can be purchased from Adjust for a fee based on the current price list upon request;
- transfer, lend, rent, lease, distribute the software provided by Adjust or the Services, or use them for providing services to a third party, or grant any rights in and to the Adjust software or documentation to a third party in any form, without adjust’s express prior written and unless all respective fees have been paid and all of Adjust’s other conditions have been met; or
- remove, modify or make illegible the labels, markers or designations regarding copyrights and other intellectual property rights of the Adjust software or documentation or Services.
4.5 Customer may not perform or attempt to perform any of the following in connection with the Services:
• Breaching the security of the Services, identifying, probing or scanning any security vulnerabilities in the Services,
• Accessing data not intended for Customer;
• Interfering with, circumventing, manipulating, overloading, impairing or disrupting the operation, or the functionality of the Services;
• Working around any technical limitations in the Service;
• Using any tool to enable features or functionalities that are otherwise disabled, inaccessible or undocumented in the Services.
Insofar as Customer breaches the foregoing term, Adjust reserves the right to take any immediate reasonable measures it deems necessary to mitigate the effects of such a breach. Adjust shall notify the Customer and Customer shall remedy such breach without any delay, however, latest within 30 days of the notice, and shall ensure that no such breach is repeated. If the breach continues or is repeated, Adjust reserves the right to take permanent measures to mitigate the effects of such breach.
4.6 The Customer is aware that the product “Audience Builder” does not generate completely error-free segments in all cases. If the Customer transfers a segment generated this way to a chosen advertising partner, the Customer carries the risk that this segment corresponds content-related to the Customer’s expectations. Adjust is not liable for any defective segments, regardless of whether the error is within the responsibility of Adjust or not.
4.8 If Adjust has protected its Services by technical means (e.g. security codes, firewalls, etc.), the Customer is not allowed to circumvent or remove such security measures.
4.9 The Customer is obliged to protect its own data by taking appropriate measures and by regularly making backups of its data.
4.10 The Customer must follow Adjust’s instructions as well as the protocols and specifications as requested by adjust with regard to the telecommunication/data transmission.
4.11 During usage of the Services, Customer shall be prohibited from setting up Customer postbacks to any third party (including, but not limited to networks) with the exception of Customer postbacks to the Customer itself. Customer shall be solely liable to the fullest extent for any claims arising out of a violation of the foregoing.
5. Fees, Payment
5.1 The fees for the Services that the Customer makes use of are set out in the applicable Order Form and/or Adjust’s current valid price list. Unless explicitly stated otherwise, all fees are quoted exclusive of the statutory value-added tax (VAT) applicable at the time.
5.2 The Customer shall pay the fee for the whole Term in advance within 30 days of receipt of the invoice (prepayment). The Parties may agree on deviating payment provisions in the Order Form. If the Customer upgrades to a higher package/volume during the Term, the Customer shall be required to pay the difference between the prepayment of the current package and the prepayment of the upgraded package within 30 days of the receipt of the respective invoice. Additional attributions/data points/monthly active users will be invoiced separately.
5.3 If the Customer makes a payment via credit card, the fee will be debited with the creation of the invoice.
5.4 The fee may increase by 5% with each renewal Term.
5.5 Invoices will be sent to the Customer via email, unless expressly agreed otherwise.
5.6 Customer is responsible for paying all fees applicable to the subscription to the Services, whether or not Customer actively used, accessed or otherwise benefited from the Service. In the event of the Customer’s default of payment, Adjust is allowed to charge default charges up to EUR 5,00 or USD 5,00 as well as default interest in accordance with the statutory provisions. Adjust reserves the right to prove and assert greater damages due to default. If the Customer’s payments are considerably delayed, Adjust reserves the right to suspend the provision of any further Services, in particular the Customer’s access to the Services, at the expense of the Customer until all due payments have been made. In the event of suspended Services, the Customer is nevertheless obliged to pay the agreed fees. After having set the Customer a reasonable deadline and expiration of that deadline, Adjust has the right to terminate this Agreement with immediate effect. In case of returned direct debits or unpaid checks, the Customer shall reimburse Adjust for the costs incurred to the extent that the Customer was responsible for the event given rise to these costs. Further claims and rights to which adjust may be entitled in this respect shall remain unaffected.
