Attachment 15.2 - ORDER DATA PROCESSING AGREEMENT.

This agreement is made between the parties as a supplementary regulation for compliance with data protection regulations in accordance with Art. 28 of the General Data Protection Regulation (GDPR) and specifies the obligations of the contracting parties regarding data protection that arise from the contract concluded with the Provider.

Insofar as the term “data processing” or “processing” (of data) is used in this Agreement, the definition of “processing” within the meaning of Art. 4 No. 2 GDPR shall apply. The Provider is hereinafter referred to as “Contractor”, the Customer hereinafter as “Customer”.

  1. Subject of the contract

    1. The Contractor shall provide services for the Client in the area of provision, further development and maintenance of the cloud-based SaaS application “BIMcosmos” on the basis of the Terms of Use (hereinafter: “Main Agreement”). In this context, the Contractor shall obtain access to personal data and shall process such data exclusively on behalf of and in accordance with the instructions of the Client. The scope and purpose of the data processing by the Contractor are set out in the Main Agreement and the appendices thereto. The Customer shall be responsible for assessing the permissibility of the data processing.

    2. In order to specify the mutual rights and obligations under data protection law, the parties conclude the present agreement (hereinafter: “this Agreement”). In case of doubt, the provisions of this agreement shall take precedence over the provisions of the main agreement.

    3. The provisions of this Agreement shall apply to all activities related to the Main Contract in which the Contractor and its employees or persons authorized by the Contractor come into contact with personal data originating from the Client or collected for the Client.

  2. Type of data processed, group of data subjects

    1. As part of the performance of the Main Contract, the Contractor will have access to personal data. These data include:

      1. Salutation, first name, last name, e-mail, telephone, mobile, company data, street, house number, post office box, country, server domain, language, job title, bank and contact data of clients of the client;

      2. Name and contact details of the client’s employees;

      3. other third party data processed by the client in the software;

      4. if applicable, data of special categories according to Art. 9 GDPR, from which the origin, political opinions, religious or ideological convictions or trade union membership can be inferred, as well as health data or data concerning sexual life or the sexual orientation of a person concerned.

    2. Group of persons affected by the data processing:

      1. the client and its employees and workers;

      2. Project parties and their employees;

      3. Third parties who gain access to the software.

  3. Term

    1. The term of this agreement shall be based on the term of the main agreement, provided that no obligations or rights of termination beyond this arise from the following provisions.

    2. An extraordinary right of termination of each party remains unaffected.

  4. Right of instruction

    1. The Contractor may only collect, process or use data within the scope of the main contract and in accordance with the Client’s instructions.

    2. The Client’s instructions shall initially be determined by this Agreement and may thereafter be amended, supplemented or replaced by the Client in writing or in text form by individual instructions.

    3. All instructions issued shall be documented by both the Client and the Contractor. Instructions that go beyond the performance agreed in the main contract shall be treated as a request for a change in performance.

    4. If the Contractor is of the opinion that an instruction of the Customer violates data protection provisions, it shall notify the Customer thereof without undue delay. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Customer. The Contractor may refuse to carry out an obviously illegal instruction.

  5. General obligations and protective measures of the contractor, confidentiality

    1. The Contractor shall design its company and its operating procedures in such a way that the data it processes in connection with the main contract are protected against unauthorized disclosure to third parties.

    2. In the event of disruptions, suspected data protection violations or breaches of contractual obligations of the Contractor, suspected security-related incidents or other irregularities in the processing of personal data by the Contractor, persons employed by it within the scope of the contract or by third parties, the Contractor shall inform the Customer without undue delay. This shall not apply if the breach of the protection of personal data is not expected to lead to a noticeable impairment of the rights and freedoms of natural persons.

    3. If the Customer’s data at the Contractor is endangered by seizure or attachment, by insolvency or composition proceedings or by other events or measures of third parties, the Contractor shall inform the Customer thereof without undue delay, unless it is prohibited from doing so by court or administrative order. In this context, the Contractor shall immediately inform all competent bodies that the decision-making authority over the data lies exclusively with the Client as the “responsible party” within the meaning of the GDPR.

    4. The Contractor shall comply with its obligations under Article 30 (2) of the GDPR to maintain a record of processing activities.

    5. The Contractor shall support the Client in complying with the obligations set out in Art. 33-36 of the GDPR to the extent that the Client is dependent on the Contractor’s support in this respect.

    6. The Contractor shall take all necessary technical and organizational measures for the adequate protection of the Client’s data pursuant to Art. 32 GDPR. The Customer is aware of these technical and organizational measures set out in Annex 15.1 to this Agreement and shall be responsible for ensuring that they provide an adequate level of protection for the risks of the data to be processed. The Contractor reserves the right to change the security measures taken, while ensuring that the contractually agreed level of protection is not undercut.

    7. The Contractor has appointed a company data protection officer in accordance with Art. 37 GDPR and § 38 BDSG.

    8. The Contractor is obliged to maintain confidentiality when processing data for the Client. The Contractor undertakes to observe the same rules of confidentiality as are incumbent upon the Client.

