General Terms of Use for the use of the Platform

1. Subject of the contract

1.1 With the service, aqua Cloud GmbH (“we“, “us”) offers a browser-based software solution (“Platform“) for the customer (“you”, “User”) to record and report visual bugs. With the built-in annotation tools, customers can capture screenshots or videos, add shapes and tags and include a descriptive title. Capture creates a detailed bug report with information on history of actions, environment, cookies, and network transfers that can be downloaded or stored in the customer’s account on

1.2 The use of the basic functionalities of the Platform is unlimited in time and free of charge, regardless of the number of Users and data volume. If you use functions of the Platform, which are subject to payment, the costs will be incurred in accordance with the current price list.  

1.3 Paid function of the Platform may only be used commercially or in the context of a freelance professional activity. Private use by consumers is not permitted. 

1.4 These Terms of Use apply to any use of the Platform regardless of whether you use free or paid features of the Platform. 

2. Changes in performance

2.1 We are continuously developing the Platform in order to constantly improve your user experience. In this respect, we are entitled to change or supplement our services or parts thereof at any time.

2.2 Unless the respective change in performance is merely an improvement or extension, we will notify you of the change in writing or by email no later than four (4) weeks before it takes effect. 

2.3 If the change results in the loss of essential features of our service, you have the right to object the change in writing or by email within a period of four (4) weeks from receipt of the change notification. If you do not object, the changes or supplements will become part of the agreement with you. We will inform you in the change notification of your right to object, the consequences thereof and the consequences of failure to object. If you object in due time, the contract with you will be deemed terminated by us in due time at the next possible date.

3. Availability and data backup

3.1 We provide the Platform with reasonable availability at the network exit point of the data center we use. We are not responsible for the telecommunication connection between the network exit point of the data center used by us and the systems you use. In particular, we do not assume any warranty for the availability of the common Internet. You are responsible for the connection of your systems to the Internet.

3.2 The evaluation of the availability of the Platform within the meaning of clause 3.1 shall be carried out at the network exit point of the data center used by us. 

3.3 You are entitled and obliged to regularly back up your data processed on the Platform with the care of a diligent businessman. This is possible in particular via downloading the capture screenshots and videos from your account. We are liable only to a limited extent for the loss of data in accordance with Section 12.4 of these Terms and Conditions.

4. Rights of use

4.1 We grant you the right to use the functions of the Platform (in its respective current version) in compliance with the following provisions for the term of the agreement under these Terms of Use. This also applies to any updates (new versions of the Platform without new functionality) or upgrades (new versions of the Platform with additional functionality) provided by us during the term of the agreement. 

4.2 We expressly reserve all rights beyond the foregoing. Rights of use under copyright law, e.g. for downloading, copying or modifying the software, are not required for the intended use and are expressly not granted (subject to the following section 4.3). 

4.3 It may be necessary to install software locally in addition to the Internet browser in order to use certain functions of the platform. To the extent that such software (e.g. software clients or add-ons) is not generally available, we will make it available to you for download (“Client Software”). You are entitled to install and operate the Client Software on your system to the extent necessary to use the Platform. No further rights are granted to you, in particular no editing right, distribution right or right to grant public access to third parties.

5. Collaboration on the Platform

5.1 User accounts can be set up for commercially operating natural persons and/or for legal entities. 

5.2 You are entitled to invite third parties to use the Platform at any time. However, you are obliged to refrain from illicit advertising. You are responsible for the contractual relationship with users invited by you. In this respect, please observe your obligations towards us pursuant to Section 7.5. 

5.3 Without our consent, you are not entitled to allow third parties to access the Platform via your user account or to enable its use in any other way. The transfer of your user account to a third party is possible with our consent. A third party is any natural person or legal entity other than the person of the user specified during registration. 

6. Technical requirements for using the Platform

6.1 To use the Platform, you need in particular a terminal device, Chrome Internet browser and an Internet connection. You are responsible for providing the necessary technical requirements.

6.2 Particularly due to the continuous development of information technology (e.g., the standard Internet browsers), the hardware and software requirements for using the Platform may change. It is therefore possible that you will have to adapt your IT systems to such changed requirements over time.