5.7 Any complaints relating to an invoice must be submitted to Adjust in writing or by email to email@example.com within four weeks upon receipt of the invoice. If no such complaint has been made within four weeks upon receipt of invoice, the invoice is deemed to be accepted. Adjust will inform the Customer in the invoice about the consequences of failing to submit a timely complaint.
6. Grant of Rights, Ownership, Third Party Rights
6.1 Upon execution of this Agreement, Adjust grants the Customer the non-exclusive, non-transferable and non-sublicensable right to use the Services during the term of this Agreement, insofar as this is necessary to use the Services according to the respective Order Form or, if applicable, the respective order placed via the Self Service portal. The right of use shall expire once the Customer defaults with any payments due.
6.2 Adjust shall retain all intellectual property rights as well as any other property rights in and to the software, the Services as well as other services that are provided under this Agreement, including, patents, trademarks, source codes, databases, hardware and/or any other material (e.g. documentations, developments, functions, report templates, preparatory material, etc.).
6.3 The Customer undertakes to not violate any applicable laws, in particular third party rights (e.g. copyrights, personality rights, intellectual property rights) or the terms of this Agreement while using the Services. Insofar, the Customer shall indemnify and hold Adjust harmless from any and all third party claims (including but not limited to all costs and expenses, incl. reasonable attorney’s fees) that are being asserted against Adjust upon first request.
6.4 Unless otherwise agreed between the Parties, Adjust is entitled to refer to the collaboration with the Customer and the contractual product and to depict the Customer’s logo for self-promotional purposes.
7.1 Adjust shall be responsible that the Services correspond to their intended use. Adjust does not assume any liability for any damages resulting from a usage other than the intended use. The same applies to any damages resulting from a usage that is not in accordance with Adjust’s instructions and recommendations or any other unauthorized usage.
7.2 If the Customer experiences a Service disturbance or outage, the Customer shall notify Adjust without undue delay, providing all necessary information that may assist Adjust to restore the Service.
7.3 Adjust does not assume any liability for any disturbances, limitations, interruptions or disruptions of the Services which are caused by circumstances beyond Adjust’s area of responsibility.
7.4 No provision in the Agreement shall limit or exclude either party's liability (1) for contractual guarantees and service schedules, or (2) for personal injury or death, or (3) for damages arising from intent or gross negligence, or (4) for damages under the German Product Liability Act (“Produkthaftungsgesetz”), or, (5) except as stipulated in Section 7.5, for contractual obligations protecting material interests of the other party under the Agreement (“Cardinal Obligations”), i.e. obligations that characterize the Agreement and on which the other party may rely.
7.5 Either party’s liability for violations of Cardinal Obligations shall be limited to typical damages foreseeable at the time the Agreement was concluded and shall become time-barred within one year upon occurrence of the damage. Such liability shall be limited to the amount payable by the Customer in the 12-month preceding the event leading to the liability or € 200,000.00 aggregate, whichever is higher.
7.6 The aforementioned provisions shall apply accordingly to the parties’ employees and agents.
7.7 The Customer shall indemnify Adjust from any third-party claims arising from the Customer unlawfully using the Service provided by Adjust. In addition, the Customer shall indemnify Adjust from any third-party claims arising from the Customer's breach of the obligations set out in 10.3.
7.8 The Adjust Systems shall be available at least 99.8% of the annual mean. Adjust points out that the services may be interrupted or disrupted by circumstances beyond Adjust’s area of responsibility, including but not limited to acts of third parties that do not act on Adjust’s behalf, technical conditions of the internet that Adjust cannot influence, or force majeure. If such circumstances interfere with the availability or functionality of the Services provided by Adjust, this has no effect on the contractual conformity of the Services provided by Adjust.
7.9 After the provision of the Services, Adjust will provide or make available to the Customer the “Output Data” which means the various reports, analytics, and other types of information and data that the Service may generate.
Adjust has no responsibility or liability, regarding Customer’s reliance upon, or use of, the Output Data, Customer’s actions or omissions in connection with the Output Data, or any consequences resulting therefrom.
