fundingport - Terms and Conditions

Terms and Conditions

Preamble

FUNDINGPORT GmbH (hereinafter referred to as "FUNDINGPORT") operates an online Platform for financing and similar products and services (hereinafter referred to as "Platform") under the name FUNDINGPORT.

The Platform is aimed at companies, project companies (i.e.S. Special Purpose Vehicle) and investors registered on the Platform (hereinafter referred to as "Users"), consultants authorised by a User and registered on the Platform (hereinafter referred to as "Third-Party Users") as well as banks, investors, other capital Providers, electricity consumers, due diligence Providers and law firms registered on the Platform (hereinafter referred to as "Providers").

On the Platform, Users can indicate their financing needs and request suitable financing. Authorised Third-Party Users can also post financing requests for Users. FUNDINGPORT forwards the requests to selected Providers registered on the Platform. The Providers then have the opportunity to submit non-binding offers (hereinafter referred to as "Term Sheets"). The User or Third-Party User can view the Term Sheets on the Platform, compare them with each other and initiate a contract conclusion with selected Providers via the Platform. In this respect FUNDINGPORT acts as messenger of the respective participating Users, Third-Party Users and Providers.

§1 Inclusion of the general terms and conditions

1. Users, Third-Party Users and Providers must agree to these Terms and Conditions including the Data Processing Agreement in Annex A (hereinafter referred to as "Terms") in order to register on the Platform. Without this consent, neither the Platform nor other services of FUNDINGPORT can be used.

2. Users, Third-Party Users and Providers consent to the Terms by clicking a checkbox before completing registration (opt-in procedure). The valid version of the Terms can be accessed here.

§2 General information

1. The Terms regulate the rights and obligations of the parties with regard to the use of the Platform.

2. Other general terms and conditions shall only apply if the parties (FUNDINGPORT on the one hand and Users, Third-Party Users or Providers on the other hand) have expressly agreed to this in writing or in text form.

3. Only entrepreneurs (according to § 14 German Civil Code (BGB)) may register on the Platform as Users, Third-Party Users or Providers. Other persons, especially consumers (according to § 13 German Civil Code (BGB)), are not permitted to use the Platform. In addition, sanctioned parties are prohibited from accessing the platform:

3.1. Persons and associations of persons are excluded from using the Platform to the extent that they are sanctioned parties.

3.2. For the purposes of this regulation, sanctioned parties are all of the following:

a. Consumers, legal entities and other associations of persons who are resident or domiciled in a state or region against which the United States, the European Union or the Federal Republic of Germany have issued measures that are considered comprehensive sanctions ("Comprehensive Sanctions");

b. Consumers, legal entities and other associations of persons against whom the United States, the European Union or the Federal Republic of Germany have imposed economic sanctions measures.

c. Person or associations of person in which a sanctioned party referred to in a.) or b.) holds at least 50% of the shares or voting rights; in which a sanctioned party referred to in a.) or b.)has the right to determine the majority of the members of the management, the board of directors or a comparable governing body; or which is otherwise under the control of a party referred to in a.) or b.).

3.3. In addition, for reasons of business policy and to protect the general reputation of the Platform, persons and associations of persons domiciled in a high-risk country shall be excluded from using the Platform. For the same reasons, loans may not be brokered to persons and associations of persons if they are domiciled in a high-risk country. High-risk countries in this sense are all third countries with high risk identified by the Commission in the applicable delegated act pursuant to Art. 9 of Directive (EU) 2015/849 (or any successor regulation thereto), as well as the following countries:

Democratic Republic of Korea (North Korea)
Iran
Crimea
Cuba
Sudan/ South Sudan
Syria
Lebanon
Syria
Belarus

3.4. The exclusions set forth in 3.1. and 3.3. shall not apply to the extent that this constitutes a violation of Regulation (EC) No. 2271/96 or a prohibited boycott within the meaning of Section 7 AWV.

§3 Scope of services and compensation

1. FUNDINGPORT provides funding on the Platform under the URL https://app.fundingport.com where Users or authorised Third-Party Users can request financing in the form of non-profit participating and non-qualified subordinated loans, similar products and services as well as investment products within the meaning of § 1 para. 2 Investment Products Act (VermAnlG) for their respective commercial purposes.

2. By the financing request, the User or Third-Party User asks the Provider to submit Term Sheets without obligation. Only complete requests (all mandatory fields are filled in) can be processed. FUNDINGPORT presents Users or Third-Party Users with suitable Providers registered on the Platform for their request. FUNDINGPORT presents the selection according to the tender criteria that FUNDINGPORT has previously determined from the Provider(s). Such criteria are, for example, the type of financing or investment products, the customer groups or the investment volume for which the Providers wish to receive financing requests. The Users or Third-Party Users themselves choose the Providers to whom their enquiry is to be forwarded from the selection presented by FUNDINGPORT.

3. The Providers selected by the User or Third-Party User are then given the opportunity to submit Term Sheets suitable for the financing request within a time period defined by the User or Third-Party User.

