End-User License Agreement

This End-User License Agreement (hereinafter referred to as “License Agreement” or “EULA”) is a legal agreement between you (either an individual or a single legal entity; hereinafter referred to as “Licensee”) and Winter und Gellweiler – Software Engineering GbR, Alter Schlachthof 39 D2, 76131 Karlsruhe, Germany (hereinafter referred to as “CraftCoders”). This License Agreement applies from the date when the Licensee receives the Software from CraftCoders or a reseller (esp. Atlassian). By installing, copying, downloading or otherwise using the Software, the Licensee agrees to be bound by the terms of this License Agreement. If the Licensee does not agree to the terms of this License Agreement, the Licensee may not install, copy, download or otherwise use the Software.

§ 1 Scope of Application

  1. This EULA applies to the use and licensing of Software by CraftCoders (“Software”) as an add-on to an Atlassian Pty Ltd (“Atlassian”) Software, whereas the Software is distributed via the online marketplace of Atlassian for on-demand applications and downloadable software applications (“Atlassian Marketplace”).
  2. For the download and use of the Software, the corresponding terms and conditions of Atlassian, in particular the Atlassian Marketplace Terms of Use (see https://www.atlassian.com/licensing/marketplace/termsofuse#introduction), apply in addition to this License Agreement. If an independent contractual relationship is established between the Licensee and Atlassian, this shall not be affected by this License Agreement.
  3. Unless otherwise agreed, the contract and license conditions of the particular manufacturer or supplier and/or the currently valid open source license conditions shall apply to third-party software and open source software which CraftCoders supplies to the Licensee either as a separate product or integrated in its own Software. These stipulated conditions may contain provisions that differ from this EULA, in particular, with regard to the granting of use rights and the warranty and liability conditions. CraftCoders has no influence on the business and licensing policy of the manufacturers of third-party software and is unable to prevent, for example, the Licensee incurring costs for a necessary upgrade, for example, due to changes in the license model for the third-party software or stopping support for certain versions in future. CraftCoders shall inform the Licensee about the valid contract and license conditions for the third-party software at the time of conclusion of the License Agreement. If the contract and license conditions for the third-party software contain loopholes, the provisions of this EULA shall apply accordingly.
  4. General terms and conditions or purchase conditions of the Licensee shall not apply even if CraftCoders supplies deliveries without objecting to said conditions.
  5. The then current version of the EULA shall also apply to all future License Agreements between CraftCoders and the Licensee even if this is not expressly referred to again.

§ 2 Provision and use of the Software; Support   

  1. CraftCoders provides the Licensee with the Software by making it available (i) for download on the Atlassian Marketplace for operation on the Licensee’s own infrastructure (Data Center version) or (ii) to be used directly with Atlassian’s hosted services, such as Atlassian’s Cloud offerings (Cloud version). The properties and functions of the Software as well as the type and scope of the licenses purchased by the Licensee are set forth and described on the CraftCoders website  or on the Atlassian Marketplace. Unless otherwise agreed, the Licensee shall be provided with the Software in the latest version at the time of provision and only in object or binary code form. The Licensee shall have no right to receive the source code of the Software. CraftCoders provides the Licensee with user documentation or other explanations (e.g. in the form of FAQ) in the English and German language by making it available on the CraftCoders Website.
  2. CraftCoders reserves the right to change the Software or individual functions, in particular to adapt them to the current state of the art, as far as this does not unreasonably change the relationship between performance and consideration to the disadvantage of the Licensee and the adaptation is reasonable for the Licensee.
  3. The Licensee shall be responsible for installing the Software in a corresponding Atlassian application (i.e. Jira, Confluence) under Licensees control or in a Atlassian Cloud instance, for complying with the agreed use conditions and system requirements and for ensuring smooth interaction between the Software and the Atlassian applications, his own systems and other programs of the Licensee. CraftCoders shall reasonably advise and support the Licensee in preparing and carrying out the installation.
  4. Excluded from the intended use of the Software is the use in hazardous situations in which injury to life, body or health of persons may occur, such as during a military operation, in a nuclear power plant etc. The use of the Software in such situations is not permitted; accordingly, CraftCoders shall not be liable for any damage resulting from such use.
  5. The Software is not intended for handling documents that are subject to confidentiality obligations. It is therefore not recommended to use the Software for this purpose. Should the Software nevertheless be used for handling documents subject to confidentiality obligations, the Licensee must take additional technical and organizational security measures (e.g. physical and logical network separation or firewalls) to prevent unauthorized persons from gaining access to the documents subject to confidentiality obligations.CraftCoders points out the following dependencies on Atlassian with regard to the provision and use of the software:
  6. Due to Security Incidents, the access to the Software for individual or all Licensees may be restricted or suspended. In this respect, CraftCoders is dependent on Atlassian’s decision, but will take appropriate account of the legitimate interests of Licensees within the scope of its possibilities, inform them immediately of the measures taken and do everything reasonable to lift the access restriction as quickly as possible.
  7. The usage of the Software may be restricted by platform quotas and limits for Forge apps (see https://developer.atlassian.com/platform/forge/platform-quotas-and-limits/) or other usage restrictions by Atlassian over which CraftCoders has no control.
  8. CraftCoders provide Software support as specified on the CraftCoders website or on the Atlassian Marketplace.

