FUNDINGPORT GmbH (hereinafter referred to as "FUNDINGPORT") operates an online Platform for financing and similar products and services (hereinafter referred to as "Platform") under the name FUNDINGPORT.
The Platform is aimed at companies, project companies (i.e.S. Special Purpose Vehicle) and investors registered on the Platform (hereinafter referred to as "Users"), consultants authorised by a User and registered on the Platform (hereinafter referred to as "Third-Party Users") as well as banks, investors, other capital Providers, electricity consumers, due diligence Providers and law firms registered on the Platform (hereinafter referred to as "Providers").
On the Platform, Users can indicate their financing needs and request suitable financing. Authorised Third-Party Users can also post financing requests for Users. FUNDINGPORT forwards the requests to selected Providers registered on the Platform. The Providers then have the opportunity to submit non-binding offers (hereinafter referred to as "Term Sheets"). The User or Third-Party User can view the Term Sheets on the Platform, compare them with each other and initiate a contract conclusion with selected Providers via the Platform. In this respect FUNDINGPORT acts as messenger of the respective participating Users, Third-Party Users and Providers.
1. Users, Third-Party Users and Providers must agree to these Terms and Conditions including the Data Processing Agreement in Annex A (hereinafter referred to as "Terms") in order to register on the Platform. Without this consent, neither the Platform nor other services of FUNDINGPORT can be used.
2. Users, Third-Party Users and Providers consent to the Terms by clicking a checkbox before completing registration (opt-in procedure). The valid version of the Terms can be accessed here.
1. The Terms regulate the rights and obligations of the parties with regard to the use of the Platform.
2. Other general terms and conditions shall only apply if the parties (FUNDINGPORT on the one hand and Users, Third-Party Users or Providers on the other hand) have expressly agreed to this in writing or in text form.
3. Only entrepreneurs (according to § 14 German Civil Code (BGB)) may register on the Platform as Users, Third-Party Users or Providers. Other persons, especially consumers (according to § 13 German Civil Code (BGB)), are not permitted to use the Platform. In addition, sanctioned parties are prohibited from accessing the platform:
3.1. Persons and associations of persons are excluded from using the Platform to the extent that they are sanctioned parties.
3.2. For the purposes of this regulation, sanctioned parties are all of the following:
a. Consumers, legal entities and other associations of persons who are resident or domiciled in a state or region against which the United States, the European Union or the Federal Republic of Germany have issued measures that are considered comprehensive sanctions ("Comprehensive Sanctions");
b. Consumers, legal entities and other associations of persons against whom the United States, the European Union or the Federal Republic of Germany have imposed economic sanctions measures.
c. Person or associations of person in which a sanctioned party referred to in a.) or b.) holds at least 50% of the shares or voting rights; in which a sanctioned party referred to in a.) or b.)has the right to determine the majority of the members of the management, the board of directors or a comparable governing body; or which is otherwise under the control of a party referred to in a.) or b.).
3.3. In addition, for reasons of business policy and to protect the general reputation of the Platform, persons and associations of persons domiciled in a high-risk country shall be excluded from using the Platform. For the same reasons, loans may not be brokered to persons and associations of persons if they are domiciled in a high-risk country. High-risk countries in this sense are all third countries with high risk identified by the Commission in the applicable delegated act pursuant to Art. 9 of Directive (EU) 2015/849 (or any successor regulation thereto), as well as the following countries:
3.4. The exclusions set forth in 3.1. and 3.3. shall not apply to the extent that this constitutes a violation of Regulation (EC) No. 2271/96 or a prohibited boycott within the meaning of Section 7 AWV.
1. FUNDINGPORT provides funding on the Platform under the URL https://app.fundingport.com where Users or authorised Third-Party Users can request financing in the form of non-profit participating and non-qualified subordinated loans, similar products and services as well as investment products within the meaning of § 1 para. 2 Investment Products Act (VermAnlG) for their respective commercial purposes.
2. By the financing request, the User or Third-Party User asks the Provider to submit Term Sheets without obligation. Only complete requests (all mandatory fields are filled in) can be processed. FUNDINGPORT presents Users or Third-Party Users with suitable Providers registered on the Platform for their request. FUNDINGPORT presents the selection according to the tender criteria that FUNDINGPORT has previously determined from the Provider(s). Such criteria are, for example, the type of financing or investment products, the customer groups or the investment volume for which the Providers wish to receive financing requests. The Users or Third-Party Users themselves choose the Providers to whom their enquiry is to be forwarded from the selection presented by FUNDINGPORT.