4. The Term Sheets submitted by the Provider(s) are immediately and continuously displayed to the User or Third-Party User in a personal login area on the Platform. In individual cases, the User or Third-Party User may receive the Term Sheets via FUNDINGPORT in a separate way, e.g. by e-mail. If the User or Third-Party User wishes to contact a Provider, the User or Third-Party User must use the corresponding function of the Platform. If the User or Third-Party User has selected a Provider to contact, FUNDINGPORT will transmit the contact data provided by the User or Third-Party User to the Provider.

5. The Term Sheets of the Providers are not binding. Therefore, the terms and conditions displayed in the Term Sheet may still change. In addition, a concrete creditworthiness and/or project assessment may only be carried out by the Provider after the Provider has been selected. The result of this assessment can lead to changed conditions or, if applicable, to the rejection of the financing.

6. The Provider provides the User or Third-Party User with contractual documents after successful creditworthiness and/or project assessment. The conclusion of the financing contract between the Provider and User does not take place via the Platform. Accordingly, the selection of a Provider by a User or Third-Party User does not yet lead to the conclusion of a contract.

7. FUNDINGPORT is not obliged to check the data provided by the User or Third-Party User on the Platform, in particular regarding the company and/or the project or financing plan. Furthermore, FUNDINGPORT is not obliged to check the Term Sheets submitted by the Providers, possibly subject to conditions. FUNDINGPORT assumes no liability for the content of the Term Sheets, contractual documents and all other information provided by the User, Third-Party User or Provider.

8. FUNDINGPORT provides a data room on the Platform where Users, Third-Party Users and Providers can provide documents necessary or useful for the conclusion of the financing as well as access such documents of the respective other parties concerned and use a question and answer (Q&A) function. Users, Third-Party Users and Providers are solely responsible for deciding which data to upload, delete and which of this data is only made available for inspection or also for download. As far as personal data are processed or uploaded in this data room, FUNDINGPORT will act as a Data Processor by providing the technical infrastructure of the data room. The Users, Third-Party Users and Providers are responsible for data processing in the data room in accordance with the General Data Protection Regulation (DSGVO). FUNDINGPORT processes personal data strictly in accordance with the instructions of the respective responsible party. The Data Processing Agreement, which is in Appendix A to these Terms, shall become part of this contract with the consent of the User, Third-Party User and Provider to these Terms.

9. FUNDINGPORT is not liable to Users, Third-Party Users and Providers for the effective conclusion, execution or termination of a financing contract between Provider and User. FUNDINGPORT merely acts as a technical service Provider in order to simplify communication between Users, Third-Party Users and Providers and to facilitate the conclusion of a financing contract between Users and Providers. In this respect, FUNDINGPORT undertakes to pass on to the selected Providers as messengers the financing requests created by the User or Third-Party User, which are suitable for this purpose, and to store the Term Sheets submitted by the Providers in the login area of the User or Third-Party User in accordance with these Terms.

10. FUNDINGPORT does not warrant that the Platform will be available at all times. Maintenance work, software updates as well as events beyond the control of FUNDINGPORT (e.g. force majeure, third party negligence) may lead to temporary unavailability of the Platform. If FUNDINGPORT can foresee that downtimes for maintenance and software updates will last longer than 12 hours, FUNDINGPORT will inform User, Third-Party User and Provider of this fact by e-mail, taking due account of all mutual, including commercial, interests.

11. Compensation

The use of the Platform is free of charge for Users, Third-Party Users and Providers.

If a financing contract between a Provider and a User is concluded, the Provider is obliged to pay a commission to FUNDINGPORT. The commission paid to FUNDINGPORT by the Provider may be included in part or in full in the Provider's offer conditions. Further details are agreed in the service contract between FUNDINGPORT and the Provider.

Users, Third-Party Users and Providers undertake vis-à-vis FUNDINGPORT to refrain from any actions aimed at circumventing the commission claim.

§4 Registration

1. The use of the Platform and the related services of FUNDINGPORT requires registration by the respective User, Third-Party User and Provider. In this context, both the relevant commercial data of the Users, Third-Party Users and Providers as well as the contact data of the natural persons who carry out the registration for the User, Third-Party User or Provider (hereinafter referred to as "Individuals") must be recorded. All relevant data must be provided completely and truthfully. The mandatory data must be filled in for registration. The Individual must select a user name and password. After confirming the selected password and clicking the checkbox to agree to these Terms, the User, Third-Party User or Provider completes the registration by clicking the "Register” button. During and after registration, further authentication measures may be required for security reasons.

2. Registration as a User, Third-Party User or Provider is permitted to legal entities or partnerships in the context of their commercial activities. As an Individual, any natural person with unlimited legal capacity is permitted to carry out a registration, who is authorized to do so by the respective User, Third-Party User or Provider. FUNDINGPORT may at any time demand proof of the registration data provided and of the Individual's entitlement. However, FUNDINGPORT is not obliged to verify such data. Furthermore, FUNDINGPORT may contact an Individual at any time in connection with the operation of the Platform. Contact may be established by e-mail, telephone or post. It is not permitted to create multiple registrations for the same User, Third-Party User or Provider.