Customer assumes sole and exclusive responsibility to carry out such actions as it deems appropriate as a result of the Output Data.
7.10 With regard to the product Fraud Prevention Suite Adjust assumes no guarantee and accepts no liability whatsoever (neither express nor implied) for the success of the Fraud Prevention Suite with respect to the prevention of illegitimate installs and purchases.
8. Term, Termination
8.1 The term of this Agreement is determined in the Order Form or, if applicable, the order form in the Self Service portal.
8.2 In case the Customer has chosen a fee-based package in accordance with Section 2.2 b) ii) above, the term of this Agreement shall be concluded for twelve (12) consecutive months and extended for (twelve 12) months on a rolling basis (every twelve months hereinafter referenced as a “Term”). Each Party has the right to terminate a Term by giving notice at least 45 days prior to the end of each Term. The termination must be made in writing and be submitted via mail or email (firstname.lastname@example.org).
The right to immediate termination for cause shall remain unaffected. In particular, Adjust has the right to immediately terminate this Agreement
- if the Customer breaches its obligations pursuant to Section 4.2, 4.3, 4.4, 4.5, 4.7, 4.8, 6.3 or 9 of these Terms and Conditions,
- if the Customer is in default of payment and does not settle the outstanding payment upon receipt of a warning letter with a deadline for payment and expiration of that deadline to no avail,
- if the Customer publishes racist, pornographic, immoral or illegal content on its website and/or content which glorifies or trivializes violence,
- if the Customer is insolvent, subject to insolvency proceedings, insolvency proceedings have been commenced or the commencement of insolvency proceedings is dismissed due to lack of assets,
- if the Customer violates the provisions of this Agreement and fails to remedy this violation upon receipt of a written request with an adequate deadline. No such request is necessary if it has no prospect of success or if the violation is so serious that adjust cannot be reasonably expected to adhere to this Agreement. A violation is also be deemed serious if the Customer has received notices of warnings several times because of similar violations.
8.3 The Parties will renegotiate the commercial details (fees and volume included) of this Agreement and/or the applicable Order Form if the account of the Customer shows an abnormally high amount of tracked Data Points (“Misuse”). Data Points are the sum of all sessions (which include but are not limited to installs, attributions and reattributions), events, impressions and clicks which are tracked on behalf of the Customer.
Indications for a Misuse include but are not limited to : i) abnormally high amount of clicks and irregularly low conversion rate (“Click Spamming”) or ii) abnormally high amount of impressions or custom events.
In the event that i) the Customer fails to remedy the Misuse within three (3) working days upon Adjust's first written request; ii) the Parties fail to reach an agreement on the adjustment of this Agreement and/or the Order Form iii) the Parties reach an agreement, but the Customer’s account shows repeated/continuous Misuse of the Services, Adjust reserves the right to terminate this Agreement and the Order Form extraordinarily upon providing a 14-days notice to the Customer.
8.4 Upon termination of this Agreement, the Customer is obliged to delete all copies of the codes that were provided by Adjust.
8.5 The notice of termination is excluded prior to the end of the Term. If the Customer terminates this Agreement disregarding such exclusion, then the Customer shall be subject to a contractual penalty in the amount of the outstanding payments.
9.1 The parties shall keep all documents, information and data which have been disclosed during the course of the cooperation strictly confidential during the term of this Agreement and for 3 years thereafter. The parties undertake to use the same degree of care in safeguarding the documents, information and data of the other party that is used for its own confidential information, but a least with the due care of a prudent business man. All such documents, information and data shall be used exclusively to perform the contractual services.
9.2 These confidentiality obligations also apply to documents, information and data that relate to companies affiliated with the parties, other cooperation partners or contractors and to documents, information and data about customers and sales representatives of the parties.
9.3 These confidentiality obligations do not apply to documents, information and data that are in the public domain or later become part of the public domain through no breach of contract by a party, is required to be disclosed by operation of law, court or administrative order or that has been subsequently exempted from this confidentiality obligation by an agreement in writing, per fax or via email.
10. Data Protection
10.1 The Customer is obliged to comply with the applicable data protection law when using the Services and software and any requirements provided by the Apple App Store and/ or Google Play Store.
