GAIA Terms of Use
(including Data Processing Terms)
relating to the GAIA® platform
Creation date: February 7, 2024
(1) These terms of service (“Terms”) are applicable to all services provided by GAIA Technologies GmbH, a limited liability company under the laws of the Federal Republic of Germany, registered with the commercial register of the local court of Berlin (Charlottenburg) under registration No. HRB 226489 B (“GAIA”, you and GAIA collectively the “Parties”).
(2) GAIA is operating a SaaS software solution (the “Application”) that helps companies to manage their legal affairs and their legal work, like creating and signing contracts, managing legal data and handling their stakeholders. GAIA is not providing any legal or tax advice.
(3) GAIA offers the temporary use of this software application via a telecommunication connection as well as the possibility to store application data in return for a usage fee. By signing up or accessing the App you agree to the Terms.
1. How to get access to the Application
1.1. Prior to using the Application the Customer and GAIA have to sign an offer (the “Offer”) which contains the commercial terms under which the Customer may use the App and to which these Terms of Use including the details in Annex A shall be attached (together, the “Agreement”).
1.2. The Application is offered in different plans with different pricing. The Customer may use the parts of the Application as agreed upon in the Offer once the Offer has been signed and the payment of the agreed price has been made.
1.3. The provision of the Application includes the Customer’s rights to use the Application and the provision of storage space for the data required to use or generated by the Customer in using the Application (collectively, the “Application Data”), all set out in the Offer and, in further detail, in Annex A.
2. Services
2.1. The Application enables the Customer to create, sign and store legal documents and manage legal data. It enables the Customer to integrate legal data into different other third party applications. GAIA provides legal content through the Application (“Legal Content”).
2.2. In certain parts of the Application GAIA uses capabilities of large language models developed by third parties (“AI Models”). GAIA shall not be held responsible or liable in any way for any inaccuracies, errors, incompleteness, bias or illegality in content created by the AI Models. The AI Models shall not constitute legal advice but shall only be used to help with research within legal data.
2.3. The functionalities of the Application will change from time to time and GAIA will add new capabilities to the Application. If new capabilities are being added GAIA in its sole discretion may decide to include this in the current plan of the Customer or make access to the additional capabilities subject to the payment of an additional price.
3. Agreement Duration
If not stated otherwise in the Offer the Agreement has a fixed term of twelve (12) months (“Minimum Contract Period”). If the contract is not terminated with a notice period of at least six weeks prior to the end of the Minimum Contract Period it is automatically extended by the Minimum Contract Period (“Renewal Period”) and can then be terminated 6 weeks prior to the end of each such Renewal Period.
4. Provision of Application
4.1. GAIA shall keep the Application available, as agreed in the Offer and, in further detail, in Annex A, in its respective current version on one or several central data processing system(s) (collectively, the “Server”) for use in accordance with the following regulations as of the time agreed upon in the Offer and, in further detail, in Annex A.
4.2. GAIA shall provide the Customer with the number of accesses agreed in the Offer and, in further detail, in Annex A. Usernames and user passwords are assigned by the Customer.
4.3. GAIA shall ensure that the Application always corresponds to the proven state of the art. If and to the extent that the provision of an update or a new version of, or a change in the Application is accompanied by a significant change in essential functionalities of the Application, essential work processes of the Customer supported by the Application and/or significant restrictions in the usability of previously generated Application Data, GAIA shall notify the Customer in text form no later than two (2) weeks before the relevant update, new version or change takes effect. If the Customer does not object to the update, new version or change in text form within a period of one (1) week from receipt of the change notification, the update, new version or change shall become part of the Agreement.
4.4. GAIA shall provide storage space on the Server for the Application Data to the extent and from the time of operational provision agreed in the Offer and, in further detail, in Annex A.
4.5. The Application and the Application Data shall be backed up by GAIA or its service provider on the Server on a regular basis, at least once every calendar day. The Customer is solely responsible for the compliance with commercial and tax retention periods.
4.6. The transfer point for the Application and the Application Data is the router output of the data center of the service provider of GAIA.
