General Terms and Conditions for adjust GmbH & adjust KK
1. Scope of Application
1.1 The following General Terms and Conditions apply to all contracts and services rendered between and/or by adjust GmbH, adjust Inc. or adjust KK (“adjust”) and its customers with regard to the use of adjust products and adjust services (hereinafter collectively “adjust Services”). These General Terms and Conditions constitute a material part of each agreement unless expressly agreed otherwise in writing.
1.2 These General Terms and Conditions apply to any future business transaction between adjust and the customer, even without express reference thereto.
1.3 Any deviating terms and conditions of the customer as well as any deviations and/or amendments to these General Terms and Conditions shall only become part of the agreement if they have been expressly acknowledged by adjust in writing (email is sufficient). These General Terms and Conditions shall also apply exclusively if adjust has not explicitly objected any contrary terms and conditions.
1.4 adjust reserves the right to modify these General Terms and Conditions with effect for the future at any time. In this case, adjust will notify the customer of these changes. The changes shall be deemed to be accepted if the customer does not object within three weeks after receipt of the amendment notification. adjust will inform the customer in its amendment notification about the customer’s right to object and the effects of a lack of objection. If the customer rejects the changes, adjust has the right to terminate the agreement.
2. Offer and Conclusion of a Contract
2.1 Offers by adjust are subject to change. The subject matter of the contract are the adjust products and services as offered in the current service description at the time the contract is concluded. adjust reserves the right to make technical changes and improvements to its products and services within a reasonable scope.
2.2 The agreement between adjust and the customer is either concluded upon signature of an individual order (“Insertion Order”) by adjust and the customer or online via adjust’s Self Service portal.
a) Insertion Order In order to conclude an agreement by means of an Insertion Order, the customer must send the countersigned Insertion Order to adjust by fax or by email (“Acceptance”). In addition to any provisions contained in the Insertion Order, these General Terms and Conditions shall apply.
b) Self Service In order to conclude an agreement online via adjust’s Self Service portal, the customer must register itself online with adjust. The registration needs to be confirmed by adjust by sending a confirmation email to the email address that was provided by the customer. A right to claim registration does not exist; adjust expressly reserves the right to reject a registration without stating reasons. The customer’s adjust user account will be activated by the user by clicking on the activation link. The user account is non-transferable. The customer must keep the password secret and protect it against any wrongful use by unauthorized third parties.
The customer can order adjust’s products and services via its user account. adjust offers different packages for its adjust Services. The details for all available packages can be found in the customer’s account.
Fee-based packages: To order a fee-based package, the customer must choose a package and click on the button “Buy” in order to make a binding offer to order the adjust package. adjust will confirm the receipt of such order via email. However, such confirmation does not constitute an acceptance of the offer. The agreement between the customer and adjust will be concluded by adjust’s acceptance of the customer’s offer in writing, via email or by making the adjust Software available. adjust is not obliged to accept the customer’s offer.
The customer can change the chosen package via its user account at any time. If the customer reduces its package to a cheaper package, the monthly fee will be reduced accordingly as per beginning of the next billing cycle. If the customer chooses to upgrade its package to a more expensive package, the monthly fee will instantly be increased accordingly.
2.3 The customer represents and warrants that all personal information as well as other relevant contractual data provided by customer during the conclusion of the agreement is complete and correct. The customer is obliged to promptly inform adjust about any changes to this data and/or to update altered data in its user account. In the event of a culpable breach of this obligation, adjust is entitled to suspend the contractual services upon giving prior notice.
2.4 The customer is aware that contractual declarations (e.g. confirmation emails, amendments to the General Terms and Conditions as well as other notifications) may be sent via email. They are deemed to have been received when they can be retrieved in the email inbox which was specified by the user during the registration under normal circumstances.
3. adjust Services
3.1 With its adjust Services, adjust offers the customer software that analyzes and optimizes mobile advertising campaigns.
3.2 adjust shall render the contractual service in accordance with the respective service description in effect at the time the contract was concluded. Unless expressly specified otherwise in the respective service description, adjust ensures the provision of the adjust Services with an availability customary within the industry.