10.2 Pursuant to art. 28 European General Data Protection Regulation (“GDPR”), the processing of personal data by Adjust on behalf of the Customer requires a written agreement (“Data Processing Agreement”). The Customer hereby commissions Adjust to process personal data on its behalf by concluding a separate agreement in accordance with the scope and the conditions of the annex “Contractual Terms and Conditions for Data Processing”.
10.3 The Customer is responsible to obtain and maintain valid consents from all their end-users, as may be necessary under applicable law (including data protection or data processing laws and regulations) to process their personal data in the manners and for the purposes set forth in this Agreement. Consent from all of the Customer’s its end-users is required if the Customer uses the product “Audience Builder".
10.4 The Customer must choose the correct settings for use of the Services and software if their services are directed to children. Specifically, the Customer must limit the collection and processing of personal data regarding children and obtain any necessary consent where required by law including art. 8 GDPR and the US Children’s Online Privacy Protection Act (“COPPA").
11. Export Control
11.1 For the purposes of this section the following definitions shall apply:
“Export Control Law” means all applicable export control laws, regulations, orders or decisions of any government agency or court, such as national, international, EU, and U.S. export control laws, embargoes, sanctions, or other restrictions, affecting any business or transaction such as export, import, supply, sale or purchase, provision or receiving of services or technical support, investments, or payments between adjust and the Customer or any third party. An Export Control Law is only applicable insofar as compliance with this law does not result in a violation of Section 7 of the German Foreign Trade Ordinance (Aussenwirtschaftsverordnung), EU Council Regulation (EC) No 2271/96 of 22 November 1996, or any other German or EU anti-boycott law.
“Sanctioned Person” means any natural or legal person, entity or body with which the conduct of any business or transaction is restricted or prohibited by Export Control Law.
“Necessary License” means any license or permission required by Export Control Law to perform services or any other act.
11.2 The Customer warrants to comply with Export Control Law in all respects as regards the performance of this Agreement. Where Export Control Law requires the Customer to apply for Necessary Licenses, the Customer warrants to obtain all Necessary Licenses related to the performance of this Agreement.
11.3 The Customer confirms that the Services and software provided by Adjust and any related technology will not be used directly or indirectly for any purpose or in any way which contravenes Export Control Law.
11.4 The Customer confirms that it is not a Sanctioned Person. The Customer immediately informs Adjust if it becomes a Sanctioned Person. The Customer ensures that Adjust never has any direct or indirect contact with a Sanctioned Person.
11.5 Adjust has the right to terminate the Agreement at any time if the Export Control Law precludes the performance of the Agreement, in particular if a Necessary License is not granted or Sanctioned Persons are involved in the performance of the Agreement.
11.6 If the Customer breaches the above obligations, it shall – without prejudice to other provisions – bear all damages, expenses and other disadvantages incurred by Adjust as a result thereof. This does not apply if the Customer is not responsible for the breach of its obligations.
12. Final Provisions
12.1 Place of performance and exclusive place of jurisdiction for all disputes between the parties shall be Berlin if the Customer is a merchant, a legal entity under public law or a special fund under public law. Berlin shall also be the exclusive place of jurisdiction if the Customer does not have a general place of jurisdiction in Germany, if the Customer, once it has concluded the contract, moves its domicile out of Germany or whose domicile is unknown at the time the lawsuit is filed.
12.2 If any provision of this Agreement or part thereof is invalid or becomes invalid at a later time, the validity of the remaining provisions shall remain unaffected. The relevant provision shall be replaced by a provision that as closely as possible reflects the economic purpose of the invalid provision. The foregoing shall apply analogously if any provision has inadvertently been omitted.
12.3 Unless expressly agreed otherwise, the legal relationship between Adjust and the Customer shall be governed by and construed in accordance with German law.
12.4 Adjust has the right within the scope of the contractual purpose to process the data that was provided in accordance with applicable data protection law, or to commission third parties.
12.5 In case of a merger or acquisition, the Customer is nevertheless obliged to fulfil all of its obligations under this Agreement. Termination shall only be possible in accordance with section 8 of this Agreement.