3. There is no right to registration. FUNDINGPORT is entitled to refuse registration without giving reasons. FUNDINGPORT is also entitled not to activate or subsequently block the account of a User, Third-Party User or Provider or the registration of a Individual if required proof is missing. Furthermore, FUNDINGPORT may at any time refuse or cancel the processing of a financing request without stating reasons and delete the financing request if there are indications that the use of the Platform is contrary to the legitimate interests of the other Users, Third-Party Users or Providers. In the event of false information or other discrepancies, FUNDINGPORT has the right to permanently exclude the User, Third-Party User or Provider concerned from using the Platform and to cancel and delete financing requests (including retrospectively).

§5 Use of the Platform by Third-Party Users / right to exemption

1. A Third-Party User may post financing requests for Users on the Platform if and to the extent that he is entitled to do so vis-à-vis the User concerned. A link between User and Third-Party User shall be established at the latest when the Third-Party User creates a financing requestfor the User on the Platform.

2. The Third-Party User assures FUNDINGPORT that he/she has been authorised by the User to do so by submitting a financing request for a User. Upon request, the Third-Party User shall provide FUNDINGPORT with proof of sufficient authorisation by the User. However, FUNDINGPORT is not obliged to verify this. The Third-Party User shall indemnify FUNDINGPORT from all claims, in particular those of the User, asserted against FUNDINGPORT due to the non-existence or exceeding of an authorisation.

3. By submitting a financing request for a User, the Third-Party User further assures FUNDINGPORT that he/she has all necessary official and other permits and licenses. The Third-Party User shall indemnify FUNDINGPORT from all claims asserted against FUNDINGPORT due to the absence or exceeding of any required permit or license.

§6 Obligations of the User, Third-Party User and the Provider / release from banking secrecy / right to exemption

1. The User, Third-Party User and Provider shall bear sole responsibility for the correctness and completeness of all information, content (e.g. documents, files), links and other data that he/she records on the Platform (hereinafter referred to as "Data").

2. Users, Third-Party Users and Providers warrant in particular that they are entitled to pass on the Data to FUNDINGPORT and that FUNDINGPORT is entitled to pass on the Data to the respective other parties.

3. Users, Third-Party Users and Providers are also obliged to design their Data in such a way that it does not violate legal or official regulations or offend common decency.

4. The use of the data room is made available exclusively for the following purposes:

a. Recording, verification, exchange and storage of financially relevant information

b. Upload, download, exchange and storage of finance-related documents

5. Users, Third-Party Users and Providers may use the Platform and the data room exclusively in accordance with these Terms and the purposes regulated therein. The use of the Platform, the data room and the provided functions may not be used in an abusive manner and/or outside the intended contractual purpose. Data and information which are generated or uploaded to the data room by Users, Third-Party Users and Providers on the Platform or may not violate the respective applicable laws of the Federal Republic of Germany.

6. Users, Third-Party Users and Providers shall ensure that they check all stored data for compliance with the requirements of paragraphs 1 to 5 before each new financing request and, where necessary, correct or make them available again in accordance with these conditions.

7. FUNDINGPORT is entitled to request evidence of the data provided.

8. Users, Third-Party Users and Providers are obliged to keep the access data to the Platform (user name and password) secret and to protect them from access by third parties. Users, Third-Party Users and Providers shall ensure that the access data cannot be spied out by third parties when they are entered. If a User, Third-Party User or Provider is aware or suspects that a third party has obtained knowledge of the access data of the User, Third-Party User or Provider in question, the User, Third-Party User or Provider is obliged to change his access data without undue delay (according to §121 German Civil Code (BGB)). If this is not possible, FUNDINGPORT must be informed immediately and the further procedure must be agreed with FUNDINGPORT.

9. User, Third-Party User and Provider have the obligation to inform FUNDINGPORT in case of a conclusion of financing contract in the sense of § 3 para. 1 between User and Provider within five banking days after conclusion of the contract. User, Third-Party User and Provider are also obliged to inform FUNDINGPORT in the event of the final failure to conclude a financing contract initiated via the Platform. The information can be provided via the Platform, by e-mail, by telephone or by post. FUNDINGPORT shall be entitled to contact the User, Third-Party User and/or Provider at any time for queries regarding the contractual status. The User authorises the Provider to inform FUNDINGPORT in the event of a conclusion of a contract within the meaning of § 3 para. 1 about the conclusion of the financial product, the volume and the time of the provision and/or first partial payment as well as in the event of failure to conclude a financing contract, to also inform FUNDINGPORT about this and releases the Provider from banking secrecy in this respect. FUNDINGPORT shall use the contractual data provided exclusively for invoicing the Provider.

10. Users, Third-Party Users and Providers shall indemnify FUNDINGPORT from all claims of third parties and/or other parties that are asserted against FUNDINGPORT due to incorrect, incomplete and/or illegal data and/or unauthorized data transfer. This also includes cases in which the User, Third-Party User or Provider has not sufficiently checked automatically completed data fields.