3. The Providers selected by the User or Third-Party User are then given the opportunity to submit Term Sheets suitable for the financing request within a time period defined by the User or Third-Party User.
4. The Term Sheets submitted by the Provider(s) are immediately and continuously displayed to the User or Third-Party User in a personal login area on the Platform. In individual cases, the User or Third-Party User may receive the Term Sheets via FUNDINGPORT in a separate way, e.g. by e-mail. If the User or Third-Party User wishes to contact a Provider, the User or Third-Party User must use the corresponding function of the Platform. If the User or Third-Party User has selected a Provider to contact, FUNDINGPORT will transmit the contact data provided by the User or Third-Party User to the Provider.
5. The Term Sheets of the Providers are not binding. Therefore, the terms and conditions displayed in the Term Sheet may still change. In addition, a concrete creditworthiness and/or project assessment may only be carried out by the Provider after the Provider has been selected. The result of this assessment can lead to changed conditions or, if applicable, to the rejection of the financing.
6. The Provider provides the User or Third-Party User with contractual documents after successful creditworthiness and/or project assessment. The conclusion of the financing contract between the Provider and User does not take place via the Platform. Accordingly, the selection of a Provider by a User or Third-Party User does not yet lead to the conclusion of a contract.
7. FUNDINGPORT is not obliged to check the data provided by the User or Third-Party User on the Platform, in particular regarding the company and/or the project or financing plan. Furthermore, FUNDINGPORT is not obliged to check the Term Sheets submitted by the Providers, possibly subject to conditions. FUNDINGPORT assumes no liability for the content of the Term Sheets, contractual documents and all other information provided by the User, Third-Party User or Provider.
8. FUNDINGPORT provides a data room on the Platform where Users, Third-Party Users and Providers can provide documents necessary or useful for the conclusion of the financing as well as access such documents of the respective other parties concerned and use a question and answer (Q&A) function. Users, Third-Party Users and Providers are solely responsible for deciding which data to upload, delete and which of this data is only made available for inspection or also for download. As far as personal data are processed or uploaded in this data room, FUNDINGPORT will act as a Data Processor by providing the technical infrastructure of the data room. The Users, Third-Party Users and Providers are responsible for data processing in the data room in accordance with the General Data Protection Regulation (DSGVO). FUNDINGPORT processes personal data strictly in accordance with the instructions of the respective responsible party. The Data Processing Agreement, which is in Appendix A to these Terms, shall become part of this contract with the consent of the User, Third-Party User and Provider to these Terms.
9. FUNDINGPORT is not liable to Users, Third-Party Users and Providers for the effective conclusion, execution or termination of a financing contract between Provider and User. FUNDINGPORT merely acts as a technical service Provider in order to simplify communication between Users, Third-Party Users and Providers and to facilitate the conclusion of a financing contract between Users and Providers. In this respect, FUNDINGPORT undertakes to pass on to the selected Providers as messengers the financing requests created by the User or Third-Party User, which are suitable for this purpose, and to store the Term Sheets submitted by the Providers in the login area of the User or Third-Party User in accordance with these Terms.
10. FUNDINGPORT does not warrant that the Platform will be available at all times. Maintenance work, software updates as well as events beyond the control of FUNDINGPORT (e.g. force majeure, third party negligence) may lead to temporary unavailability of the Platform. If FUNDINGPORT can foresee that downtimes for maintenance and software updates will last longer than 12 hours, FUNDINGPORT will inform User, Third-Party User and Provider of this fact by e-mail, taking due account of all mutual, including commercial, interests.
11. Compensation
The use of the Platform is free of charge for Users, Third-Party Users and Providers.
If a financing contract between a Provider and a User is concluded, the Provider is obliged to pay a commission to FUNDINGPORT. The commission paid to FUNDINGPORT by the Provider may be included in part or in full in the Provider's offer conditions. Further details are agreed in the service contract between FUNDINGPORT and the Provider.
Users, Third-Party Users and Providers undertake vis-à-vis FUNDINGPORT to refrain from any actions aimed at circumventing the commission claim.