Annex “General Terms and Conditions for Data Processing”
1. Scope of Application
The Contractual Terms for Data Processing (“Contractual Terms”) contain the Parties’ obligations with regard to data protection, which arise in connection with the commission of Adjust GmbH (hereinafter “Processor”) by the contracting party (hereinafter “Controller”) pursuant to article 28 Regulation (EU) 679/2016 (“GDPR”). The scope covers all tasks pursuant to the service description of these Contractual Terms during which the Processor’s employees or third parties commissioned by the Controller come into contact or could come into contact with personal data.
2. Service Description
2.1. The Processor processes data on behalf on the Controller. Data Processing is the collection, use, retention, alteration, transmission, blocking or deletion of personal data by the Processor on behalf of the Controller. For this purpose, device and connection data are read out when visiting a website and when interacting with online advertisements and are stored for the recognition of a user as well as for tracking his usage behavior.
2.2. The purpose of the collection of this data is the processing of data for analyzing the user activities of end-users and thus optimizing the advertising campaigns of the Controller. The Data Processing includes the following data:
- IP addresses
- MAC addresses
- Device IDs including all advertising IDs
- HTTP Header including Processor’s SDK version and user agent (country, language, local settings, (version of the) operating system) as well as the app-version
- User device and web activity information
- App and event token.
The Controller may send additional data about its customers and users to the Processor. If applicable, the data will also be passed on to third parties if the Controller instructs the Processor to do so.
2.3 If applicable, for the the Fraud Prevention Suite feature the following data will be processed in addition to the data mentioned in section 2.2:
- sensory data,
- soft keyboard events,
- other data provided by the Controller.
The purpose of the processing of this data is the provision of a platform for detecting fraudulent activities made by users of Controller’s service, including maintenance, support, enhancement, and deployment of the same.
2.4 If applicable, for the Automate Enterprise Product (formerly known as Acquired.io ), the following data will be processed:
- IP address, Country, Region of users of customers’ products
- User’s device specification
- Device identifier (Google Advertising ID (GAID) on Android devices and Identity for Advertisers (IDFA) for iOS), Advertising Id
- Full Name and registered email, telephone number
- Account information for third party services (including, but not limited to any advertising channels), including login and password
- Customer’s spend and revenue collected the from third party services (including, but not limited to any advertising channel)
- Creatives (image and video files)
Data collected from accounts in third party services (including, but not limited to any advertising channels), which includes the following:
- Behavioral Data: Time and count of ad-related and in-app events; amount of user spend.
- Personal Data: IP address, country, region of users of customers’ products; user’s device specification; Google Advertising ID, iOS Identity for Advertisers (IDFA)
3. Affected Persons (Data Subjects), Responsibility
3.1. The group of data subjects affected by the processing of their data within this commission includes in particular the users who visit the Controller’s app/website, therefore clients and prospective clients and for the Automate Enterprise Product, the employees of the Controller who make use of the Services set out in the Service Agreement.
3.2. The Controller shall be solely responsible for compliance with the applicable data protection laws, in particular regarding the data transfer to the Processor and the data processing. Due to this responsibility, the Controller shall be entitled to request the deletion or return of the data during and after the term of the agreement.
4. Controller’s Rights and Obligations
4.1. The Controller and the Processor are each responsible for compliance with the applicable data protection laws regarding the data to be processed.
4.2. The Controller shall promptly inform the Processor if he discovers any errors and/or irregularities with regard to the applicable data protection laws during his control of the results of such data processing.
4.3. The Controller has audited the proper processing of his data as well as the technical and organizational measures taken by the Processor on site, and shall continue to audit the compliance of such measures and document the results of such audits in writing during the term of the agreement. Proof of such measures, which concerns not only the specific contract, may be provided by certificates, reports or report extracts of independent instances (e.g. auditor, revision, data protection officer, IT security department, data protection auditors, quality auditors) or by a suitable certification by IT security or data protection audits.
4.5. Upon the expiration of the agreement, the Controller shall be obliged to decide whether the data is to be returned or deleted within a reasonable time period set by the Processor.
4.6. Controller shall be obliged to keep a record of processing activities in accordance with art. 30 GDPR with Processor mentioned as the recipient of data set forth in 2.2, 2.3. and/or 2.4.