§7 Security / Communication / Platform

1. Subject to the provisions on liability in §8, FUNDINGPORT shall ensure with the care that is customarily exercised in its own affairs (according to § 277 German Civil Code (BGB)) that all Data on the Platform and communication via the Platform are protected against unauthorised access by third parties.

2. FUNDINGPORT undertakes to comply with all data protection regulations concerning FUNDIGPORT in their respective applicable version. When processing personal data, FUNDINGPORT will only employ personnel or third parties who have been committed to confidentiality in the handling of personal data and who have been appropriately familiarized with the requirements of data protection. FUNDINGPORT undertakes, in the event of the involvement of third parties, to oblige such third parties to comply with all provisions of data protection law.

3. FUNDINGPORT processes Data provided by the User, Third-Party User or Provider in accordance with the legal requirements and the Data Processing Agreement in Annex A. Irrespective of this, Users, Third-Party Users or Providers are obliged to secure the Data provided by them outside the Platform in a suitable form.

4. FUNDINGPORT reserves the right to change the Platform. In doing so, FUNDINGPORT will take into account the legitimate concerns of Users, Third-Party Users and Providers and inform them of any impending change at an early stage if and to the extent that the change is likely to affect their legitimate concerns.

§8 Liability / Statute of limitations

1. FUNDINGPORT shall only be liable for slight negligence in case of breach of material contractual obligations. Material contractual obligations are all obligations whose fulfilment is essential for the proper execution of the contract and on whose compliance a User, Third-Party User and Provider may regularly rely. Otherwise the pre-contractual, contractual and non-contractual liability of FUNDINGPORT is limited to intent and gross negligence. This limitation of liability shall also apply in the event of fault of a vicarious agent (according to § 278 German Civil Code (BGB)) of FUNDINGPORT.

2. If the breach of a material contractual obligation is not due to gross negligence or intent, the liability of FUNDINGPORT shall be limited to such typical damages or such typical extent of damages that was reasonably foreseeable at the time of the conclusion of the contract.

3. The exclusions/limitations of liability according to paragraphs 1 and 2 do not apply to liability for injury to life, body or health or according to the Product Liability Act (ProdHaftG).

4. Warranty claims shall become statute-barred within a period of one year from the start of the statutory limitation period. This shall not affect the statute of limitations with regard to liability for damages based on an intentional or grossly negligent breach of duty by FUNDINGPORT or a legal representative or vicarious agent (according to § 278 German Civil Code (BGB)) of FUNDINGPORT as well as the statute of limitations with regard to liability for damages resulting from injury to life, body or health or under the Product Liability Act (ProdHaftG). In this respect the statutory period of limitation shall apply in each case.

§9 Offsetting

Users, Third-Party Users and Providers may only offset counterclaims against claims of FUNDINGPORT if such counterclaims have been legally established in a non-appealable manner, are undisputed or have been acknowledged by FUNDINGPORT. The same applies to any rights of retention of Users, Third-Party Users and Providers. Furthermore, Users, Third-Party Users and Providers are only entitled to exercise a right of retention to the extent that the respective counterclaim is based on the same contractual relationship.

§10 Non-disclosure agreement

1. Users and Third-Party Users must treat the Confidential Information of the Providers, Providers must treat the Confidential Information of the Users and Third-Party Users as confidential. FUNDINGPORT shall treat the Confidential Information of Users, Third-Party Users and Providers made available as confidential.

Regardless of the medium in which it is contained, "Confidential Information" shall be deemed to include in particular all financial, technical, technological, economic, strategic, legal, fiscal, business and business process related or other information (including products, manufacturing processes, know-how, trade secrets, business relationships, business strategies, business plans, financial planning, personnel matters) which relates to Users, Third-Party Users or Providers or companies affiliated with them within the meaning of §§ 15 ff. Stock Corporation Act (AktG). This also includes other information within the meaning of § 2 Law on Trade Secrets (GeschGehG), which is neither generally known nor readily accessible, is of commercial value and is subject to confidentiality measures.

2. Users, Third-Party Users and Providers each remain the owner (within the meaning of § 2 No. 2 GeschGehG) of the Confidential Information exchanged between them in the course of using the Platform and retain (unless otherwise agreed) all rights to use and exploit this Confidential Information.

3. Users, Third-Party Users and Providers shall not forward the Confidential Information of the respective other party received via the Platform to unauthorized third parties or make it accessible to such third parties and shall take appropriate secrecy measures to protect the Confidential Information from access by third parties.

§11 Place of performance / Place of jurisdiction / Applicable law

1. The place of performance (according to § 29 Code of Civil Procedure (ZPO)) for the obligations of Users, Third-Party Users and Providers as well as on the part of FUNDINGPORT under these Terms is the registered office of FUNDINGPORT.

2. Berlin is agreed as the exclusive - also international - place of jurisdiction for all disputes arising from or in connection with these Terms. FUNDINGPORT has the right to sue at the domicile of the User, Third-Party User or Provider concerned or before other courts competent under national or foreign law. Priority statutory provisions, in particular regarding exclusive jurisdiction, shall remain unaffected.