1. The use of the Platform and the related services of FUNDINGPORT requires registration by the respective User, Third-Party User and Provider. In this context, both the relevant commercial data of the Users, Third-Party Users and Providers as well as the contact data of the natural persons who carry out the registration for the User, Third-Party User or Provider (hereinafter referred to as "Individuals") must be recorded. All relevant data must be provided completely and truthfully. The mandatory data must be filled in for registration. The Individual must select a user name and password. After confirming the selected password and clicking the checkbox to agree to these Terms, the User, Third-Party User or Provider completes the registration by clicking the "Register” button. During and after registration, further authentication measures may be required for security reasons.
2. Registration as a User, Third-Party User or Provider is permitted to legal entities or partnerships in the context of their commercial activities. As an Individual, any natural person with unlimited legal capacity is permitted to carry out a registration, who is authorized to do so by the respective User, Third-Party User or Provider. FUNDINGPORT may at any time demand proof of the registration data provided and of the Individual's entitlement. However, FUNDINGPORT is not obliged to verify such data. Furthermore, FUNDINGPORT may contact an Individual at any time in connection with the operation of the Platform. Contact may be established by e-mail, telephone or post. It is not permitted to create multiple registrations for the same User, Third-Party User or Provider.
3. There is no right to registration. FUNDINGPORT is entitled to refuse registration without giving reasons. FUNDINGPORT is also entitled not to activate or subsequently block the account of a User, Third-Party User or Provider or the registration of a Individual if required proof is missing. Furthermore, FUNDINGPORT may at any time refuse or cancel the processing of a financing request without stating reasons and delete the financing request if there are indications that the use of the Platform is contrary to the legitimate interests of the other Users, Third-Party Users or Providers. In the event of false information or other discrepancies, FUNDINGPORT has the right to permanently exclude the User, Third-Party User or Provider concerned from using the Platform and to cancel and delete financing requests (including retrospectively).
1. A Third-Party User may post financing requests for Users on the Platform if and to the extent that he is entitled to do so vis-à-vis the User concerned. A link between User and Third-Party User shall be established at the latest when the Third-Party User creates a financing requestfor the User on the Platform.
2. The Third-Party User assures FUNDINGPORT that he/she has been authorised by the User to do so by submitting a financing request for a User. Upon request, the Third-Party User shall provide FUNDINGPORT with proof of sufficient authorisation by the User. However, FUNDINGPORT is not obliged to verify this. The Third-Party User shall indemnify FUNDINGPORT from all claims, in particular those of the User, asserted against FUNDINGPORT due to the non-existence or exceeding of an authorisation.
3. By submitting a financing request for a User, the Third-Party User further assures FUNDINGPORT that he/she has all necessary official and other permits and licenses. The Third-Party User shall indemnify FUNDINGPORT from all claims asserted against FUNDINGPORT due to the absence or exceeding of any required permit or license.
1. The User, Third-Party User and Provider shall bear sole responsibility for the correctness and completeness of all information, content (e.g. documents, files), links and other data that he/she records on the Platform (hereinafter referred to as "Data").
2. Users, Third-Party Users and Providers warrant in particular that they are entitled to pass on the Data to FUNDINGPORT and that FUNDINGPORT is entitled to pass on the Data to the respective other parties.
3. Users, Third-Party Users and Providers are also obliged to design their Data in such a way that it does not violate legal or official regulations or offend common decency.
4. The use of the data room is made available exclusively for the following purposes:
a. Recording, verification, exchange and storage of financially relevant information
b. Upload, download, exchange and storage of finance-related documents
5. Users, Third-Party Users and Providers may use the Platform and the data room exclusively in accordance with these Terms and the purposes regulated therein. The use of the Platform, the data room and the provided functions may not be used in an abusive manner and/or outside the intended contractual purpose. Data and information which are generated or uploaded to the data room by Users, Third-Party Users and Providers on the Platform or may not violate the respective applicable laws of the Federal Republic of Germany.
6. Users, Third-Party Users and Providers shall ensure that they check all stored data for compliance with the requirements of paragraphs 1 to 5 before each new financing request and, where necessary, correct or make them available again in accordance with these conditions.