5. Processor’s Obligations
5.1. The Processor shall process data only within the scope of the Controller’s instructions as contractually agreed (art. 28 para. 3 GDPR). Instruction shall mean the written instruction issued by the Controller to the Processor that directs the Processor to perform a specific action with regard to personal data. Such instructions are specified within the scope of these Contractual Terms and can thereafter be modified, amended or substituted by the Controller by separate written instructions (“Individual Instruction”). Verbal instructions are immediately confirmed by the Controller (at least in text form).
5.2. Where a data subject directly addresses the Processor, the Processor shall immediately forward this request to the Controller. Insofar as it is included in the scope of services, the erasure policy, ‘right to be forgotten’, rectification, data portability and access shall be ensured by the Processor in accordance with documented instructions from the Controller without undue delay.
5.3. Processor shall promptly inform the Controller pursuant to art. 28 para. 3 subpara. 2 GDPR if he believes that an Instruction is in violation of data protection law.
5.4. The Processor shall design its internal corporate organization to ensure compliance with the specific requirements of data protection within the Processor’s area of responsibility and the protection of the rights of the data subjects affected. In particular, the Processor shall implement the technical and organizational measures as stipulated in Section 6 herein to adequately protect the data from misuse and loss in accordance with art. 28 para. 3, art. 32 GDPR.
5.5. The Processor has chosen a data privacy officer in writing, who carries out its activities pursuant to art. 38 and 39 GDPR. Prof. Dr. Christoph Bauer, Große Bleichen 21, 20354 Hamburg, +49 40 609451 810, email@example.com is appointed as external data protection officer. A change of the data protection officer shall be communicated to the Controller without delay.
5.6. The Processor entrusts only such employees with the data processing outlined in this contract who have been bound to confidentiality and have previously been familiarized with the data protection provisions relevant to their work. The Processor and any person acting under its authority who has access to personal data, shall not process that data unless on instructions from the Controller, which includes the powers granted in this contract, unless required to do so by law
5.7. The Processor shall promptly inform the Controller in the event of a serious interruption of the operating schedule, suspicion of data protection breaches or any other irregularity related to the processing of the Controller’s data.
5.8. The Processor and the Controller shall cooperate with the supervisory authority on request in carrying out their tasks. Insofar as the Controller is subject to an inspection by the supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a data subject or by a third party or any other claim in connection with the order or contract data processing by the Processor, the Processor shall make every effort to support the Controller.
5.9. All data carriers provided to Processor as well as any copies thereof remain the Controller’s property. The Processor shall store such data carriers with diligence and protect them against unauthorized access by third parties. The Processor shall be obliged to inform the Controller about its data and records at any time.
5.10. The Processor shall be obliged to delete any test and scrap material in accordance with the applicable data protection laws upon an instruction issued by the Controller on a case-by-case basis. In specific cases the Processor shall hand over such material to the Controller or store on the Controller’s behalf upon request of the Controller.
5.11. Upon the expiry of this agreement, the Processor shall be obliged to hand over to the Controller all personal data that was provided with regard to the commission that has not been processed or deleted yet or to provide proof of their proper deletion.
5.12. The Processor shall assist the Controller in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations, referred to in articles 32 to 36 of the GDPR. These include ensuring an appropriate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events, the obligation to report a personal data breach immediately to the Controller, the duty to assist the Controller with regard to the Controller’s obligation to provide information to the Data Subject concerned and to immediately provide the Controller with all relevant information in this regard, supporting the Controller with its data protection impact assessment, supporting the Controller with regard to prior consultation of the supervisory authority.
5.13. The Processor may claim compensation for support services which are not included in the description of the services and which are not attributable to failures on the part of the Processor.
6. Technical and Organizational Measures
6.1. Before the commencement of processing, the Processor shall document the execution of the necessary technical and organizational measures, set out in advance of the awarding of the order or contract, specifically with regard to the detailed execution of the contract, and shall present these documented measures to the Controller for inspection. Upon acceptance by the Controller, the documented measures become the foundation of the contract. Insofar as the inspection/audit by the Controller shows the need for amendments, such amendments shall be implemented by mutual agreement.