3. These Terms are subject to the law of the Federal Republic of Germany.

§12 Severability Clause / Changes / Amendments

1. Should one of the provisions of these Terms be or become legally invalid or void in whole or in part, the validity of the remaining provisions shall not be affected thereby. Rather, the parties undertake to participate in an agreement which, in economic terms, corresponds as closely as possible to the original intention of the parties. The same applies to loopholes in the regulations of these Terms.

2. Changes or amendments to these Terms may be made by means of an offer by FUNDINGPORT via the Platform and acceptance by the User, Third-Party User or Provider by activating a corresponding button or checkbox on the Platform. In addition, changes or amendments to these Terms may also be agreed by FUNDINGPORT offering the amended Terms to Users, Third-Party Users and Providers in text form no later than six weeks before the proposed date of their entry into force and the consent of a User, Third-Party User or Provider shall be deemed to have been given if the User, Third-Party User or Provider has not indicated its rejection before the proposed date of entry into force of the changes or amendments. FUNDINGPORT will make special reference to the intended significance of the other parties´ behavior in the offer.

3. Oral subsidiary agreements to these Terms have not been made. Changes or amendments to these Terms outside of this procedures in accordance with paragraph 2, including their cancellation, must be made in writing; this also applies to the changes or amendment of the written form clause.

Appendix A: Data Processing Agreement

Data Processing Agreement according to Art. 28 General Data Protection Regulation (DSGVO) between the User, Third-Party User or Provider within the meaning of the Terms hereinafter referred to as "Data Controller" in each case and Fundingport GmbH, Heidestraße 8, 10557 Berlin, Germany, hereinafter referred to as 'Data Processor'.

Preamble

There is a contractual relationship between the Data Controller and the Data Processor within the meaning of Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, "DSGVO").

This Data Processing Agreement for processing orders including all annexes (hereinafter jointly referred to as "Agreement") specifies the data protection obligations of the parties arising from the Terms, in particular in accordance with Sections 3 (8), 6 (4) (5) of the Terms (hereinafter referred to as "Terms and Conditions"). Insofar as reference is made to the provisions of the German Federal Data Protection Act (Bundesdatenschutzgesetz, "BDSG"), this refers to the Act on the Adaptation of Data Protection Law to Regulation (EU) 2016/679 and on the Implementation of Directive (EU) 2016/680 in the version applicable as of 25 May 2018.

The Data Processor undertakes to the Data Controller to perform the Terms and Conditions and this Agreement in accordance with the following provisions:

§ 1 Scope of application and definitions

1. The following provisions shall apply to all data processing services within the meaning of Art. 28 DSGVO which the Data Processor provides to the Data Controller on the basis of the Terms and Conditions.

2. In so far as the term "data processing" or "processing" of data is used in this Agreement, it is generally understood to mean the use of personal data. Data processing or the processing of Data means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3. Reference is made to the further definitions in Art. 4 DSGVO.

§ 2 Object and duration of data processing

1. The Data Processor shall process personal data on behalf of and in accordance with the instructions of the Data Controller.

2. The object of the Agreement is the provision of the technical infrastructure of a data room on the Platform by the Data Processor for use by the Data Controller, in particular by recording, verification, exchange and storage of financially relevant information and / or upload, download, exchange and storage of finance-related documents and using the question and answer function (Q&A) within the the Terms and Conditions.

3. The duration of this Agreement corresponds to the duration of the Terms.

§ 3 Nature and purpose of data processing

The nature and purpose of the processing of personal data by the Data Processor are specified in the Terms and Conditions. The Terms and Conditions covers the following activity(ies) and purpose(s):

The Data Processor operates a Platform through which Data Controllers can initiate the conclusion of financing contracts and acts as a technical service Provider to facilitate communication between the Data Controllers concerned.
By providing the technical infrastructure of a data room on the Platform, the Data Processor enables the Data Controller to independently record, organize, store and make available documents necessary or useful for the conclusion of the financing contract for inspection or download by the other Data Controllers concerned, to erase such documents and to collect, consult, use and, if necessary, store such documents of the other Data Controllers concerned and provides a question and answer function (Q&A) for Data Controllers.

§ 4 Categories of data subjects

Under this Agreement, personal data of the following categories of data subjects will be processed:

Personnel of a Data Controller
Individuals or other contact persons of a Data Controller
Other natural persons who have a connection to the financing project and/or whose Data are necessary or useful for the conclusion of the financing contract and/or whose Data are recorded by a Data Controller

§ 5 Nature of personal data

The following data types are affected by data processing:

Personal master data (name, form of address)
Contact details (e-mail address, telephone number, address)
Contract data (contract details, services, customer number)
Other data recorded by a Data Controller

§ 6 Rights and duties of the Data Controller

1. The Data Controller alone is responsible for assessing the permissibility of the data processing and for safeguarding the rights of the data subjects and is therefore controller in the sense of Art. 4 para. 7 DSGVO.

2. The Data Controller is entitled to issue instructions on the nature, scope and procedures of data processing. Oral instructions must be confirmed by the Data Controller in writing or in text form (e.g. by e-mail) without undue delay at the request of the Data Processor.