7. FUNDINGPORT is entitled to request evidence of the data provided.
8. Users, Third-Party Users and Providers are obliged to keep the access data to the Platform (user name and password) secret and to protect them from access by third parties. Users, Third-Party Users and Providers shall ensure that the access data cannot be spied out by third parties when they are entered. If a User, Third-Party User or Provider is aware or suspects that a third party has obtained knowledge of the access data of the User, Third-Party User or Provider in question, the User, Third-Party User or Provider is obliged to change his access data without undue delay (according to §121 German Civil Code (BGB)). If this is not possible, FUNDINGPORT must be informed immediately and the further procedure must be agreed with FUNDINGPORT.
9. User, Third-Party User and Provider have the obligation to inform FUNDINGPORT in case of a conclusion of financing contract in the sense of § 3 para. 1 between User and Provider within five banking days after conclusion of the contract. User, Third-Party User and Provider are also obliged to inform FUNDINGPORT in the event of the final failure to conclude a financing contract initiated via the Platform. The information can be provided via the Platform, by e-mail, by telephone or by post. FUNDINGPORT shall be entitled to contact the User, Third-Party User and/or Provider at any time for queries regarding the contractual status. The User authorises the Provider to inform FUNDINGPORT in the event of a conclusion of a contract within the meaning of § 3 para. 1 about the conclusion of the financial product, the volume and the time of the provision and/or first partial payment as well as in the event of failure to conclude a financing contract, to also inform FUNDINGPORT about this and releases the Provider from banking secrecy in this respect. FUNDINGPORT shall use the contractual data provided exclusively for invoicing the Provider.
10. Users, Third-Party Users and Providers shall indemnify FUNDINGPORT from all claims of third parties and/or other parties that are asserted against FUNDINGPORT due to incorrect, incomplete and/or illegal data and/or unauthorized data transfer. This also includes cases in which the User, Third-Party User or Provider has not sufficiently checked automatically completed data fields.
1. Subject to the provisions on liability in §8, FUNDINGPORT shall ensure with the care that is customarily exercised in its own affairs (according to § 277 German Civil Code (BGB)) that all Data on the Platform and communication via the Platform are protected against unauthorised access by third parties.
2. FUNDINGPORT undertakes to comply with all data protection regulations concerning FUNDIGPORT in their respective applicable version. When processing personal data, FUNDINGPORT will only employ personnel or third parties who have been committed to confidentiality in the handling of personal data and who have been appropriately familiarized with the requirements of data protection. FUNDINGPORT undertakes, in the event of the involvement of third parties, to oblige such third parties to comply with all provisions of data protection law.
3. FUNDINGPORT processes Data provided by the User, Third-Party User or Provider in accordance with the legal requirements and the Data Processing Agreement in Annex A. Irrespective of this, Users, Third-Party Users or Providers are obliged to secure the Data provided by them outside the Platform in a suitable form.
4. FUNDINGPORT reserves the right to change the Platform. In doing so, FUNDINGPORT will take into account the legitimate concerns of Users, Third-Party Users and Providers and inform them of any impending change at an early stage if and to the extent that the change is likely to affect their legitimate concerns.
1. FUNDINGPORT shall only be liable for slight negligence in case of breach of material contractual obligations. Material contractual obligations are all obligations whose fulfilment is essential for the proper execution of the contract and on whose compliance a User, Third-Party User and Provider may regularly rely. Otherwise the pre-contractual, contractual and non-contractual liability of FUNDINGPORT is limited to intent and gross negligence. This limitation of liability shall also apply in the event of fault of a vicarious agent (according to § 278 German Civil Code (BGB)) of FUNDINGPORT.
2. If the breach of a material contractual obligation is not due to gross negligence or intent, the liability of FUNDINGPORT shall be limited to such typical damages or such typical extent of damages that was reasonably foreseeable at the time of the conclusion of the contract.
3. The exclusions/limitations of liability according to paragraphs 1 and 2 do not apply to liability for injury to life, body or health or according to the Product Liability Act (ProdHaftG).
4. Warranty claims shall become statute-barred within a period of one year from the start of the statutory limitation period. This shall not affect the statute of limitations with regard to liability for damages based on an intentional or grossly negligent breach of duty by FUNDINGPORT or a legal representative or vicarious agent (according to § 278 German Civil Code (BGB)) of FUNDINGPORT as well as the statute of limitations with regard to liability for damages resulting from injury to life, body or health or under the Product Liability Act (ProdHaftG). In this respect the statutory period of limitation shall apply in each case.