5. Technical availability of the Application
5.1. GAIA shall procure the availability of the Application and the Application Data at the delivery point as agreed in Annex A. By availability, the Parties understand the technical usability of the Application and the Application Data at the delivery point for use by the Customer.
5.2. All details on availability, in particular the technical parameters and procedures for measuring and determining availability, are set out in Annex A.
5.3. As per Annex A, the Parties further agree on response times applicable in case of non-availability and/or in case of material defects regarding the Application and/or the Application Data, including any sanctions in case of non-compliance.
6. Non-fulfillment of main performance obligations
6.1. If GAIA does not comply with the agreed obligations under this Agreement in whole or in part after operational provision of the Application and/or the Application Data, the flat fee according to Sec. 9.1.1 and 9.2 shall be reduced pro rata temporis for the time during which the Application and/or the Application Data and/or the storage space are not available to the Customer to the extent agreed.
6.2. Ongoing usage fees according to Sec. 9.1.2 and 9.3, if any, are only due for business transactions which were carried out despite the restriction or discontinuation of the services using the Application.
7. Other services of GAIA
7.1. Upon termination of the Agreement, GAIA shall send to the Customer, at their written request, a complete copy of all Application Data on usual data carriers (backup).
7.2. GAIA does not owe any written documentation, including in relation to the Application and/or any Application Data.
8. Rights of use to the Application
8.1. The Customer shall be granted access rights to the Application that are limited in time to the term of the Agreement.
8.2. Neither the Application nor the Application Data shall be physically transferred to the Customer. The Customer may use the Application and the Application Data only for its own business activities.
8.3. The Customer shall not be permitted to sell its access rights to the Application and to transfer them to any third parties, including renting, licensing, or lending them.
8.4. If GAIA makes new versions, updates, upgrades, or other new deliveries regarding the Application during the term of the Agreement, the mutual rights and obligations under the Agreement shall also apply to such new versions, updates, upgrades, or other new deliveries.
8.5. The Customer shall take all necessary precautions to prevent the use of the Application and/or the Application Data by any unauthorized persons.
8.6. If and to the extent that, during the term of the Agreement, a database or database work is created on the Server by entering the Customer’s Application Data, all rights thereto shall belong to GAIA. Upon termination of the Agreement, the Customer shall receive a copy of the relevant databases or database works.
8.7. Nothing in this Agreement shall restrict GAIA from using the Application and/or Application Data for its own data analysis during the term of the Agreement and thereafter. This shall include the automated analysis of the Application Data to obtain information therefrom about patterns, trends, and correlations. Prerequisite for these data analyses is that GAIA uses the Application Data only in anonymized form.
9. Liability for third party rights
9.1. GAIA will inform the Customer immediately about rights of third parties or their assertion and about a resulting impairment of the provision of agreed services and will appropriately enable the Customer to access the Application Data.
9.2. GAIA shall indemnify the Customer against all justified third-party claims which prevent the Customer from exercising their right to use the Application in accordance with the Agreement. The Parties will immediately notify each other in text form if third-party claims are asserted against them.
9.3. GAIA shall not be held liable for any infringement of any third-party rights by the Customer, if and to the extent the infringement results from a transgression of the Customer’s rights of use which are granted under the Agreement. In this case, the Customer shall indemnify GAIA on first demand from and in relation to any such third-party claims.
10. Remuneration
10.1. The remuneration for the provision of use regarding the Application, including all related services such as the provision of storage space and data backups, shall consist of
10.1.1. a flat fee; and
10.1.2. a use-dependent fee(s),
all as set out in the Agreement, in particular in the Offer.
10.2. The flat fee agreed in the Agreement, in particular in the Offer, shall be payable from the date of operational provision of the Application, and as further set out in the Agreement, in particular in the Offer. Unless otherwise agreed, it shall be due in advance for each 12-months’ period of usage of the Application (annual flat fee); if the Agreement is terminated for cause during a 12-months’ period of usage of the Application, the flat fee shall be reduced and repaid pro rata temporis.
10.3. The usage-dependent fee(s), if any, regarding the Application (including related services such as the provision of storage space and data backups) shall become due and payable in accordance with the specifications set out in the Agreement, in particular in the Offer.