3. If the Data Controller considers it necessary, persons authorized to give instructions may be named. The Data Controller shall inform the Data Processor of these in writing or in text form. In the event that these persons authorised to give instructions change at the Data Controller's premises, the Data Processor shall be notified of this in writing or in text form, naming the new person in each case.

4. The Data Controller shall inform the Data Processor without undue delay whenever errors or irregularities relating to the processing of personal data by the Data Processor are detected.

§ 7 Obligations of the Data Processor

1. Data processing

The Data Processor will process personal data exclusively in accordance with this Agreement and/or the underlying Terms and Conditions and in accordance with the instructions of the Data Controller.

2. Rights of data subjects

a. The Data Processor will assist the Data Controller in the fulfillment of the rights of the data subjects, in particular as regards rectification, restriction of processing and erasure, notification and access to of information, within the limits of his possibilities. If the Data Processor processes the personal data referred to in Section 5 of this Agreement on behalf of the Data Controller and if these data are the subject of a request for data portability pursuant to Art. 20 DSGVO, the Data Processor shall provide the Data Controller with the relevant data set in a structured, common and machine-readable format within a reasonably set period of time, otherwise within seven working days.

b. The Data Processor shall, on the instructions of the Data Controller, rectify, erase or restrict the processing of the personal data referred to in Section 5 of this Agreement which are processed on behalf of the Data Controller. The same applies if this Agreement provides for the rectification, erasure or restriction of the processing of Data.

c. Where a data subject directly contacts the Data Processor for the purpose of rectifying, erasing or restricting the processing of personal data referred to in Section 5 of this Agreement, the Data Processor shall transmit this request to the Data Controller without delay upon receipt.

3. Control obligations

a. The Data Processor shall ensure through appropriate checks that the personal data processed under this Agreement are processed solely in accordance with this Agreement and/or the Terms and/or the relevant instructions.

b. The Data Processor shall design his company and his operating procedures in such a way that the Data which he processes on behalf of the Data Controller are secured to the extent necessary in each case and protected from unauthorized access by third parties.

c. The Data Processor confirms that it has appointed a data protection officer in accordance with Art. 37 DSGVO and, if applicable, in accordance with §38 BDSG, and that it monitors compliance with the provisions on data protection and data security with the involvement of the data protection officer. The data protection officer of the commissioned Data Processor is currently

ISiCO Data Protection GmbH
At Hamburger Bahnhof 4
10557 Berlin
berlin@isico-datenschutz.de

4. Information requirements

a. The Data Processor shall immediately inform the Data Controller if, in his opinion, an instruction issued by the Data Controller violates legal regulations. The Data Processor shall be entitled to suspend the execution of the relevant instruction until it is confirmed or amended by the Data Controller.

b. The Data Processor shall assist the Data Controller in complying with the obligations set out in Articles 32 to 36 DSGVO, taking into account the nature of the processing and the information available to him.

5. Place of data processing

The processing of the data takes place in the territory of the Federal Republic of Germany, in a member state of the European Union or in another state that is a party to the Agreement on the European Economic Area. Any relocation to a third country may only take place if the special requirements of Art. 44 et seq. DSGVO are fulfilled.

6. Erasure of personal data after completion of the Agreement

After termination of the Terms and Conditions, the Data Processor will either erase or return all personal data processed under the Agreement, at the choice of the Data Controller, provided that the erasure of such data does not conflict with any statutory storage obligations of the Data Processor. The erasure in accordance with data protection regulations must be documented and confirmed to the Data Controller upon request.

§ 8 Rights of control of the Data Controller

1. The Data Controller is entitled, after prior notification in good time during normal business hours without disrupting the business operations of the Data Processor or endangering the security measures for other Data Controller and at his own expense, to inspect compliance with the regulations on data protection and the contractual agreements to the necessary extent himself or through third parties. The controls can also be carried out by accessing existing customary industry certifications of the commissioned Data Processor, current certificates or reports of an independent authority (such as auditor, external data protection officer or external data protection auditor) or self-reports. The Data Processor will provide the necessary support to carry out the checks.

2. The Data Processor shall inform the Data Controller of the implementation of the supervisory authority's control measures, insofar as the measures may concern the processing of data which the Data Processor carries out for the Data Controller.

§ 9 Subcontracting relationships

1. The Data Controller authorizes the Data Processor to use the services of other processors in accordance with the following paragraphs in § 9 of this agreement. This authorisation constitutes a general written authorisation within the meaning of Art. 28 para. 2 DSGVO.

2. In the performance of the Agreement, the Data Processor shall currently cooperate with the subcontractors designated in Appendix 2, to whose assignment the Data Controller consents.

3. The Data Processor is entitled to commission further processors or to replace those already commissioned. The Data Processor shall inform the Data Controller in advance of any intended change regarding the appointment or replacement of a further processor. The Data Controller may object to an intended change.