Users, Third-Party Users and Providers may only offset counterclaims against claims of FUNDINGPORT if such counterclaims have been legally established in a non-appealable manner, are undisputed or have been acknowledged by FUNDINGPORT. The same applies to any rights of retention of Users, Third-Party Users and Providers. Furthermore, Users, Third-Party Users and Providers are only entitled to exercise a right of retention to the extent that the respective counterclaim is based on the same contractual relationship.
1. Users and Third-Party Users must treat the Confidential Information of the Providers, Providers must treat the Confidential Information of the Users and Third-Party Users as confidential. FUNDINGPORT shall treat the Confidential Information of Users, Third-Party Users and Providers made available as confidential.
Regardless of the medium in which it is contained, "Confidential Information" shall be deemed to include in particular all financial, technical, technological, economic, strategic, legal, fiscal, business and business process related or other information (including products, manufacturing processes, know-how, trade secrets, business relationships, business strategies, business plans, financial planning, personnel matters) which relates to Users, Third-Party Users or Providers or companies affiliated with them within the meaning of §§ 15 ff. Stock Corporation Act (AktG). This also includes other information within the meaning of § 2 Law on Trade Secrets (GeschGehG), which is neither generally known nor readily accessible, is of commercial value and is subject to confidentiality measures.
2. Users, Third-Party Users and Providers each remain the owner (within the meaning of § 2 No. 2 GeschGehG) of the Confidential Information exchanged between them in the course of using the Platform and retain (unless otherwise agreed) all rights to use and exploit this Confidential Information.
3. Users, Third-Party Users and Providers shall not forward the Confidential Information of the respective other party received via the Platform to unauthorized third parties or make it accessible to such third parties and shall take appropriate secrecy measures to protect the Confidential Information from access by third parties.
1. The place of performance (according to § 29 Code of Civil Procedure (ZPO)) for the obligations of Users, Third-Party Users and Providers as well as on the part of FUNDINGPORT under these Terms is the registered office of FUNDINGPORT.
2. Berlin is agreed as the exclusive - also international - place of jurisdiction for all disputes arising from or in connection with these Terms. FUNDINGPORT has the right to sue at the domicile of the User, Third-Party User or Provider concerned or before other courts competent under national or foreign law. Priority statutory provisions, in particular regarding exclusive jurisdiction, shall remain unaffected.
3. These Terms are subject to the law of the Federal Republic of Germany.
1. Should one of the provisions of these Terms be or become legally invalid or void in whole or in part, the validity of the remaining provisions shall not be affected thereby. Rather, the parties undertake to participate in an agreement which, in economic terms, corresponds as closely as possible to the original intention of the parties. The same applies to loopholes in the regulations of these Terms.
2. Changes or amendments to these Terms may be made by means of an offer by FUNDINGPORT via the Platform and acceptance by the User, Third-Party User or Provider by activating a corresponding button or checkbox on the Platform. In addition, changes or amendments to these Terms may also be agreed by FUNDINGPORT offering the amended Terms to Users, Third-Party Users and Providers in text form no later than six weeks before the proposed date of their entry into force and the consent of a User, Third-Party User or Provider shall be deemed to have been given if the User, Third-Party User or Provider has not indicated its rejection before the proposed date of entry into force of the changes or amendments. FUNDINGPORT will make special reference to the intended significance of the other parties´ behavior in the offer.
3. Oral subsidiary agreements to these Terms have not been made. Changes or amendments to these Terms outside of this procedures in accordance with paragraph 2, including their cancellation, must be made in writing; this also applies to the changes or amendment of the written form clause.
Data Processing Agreement according to Art. 28 General Data Protection Regulation (DSGVO) between the User, Third-Party User or Provider within the meaning of the Terms hereinafter referred to as "Data Controller" in each case and Fundingport GmbH, Heidestraße 8, 10557 Berlin, Germany, hereinafter referred to as 'Data Processor'.
There is a contractual relationship between the Data Controller and the Data Processor within the meaning of Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, "DSGVO").
This Data Processing Agreement for processing orders including all annexes (hereinafter jointly referred to as "Agreement") specifies the data protection obligations of the parties arising from the Terms, in particular in accordance with Sections 3 (8), 6 (4) (5) of the Terms (hereinafter referred to as "Terms and Conditions"). Insofar as reference is made to the provisions of the German Federal Data Protection Act (Bundesdatenschutzgesetz, "BDSG"), this refers to the Act on the Adaptation of Data Protection Law to Regulation (EU) 2016/679 and on the Implementation of Directive (EU) 2016/680 in the version applicable as of 25 May 2018.