10.4. Any remuneration under the Agreement, including the flat fee and any use-dependent fee(s), shall be owed plus statutory value added taxes (VAT) at the statutory rate applicable from time to time.
11. Obligations of the Customer
11.1. The Customer shall fulfill all duties and obligations required for the proper execution of the Agreement.
11.2. The Customer shall, in particular (without limitation):
11.2.1. keep secret the usage and access authorizations assigned to it or the users as well as agreed identification and authentication safeguards, protect them from access by third parties and not pass them on to unauthorized users. These data are to be protected by suitable and usual measures. The Customer will inform GAIA immediately if there is a suspicion that the access data and/or passwords could have become known to unauthorized persons;
11.2.2. not retrieve (or cause any unauthorized person to retrieve) any information or data without proper authorization or interfere (or cause any unauthorized person to interfere) with any programs operated by GAIA or intrude (or cause any such intrusion) into GAIA’s data networks without proper authorization;
11.2.3. obtain any necessary data protection consents from the respective data subject, insofar as it collects, processes or uses personal data when using the Application and no statutory permissions apply;
11.2.4. before sending data and information to GAIA, check them for viruses and use state of the art virus protection programs;
11.2.5. if they transmit data to generate Application Data using the Application, back them up regularly and according to the importance of the data, and make their own backup copies to enable reconstruction of the data and information in case of a data loss;
11.2.6. if and insofar as the technical possibility to do so is made available to them by mutual agreement, regularly back up the Application Data stored on the Server, e.g., by way of a download.
12. Data security and data protection
12.1. The Parties shall comply with any applicable data protection laws and shall oblige their employees or other representatives to maintain appropriate data secrecy.
12.2. If the Customer collects, processes or uses personal data, they guarantee that they are authorized to do so according to any applicable data protection laws, and shall indemnify GAIA from any third-party claims in connection with a breach of any such laws.
12.3. The Parties agree that the Application Data may comprise personal data which is protected by applicable data protection laws and that GAIA will act as data processor (Auftragsdatenverarbeiter) in relation to such personal data. Against this background, the Parties agree on the data processing terms set out in Annex B.
12.4. GAIA will collect and use Customer related data only to the extent required for the performance of the Agreement. The Customer agrees to the collection and use of such data to such extent.
12.5. The obligations pursuant to Sec. 11.1 through 11.3 shall apply for as long as Application Data are in the sphere of influence of GAIA, also beyond the term of the Agreement.
12.6. GAIA may perform the services under this Agreement through sub-contractors in Germany and other EU countries, provided that such subcontractors are subject to the obligations set out in Sec. 11.1 through 11.4.
13. Confidentiality
13.1. Information to be treated confidentially hereunder is (i) any information which is expressly designated as confidential by the Party providing the information and (ii) any information, the confidentiality of which clearly results from the circumstances of the transfer. In particular, the Application Data are to be treated confidentially.
13.2. Information is not to be treated as confidential hereunder insofar as the Party receiving the relevant information proves that it
13.2.1. was known to them or generally accessible before the date of receipt;
13.2.2. was known or generally available to the public prior to the date of receipt;
13.2.3. became known or generally accessible to the public after the date of receipt, without the information-receiving Party being responsible for disclosure.
13.3. The Parties shall keep confidential all confidential information that has come to their knowledge within the scope of the Agreement and shall only use such confidential information vis-à-vis third parties – for whatever purpose – with the prior consent in text form of the respective other Party. Furthermore, they shall apply to such confidential information appropriate secrecy measures according to the circumstances.
13.4. The obligations under this Sec. 12 shall continue to exist beyond the term of the Agreement for an indefinite period.
14. Liability and limitations
14.1. The Parties shall be liable under the Agreement without limitation in the event of intent (Vorsatz) or gross negligence (grobe Fahrlässigkeit) for all damage caused by them and their legal representatives or vicarious agents.
14.2. In the event of simple negligence (einfache Fahrlässigkeit), the Parties shall be liable under the Agreement without limitation only in the event of injury to life, limb or health (Verletzung des Körpers, des Lebens oder der Gesundheit).