4. The objection to the intended change must be made to the Data Processor within 2 weeks after receipt of the information about the change. In the event of an objection, the Data Processor may, at his own discretion, either provide the service without the intended change or propose an alternative further processor and agree this with the Data Controller. If the performance of the service without the intended change is unreasonable for the Data Processor - for example, because of disproportionate expenses for the Data Processor - or if the coordination of an alternative processor fails, the Data Controller and the Data Processor may terminate this Agreement and the Terms and Conditions with one month's notice to the end of the month.

5. Whenever a further processor is engaged, a level of protection comparable to that of this Agreement must always be guaranteed. The Data Processor shall be responsible to the Data Controller for all acts and omissions of the other processors employed by him.

§ 10 Confidentiality

1. The Data Processor shall be bound to confidentiality when processing data on behalf of the Data Controller.

2. In fulfilling the Agreement, the Data Processor undertakes to employ only employees or other vicarious agents (according to § 278 German Civil Code (BGB)) who are committed to confidentiality in the handling of personal data provided and who have been made familiar with the requirements of data protection in a suitable manner. Upon request, the Data Processor shall prove to the Data Controller that the obligations have been fulfilled.

3. Insofar as the Data Controller is subject to other secrecy protection rules, he shall inform the Data Processor correspondingly. The Data Processor shall oblige his employees to comply with these secrecy protection rules in accordance with the requirements of the Data Controller.

§ 11 Technical and organisational measures

1. The technical and organisational measures described in Appendix 1 are agreed as appropriate. The Data Processor may update and modify these measures, provided that the level of protection is not significantly reduced by such updates and/or modifications.

2. The Data Processor shall observe the principles of proper data processing pursuant to Art. 32 in conjunction with Art. 5 para. 1 DSGVO. He shall guarantee the contractually agreed and legally required data security measures. He shall take all necessary measures to secure the Data or the security of the processing, in particular also taking into account the state of the art, and to mitigate possible adverse consequences for the data subjects. The measures to be taken include in particular measures to protect the confidentiality, integrity, availability and resilience of the systems and measures to ensure the continuity of processing after incidents. In order to be able to guarantee an adequate level of security of the processing at all times, the Data Processor will regularly evaluate the measures implemented and make adjustments where necessary.

§ 12 Liability/exemption

1. The Data Processor shall be liable to the Data Controller in accordance with the statutory provisions for all damage caused by culpable breaches of this Agreement and of the statutory data protection provisions applicable to him by the Data Processor, his employees or those commissioned by him to implement the Agreement in the performance of the contractual service. The Data Processor shall not be obliged to pay compensation if the Data Processor can prove that it has processed the Data of the Data Controller provided to it exclusively in accordance with the instructions of the Data Controller and that it has complied with its obligations under the DSGVO specifically imposed on the processors.

2. The Data Controller shall indemnify the Data Controller from all claims of third parties which are asserted against the Data Controller due to a culpable breach of the obligations arising from this Agreement or applicable data protection regulations by the Data Controller.

§ 13 Miscellaneous

1. In case of contradictions between the provisions of this agreement and the provisions of the Terms and Conditions, the provisions of this agreement shall prevail.

2. Amendments and changes to this Agreement shall require the mutual consent consent in writing, including in electronic form of the contracting parties with specific reference to the provision of this Agreement to be changed or amended. Verbal collateral agreements do not exist and are also excluded for future changes or amendments of this Agreement.

3. This Agreement is subject to German law.

4. If the access to the data which the Data Controller has transmitted to the Data Processor for data processing is endangered by measures of third parties (e.g. measures of an insolvency administrator, seizure by tax authorities, etc.), the Data Processor shall immediately notify the Data Controller thereof.

Annex directory

Appendix 1 to Annex A: Technical and organisational measures to ensure the security of data processing

Appendix 2 to Annex A: Subcontracting relationships pursuant to § 9 of the Agreement

Appendix 1 to Annex A: Technical and organisational measures to ensure the security of processing

The Data Processor warrants that it has taken the following technical and organisational measures:

A. Measures for pseudonymisation

Measures that reduce the direct reference to the data subject during processing in such a way that it is only possible to identify a specific data subject by consulting additional information. The additional information must be kept separate from the pseudonym by means of suitable technical and organisational measures.

B. Encryption measures

Measures or processes in which a clearly readable text / information is converted with the aid of an encryption method (cryptosystem) into an unreadable, i.e. not easily interpretable character string (ciphertext):

256-bit Advanced Encryption Standard (AES-256)

C. Measures to ensure confidentiality

1. Access control

There is no physical storage or processing of Data by the Data Processor. Measures that physically deny unauthorized persons access to IT systems and data processing equipment used to process personal data, as well as to confidential files and data carriers:

Controlled access via personalised mobile phones or, chip card
Door security (electronic door opener, etc.)
Doorman
Monitoring equipment (alarm systems, video)
Secure server room
Control system for visitors.