The Data Processor undertakes to the Data Controller to perform the Terms and Conditions and this Agreement in accordance with the following provisions:
1. The following provisions shall apply to all data processing services within the meaning of Art. 28 DSGVO which the Data Processor provides to the Data Controller on the basis of the Terms and Conditions.
2. In so far as the term "data processing" or "processing" of data is used in this Agreement, it is generally understood to mean the use of personal data. Data processing or the processing of Data means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
3. Reference is made to the further definitions in Art. 4 DSGVO.
1. The Data Processor shall process personal data on behalf of and in accordance with the instructions of the Data Controller.
2. The object of the Agreement is the provision of the technical infrastructure of a data room on the Platform by the Data Processor for use by the Data Controller, in particular by recording, verification, exchange and storage of financially relevant information and / or upload, download, exchange and storage of finance-related documents and using the question and answer function (Q&A) within the the Terms and Conditions.
3. The duration of this Agreement corresponds to the duration of the Terms.
The nature and purpose of the processing of personal data by the Data Processor are specified in the Terms and Conditions. The Terms and Conditions covers the following activity(ies) and purpose(s):
Under this Agreement, personal data of the following categories of data subjects will be processed:
The following data types are affected by data processing:
1. The Data Controller alone is responsible for assessing the permissibility of the data processing and for safeguarding the rights of the data subjects and is therefore controller in the sense of Art. 4 para. 7 DSGVO.
2. The Data Controller is entitled to issue instructions on the nature, scope and procedures of data processing. Oral instructions must be confirmed by the Data Controller in writing or in text form (e.g. by e-mail) without undue delay at the request of the Data Processor.
3. If the Data Controller considers it necessary, persons authorized to give instructions may be named. The Data Controller shall inform the Data Processor of these in writing or in text form. In the event that these persons authorised to give instructions change at the Data Controller's premises, the Data Processor shall be notified of this in writing or in text form, naming the new person in each case.
4. The Data Controller shall inform the Data Processor without undue delay whenever errors or irregularities relating to the processing of personal data by the Data Processor are detected.
1. Data processing
The Data Processor will process personal data exclusively in accordance with this Agreement and/or the underlying Terms and Conditions and in accordance with the instructions of the Data Controller.
2. Rights of data subjects
a. The Data Processor will assist the Data Controller in the fulfillment of the rights of the data subjects, in particular as regards rectification, restriction of processing and erasure, notification and access to of information, within the limits of his possibilities. If the Data Processor processes the personal data referred to in Section 5 of this Agreement on behalf of the Data Controller and if these data are the subject of a request for data portability pursuant to Art. 20 DSGVO, the Data Processor shall provide the Data Controller with the relevant data set in a structured, common and machine-readable format within a reasonably set period of time, otherwise within seven working days.
b. The Data Processor shall, on the instructions of the Data Controller, rectify, erase or restrict the processing of the personal data referred to in Section 5 of this Agreement which are processed on behalf of the Data Controller. The same applies if this Agreement provides for the rectification, erasure or restriction of the processing of Data.
c. Where a data subject directly contacts the Data Processor for the purpose of rectifying, erasing or restricting the processing of personal data referred to in Section 5 of this Agreement, the Data Processor shall transmit this request to the Data Controller without delay upon receipt.
3. Control obligations
a. The Data Processor shall ensure through appropriate checks that the personal data processed under this Agreement are processed solely in accordance with this Agreement and/or the Terms and/or the relevant instructions.
b. The Data Processor shall design his company and his operating procedures in such a way that the Data which he processes on behalf of the Data Controller are secured to the extent necessary in each case and protected from unauthorized access by third parties.
c. The Data Processor confirms that it has appointed a data protection officer in accordance with Art. 37 DSGVO and, if applicable, in accordance with §38 BDSG, and that it monitors compliance with the provisions on data protection and data security with the involvement of the data protection officer. The data protection officer of the commissioned Data Processor is currently
ISiCO Data Protection GmbH
At Hamburger Bahnhof 4
10557 Berlin
berlin@isico-datenschutz.de
4. Information requirements
a. The Data Processor shall immediately inform the Data Controller if, in his opinion, an instruction issued by the Data Controller violates legal regulations. The Data Processor shall be entitled to suspend the execution of the relevant instruction until it is confirmed or amended by the Data Controller.
b. The Data Processor shall assist the Data Controller in complying with the obligations set out in Articles 32 to 36 DSGVO, taking into account the nature of the processing and the information available to him.