3.3 In case of unforeseen events, adjust is entitled to suspend the adjust Services for maintenance or repair purposes if this is necessary to ensure the proper operation of the adjust Services.
3.4 adjust is entitled to use the assistance of third parties in order to fulfill its contractual obligations.
4. Customer’s Rights and Obligations
4.1 The customer is entitled to use the adjust Services and the software provided by adjust only to the extent described hereafter. The data is used to analyze the in-app behavior of the customer's app users and to optimize advertising and marketing campaigns. If the customer is provided with personal data whilst using the Services, the customer may only process and use this data as far as this is legally permissible. The customer also assures that the transfer of personal data from Adjust to the customer is legally permissible within the agreed extent.
4.2 Customer must choose the correct settings for use of the adjust Services and Software if their services are directed to children.
4.3 The customer agrees to keep the passwords and login data provided by adjust for access to the adjust Services confidential and to inform adjust immediately as soon as the customer becomes aware of unauthorized third parties gaining access to these passwords. If, due to the customer’s fault, unauthorized third parties use any services provided by adjust by using the passwords, the customer is liable to adjust for usage fees and damages.
4.4 The customer shall not make the software provided by adjust available to any third parties. In addition, the customer shall not
- modify, translate, reverse engineer, decompile, disassemble or otherwise create derivative works from the adjust software or documentation. Information pursuant to Section 69e of the German Copyright Act (“UrhG”) which is required to achieve interoperability with other programs created independently can be purchased from adjust for a fee based on the current price list upon request;
- transfer, lend, rent, lease, distribute the software provided by adjust or the adjust Services, or use them for providing services to a third party, or grant any rights in and to the adjust software or documentation to a third party in any form, without adjust’s express prior written and unless all respective fees have been paid and all of adjust’s other conditions have been met; or
- remove, modify or make illegible the labels, markers or designations regarding copyrights and other intellectual property rights of the adjust software or documentation.
4.5 The Customer is aware that the product “Audience Builder” does not generate completely error-free segments in all cases. If the Customer transfers a segment generated this way to a chosen advertising partner, the Customer carries the risk that this segment corresponds content-related to the Customer’s expectations. Adjust is not liable for any defective segments, regardless of whether the error is within the responsibility of Adjust or not.
4.7 If adjust has protected its adjust Services by technical means (e.g. security codes, firewalls, etc.), the customer is not allowed to circumvent or remove such security measures.
4.8 The customer is obliged to protect its own data by taking appropriate measures and by regularly making backups of its data.
4.9 The customer must follow adjust’s instructions as well as the protocols and specifications as requested by adjust with regard to the telecommunication/data transmission.
5. Fees, Payment
5.1 The fees for the adjust Services that the customer makes use of are set out in the applicable Insertion Orders/order forms and/or adjust’s current valid price list. Unless explicitly stated otherwise, all fees are quoted exclusive of the statutory value-added tax (VAT) applicable at the time. If the customer places an order via its customer account in the Self Service portal, adjust accepts the payment methods as shown in the customer account (e.g. payment by credit cards). When paying by credit card, the credit card on file will be charged with the amount as indicated in the agreed order. Customers choosing Basic or Business Packages are obliged to conduct monthly payments via credit card. Basic and Business Customers may choose a different type of payment method (invoicing) only if they make a pre-payment of the agreed fees of at least 6 months.
5.2 Invoices will be sent to the customer via mail or in electronic form, unless expressly agreed otherwise.
5.3 The payment of the invoices shall be due within 30 days of the invoice date. In the event of the customer’s default of payment, adjust is allowed to charge default charges up to EUR 5,00, USD 5,00 or JPY 700,00 respectively as well as default interest in accordance with the statutory provisions. adjust reserves the right to prove and assert greater damages due to default. If the customer’s payments are considerably delayed, adjust reserves the right to suspend the provision of any further services, in particular the customer’s access to the adjust Services, at the expense of the customer until all due payments have been made. In the event of suspended services, the customer is nevertheless obliged to pay the agreed fees. After having set the customer a reasonable deadline and expiration of that deadline, adjust has the right to terminate the agreement with immediate effect. In case of returned direct debits or unpaid checks, the customer shall reimburse adjust for the costs incurred to the extent that the customer was responsible for the event given rise to these costs. Further claims and rights to which adjust may be entitled in this respect shall remain unaffected. Even if the customer does not use the provided adjust Services, the customer is still obliged to pay the agreed fees.