6.2. The Processor shall establish the security in accordance with art. 28 para. 3 point c, and art. 32 GDPR in particular in conjunction with art. 5 para. 1, 2 GDPR. The measures to be taken are measures of data security and measures that guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of art. 32 para. 1 GDPR must be taken into account.
6.3. The technical and organizational measures are subject to technical progress and further development. In this respect, it is permissible for the Processor to implement alternative adequate measures. In so doing, the security level of the defined measures must not be reduced. Substantial changes must be documented. The technical and organizational measures to adequately protect the Controller’s data include:
a) Confidentiality (art. 32 para. 1 point b GDPR)
· Physical access control: The prevention of unauthorized parties gaining access to personal data processing systems. These measures include an electronic access control system with protocols, a documented key allocation to employees and colocation-customers for colocation racks, video surveillance of the entrances and exits and a 24/7 occupancy of the computer center at the subcontractor’s premises (LeaseWeb). In addition, there are guidelines on how to accompany and identify guests in the building.
· Logical access control: Measures that prevent the unauthorized use of the data processing systems. A password protected access is used that only authorized personnel can use.
· Data access control: Measures that ensure that people entitled to use the data processing systems can solely access data that they are entitled to access in accordance with their access rights, and that during the course of processing, use and after storage, personal data cannot be read, copied, modified or deleted without authorization. Audit-proof and binding authorization procedures have been implemented for the authorized employees.
· Separation control: Measures that ensure that data that was collected for different purposes can be processed separately. The data is physically or logically stored separately from other data and the data backups are made on systems that are logically and/or physically separate.
· Pseudonymisation (art. 32 para. 1 point a GDPR; art. 25 para. 1 GDPR) The processing of personal data in such a method/way, that the data cannot be associated with a specific data subject without the assistance of additional Information, provided that this additional information is stored separately, and is subject to appropriate technical and organisational measures.
b) Integrity (art. 32 para. 1 point b GDPR)
· Data transfer control: Measures that ensure that during electronic transmission, transport or storage on data carriers personal data cannot be read, copied, modified or deleted without authorization, and that it can be established and verified to which entities a transfer of personal data by means of data transmission facilities is planned. All employees have undertaken to comply with the principle of data secrecy and there are capacities for encrypted data transmissions. Furthermore, the data is deleted in accordance with data protection laws after the end of the commission.
· Entry control: Measures that ensure the establishment of an audit trail to document whether and by whom personal data have been entered into, modified in or removed from the data processing systems.
c) Availability and Resilience (art. 32 para. 1 point b GDPR)
· Availability control: Measures that ensure that personal data are protected against accidental destruction or loss. Backup and recovery procedures with a daily mirroring of the data have been implemented. The technical availability is ensured by hard disk mirroring. In addition, there is uninterruptible power supply and a firewall system as well as port regulations are in place.
· Rapid Recovery (art. 32 para. 1 point c GDPR) Processor creates continuous backups, which are also continuously transferred to a remote site. With this back-up, Processor can restore data. There is a regular check to see if recovery works this way.
d) Procedures for regular testing, assessment and evaluation (art. 32 para. 1 point d GDPR; art. 25 para. 1 GDPR)
· Data protection management: All employees are demonstrably committed to data secrecy and receive a training at least once a year. The Processor and Leaseweb have both appointed a data protection officer.
For the Processor it’s Prof. Dr. Christoph Bauer
For Leaseweb it’s Christian May. Please contact firstname.lastname@example.org.
· Incident response management: In the event of a data loss, notification to the relevant data protection authority will be happening immediately. In addition, the management and the data protection officer are informed immediately. Users and others may report any loss of data to email@example.com.
· Data protection by design and default (art. 25 para. 2 GDPR): The Processor only collects data that is mandatory to promote their product.
· Control of instructions: Measures that ensure that personal data that are being processed on behalf of the Controller are processed solely in accordance with the Controller’s instructions. The employees are instructed on the relevant data protection law on a regular basis, and they are familiar with the procedural requirements and user guidelines for data processing. The unambiguous wording of the contract ensures that the data may only be processed in accordance with the instructions issued by the Controller.
7. Correction, Blocking and Deletion of Data
7.1. Copies or duplicates of the data shall never be created without the knowledge of the Controller, with the exception of back-up copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory requirements to retain data.