    9. The persons employed in data processing by the Contractor are prohibited from collecting, processing or using personal data without authorization. The Contractor shall impose a corresponding obligation on its employees and its agents who are entrusted by it with the processing and performance of this Agreement and shall ensure compliance with this obligation with due care.

  6. Control rights of the client

    1. The Customer shall have the right to monitor the Contractor’s compliance with the statutory provisions on data protection and/or compliance with the agreements made and/or compliance with the Customer’s instructions at any time to the extent required.

    2. The Contractor undertakes to provide the Client, upon the latter’s written request and within a reasonable period of time, with all information and evidence required to carry out an inspection within the meaning of paragraph 1.

    3. The Contractor may claim remuneration for enabling the control rights by the Client.

    4. In the event of measures taken by the supervisory authority vis-à-vis the Client within the meaning of Art. 58 GDPR in conjunction with § 40 BDSG, in particular with regard to information and control obligations, the Contractor shall be obliged to provide the Client with the necessary information.

  7. Subcontracting relationships

    1. The Customer agrees that the Contractor may use the subcontractors named in Annex 15.2 to perform the contractually agreed services. The Contractor shall inform the Customer before calling in further subcontractors or replacing the existing subcontractors. The Contractor shall carefully select subcontractors according to their suitability and reliability. When engaging subcontractors, the Contractor shall oblige them in accordance with the provisions of this Agreement.

    2. The customer may object to the change within a reasonable period of time and for good cause. If no objection is made within the period, the consent to the change shall be deemed given.

    3. If subcontractors in a third country are to be involved, the Contractor must ensure that an appropriate level of data protection is guaranteed at the respective subcontractor (e.g., by concluding an agreement based on the EU standard data protection clauses and, if necessary, creating further guarantees).

    4. Subcontracting relationships within the meaning of this contract are only those services that have a direct connection with the provision of the main service. Ancillary services, such as transport, maintenance and cleaning as well as the use of telecommunications services or user services are not covered. However, the Contractor shall be obligated to enter into appropriate and legally compliant contractual agreements as well as control measures to ensure data protection and data security of the Customer’s data also in the case of outsourced ancillary services.

  8. Requests and rights of data subjects

    1. The client is solely responsible for safeguarding the rights of the data subjects.

    2. The Contractor shall support the Client as far as possible with suitable technical and organizational measures in fulfilling the Client’s obligation to respond to and fulfill requests from data subjects pursuant to Art. 12 – 23 GDPR, insofar as the Client is dependent on support in this respect.

  9. Liability

    1. In the internal relationship with the Contractor, the Client alone shall be responsible to the Data Subject for compensation for damages suffered by a Data Subject due to inadmissible or incorrect data processing or use within the scope of commissioned processing in accordance with the data protection laws.

    2. The parties shall each release themselves from liability if one party proves that it is not responsible in any respect for the circumstance as a result of which the damage occurred to an affected party. The indemnification shall be subject to the condition that any settlement or acknowledgement of third party claims shall only be made with the prior written consent of the respective other party.

  10. Termination of the main contract

    1. The Contractor shall return to the Client after termination of the main contract or at any time upon the Client’s request all documents, data and data carriers provided to it, as well as any processing and utilization results created, which are related to the contractual relationship, insofar as the Client does not or cannot access them itself, or – at the Client’s request, insofar as there is no obligation to store the personal data under Union or German law – delete them. This shall also apply to any data backups at the Contractor. The Contractor shall provide documented proof of the proper deletion of any data still available upon termination of the contract.

    2. The Contractor shall be obligated to treat as confidential any data of which it becomes aware in connection with the main contract, even beyond the end of the main contract. The present agreement shall remain valid beyond the end of the main contract as long as the Contractor has personal data at its disposal which have been forwarded to it by the Client or which it has collected for the Client.

  11. Right of retention

    1. The parties agree that the defense of the right of retention by the Contractor within the meaning of § 273 BGB (German Civil Code) with regard to the data to be processed and the associated data carriers is excluded.

  12. Various individual clauses

    1. Amendments and supplements to this Agreement as well as a waiver of a right under this Agreement must be made in writing to be effective, unless a stricter form is required by law. The above provisions shall also apply to the waiver of the written form requirement pursuant to this paragraph.

    2. This Agreement (together with the Annexes) fully reflects the agreements between the Parties with respect to the subject matter of the Agreement; no collateral agreements have been made. All previous agreements of the parties in connection with the subject matter of the contract are replaced by this contract.

    3. Should individual provisions of this contract prove to be invalid, this shall not affect the validity of the rest of the contract. In such a case, the parties are obliged to replace the invalid provision with the legally permissible provision that achieves the purpose of the invalid provision, in particular what the parties intended, in the closest possible approximation. The same shall apply if a gap requiring supplementation should arise during the execution of the contract.

    4. For any notice, statement, information or other communication required by this Agreement to be given in writing, the transmission of a signed statement as a PDF copy or other electronic copy by email shall be sufficient for its effective delivery, unless otherwise expressly provided.