14.3. Apart from that, a Party shall only be liable insofar as they have breached an essential contractual obligation. Essential contractual obligations are those obligations which are of particular importance for the achievement of the purpose of the Agreement, as well as all those obligations which, in the event of a culpable breach, may result in the achievement of the purpose of the Agreement being jeopardized. In these cases, liability is limited to compensation for foreseeable, typically occurring damages. Liability under Section 536a BGB and the Product Liability Act shall remain unaffected.
15. Term and termination
15.1. The term of the Agreement shall commence with its conclusion and shall have an indefinite period. The services hereunder shall be provided as set out in the Offer and, in further detail, in Annex A.
15.2. The Agreement can be terminated by either Party by written notice with a notice period of one (1) month to the end of a year. GAIA will regularly inform the Customer about an upcoming renewal period.
15.3. The right of either Party to terminate the Agreement for cause shall remain unaffected.
15.4. Notwithstanding Sec. 14.3, GAIA may terminate the Agreement without notice if the Customer is in delay with the payment due under the Agreement.
15.5. Upon termination of the Agreement, GAIA shall be obliged to provide the Customer with the Application Data stored by the Customer on a permanently readable mobile and audit-proof data carrier.
16. Final provisions
16.1. The Agreement shall be governed by the substantive laws of the Federal Republic of Germany. The provisions of the UN Convention on Contracts for the International Sale of Goods shall not apply in relation to this Agreement.
16.2. To the extent permissible, exclusive place of jurisdiction and venue shall be Berlin, Germany.
Annex A to the GAIA Terms of Use
1. Permitted stress (threshold values for the stress of the Application and Server)
1.1. GAIA can only provide its services, especially the compliance with the availability agreed below, according to the contract, if the Customer complies with the threshold values (number of users) agreed below. In case of usage above these thresholds, a lower availability up to a non-availability of the Application and/or the Server is to be expected.
1.2. Quantity user: 1,000.
2. Concept of availability
Availability is the ability of the Customer to use the entire functionalities of the relevant Application as well as the Application Data at the Power Delivery Point.
3. Determination of availability
3.1. GAIA provides the Application to the Customer during the agreed term but excluding the agreed periods of planned unavailability; the term minus the periods of planned unavailability is the system term.
3.2. The system runtime, the core usage time within the system runtime and the marginal usage time (as time outside the core usage time but within the system runtime) are agreed in the following table. Availability is calculated separately within the core usage time and within the marginal usage time. The value of availability is the percentage of availability within the reference period. The reference period results from the following table.
3.3. Notwithstanding any compliance with availability within the reference period, the Application shall have no more than the uninterrupted downtime shown in the table.
3.4. The parameters are agreed as follows:
3.5. The available usage (availability given) also includes the periods during
- Malfunctions in or due to the condition of parts of the technical infrastructure required for the execution of the Application not to be provided by GAIA or its vicarious agents;
- malfunctions or other events, which are not (co-)caused by GAIA or one of its vicarious agents, e.g., exceeding of an agreed permitted stress of the Application;
- insignificant reduction of the suitability for the contractual use.
4. Planned unavailability
4.1. GAIA is entitled to maintain, service, backup or otherwise work on the Application and/or Server during periods of scheduled unavailability. Scheduled periods of unavailability shall be agreed upon with Customer. In case of important reasons, Customer will not unreasonably withhold its consent.
4.2. If and to the extent that the Customer can use the Application during periods of planned unavailability, there shall be no legal claim to this. If the use of an Application during times of planned unavailability results in a reduction or cessation of performance, the Customer shall have no claim to liability for defects or damages.
5. Reaction Times
5.1. GAIA takes care that within a time depending on the fault class and agreed in the following table from the receipt of the report of a technical fault of the Customer (fax, telephone, email) or from the machine error message by the Server or by the system installed at GAIA itself the fault removal is initiated, and the Customer is informed about it (reaction time). The provider does not guarantee a recovery time but tries to provide a solution time adequate to the error.