7.2. After conclusion of the contracted work, or earlier, upon request by the Controller, at the latest upon termination of this agreement the Processor shall hand over to the Controller or – subject to prior consent – destroy all documents, processing and utilization results, and data sets related to the contract that have come into its possession, in a data-protection compliant manner.
7.3. If a data subject contacts the Processor directly to request the correction or deletion of his data, the Processor shall promptly forward this request to the Controller. If, under the provisions of the data protection law, the Controller is obliged to provide an individual with information on the collection, processing or use of the personal data, the Processor shall assist him in the provision of this information provided the Controller has requested the Processor to do so in writing and shall reimburse the Processor for the costs incurred.
7.4. Documentation which is used to demonstrate orderly data processing in accordance with the order or contract shall be stored beyond the contract duration by the Processor in accordance with the respective retention periods. It may hand such documentation over to the Controller at the end of the contract duration to relieve the Processor of this contractual obligation.
8. Controller’s Right of Inspection
8.1. Upon prior timely notification, the Controller shall be entitled to assure himself of the adequateness of the technical and organizational measures taken by the Processor on the Processor’s premises during the regular business hours and without interrupting the business operations.
8.2. The Processor shall ensure that the Controller is able to verify the compliance of the Processor with the obligations pursuant to art. 28 GDPR. The Processor undertakes to give the contracting authority the necessary information on request and, in particular, to demonstrate the implementation of the technical and organizational measures. The Processor is entitled to claim compensation for the possibility of inspections by the Controller.
9.1. Subcontracting for the purpose of this agreement is to be understood as meaning services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal / transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. The Processor shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the Controller's data, even in the case of outsourced ancillary services.
9.2. The Processor shall be entitled to subcontract the Processor’s obligations to third parties. The Processor must inform the Controller prior to each deployment of a subcontractor and any intended change in relation to the involvement or replacement of any subcontractors. The Controller then has the right to oppose the use of such subcontractors within three weeks. The Processor may fulfill his obligation to inform the Controller by updating the list of subcontractors in this section. The Processor will initially use the following subcontractors:
• Leaseweb Germany GmbH, Kleyerstrasse 79, 60326 Frankfurt am Main, Germany
• Leaseweb Netherlands B.V. Hessenbergweg 95 1101 CX Amsterdam, The Netherlands
• Leaseweb USA, Inc., 9301 Innovation Drive, Suite 100, Manassas, VA 20110, USA
9.3. If the Processor engages subcontractors, the Processor is obliged to pass on the contractual obligations hereunder to such subcontractors. In particular, the contract with the subcontractor shall include audit and inspection rights for the Controller in accordance with the terms of this agreement. Upon the Controller’s written request, the Controller shall also be entitled to receive information about the essential terms of the contract and the implementation of the data protection obligations by the subcontractor, e.g. by reviewing the relevant agreement.
9.4. The transfer of personal data of the Controller to the subcontractor and its first-time action are only permitted if all the prerequisites for subcontracting are met. The term of this agreement as well as the right of termination are determined by the agreement between the parties pursuant to adjust’s General Terms and Conditions and the respective offer and/or assignment by the Processor.
The term of this agreement as well as the right of termination are determined by the agreement between the parties pursuant to adjust’s General Terms and Conditions and the respective offer and/or assignment by the Processor.
The compensation for all services to be rendered pursuant to these Contractual Terms is included in the compensation agreed upon between the parties within the offer and/or the assignment. The parties agree that the provisions on the limitation of liability as included in adjust’s General Terms and Conditions shall analogously apply.
12.1. In the event that the Controller’s data is endangered due to a levy of execution or confiscation, insolvency proceedings or any other events and/or third party measures, the Processor shall promptly notify the Controller. The Controller hall promptly notify all people who are responsible in this context of the Controller having retained ownership of these data.
12.2. If any provision of these Contractual Terms is invalid, the validity of the remaining provisions shall remain unaffected.
12.3. The legal relationship between the Controller and the Processor shall be governed by and construed in accordance with German law. Exclusive place of jurisdiction shall be the Processor’s domicile to the extent permitted by law.