    5. Unless otherwise provided for in this Agreement or in mandatory statutory provisions, neither party shall be entitled to assign or otherwise transfer its rights under this Agreement, in whole or in part, to a third party without the prior written consent of the other party.

    6. This contract does not establish any third party rights. This contract does not establish any kind of company between the parties or company-like obligations.

    7. This contract shall be governed exclusively by German law, to the exclusion of international private law and conflict of laws.

    8. The place of jurisdiction for all disputes arising from this contract is Hamburg, insofar as this can be permissibly agreed.

Annex 15.1 – Technical and organizational measures of the contractor for data protection according to Art. 32 GDPR

The Contractor is obliged to comply with the following technical and organizational measures for data security within the meaning of Art. 32 GDPR:

  1. Introduction

    1. Subject of the document

      This document summarizes the technical and organizational measures taken by the Contractor within the meaning of Article 32 (1) of the GDPR. These are measures with which the contractor protects personal data. The purpose of the document is to support the controller in fulfilling its accountability obligation under Art. 5 (2) GDPR.

  1. Confidentiality (Art. 32 para. 1 lit. b GDPR)

    1. Physical access control

      The following implemented measures prevent unauthorized persons from gaining access to the data processing facilities:

      1. Work in the home office: unauthorized persons have no access to the employee’s residence

      2. Work in the home office: employees are instructed, where possible, to work in a study separate from the living quarters

    2. System access control

      The following implemented measures prevent unauthorized persons from accessing the data processing systems:

      1. Authentication with user and password

      2. Use of anti-virus software

      3. Firewall deployment

      4. Automatic desktop lock

      5. Creation of user profiles

      6. Use of 2-factor authentication

      7. General corporate policy on data protection or security

    3. Data access control

      The following implemented measures ensure that unauthorized persons do not have access to personal data:

      1. Number of administrators is kept as small as possible

      2. Management of user rights by system administrators

    4. Separation control

      The following measures ensure that personal data collected for different purposes are processed separately:

      1. Separation of productive and test system

      2. Logical client separation (software-side)

      3. Setting database rights

  2. Integrity (Art. 32 para. 1 lit. b GDPR)

    1. Transfer control

      It is ensured that personal data cannot be read, copied, changed or removed without authorization during transfer or storage on data carriers and that it is possible to check which persons or bodies have received personal data. The following measures are implemented to ensure this:

      1. Email encryption

      2. WLAN encryption (WPA2 with strong password)

      3. Provision of data via encrypted connections such as SFTP or HTTPS

    2. Input control

      The following measures ensure that it is possible to check who has processed personal data in data processing systems and at what time:

      1. Logging of the entry, modification and deletion of data

      2. Clear responsibilities for deletions

  3. Availability and resilience (Art. 32 para. 1 lit. b GDPR)

    1. The following measures ensure that personal data is protected against accidental destruction or loss and is always available to the client:

      1. Regular backups

      2. Creation of a backup & recovery concept

      3. Hosting (at least of the most important data) with a professional hoster

  4. Procedures for regular review, assessment and evaluation (Art. 32(1)(d) GDPR; Art. 25(1) GDPR)

    1. Data protection management

      The following measures are intended to ensure that an organization that meets the basic requirements of data protection law is in place:

      1. Using the heyData platform for data protection management

      2. Appointment of the data protection officer heyData

      3. Obligation of employees to data secrecy

      4. Regular training of employees in data protection

      5. Keeping an overview of processing activities (Art. 30 GDPR)

    2. Incident Response Management

      The following measures are intended to ensure that notification processes are triggered in the event of data privacy breaches:

      1. Data breach notification process pursuant to Art. 4 No. 12 GDPR to the supervisory authorities (Art. 33 GDPR)

      2. Data breach notification process pursuant to Art. 4 No. 12 GDPR vis-à-vis data subjects (Art. 34 GDPR)

      3. Involvement of the data protection officer in security incidents and data breaches

      4. Use of anti-virus software

      5. Firewall deployment

    3. Privacy-friendly default settings (Art. 25 (2) GDPR)

      The following implemented measures take into account the requirements of the principles “Privacy by design” and “Privacy by default”:

      1. Training of employees in “Privacy by design” and “Privacy by default”.

      2. No more personal data is collected than is necessary for the respective purpose.

    4. Order control

      The following measures ensure that personal data can only be processed in accordance with the instructions:

      1. Written instructions to the contractor or instructions in text form (e.g. by order processing contract)

      2. Ensuring the destruction of data after completion of the order, e.g. by requesting appropriate confirmations

      3. Confirmation from contractors that they commit their own employees to data secrecy (typically in the order processing contract)

      4. Careful selection of contractors (especially with regard to data security)

      5. Ongoing review of contractors and their activities


Annex 15.2: Approved subcontractors

The following companies are approved subcontractors within the meaning of sec. 7:

| Name | Operating company, address | Place of data processing | Area of application within the scope of the contract | Affected persons |
|---|---|---|---|---|
| Microsoft Cloud | Microsoft Ireland Operations Ltd.*, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland | Server in the European Union | Hosting | Customers, project parties and employees of the customer or project parties |