5.2. The disturbance classes are defined as follows:
Annex B - Data Processing Terms
1. Purpose and scope
1.1. The purpose of the Data Processing Terms contained in this Annex B (collectively, the “Clauses”), which form an integral part of the Agreement, is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.2. The Parties – with GAIA as the processor (for purposes of the Clauses also the “Processor”) and the Customer as controller (for purposes of the Clauses also the “Controller”) of relevant personal data – have agreed to the Clauses to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 and/or Article 29(3) and (4) of Regulation (EU) 2018/1725.
1.3. The Clauses apply to the processing of personal data which forms part of the Application Data, in particular in relation to the following:
1.4. The Clauses are without prejudice to obligations to which the Customer (as the controller) is subject by virtue of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
1.5. The Clauses do not by themselves ensure compliance with obligations related to international transfers in accordance with Chapter V of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
2. Invariability of the Clauses
The Parties undertake not to modify the Clauses, except for adding information to its tables and exhibits or updating information in them. This does not prevent the Parties from including the standard contractual clauses laid down in the Clauses in a broader contract, or from adding other clauses or additional safeguards provided that they do not directly or indirectly contradict the Clauses or detract from the fundamental rights or freedoms of data subjects.
3. Interpretation and hierarchy
3.1. Where the Clauses use the terms defined in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively, those terms shall have the same meaning as in that Regulation.
3.2. The Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively.
3.3. The Clauses shall not be interpreted in a way that runs counter to the rights and obligations provided for in Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or in a way that prejudices the fundamental rights or freedoms of the data subjects.
3.4. In the event of a contradiction between the Clauses and any other provisions of the Agreement, the Clauses shall prevail.
4. Description of processing(s)
The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Sec. 1.3 of the Clauses.
5. Obligations of the Parties
5.1. The Processor shall
5.1.1. process personal data only on documented instructions from the Controller, unless required to do so by Union or Member State law to which the Processor is subject. In this case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the Controller throughout the duration of the processing of personal data. These instructions shall always be documented;
5.1.2. immediately inform the Controller if, in the Processor’s opinion, instructions given by the Controller infringe Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725 or the applicable Union or Member State data protection provisions.
5.2. The Processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Sec. 1.3 of the Clauses, unless it receives further instructions from the Controller.
5.3. Processing by the Processor shall only take place for the duration specified in Sec. 1.3 of the Clauses.
5.4. The Processor shall
5.4.1. implement appropriate technical and organizational measures to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects;
5.4.2. grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing, and monitoring of the Agreement. The Processor shall ensure that persons authorized to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.5. The Parties shall be able to demonstrate compliance with the Clauses and shall at all times comply with the following requirements:
5.5.1. The Processor shall deal promptly and adequately with inquiries from the Controller about the processing of data in accordance with the Clauses.
5.5.2. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations that are set out in the Clauses and stem directly from Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
5.5.3. At the Controller’s request, the Processor shall also permit and contribute to audits of the processing activities covered by the Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the Controller may take into account relevant certifications held by the Processor. The Controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the Processor and shall, where appropriate, be carried out with reasonable notice.
5.5.4. The Parties shall make the information referred to in this Sec. 5.5, including the results of any audits, available to the competent supervisory authority/ies on request.
5.6. In relation to the use of sub-processors, the following shall apply:
5.6.1. The Processor has the Controller’s general authorization for the engagement of sub-processors from an agreed list. The Processor shall specifically inform the Controller in writing of any intended changes of that list through the addition or replacement of sub-processors at least two (2) weeks in advance, thereby giving the Controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The Processor shall provide the Controller with the information necessary to enable the Controller to exercise the right to object.
5.6.2. Where the Processor engages a sub-processor for carrying out specific processing activities (on behalf of the Controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with the Clauses. The Processor shall ensure that the sub-processor complies with the obligations to which the Processor is subject pursuant to the Clauses and to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
5.6.3. At the Controller’s request, the Processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the Controller. To the extent necessary to protect business secrets or other confidential information, including personal data, the Processor may redact the text of the agreement prior to sharing the copy.