5.4 Any complaints relating to an invoice must be submitted to adjust in writing or by email to email@example.com within four weeks upon receipt of the invoice. If no such complaint has been made within four weeks upon receipt of invoice, the invoice is deemed to be accepted. adjust will inform the customer in the invoice about the consequences of failing to submit a timely complaint.
6. Grant of Rights, Ownership, Third Party Rights
6.1 Upon conclusion of the agreement, adjust grants the customer the non-exclusive, non-transferable and non-sublicensable right to use the adjust Services during the term of the agreement, insofar as this is necessary to use the adjust Services according to the respective Insertion Order or the respective order placed via the Self Service portal. The right of use shall expire once the customer defaults with any payments due.
6.2 adjust shall retain all intellectual property rights as well as any other property rights in and to the adjust software, the adjust Services as well as other services that are provided under this contract, including source codes, databases, hardware and/or any other material (e.g. documentations, developments, functions, report templates, preparatory material, etc.).
6.3 The customer undertakes to not violate any applicable laws, in particular third party rights (e.g. copyrights, personality rights, intellectual property rights) or the terms of this agreement while using the adjust Services. Insofar, the customer shall indemnify and hold adjust harmless from any and all third party claims (including but not limited to all costs and expenses, incl. reasonable attorney’s fees) that are being asserted against adjust upon first request.
6.4 Unless otherwise agreed between the parties, adjust is entitled to refer to the collaboration with the customer and the contractual product and to depict the Customer’s logo for self-promotional purposes.
7.1 adjust shall be responsible that the adjust Services correspond to their intended use. adjust does not assume any liability for any damages resulting from a usage other than the intended use. The same applies to any damages resulting from a usage that is not in accordance with adjust’s instructions and recommendations or any other unauthorized usage.
7.2 Upon receipt of the services, the customer is obliged to immediately notify adjust of any obvious defects in writing whereas timely dispatch shall suffice to keep the term. The customer will provide adjust with all documents necessary for the analysis and debugging attempts and will provide adjust with access to the customer’s servers, if necessary.
7.3 adjust does not assume any liability for any disturbances, limitations, interruptions or disruptions of the adjust Services which are caused by circumstances beyond adjust’s area of responsibility.
7.4 adjust shall only be liable for any damages which can be attributed to a willful or gross negligent violation of a duty by adjust, its legal representatives or employees, as a result of grave organizational neglect or which are based on defects of a warranted quality of the adjust Products, pursuant to the statutory provisions. This limitation shall not apply to any damages resulting from injury of life, body or health.
7.5 Irrespective of the legal grounds, adjust shall only be liable for damages that have been caused by the culpable breach of a cardinal contractual obligation by its legal representatives or vicarious agents. Liability in this regard shall be limited to the typical damages that were reasonably foreseeable at the time the contract was concluded, however to a maximum of EUR 25.000,00 per incident of damage and to a maximum of EUR 50.000,00 per contract. Liability pursuant to the German Product Liability Act (“Produkthaftungsgesetz”) shall remain unaffected. adjust’s liability for indirect damages, in particular loss of profit, is hereby excluded.
7.6 The aforementioned liability provisions shall apply accordingly to adjust’s employees and agents.
7.7 Any claims for damages arising from a slight negligence by adjust shall become time-barred within one year upon occurrence of the damage. This limitation shall not apply to any damages resulting from injury of life, body or health. All other claims for damages shall become time-barred within the statutory period.
7.8. The customer is obliged to indemnify adjust from any third party claims that may have arisen as a result of the customer unlawfully using the data provided by Adjust. The indemnity obligation does not apply insofar as the claim is based on a gross negligent or intentional breach of a duty by adjust. In addition, Customer indemnifies adjust from any third-party claims arising on first demand arising from Customer's breach of the obligations set out in 10.3.