Measures to prevent unauthorized persons from processing or using data protected by data protection laws:

Only authorized personnel have access to the physical data centers. All employees who need access to a data center must first submit a request for access and provide a valid business justification. This request is granted based on the principle of least privilege, meaning that employees must specify in the request to which level of the data center and for how long they require access. The request is reviewed and approved by authorized personnel. Access is revoked after the requested period of time has expired. Employees with access to a computer center are restricted by their authorizations to certain areas.
Access by third parties must be requested by authorized employees, who must also provide a valid business justification for such access. This request is granted based on the principle of least privilege, i.e. employees must specify in the request to which level of the data center and for how long they require access. These requests are approved by authorized personnel. Access is withdrawn after the requested period of time has expired. Employees with access to a computer center are restricted by their authorizations to certain areas. Persons with a visitor badge must present it on arrival at the site and are registered and accompanied by authorized personnel.
Access to the computer centers is checked regularly. Access is automatically revoked as soon as an employee's file is deleted from the personnel system. In addition, access by employees or temporary workers is revoked after the approved period has expired, even if they continue to work as employees.
Electronic intrusion detection systems are installed on the data level, which detect security-relevant events and automatically alert the responsible employees. The entrances and exits of the server rooms are secured by devices on which personnel must pass through multi-factor authentication procedures before they can enter or leave the room. These devices trigger an alarm if the door is broken or held open without authorization. The door alarm systems are configured to detect when someone enters or leaves a data layer without multi-factor authorization. In this case, an alarm is immediately triggered and sent to the Security Operations Center for logging, analysis and response.
Password procedure, i.e. personal and individual user log-in when logging on to the system (including special characters, minimum length, regular password changes)
Automatic locking (e.g. password or pause circuit)
Setup of a user master record per user
Limitation of the number of authorised employees
Encapsulation of sensitive systems through separate network areas
Authentication procedure
Set up regularly updated antivirus and spyware filters

Measures to ensure that those authorized to use the data processing procedures can only access the personal data subject to their access authorization, so that data cannot be read, copied, modified or removed without authorization during processing, use and storage:

Authorization concepts (profiles, roles, etc.) and their documentation
Evaluation/logging
Archiving concept
Logging of accesses and attempted misuse

2. Separation rule

Measures to ensure that data collected for different purposes are processed separately and kept separate from other data and systems in such a way as to prevent unplanned use of these data for other purposes:

Personal data is stored in encrypted form (256-bit Advanced Encryption Standard (AES-256)
Test and production systems do not share any Data.

D. Measures to ensure integrity

1. Data integrity

Measures to ensure that stored personal data is not damaged by malfunctioning of the system:

Import of new releases and patches with release/patch management
Functional test during installation and releases/patches by IT department
Logging
Transport processes with individual responsibility

2. Transfer check

Measures to ensure that it is possible to verify and establish to which bodies personal data have been or may be transmitted or made available using data communication equipment:

Logging
Transport processes with individual responsibility
Checksums

3. Transport control

Measures to ensure that the confidentiality and integrity of data are protected during the transmission of personal data and during the transport of data media:

Transmission of Data via encrypted data networks or tunnel connections (VPN)
Transport processes with individual responsibility
Encryption methods that detect Data changes during transport
Comprehensive logging procedures

4. Input control

Measures to ensure that it is possible to subsequently check and establish whether and by whom personal data have been entered, modified or removed from computer systems:

Logging of all system activities and retention of these logs for at least three years
Protocol evaluation systems

E. Measures to ensure availability and resilience

1. Availability control

Measures to ensure that personal data is protected against accidental destruction or loss. Data is stored on the Amazon Cloud (AWS). For details see: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf

Data backup procedure
Redundant server systems
Uninterruptible power supply
Fire alarm system
Air conditioning
Alarm system
Emergency plans
No water-carrying pipes above or next to server rooms

2. Rapid recover-ability

Measures to ensure the ability to rapidly restore the availability of and access to personal data in the event of a physical or technical incident:

Data backup procedure
Regular tests of the data recovery
Emergency plans

3. Reliability

Measures that ensure that all functions of the system are available and that any malfunctions that occur are reported:

Automatic monitoring
Emergency plans with responsibilities
IT emergency service 24/7
Regular tests of the data recovery

F. Measures for the regular evaluation of the security of data processing

1. Review procedure

Measures to ensure that processing complies with data protection regulations and is secure:

Data protection management
Regular re-certification
Formalized processes for data protection incidents
Instructions of the client are documented

2. Order Control

Measures to ensure that personal data processed under contract can only be processed in accordance with the instructions of the principal:

Instructions of the client are documented
Formalized order management

Appendix 2 to Annex A: Subcontractors in accordance with § 9 of the Agreement

In the performance of the Agreement, the Data Processor is currently working with the following other processors, which the Data Controller agrees to commission

Name/Company: Amazon Web Services Inc.

Function/Activity: Data storage of the order Data Processor on servers of Amazon Web Services Inc.

Registered office: 410 Terry Avenue North, Seattle, Washington 98109, USA

Name/Company: A Hotjar Ltd

Function/Activity: Web analytics to better understand the needs of our users and to improve our services

Registered office: Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 3155, Malta

Name/Company: Fundingport Sofia EOOD

Function/Activity: Softwareentwicklung und Hosting der Fundingport Plattform

Registered office: ul. Galichitsa 22, 1407 Sofia, Bulgaria

‍