7. General obligations of the User and special provisions for Project Owners

7.1 You are obliged, 

7.1.1 To provide only true and non-misleading information and to use your real name (no pseudonyms or pen names) when registering and in context of your activities within a project. You additionally have the option to use a pseudonym (recognizable as such) on the public part of the Platform;

7.1.2 To observe all applicable legal provisions and laws as well as the rights of third parties within the scope of your use of the Platform. In particular, the following is prohibited:

(a) Use of content protected by law (e.g. by copyright, trademark, patent, design patent or utility patent law) without being authorized to do so, or advertising, offering and/or distribution of goods or services protected by law, also without being authorized to do so;

(b) Use of insulting or defamatory content, regardless of whether this content concerns other users or other persons or companies;

(c) Use of pornographic, violence glorifying, abusive, immoral content or content violating youth protection laws as well as advertising, offering and/or distribution of goods or services with pornographic, violence glorifying, abusive, immoral content or content violating youth protection laws;

(d) Unreasonable harassment of other users, in particular through spam or unauthorized advertising (cf. Section 7 of the German Unfair Competition Act – UWG);

(e) Engaging in or promoting actions that violate competition law;

7.1.3 To take all measures appropriate according to the current state of affairs in order to prevent data with malware, such as viruses or Trojans, from getting onto the Platform. In particular, all data uploaded by you to the Platform must be checked for malware with an state-of-the-art virus scanner beforehand.

7.2 We are not obligated to make content/information provided by you available to other Users if such content/information does not comply with Section 7.1. We are entitled to remove such content/information from the Platform without prior notice.

7.3 If a third party asserts claims against us based on the infringement of its intellectual property rights by your use of the Platform, you are obligated to defend us against the third party’s claims and indemnify us against them as follows: 

7.3.1 You will provide legal defense against such third-party claims at your own expense.

7.3.2 We commit ourselves in this context:

(a) To inform you without undue delay of the assertion of the relevant claim by the third party; and

(b) To grant you reasonable control over the legal defense and to act only in agreement with you in the context of negotiations to settle the respective claim.

7.4 You grant us the right to use the content posted by you as part of the use of the Platform for the duration of the contract in the manner required for the provision of the Platform with its full functionality. In particular, you grant us the right to keep the content available in a database for retrieval by other Users who are working with you/for you on the respective project. 

7.5 To the extent that you act as a Project Owner with respect to individual projects created on the Platform, the following applies in addition to Sections 7.1-7.4:

(a) You are obligated to regularly and comprehensively check the information/content posted via the Platform in the course of the respective project for compatibility with Section 7.1, regardless of whether you post this information/content yourself or not (monitoring obligation) and to remove incompliant information/content (removal obligation);

(b) You are obligated under Section 7.3 to defend and indemnify us against claims by third parties to the extent that you fail to comply with your monitoring and/or removal obligations and, as a result, information/content, which is not compliant with Section 7.1, is posted in the context of your project; and

(c) As Project Owner, you must conclude the necessary agreements with Project Participants working on your projects in your own name and on your own responsibility and, in particular, ensure that you hold the necessary rights of use with regard to the work results.

8. Warranty for defects

8.1 We exclusively warrant that the Software will have the essential quality agreed upon in these Terms of Use during the term of this Agreement. No other quality than the one agreed upon herewith is promised. You bear the risk whether or not the Platform is suitable for your intended use. We are not responsible for operating errors and for errors due to IT systems used by you that are inadequate in accordance with clause 6.

8.2 You are obligated to notify us immediately of any defects of the Platform as well as any malfunctions occurring during its use. As far as the performance of our contractual obligations has become impossible or significantly more difficult due to a missing or delayed notice on your part, we shall be released from our obligation to perform.

9. Force majeure

9.1 Any failure to perform or non-performance shall not be deemed a breach of contract to the extent that it is due to unavoidable events, in particular epidemics, earthquakes, floods, water ingress, fires, explosions, power failures, embargoes, government restrictions, riots, terrorist attacks, wars or other military actions, civil unrest, rebellions, vandalism, sabotage, strikes in own or supplying factories or other reasons beyond the control of the respective party (“Force Majeure“). The obligations of the affected party shall be suspended to the extent affected by Force Majeure, provided that the affected party (a) promptly notifies the other party with a precise statement of the reasons, (b) endeavors to find reasonable temporary bridging measures or alternatives.    