5. Place of data processing
The processing of the data takes place in the territory of the Federal Republic of Germany, in a member state of the European Union or in another state that is a party to the Agreement on the European Economic Area. Any relocation to a third country may only take place if the special requirements of Art. 44 et seq. DSGVO are fulfilled.
6. Erasure of personal data after completion of the Agreement
After termination of the Terms and Conditions, the Data Processor will either erase or return all personal data processed under the Agreement, at the choice of the Data Controller, provided that the erasure of such data does not conflict with any statutory storage obligations of the Data Processor. The erasure in accordance with data protection regulations must be documented and confirmed to the Data Controller upon request.
1. The Data Controller is entitled, after prior notification in good time during normal business hours without disrupting the business operations of the Data Processor or endangering the security measures for other Data Controller and at his own expense, to inspect compliance with the regulations on data protection and the contractual agreements to the necessary extent himself or through third parties. The controls can also be carried out by accessing existing customary industry certifications of the commissioned Data Processor, current certificates or reports of an independent authority (such as auditor, external data protection officer or external data protection auditor) or self-reports. The Data Processor will provide the necessary support to carry out the checks.
2. The Data Processor shall inform the Data Controller of the implementation of the supervisory authority's control measures, insofar as the measures may concern the processing of data which the Data Processor carries out for the Data Controller.
1. The Data Controller authorizes the Data Processor to use the services of other processors in accordance with the following paragraphs in § 9 of this agreement. This authorisation constitutes a general written authorisation within the meaning of Art. 28 para. 2 DSGVO.
2. In the performance of the Agreement, the Data Processor shall currently cooperate with the subcontractors designated in Appendix 2, to whose assignment the Data Controller consents.
3. The Data Processor is entitled to commission further processors or to replace those already commissioned. The Data Processor shall inform the Data Controller in advance of any intended change regarding the appointment or replacement of a further processor. The Data Controller may object to an intended change.
4. The objection to the intended change must be made to the Data Processor within 2 weeks after receipt of the information about the change. In the event of an objection, the Data Processor may, at his own discretion, either provide the service without the intended change or propose an alternative further processor and agree this with the Data Controller. If the performance of the service without the intended change is unreasonable for the Data Processor - for example, because of disproportionate expenses for the Data Processor - or if the coordination of an alternative processor fails, the Data Controller and the Data Processor may terminate this Agreement and the Terms and Conditions with one month's notice to the end of the month.
5. Whenever a further processor is engaged, a level of protection comparable to that of this Agreement must always be guaranteed. The Data Processor shall be responsible to the Data Controller for all acts and omissions of the other processors employed by him.
1. The Data Processor shall be bound to confidentiality when processing data on behalf of the Data Controller.
2. In fulfilling the Agreement, the Data Processor undertakes to employ only employees or other vicarious agents (according to § 278 German Civil Code (BGB)) who are committed to confidentiality in the handling of personal data provided and who have been made familiar with the requirements of data protection in a suitable manner. Upon request, the Data Processor shall prove to the Data Controller that the obligations have been fulfilled.
3. Insofar as the Data Controller is subject to other secrecy protection rules, he shall inform the Data Processor correspondingly. The Data Processor shall oblige his employees to comply with these secrecy protection rules in accordance with the requirements of the Data Controller.
1. The technical and organisational measures described in Appendix 1 are agreed as appropriate. The Data Processor may update and modify these measures, provided that the level of protection is not significantly reduced by such updates and/or modifications.
2. The Data Processor shall observe the principles of proper data processing pursuant to Art. 32 in conjunction with Art. 5 para. 1 DSGVO. He shall guarantee the contractually agreed and legally required data security measures. He shall take all necessary measures to secure the Data or the security of the processing, in particular also taking into account the state of the art, and to mitigate possible adverse consequences for the data subjects. The measures to be taken include in particular measures to protect the confidentiality, integrity, availability and resilience of the systems and measures to ensure the continuity of processing after incidents. In order to be able to guarantee an adequate level of security of the processing at all times, the Data Processor will regularly evaluate the measures implemented and make adjustments where necessary.