7.9. The adjust Systems shall be available at least 99,8 % of the annual mean. adjust points out that the services may be interrupted or disrupted by circumstances beyond adjust’s area of responsibility, including but not limited to acts of third parties that do not act on adjust’s behalf, technical conditions of the internet that adjust cannot influence or force majeure. If such circumstances interfere with the availability or functionality of the services provided by adjust, this has no effect on the contractual conformity of the services provided by adjust.
8. Term, Termination
8.1 The term of the agreement is determined in the Insertion Orders or the order form in the Self Service portal. Each party has the right to terminate the agreement at any time by giving 30 days notice to the next billing period. The termination must be made in writing and be submitted via mail or fax.
8.2 In case the Customer has chosen a fee-based package in accordance with Section 2.2 b) ii) above, the term of the agreement shall be concluded for twelve (12) consecutive months and extended for (twelve 12) months on a rolling basis unless terminated by either party (every twelve months hereinafter referenced as a “Term”). Each Party has the right to terminate a Term by giving 30 days notice to the end of each Term. The termination must be made in writing and be submitted via mail. In case the Customer chooses to upgrade the chosen package, the parties agree that an upgrade shall not lead to an extension of the Term but shall instead roll into the existing Term.
The right to immediate termination for cause shall remain unaffected. In particular, adjust has the right to immediately terminate the agreement
- if the customer breaches its obligations pursuant to Section 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 6.3 or 9 of these Terms and Conditions,
- if the customer is in default of payment and does not settle the outstanding payment upon receipt of a warning letter with a deadline for payment and expiration of that deadline to no avail,
- if the customer publishes racist, pornographic, immoral or illegal content on its website and/or content which glorifies or trivializes violence,
- if the customer is insolvent, subject to insolvency proceedings, insolvency proceedings have been commenced or the commencement of insolvency proceedings is dismissed due to lack of assets,
- if the customer violates the provisions of these Terms and Conditions and fails to remedy this violation upon receipt of a written request with an adequate deadline. No such request is necessary if it has no prospect of success or if the violation is so serious that adjust cannot be reasonably expected to adhere to the agreement. A violation is also be deemed serious if the customer has received notices of warnings several times because of similar violations.
8.3 Upon termination of the agreement, the customer is obliged to delete all copies of the codes that were provided by adjust.
8.4 The notice of termination is excluded prior to the end of the Term. If the Customer terminates the Agreement disregarding such exclusion, then the Customer shall be subject to a contractual penalty in the amount of the outstanding payments.
9.1 The parties shall keep all documents, information and data which have been disclosed during the course of the cooperation strictly confidential during the term of the agreement and for 3 years thereafter. The parties undertake to use the same degree of care in safeguarding the documents, information and data of the other party that is used for its own confidential information, but a least with the due care of a prudent business man. All such documents, information and data shall be used exclusively to perform the contractual services.
9.2 These confidentiality obligations also apply to documents, information and data that relate to companies affiliated with the parties, other cooperation partners or contractors and to documents, information and data about customers and sales representatives of the parties.
9.3 These confidentiality obligations do not apply to documents, information and data that are in the public domain or later become part of the public domain through no breach of contract by a party, is required to be disclosed by operation of law, court or administrative order or that has been subsequently exempted from this confidentiality obligation by an agreement in writing, per fax or via email.
10. Data Protection
10.1 The customer is obliged to comply with the applicable data protection law when using the adjust Services and adjust Software.
10.2 Pursuant to art. 28 European General Data Protection Regulation (“GDPR”), the processing of personal data by adjust on behalf of the customer requires a written agreement (“Data Processing Agreement”). The customer hereby commissions adjust to process personal data on its behalf by concluding a separate agreement in accordance with the scope and the conditions of the annex “Contractual Terms and Conditions for Data Processing”.
10.4 The customer must choose the correct settings for use of the adjust Services and Software if their services are directed to children. Specifically, Customer must limit the collection and processing of personal data regarding children and obtain any necessary consent where required by law including art. 8 GDPR and the US Children’s Online Privacy Protection Act (“COPPA").