9.2 As long as the condition of Force Majeure persists, the time of performance is extended by the duration of the delay due to Force Majeure. Your payment obligations for the affected, contractual services shall be suspended for the duration of Force Majeure.

10. Remuneration

10.1 As far as you use paid functions of the Platform (see above section 1.2), you will automatically receive an electronic invoice by email. The list of paid functions, the corresponding prices and billing modalities can be found here

10.2 Payment obligations arise when you upgrade your user account to a paid status and/or use paid features. This also applies if this is done only once or for a short time within the respective billing period. If you discontinue the use of paid functions, any payment obligations already incurred in the respective billing period remains unaffected. 

10.3 If you fail to meet your payment obligations on time, we reserve the right to assert our statutory rights to refuse performance and, for example, to block access to the Platform (in whole or in part).

10.4 You may only assign our claims against you if your counterclaim is a mutual/dependent claim in relation to the claim you wish to assign or if you are assigning a claim which is undisputed or has been finally adjudicated or is ready for adjudication.

10.5 You may only assert rights of retention or other rights to refuse performance against claims to which we are entitled insofar as the counterclaim is also based on the contract on the use of the Platform. 

10.6 All prices are net prices. You are obliged to pay the applicable VAT in addition to the stated prices.

11. Prices and price adjustment

11. 1 With regard to paid functions, a contract for the respective service is concluded by your use in the billing period, for which the respective current price list and any additional conditions apply. 

11.2 In all other respects, we may adjust the terms and conditions of the payable functions as well as the corresponding prices at our reasonable discretion and in line with the development of the costs that are decisive for the price calculation. The following shall apply to such price adjustments:

11.2.1 A price increase or decrease may be considered if, for example, the cost of procuring hardware, software and energy, the use of communications networks or labor costs rise or fall, or if other changes in the economic or legal environment lead to a change in the cost situation.

11.2.2 We will notify you of any intended price adjustment by sending you a text message at least four weeks before it takes effect.

11.2.3 If you do not agree with the adjusted price, you may change your use of the Platform in accordance with Section 10.2 before the price adjustment takes effect in such a way that no payment obligation is triggered under the new price. 

12. Limitations of liability

12.1 As far as we make functions of the Platform available to you free of charge (i.e. free of charge and also otherwise without consideration), we shall only be liable for intent and gross negligence. In the case of gross negligence, our liability is limited to the typical foreseeable damage.

12.2 As far as you use paid functions, the following applies: 

12.2.1 We shall be liable without limitation for damages arising from injury to life, limb or health that are based on an intentional or negligent breach of duty on our part or on the part of our vicarious agents. We shall also be liable without limitation for other damages based on intentional breaches of duty on our part or on the part of our vicarious agents. 

12.2.2 For other damages based on a grossly negligent breach of duty on our part or on the part of our vicarious agents, our liability shall be limited to the typical and foreseeable damage.

12.2.3 For damages due to simple negligent breaches of such obligations, which are fundamental for the proper execution of the contract and on the fulfillment of which you may accordingly rely and trust (cardinal obligations), we are liable only limited to the typical and foreseeable damage. 

12.3 Irrespective of whether a breach of duty is related to a free or paid functionality of the Platform, the following shall apply (in each case subject to Sections 12.1 and 12.2):

12.3.1 The typical and foreseeable damage shall not exceed the sum of the remuneration paid in the last twelve (12) months prior to the damaging event or EUR 5,000, whichever is higher.

12.3.2 We are liable for the loss of data only up to the amount that would have been incurred to restore the data if it had been properly and regularly backed up. 

12.3.3 Other claims for damages are excluded without prejudice to the following clause 12.3.5. In particular, we are not liable regardless of fault due to defects that were already present at the time the contract was concluded.

12.3.4 As far as our liability is limited or excluded, the limitations or exclusions shall also apply to the personal liability of our employees, legal representatives and vicarious agents.

12.3.5 The limitations and exclusions of liability pursuant to this Clause 12 shall not affect our liability under the mandatory statutory provisions of the German Product Liability Act, due to fraudulent concealment of a defect and the assumption of a guarantee for the quality of an item. 