5.6.4. The Processor shall remain fully responsible to the Controller for the performance of the sub-processor’s obligations in accordance with its contract with the Processor. The Processor shall notify the Controller of any failure by the sub-processor to fulfil its contractual obligations.
5.6.5. The Processor shall agree a third party beneficiary clause with the sub-processor whereby - in the event the Processor has factually disappeared, ceased to exist in law or has become insolvent - the Controller shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
5.7. In relation to international transfers, the following shall apply:
5.7.1. Any transfer of data to a third country or an international organization by the Processor shall be done only based on documented instructions from the Controller or in order to fulfil a specific requirement under Union or Member State law to which the Processor is subject and shall take place in compliance with Chapter V of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725.
5.7.2. The Controller agrees that where the Processor engages a sub-processor in accordance with Sec. 5.6 for carrying out specific processing activities (on behalf of the Controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the Processor and the sub-processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with Article 46(2) of Regulation (EU) 2016/679, provided the conditions for the use of those standard contractual clauses are met.
6. Assistance to the Controller
6.1. The Processor shall promptly notify the Controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorized to do so by the Controller.
6.2. The Processor shall assist the Controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations, the Processor shall comply with the Controller’s lawful instructions.
6.3. In addition to the Processor’s obligation to assist the Controller pursuant to Sec. 6.2, the Processor shall furthermore assist the Controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the Processor:
6.3.1. the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
6.3.2. the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;
6.3.3. the obligation to ensure that personal data is accurate and up to date, by informing the Controller without delay if the Processor becomes aware that the personal data it is processing is inaccurate or has become outdated;
6.3.4. the obligations in Article 32 of Regulation (EU) 2016/679.
7. Notification of personal data breach
7.1. In the event of a personal data breach, the Processor shall cooperate with and assist the Controller for the Controller to comply with its obligations under Articles 33 and 34 of Regulation (EU) 2016/679 or under Articles 34 and 35 of Regulation (EU) 2018/1725, where applicable, taking into account the nature of processing and the information available to the Processor.
7.2. In the event of a personal data breach concerning data processed by the Controller, the Processor shall assist the Controller:
7.2.1. in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the Controller has become aware of it, where relevant/(unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
7.2.2. in obtaining the following information which, pursuant to Article 33(3) of Regulation (EU) 2016/679, shall be stated in the controller’s notification, and must at least include:
a) the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b) the likely consequences of the personal data breach;
c) the measures taken or proposed to be taken by the Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
7.2.3. in complying, pursuant to Article 34 of Regulation (EU) 2016/679, with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
7.3. In the event of a personal data breach concerning data processed by the Processor, the Processor shall notify the Controller without undue delay after the Processor having become aware of the breach. Such notification shall contain, at least:
7.3.1. a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
7.3.2. the details of a contact point where more information concerning the personal data breach can be obtained;
7.3.3. its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
8. Non-compliance with the Clauses and termination
8.1. Without prejudice to any provisions of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725, in the event that the Processor is in breach of its obligations under the Clauses, the Controller may instruct the Processor to suspend the processing of personal data until the latter complies with the Clauses or the Agreement is terminated. The Processor shall promptly inform the Controller in case it is unable to comply with the Clauses, for whatever reason.
8.2. The Controller shall be entitled to terminate the Agreement insofar as it concerns processing of personal data in accordance with the Clauses if:
8.2.1. the processing of personal data by the Processor has been suspended by the Controller pursuant to Sec. 8.1 and if compliance with the Clauses is not restored within a reasonable time and in any event within one (1) month following suspension;
8.2.2. the Processor is in substantial or persistent breach of the Clauses or its obligations under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725;
8.2.3. the Processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to the Clauses or to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
8.3. The Processor shall be entitled to terminate the Agreement insofar as it concerns processing of personal data under the Clauses where, after having informed the Controller that its instructions infringe applicable legal requirements, the Controller insists on compliance with the instructions.
8.4. Following termination of the Agreement, the Processor shall, at the choice of the Controller, delete all personal data processed on behalf of the Controller and certify to the Controller that it has done so, or, return all the personal data to the Controller and delete existing copies unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, the Processor shall continue to ensure compliance with the Clauses.