1. The Data Processor shall be liable to the Data Controller in accordance with the statutory provisions for all damage caused by culpable breaches of this Agreement and of the statutory data protection provisions applicable to him by the Data Processor, his employees or those commissioned by him to implement the Agreement in the performance of the contractual service. The Data Processor shall not be obliged to pay compensation if the Data Processor can prove that it has processed the Data of the Data Controller provided to it exclusively in accordance with the instructions of the Data Controller and that it has complied with its obligations under the DSGVO specifically imposed on the processors.
2. The Data Controller shall indemnify the Data Controller from all claims of third parties which are asserted against the Data Controller due to a culpable breach of the obligations arising from this Agreement or applicable data protection regulations by the Data Controller.
1. In case of contradictions between the provisions of this agreement and the provisions of the Terms and Conditions, the provisions of this agreement shall prevail.
2. Amendments and changes to this Agreement shall require the mutual consent consent in writing, including in electronic form of the contracting parties with specific reference to the provision of this Agreement to be changed or amended. Verbal collateral agreements do not exist and are also excluded for future changes or amendments of this Agreement.
3. This Agreement is subject to German law.
4. If the access to the data which the Data Controller has transmitted to the Data Processor for data processing is endangered by measures of third parties (e.g. measures of an insolvency administrator, seizure by tax authorities, etc.), the Data Processor shall immediately notify the Data Controller thereof.
Appendix 1 to Annex A: Technical and organisational measures to ensure the security of data processing
Appendix 2 to Annex A: Subcontracting relationships pursuant to § 9 of the Agreement
The Data Processor warrants that it has taken the following technical and organisational measures:
Measures that reduce the direct reference to the data subject during processing in such a way that it is only possible to identify a specific data subject by consulting additional information. The additional information must be kept separate from the pseudonym by means of suitable technical and organisational measures.
Measures or processes in which a clearly readable text / information is converted with the aid of an encryption method (cryptosystem) into an unreadable, i.e. not easily interpretable character string (ciphertext):
1. Access control
There is no physical storage or processing of Data by the Data Processor. Measures that physically deny unauthorized persons access to IT systems and data processing equipment used to process personal data, as well as to confidential files and data carriers:
Measures to prevent unauthorized persons from processing or using data protected by data protection laws:
Measures to ensure that those authorized to use the data processing procedures can only access the personal data subject to their access authorization, so that data cannot be read, copied, modified or removed without authorization during processing, use and storage:
2. Separation rule
Measures to ensure that data collected for different purposes are processed separately and kept separate from other data and systems in such a way as to prevent unplanned use of these data for other purposes:
1. Data integrity
Measures to ensure that stored personal data is not damaged by malfunctioning of the system:
2. Transfer check
Measures to ensure that it is possible to verify and establish to which bodies personal data have been or may be transmitted or made available using data communication equipment:
3. Transport control
Measures to ensure that the confidentiality and integrity of data are protected during the transmission of personal data and during the transport of data media:
4. Input control
Measures to ensure that it is possible to subsequently check and establish whether and by whom personal data have been entered, modified or removed from computer systems:
1. Availability control
Measures to ensure that personal data is protected against accidental destruction or loss. Data is stored on the Amazon Cloud (AWS). For details see: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf
2. Rapid recover-ability
Measures to ensure the ability to rapidly restore the availability of and access to personal data in the event of a physical or technical incident:
3. Reliability
Measures that ensure that all functions of the system are available and that any malfunctions that occur are reported:
1. Review procedure
Measures to ensure that processing complies with data protection regulations and is secure:
2. Order Control
Measures to ensure that personal data processed under contract can only be processed in accordance with the instructions of the principal:
In the performance of the Agreement, the Data Processor is currently working with the following other processors, which the Data Controller agrees to commission
Name/Company: Amazon Web Services Inc.
Function/Activity: Data storage of the order Data Processor on servers of Amazon Web Services Inc.
Registered office: 410 Terry Avenue North, Seattle, Washington 98109, USA
Name/Company: A Hotjar Ltd
Function/Activity: Web analytics to better understand the needs of our users and to improve our services
Registered office: Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 3155, Malta
Name/Company: Fundingport Sofia EOOD
Function/Activity: Softwareentwicklung und Hosting der Fundingport Plattform
Registered office: ul. Galichitsa 22, 1407 Sofia, Bulgaria