13. Privacy

13.1 The security of your data, in particular personal data, is our top priority. As a service provider established in the European Economic Area (EEA), we comply with the data protection rules applicable to us, in particular the rules of the European Data Protection Regulation (“GDPR“). Particularly, the technical and organizational measures we take meet these high standards.

13.2 You are the controller of the processing of your personal data on the Platform in accordance with the rules of applicable data protection law (in particular those of the “GDPR“, as applicable). For this reason, we enter into a contract with you for commissioned processing pursuant to Article 28 of the GDPR in accordance with Annex 13.1 (Additional Processor Agreement), unless the GDPR does not apply to the processing of personal data by means of the Platform (because you do no have an establishment in the EEA and do not offer goods or services in the EEA or monitor the behavior of persons in the EEA by means of the Platform). If you are subject to different or additional obligations under the laws applicable to you, you are obliged to ensure that these requirements are met before using the Platform to process personal data. 

13.3 We would like to point out that you must provide the data subjects whose personal data you process via the Platform with privacy policies in accordance with Articles 13, 14 GDPR, and that these must also take into account data processing by means of the Platform. You can find more details on such data processing in our privacy policy.

13.4 We are entitled to process data that you process via the Platform for our own purposes, in particular for troubleshooting and billing purposes, as well as to continuously develop and market our services. You can find details on this data processing in our privacy policy

14. Contract duration and termination

14.1 The usage contract is valid for an indefinite period. To benefit from favorable rate options, you have the option to conclude fixed terms with us.

14.2 You can stop using the Platform at any time. Section 10 (Remuneration) shall remain unaffected, i.e. payments made shall not be refunded and any remuneration claims that have arisen shall remain unaffected. You may also terminate the usage agreement at the end of the agreed fixed term. If no fixed term has been agreed, you may terminate the contract at any time.

14.3 We may terminate the contract with two (2) months’ notice. 

14.4 We are entitled to terminate the contract with you without notice for good cause and to terminate your access to the Platform. Good cause shall be deemed given particularly if 

(a) You have not accessed our services for twelve (12) consecutive months;

(b) The fulfillment of the contract becomes legally or factually impossible or economically unreasonable for reasons we are not responsible for;

(c) You repeatedly violate your contractual obligations (in particular these Terms of Use) despite prior warning; or

(d) The fulfillment of your obligations under the contract is at risk due to a deterioration of your assets. A deterioration of assets shall be deemed given, in particular, if you are repeatedly in default with your performance for more than ten (10) days, or if an enforcement attempt on your part has been unsuccessful.

14.5 If the contract ends, you are obliged to export and save your data beforehand via the corresponding function of the Platform. In the event of a termination for good cause by us, we will give you the opportunity to export your data before deleting it. A retention of your data beyond the end of the contract requires a special agreement in text form, e.g. by booking a corresponding fee-based archiving service.

14.6 All notices of termination must be in text form (email is sufficient).

15. Changes to these Terms of Use

15.1 We reserve the right to change these Terms of Use unless the change is unacceptable to you. Unacceptable are in particular changes of essential contractual obligations that are disadvantageous for you. Acceptabe changes can result in particular from a change in the legal situation or the highest court rulings, technical changes or further developments, gaps in the Terms of Use, changed market conditions or other equivalent reasons. 

15.2 We will notify you by email at least four (4) weeks before the changes take effect. The changes will take effect if you do not object in writing or by email within the period of four (4) weeks (from receipt of the change notification) and we have pointed out this legal consequence to you in the change notification. If you object in due time, the contract with you shall be deemed terminated by us in due time at the next possible date.

16. Applicable law and place of jurisdiction

16.1 All legal issues in connection with this contract, including its formation, shall be governed exclusively by German law, excluding the conflict of laws rules and the United Nations Convention on Contracts for the International Sale of Goods (CISG).

16.2 Cologne is agreed as the exclusive place of jurisdiction for all disputes arising from or in connection with this contract. This shall also apply to disputes concerning tortious or other non-contractual claims. Overriding statutory provisions, in particular regarding exclusive jurisdiction, remain unaffected.

17. Miscellaneous

17.1 All changes and amendments with regard to this contract must be documented in writing. Verbal collateral agreements do not exist. 