11. Final Provisions
11.1 Place of performance and exclusive place of jurisdiction for all disputes between the parties shall be Berlin if the customer is a merchant, a legal entity under public law or a special fund under public law. Berlin shall also be the exclusive place of jurisdiction if the customer does not have a general place of jurisdiction in Germany, if the customer, once it has concluded the contract, moves its domicile out of Germany or whose domicile is unknown at the time the lawsuit is filed.
11.2 Any modifications and or amendments of offers and these General Terms and Conditions must be made in writing (email is sufficient). This also applies in case of a nullification of the written form requirement.
11.3 If any provision of these General Terms and Conditions or part thereof is invalid or becomes invalid at a later time, the validity of the remaining provisions shall remain unaffected. The relevant provision shall be replaced by a provision that as closely as possible reflects the economic purpose of the invalid provision. The foregoing shall apply analogously if any provision has inadvertently been omitted.
11.4 Unless expressly agreed otherwise, the legal relationship between adjust and the customer shall be governed by and construed in accordance with German law.
11.5 adjust has the right within the scope of the contractual purpose to process the data that was provided in accordance with applicable data protection law, or to commission third parties.
Annex “General Terms and Conditions for Data Processing”
1. Scope of Application
The Contractual Terms for Data Processing (“Contractual Terms”) contain the parties’ obligations with regard to data protection, which arise in connection with the commission of adjust GmbH (hereinafter “Processor”) by the contracting party (hereinafter “Controller”) pursuant to article 28 Regulation (EU) 679/2016 (“GDPR”). The scope covers all tasks pursuant to the service description of these Contractual Terms during which the Processor’s employees or third parties commissioned by the Controller come into contact or could come into contact with personal data.
2. Service Description
2.1. The Processor processes data on behalf on the Controller. Data Processing is the collection, use, retention, alteration, transmission, blocking or deletion of personal data by the Processor on behalf of the Controller. For this purpose, device and connection data are read out when visiting a website and when interacting with online advertisements and are stored for the recognition of a user as well as for tracking his usage behavior.
2.2. The purpose of the collection of this data is the processing of data for analyzing the in-app behavior of end-users and thus optimizing the advertising campaigns of the Controller. The Data Processing includes the following data:
- IP addresses
- MAC addresses
- Device IDs including all advertising IDs
- HTTP Header including Processor’s SDK version and user agent (country, language, local settings, (version of the) operating system) as well as the app-version.
The data will also be passed on to third parties if the Controller instructs the Processor to do so.
2.3 The undertaking of the contractually agreed processing of data shall be carried out exclusively within a Member State of the European Union (EU) or within a Member State of the European Economic Area (EEA). Each and every transfer of data to a State which is not a Member State of either the EU or the EEA requires the prior agreement of the Controller and shall only occur if the specific conditions of article 44 et seq. GDPR have been fulfilled. This does not include transfers to customer's servers which are located outside of the EEA.
3. Affected Persons (Data Subjects), Responsibility
3.1. The group of data subjects affected by the processing of their data within this commission includes in particular the users who visit the Controller’s app/website, therefore clients and prospective clients.
3.2. The Controller shall be solely responsible for compliance with the applicable data protection laws, in particular regarding the data transfer to the Processor and the data processing. Due to this responsibility, the Controller shall be entitled to request the deletion or return of the data during and after the term of the agreement.
4. Controller’s Rights and Obligations
4.1. The Controller and the Processor are each responsible for compliance with the applicable data protection laws regarding the data to be processed.
4.2. The Controller shall promptly inform the Processor if he discovers any errors and/or irregularities with regard to the applicable data protection laws during his control of the results of such data processing.
4.3. The Controller has audited the proper processing of his data as well as the technical and organizational measures taken by the Processor on site, and shall continue to audit the compliance of such measures and document the results of such audits in writing during the term of the agreement. Proof of such measures, which concerns not only the specific contract, may be provided by certificates, reports or report extracts of independent instances (e.g. auditor, revision, data protection officer, IT security department, data protection auditors, quality auditors) or by a suitable certification by IT security or data protection audits.
4.5. Upon the expiration of the agreement, the Controller shall be obliged to decide whether the data is to be returned or deleted within a reasonable time period set by the Processor.