17.2 Should any provision of this contract be invalid in whole or in part, this shall not affect the validity of the remaining contract; in this case, the parties shall immediately agree on a valid provision that comes as close as possible to the economic purpose of the invalid agreement. This shall also apply to any loopholes in the contract.


Annex 12.1

As far as you (hereinafter “Controller“) process personal data using the Platform of aqua Cloud GmbH (hereinafter “Processor“), the following shall apply:

1. Processing description

The Processor processes personal data of the Controller on the Controller’s behalf. The processing is described as follows:

1.1 Object, type and purpose of the processing

The object, purpose and subject matter of the Processing is the development of software or other project deliverables by the Project Owner and Project Participants in a dynamic and structured manner on the Platform as further specified in the Terms of Use.

1.2 Processing duration

The duration of the processing corresponds to the term of the Terms of Use (see in particular clause 14 of the Terms of Use).

1.3 Type of data

The following data types/categories are affected by the processing:

  • Profile data (especially name, e-mail address, role of users on the Platform)
  • Usage data (information on the use of the Platform by users)
  • Content Data (content of information that users enter/upload during your use of the Platform – depending on which feature of the Platform is used). 

The following categories of data subjects are affected by the processing:

  • Users of the Platform 
  • Other persons about whom users upload personal data on the Platform
2. General duties of the Controller

2.1 The Controller is responsible for compliance with its statutory obligations, in particular for the assessment of whether the data processing is permissible and the protection ofif the data subjects’ rights are protected. 

2.2 The Controller shall inform the Processor in writing without undue delay if it detects any errors or irregularities in the performance of the commissioned processing.

3. Instructions

3.1 Processing by the Processor shall only take place on the documented instructions of the Controller. An exception to this applies if the Processor is required by German or European law to transfer data to a third country; in this case, the Processor shall notify the Controller of these legal requirements prior to the processing (unless the relevant law prohibits such notification due to an important public interest). In principle, this processor agreement contains the instructions of the Controller; however, the Controller reserves a comprehensive right to issue instructions on the type, scope and procedure of data processing, which it may specify by means of individual instructions. Instructions not included in the contract shall be treated as change requests and may be subject to costs. 

3.2 Individual instructions and any resulting amendments of the object of processing or the processing itself shall be issued in text form or be documented accordingly. Orally issued instructions shall be confirmed in writing by the Controller without undue delay.

3.3 The processing of personal data shall take place in the territory of the Federal Republic of Germany, in a member state of the European Union or of the signatories of the EEA Agreement and also in third countries, subject to compliance with the legal requirements for a corresponding data transfer (e.g. conclusion of the EU standard contractual clauses). If another processor is to be engaged, these requirements shall apply in addition to the provisions in Section 6. 

3.4 The Processor shall immediately notify the Controller in writing (email sufficient) in the event it deems that an instruction issued by the Controller violates statutory provisions. The Processor shall have the right to suspend implementation of the respective instruction until it is either confirmed in writing or amended by the Controller. 

3.5 As a matter of principle, the Processor processes the data only for the purposes of the processing and within the scope of the instructions. An exception applies to the data analyses described in section 12.3 of the Terms of Use. Copies and duplicates of the personal data shall not be created without the knowledge of the data Controller. This does not apply to backup copies, insofar as they are necessary to ensure proper data processing, and to data that is required with regard to compliance with statutory retention obligations.

4. Confidentiality of persons authorized to process the data

4.1 The Processor undertakes to treat the data as confidential. The Processor confirms that it is familiar with the applicable data protection provisions. 

4.2 The Processor warrants that is has informed and instructed the persons it authorizes to process the personal data or persons subordinated to it (in particular its employees) with respect to applicable regulations and obligations under data protection rules and that it has bound them to confidentiality and to observing its instructions, or that such persons are subject to statutory confidentiality obligations. The Processor shall monitor compliance with data protection regulations.

5. Technical and organizational measures

5.1 The Processor shall comply with the principles of lawful data processing and warrants that, with respect to its processing of the Controller’s personal data pursuant to this agreement, it will implement all respective measures as agreed hereunder. The Processor furthermore warrants that the data will be processed separately from data belonging to other controllers. It shall implement appropriate technical and organizational measures as contractually agreed and prescribed by law to ensure that the processing is performed in compliance with statutory requirements and that the rights of the data subjects are protected. The measures to be taken are especially aimed to ensure data safety and to ensure a level of adequate safety pursuant to the risk regarding confidentiality, integrity, availability and resilience of the systems. To achieve this, the state of the art, costs for implementation and the type, scope and purpose of the data processing as well as the varying likelihood of occurrence and the severity of the risk for the rights and freedom of natural persons must be considered. Subject to Section 5.3, the technical-organizational measures may be adapted to the technical and organizational further development by the Processor in the course of the contractual relationship.

5.2The parties agree to take the following technical and organizational measures: 

  • Access control by means of username and password
  • Data centers in the EEA operated in accordance with recognized IT security standards
  • Encrypted connection establishment of the users with the Platform via the HTTPS communication protocol.
  • State-of-the-art firewalls and virus protection

5.3 The Processor is permitted to adapt the measures taken and, for example, implement alternative adequate measures. In doing so, the security level of the defined measures must not be undercut. Significant changes must be documented and made available to the Controller; the Controller has a right of objection in the event of significant doubts about the suitability or permissibility of the measures. 

5.4 The Processor shall review the technical and organizational measures taken and provide evidence of these to the Controller before awarding the contract and regularly thereafter. For this purpose, the Processor may submit current test certificates, reports or report excerpts from independent bodies (e.g., auditors, auditing, data protection officers, IT security department, data protection auditors, quality auditors) or suitable certification by IT security or data protection audit (e.g. according to the baseline security of the Federal Office for Information Security (BSI))..

6. Other processors

6.1 The engagement of other Processors with the whole or partial performance by the Processor is permitted only in compliance with the requirements below. 

6.2 The Controller grants the Processor general consent to the engagement of further Processors. The Processor shall inform the Controller in good time in advance of the use, change or replacement of an additional Processor; in such cases, the Controller has the right to object on justified grounds within a reasonable period of time; otherwise, the consent shall be deemed granted. If the Controller objects to the use, modification or replacement of another Processor, the Controller shall be entitled to terminate this Agreement without sanctions by submitting a written notice of termination at least three (3) weeks prior to the planned use, modification or replacement, including the reasons for its objection. 

6.3 The Processor shall draft the contractual provisions of the subcontract with another/other processor(s) in correspondence with the data protection provisions under this contractual relationship between the Controller and the Processor. This shall also include the Controller’s right to obtain, upon its written request, information from the Processor regarding the essential content of the subcontract and the inclusion therein of relevant data protection obligations; where required, the Controller shall also have the right to inspect the respective contractual documents.

6.4 The Processor shall be responsible for the other processor’s compliance with the Processor’s contractual and statutory obligations vis-à-vis the Controller as well as for the monitoring and supervision of such other processor.

6.5 If the additional Processor provides the agreed service outside the EU/EEA, Section 3.3 shall apply. 

7. Rights of the data subjects

7.1 The Controller shall exclusively be responsible for the fulfillment of the data subjects’ rights, in particular the right to information, disclosure, deletion and/or marking/blocking of data as well as the right to data portability. Unless accordingly instructed by the Controller, the Processor shall not be entitled to decide on any requests submitted to him by data subjects or to fulfill the respective requests.

7.2 The Processor shall immediately notify the Controller of any requests from data subjects received by it.

7.3 The Processor shall be obliged to assist the Controller with respect to the fulfillment of the data subjects’ rights, in particular by providing respective information and by implementing appropriate technical and organizational measures, in order to ensure that the Controller is able to comply with its obligation to respond to requests by data subjects wishing to exercise their rights or, upon respective instruction, to perform the respective acts as requested by the data subjects.

8. Support of the responsible person in his legal duties

8.1 To the extent required, the Processor shall assist the Controller in the evaluation of potential risks in connection with the data processing, in particular by providing information only available to the Processor, as well as in the implementation of appropriate and required counter-measures, including the principles of data protection by design and by default, and with respect to any prior consultations and/or data protection impact assessments.

8.2 The Processor shall inform the Controller immediately and in writing (email is sufficient) of any monitoring activities or other measures by the data protection authorities, in particular in connection with investigations regarding the violation of data protection provisions.