5. Processor’s Obligations
5.1. The Processor shall process data only within the scope of the Controller’s instructions as contractually agreed (art. 28 para. 3 GDPR). Instruction shall mean the written instruction issued by the Controller to the Processor that directs the Processor to perform a specific action with regard to personal data. Such instructions are specified within the scope of these Contractual Terms and can thereafter be modified, amended or substituted by the Controller by separate written instructions (“Individual Instruction”). Verbal instructions are immediately confirmed by the Controller (at least in text form).
5.2. Where a data subject directly addresses the Processor, the Processor shall immediately forward this request to the Controller. Insofar as it is included in the scope of services, the erasure policy, ‘right to be forgotten’, rectification, data portability and access shall be ensured by the Processor in accordance with documented instructions from the Controller without undue delay.
5.3. Processor shall promptly inform the Controller pursuant to art. 28 para. 3 subpara. 2 GDPR if he believes that an Instruction is in violation of data protection law.
5.4. The Processor shall design its internal corporate organization to ensure compliance with the specific requirements of data protection within the Processor’s area of responsibility and the protection of the rights of the data subjects affected. In particular, the Processor shall implement the technical and organizational measures as stipulated in Section 6 herein to adequately protect the data from misuse and loss in accordance with art. 28 para. 3, art. 32 GDPR.
5.5. The Processor has chosen a data privacy officer in writing, who carries out its activities pursuant to art. 38 and 39 GDPR. Prof. Dr. Christoph Bauer, Große Bleichen 21, 20354 Hamburg, +49 40 609451 810, firstname.lastname@example.org is appointed as external data protection officer. A change of the data protection officer shall be communicated to the Controller without delay.
5.6. The Processor entrusts only such employees with the data processing outlined in this contract who have been bound to confidentiality and have previously been familiarized with the data protection provisions relevant to their work. The Processor and any person acting under its authority who has access to personal data, shall not process that data unless on instructions from the Controller, which includes the powers granted in this contract, unless required to do so by law
5.7. The Processor shall promptly inform the Controller in the event of a serious interruption of the operating schedule, suspicion of data protection breaches or any other irregularity related to the processing of the Controller’s data.
5.8. The Processor and the Controller shall cooperate with the supervisory authority on request in carrying out their tasks. Insofar as the Controller is subject to an inspection by the supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a data subject or by a third party or any other claim in connection with the order or contract data processing by the Processor, the Processor shall make every effort to support the Controller.
5.9. All data carriers provided to Processor as well as any copies thereof remain the Controller’s property. The Processor shall store such data carriers with diligence and protect them against unauthorized access by third parties. The Processor shall be obliged to inform the Controller about its data and records at any time.
5.10. The Processor shall be obliged to delete any test and scrap material in accordance with the applicable data protection laws upon an instruction issued by the Controller on a case-by-case basis. In specific cases the Processor shall hand over such material to the Controller or store on the Controller’s behalf upon request of the Controller.
5.11. Upon the expiry of this agreement, the Processor shall be obliged to hand over to the Controller all personal data that was provided with regard to the commission that has not been processed or deleted yet or to provide proof of their proper deletion.
5.12. The Processor shall assist the Controller in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations, referred to in articles 32 to 36 of the GDPR. These include ensuring an appropriate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events, the obligation to report a personal data breach immediately to the Controller, the duty to assist the Controller with regard to the Controller’s obligation to provide information to the Data Subject concerned and to immediately provide the Controller with all relevant information in this regard, supporting the Controller with its data protection impact assessment, supporting the Controller with regard to prior consultation of the supervisory authority.
5.13. The Processor may claim compensation for support services which are not included in the description of the services and which are not attributable to failures on the part of the Processor.
6. Technical and Organizational Measures
6.1. Before the commencement of processing, the Processor shall document the execution of the necessary technical and organizational measures, set out in advance of the awarding of the order or contract, specifically with regard to the detailed execution of the contract, and shall present these documented measures to the Controller for inspection. Upon acceptance by the Controller, the documented measures become the foundation of the contract. Insofar as the inspection/audit by the Controller shows the need for amendments, such amendments shall be implemented by mutual agreement.