8.3 The Processor shall inform the Controller immediately and in writing (email sufficient) of (a) any breaches committed by it or its employees of obligations and/or stipulations under this agreement, (b) any unlawful transfers of personal data to third parties or other unlawful disclosures to third parties, (c) personal data breaches, (d) serious disruptions of operating procedures, suspicion of other personal data breaches, or other irregularities in the handling of the Controller’s personal data. A personal data breach must be notified without undue delay, i.e. no later than within 60 hours pon becoming aware of the breach.

8.4 The Processor is aware that, as a consequence of the incidents described under clause 8.3, the Controller may be under an obligation to notify the supervisory authorities and the data subjects. The Processor shall, after consultation with the Controller, take appropriate measures to secure the data and to mitigate possible adverse effects for the data subjects. The Processor shall support the Controller with respect to any notification obligations, which may arise, of the Controller vis-à-vis supervisory authorities and data subjects.

9. Return of data and deletion

9.1 The Controller’s data shall remain its property and it shall have sole right of disposal over such data. The Processor shall immediately notify the Controller if the Controller’s data are threatened by attachment, insolvency or settlement proceedings, or other incidents or third-party measures. In this respect, the Processor shall immediately inform all relevant third parties that the Controller is the sole proprietor of the data and has sole sovereignty over the data. 

9.2 After completion of the contractual performance, or earlier if so requested by the Controller, but no later than upon termination of the Main Contract, the Processor shall, upon request of the Controller, return to the Controller the personal data as well as all documents made available to it, all processing and use results, and all data stocks related to the contractual relationship.

9.3 Any data remaining with the Processor shall be deleted pursuant to data protection regulations, to the extent no contrary statutory or regulatory obligations of the Processor exist (e.g. retention obligations pursuant to the German Tax Code/German Commercial Code). The same shall apply to any testing materials and rejects. Upon request, a protocol of the deletion shall be made available. 

9.4 The Processor shall retain any documentation evidencing proper and contractual processing of the data beyond termination of the agreement according to the respective retention periods, to the extent no contrary instructions are issued by the Controller. Alternatively, the Processor may hand over any such documentation to the Controller upon termination of the agreement. 

10. Information and supervision

10.1 The Processor agrees that the Controller shall be entitled at all times to supervise, to the extent required, compliance with data protection regulations and the provisions of this agreement, in particular by obtaining respective information and by inspecting the stored data and the data processing systems and facilities. 

10.2 In this respect, the Processor shall, upon request, provide to the Controller all information the Controller requires to perform its supervisory obligations and to make available to it all respective evidence. The evidence can be obtained via compliance to the agreed code of conduct, an accredited certification, recently made attestation, reports or excerpts of reports by independent authorities (e.g. auditors, internal audit, data protection officer, etc.)

10.3 The Processor agrees that supervisors nominated by the Controller in the individual case and/or the competent supervisory authorities shall be entitled to perform on-site checks regarding the compliance with data protection regulations and the provisions of this agreement, within the required scope and after prior arrangement of a respective date [once a year] or for specific cause, to the extent these are of relevance for this agreement and a secrecy obligation exists in particular with respect to the data of other customers. The Processor shall be entitled to compensation for any costs incurred by it in connection with the checks commissioned by the Controller.

10.4 The Processor shall, upon request, provide to the Controller proof of compliance with its obligations under this agreement by suitable means. 

11. Data protection officer(s)/representative of the processor

The Processor confirms that it has appointed a data protection officer – insofar as it is required to do so by law. Upon request, the Processor shall inform the Controller of the contact details of the data protection officer – or, if no such officer is to be appointed, of a person responsible for data protection at the Processor.

12. Miscellaneous

12.1 In the event of a joint and several claim against one of the Parties by data subjects, the Parties shall support each other in defending against such claims. Each party shall be liable to the other pursuant to Art. 82 (5) GDPR. In the internal relationship between the Parties, the agreements on liability of the Terms of Use (in particular Section 12) shall apply.

12.2 No oral side agreements are enforceable. Any changes or amendments of this agreement shall require the written form to be valid. This shall also apply to an amendment of this written form requirement. 

12.3 Should a provision of this agreement be invalid or unenforceable, this shall not affect the validity or enforceability of the remaining provisions. The invalid or unenforceable provision shall be replaced by a provision that comes closest to the purpose and intent of the respective provision.