6.2. The Processor shall establish the security in accordance with art. 28 para. 3 point c, and art. 32 GDPR in particular in conjunction with art. 5 para. 1, 2 GDPR. The measures to be taken are measures of data security and measures that guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of art. 32 para. 1 GDPR must be taken into account.
6.3. The technical and organizational measures are subject to technical progress and further development. In this respect, it is permissible for the Processor to implement alternative adequate measures. In so doing, the security level of the defined measures must not be reduced. Substantial changes must be documented. The technical and organizational measures to adequately protect the Controller’s data include:
a) Confidentiality (art. 32 para. 1 point b GDPR)
· Physical access control: The prevention of unauthorized parties gaining access to personal data processing systems. These measures include an electronic access control system with protocols, a documented key allocation to employees and colocation-customers for colocation racks, video surveillance of the entrances and exits and a 24/7 occupancy of the computer center at the subcontractor’s premises (LeaseWeb Deutschland GmbH). In addition, there are guidelines on how to accompany and identify guests in the building.
· Logical access control: Measures that prevent the unauthorized use of the data processing systems. A password protected access is used that only authorized personnel can use.
· Data access control: Measures that ensure that people entitled to use the data processing systems can solely access data that they are entitled to access in accordance with their access rights, and that during the course of processing, use and after storage, personal data cannot be read, copied, modified or deleted without authorization. Audit-proof and binding authorization procedures have been implemented for the authorized employees.
· Separation control: Measures that ensure that data that was collected for different purposes can be processed separately. The data is physically or logically stored separately from other data and the data backups are made on systems that are logically and/or physically separate.
· Pseudonymisation (art. 32 para. 1 point a GDPR; art. 25 para. 1 GDPR) The processing of personal data in such a method/way, that the data cannot be associated with a specific data subject without the assistance of additional Information, provided that this additional information is stored separately, and is subject to appropriate technical and organisational measures.
b) Integrity (art. 32 para. 1 point b GDPR)
· Data transfer control: Measures that ensure that during electronic transmission, transport or storage on data carriers personal data cannot be read, copied, modified or deleted without authorization, and that it can be established and verified to which entities a transfer of personal data by means of data transmission facilities is planned. All employees have undertaken to comply with the principle of data secrecy and there are capacities for encrypted data transmissions. Furthermore, the data is deleted in accordance with data protection laws after the end of the commission.
· Entry control: Measures that ensure the establishment of an audit trail to document whether and by whom personal data have been entered into, modified in or removed from the data processing systems. The personal data is being anonymized before the Processor has access to such data.
c) Availability and Resilience (art. 32 para. 1 point b GDPR)
· Availability control: Measures that ensure that personal data are protected against accidental destruction or loss. Backup and recovery procedures with a daily mirroring of the data have been implemented. The technical availability is ensured by hard disk mirroring. In addition, there is uninterruptible power supply and a firewall system as well as port regulations are in place.
· Rapid Recovery (art. 32 para. 1 point c GDPR) Processor creates continuous backups, which are also continuously transferred to a remote site. With this back-up, Processor can restore data. There is a regular check to see if recovery works this way.
d) Procedures for regular testing, assessment and evaluation (art. 32 para. 1 point d GDPR; art. 25 para. 1 GDPR)
· Data protection management: All employees are demonstrably committed to data secrecy and receive a training at least once a year. Adjust and Leaseweb have both appointed a data protection officer. For Adjust it’s Prof. Dr. Christoph Bauer (email@example.com) For Leaseweb it’s Patrick Buchna (firstname.lastname@example.org)
· Incident response management: In the event of a data loss, notification to the relevant data protection authority will be happening immediately. In addition, the management, the CTO and the data protection officer are informed immediately. Users and others may report any loss of data to email@example.com.
· Data protection by design and default (art. 25 para. 2 GDPR): Adjust only collects data that is mandatory to promote their product.
· Control of instructions: Measures that ensure that personal data that are being processed on behalf of the Controller are processed solely in accordance with the Controller’s instructions. The employees are instructed on the relevant data protection law on a regular basis, and they are familiar with the procedural requirements and user guidelines for data processing. The unambiguous wording of the contract ensures that the data may only be processed in accordance with the instructions issued by the Controller.
7. Correction, Blocking and Deletion of Data
7.1. Copies or duplicates of the data shall never be created without the knowledge of the Controller, with the exception of back-up copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory requirements to retain data.
7.2. After conclusion of the contracted work, or earlier, upon request by the Controller, at the latest upon termination of this agreement the Processor shall hand over to the Controller or – subject to prior consent – destroy all documents, processing and utilization results, and data sets related to the contract that have come into its possession, in a data-protection compliant manner.
7.3. If a data subject contacts the Processor directly to request the correction or deletion of his data, the Processor shall promptly forward this request to the Controller. If, under the provisions of the data protection law, the Controller is obliged to provide an individual with information on the collection, processing or use of the personal data, the Processor shall assist him in the provision of this information provided the Controller has requested the Processor to do so in writing and shall reimburse the Processor for the costs incurred.
7.4. Documentation which is used to demonstrate orderly data processing in accordance with the order or contract shall be stored beyond the contract duration by the Processor in accordance with the respective retention periods. It may hand such documentation over to the Controller at the end of the contract duration to relieve the Processor of this contractual obligation.
8. Controller’s Right of Inspection
8.1. Upon prior timely notification, the Controller shall be entitled to assure himself of the adequateness of the technical and organizational measures taken by the Processor on the Processor’s premises during the regular business hours and without interrupting the business operations.
8.2. The Processor shall ensure that the Controller is able to verify the compliance of the Processor with the obligations pursuant to art. 28 GDPR. The Processor undertakes to give the contracting authority the necessary information on request and, in particular, to demonstrate the implementation of the technical and organizational measures. The Processor is entitled to claim compensation for the possibility of inspections by the Controller.
9.1. Subcontracting for the purpose of this agreement is to be understood as meaning services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal / transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. The Processor shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the Controller's data, even in the case of outsourced ancillary services.
9.2. The Processor shall be entitled to subcontract the Processor’s obligations to third parties only upon having obtained the Controller’s written approval. The Controller agrees to the commissioning of adjust GmbH, Saarbrücker Str. 37a, 10405 Berlin, Germany, and Leaseweb Germany GmbH, Kleyerstraße 79, 60326 Frankfurt on the condition of a contractual agreement in accordance with art. 28 para. 2-4 GDPR.
9.3. If the Processor engages subcontractors, the Processor is obliged to pass on the contractual obligations hereunder to such subcontractors. In particular, the contract with the subcontractor shall include audit and inspection rights for the Controller in accordance with the terms of this agreement. Upon the Controller’s written request, the Controller shall also be entitled to receive information about the essential terms of the contract and the implementation of the data protection obligations by the subcontractor, e.g. by reviewing the relevant agreement.
9.4. The transfer of personal data of the Controller to the subcontractor and its first-time action are only permitted if all the prerequisites for subcontracting are met. The term of this agreement as well as the right of termination are determined by the agreement between the parties pursuant to adjust’s General Terms and Conditions and the respective offer and/or assignment by the Processor.
The term of this agreement as well as the right of termination are determined by the agreement between the parties pursuant to adjust’s General Terms and Conditions and the respective offer and/or assignment by the Processor.
The compensation for all services to be rendered pursuant to these Contractual Terms is included in the compensation agreed upon between the parties within the offer and/or the assignment. The parties agree that the provisions on the limitation of liability as included in adjust’s General Terms and Conditions shall analogously apply.
12.1. In the event that the Controller’s data is endangered due to a levy of execution or confiscation, insolvency proceedings or any other events and/or third party measures, the Processor shall promptly notify the Controller. The Controller hall promptly notify all people who are responsible in this context of the Controller having retained ownership of these data.
12.2. Any modifications and or amendments of these Contractual Terms must be made in writing (email is sufficient). This also applies in case of a nullification of the written form requirement.
12.3. If any provision of these Contractual Terms is invalid, the validity of the remaining provisions shall remain unaffected.
12.4. The legal relationship between the Controller and the Processor shall be governed by and construed in accordance with German law. Exclusive place of jurisdiction shall be the Processor’s domicile to the extent permitted by law.