§ 3 Granting of Use Rights to the Software

  1. All copyrights, industrial property rights and other property rights to the Software (including all new versions) shall remain solely with CraftCoders in the relationship with the Licensee (or with the licensors of CraftCoders in the case of third-party software). The Licensee shall only receive the non-exclusive use rights which are described in this § 3.
  2. CraftCoders grants the Licensee a non-exclusive, temporally limited (subscription) right to use the provided Software for the Licensee’s own business purposes as agreed or as stipulated by both parties. Unless otherwise agreed, the Licensee is not entitled to use the software for the business purposes of third parties or to allow third parties to use it for themselves, to make it accessible to third parties or to pass it on to third parties. The right to use granted further varies depending on whether the Licensee is using the Data Center or the Cloud version.
  3. Data Center version: The Licensee may store and operate the software on the systems contractually defined by type and number and use it for the agreed type and number of licensed units (e.g. authorized users, number of documents). The type and scope of the rights of use granted and the content-related scope of the licenses (e.g. the agreed purposes of use) are set out in detail on the CraftCoders website or on the Atlassian Marketplace. Within the scope of contractual use, the Licensee is entitled to reproduce the software to the extent necessary and to make the necessary backup copies, which must be marked as such. Copyright and other proprietary rights notices within the provided software or third-party products may not be removed or changed by the Licensee. After installation of a new version of the software that is provided to the Licensee, e.g. as part of supplementary performance or maintenance, the rights of use for the previous program version shall lapse.
  4. Cloud version: The Licensee may use the software for its business purposes within the contractually agreed scope of use. The license parameters applicable to the software, which specify and limit the agreed scope of use, are set out on the CraftCoders website or an the Atlassian Marketplace.
  5. The Licensee shall not be entitled to translate, modify or redesign the Software beyond the extent permitted by law – especially the extent described in § 69d of the German Copyright Act. Disassembly and decompilation of the Software to establish interoperability of the Software with other programs is only permitted under the conditions and within the mandatory limits of § 69e German Copyright Act and if CraftCoders does not voluntarily provide the necessary information and documents within a reasonable period of time despite written request by the Licensee.
  6. If the Licensee receives Software from CraftCoders solely for test purposes or during a trial period, the use rights of the Licensee shall be limited to those actions whose objective is to determine the state of the Software and its suitability for the Licensee’s operational purposes and systems. Any further acts of use, in particular productive operation, as well as the creation of copies (including backup copies), editing and decompilation of the Software are prohibited. At the end of the agreed test period, the Licensee shall delete the Software completely and irretrievably from his systems (if applicable) and shall provide CraftCoders with written confirmation of deletion upon request. The Licensee has the right to terminate the free trial period at any time for convenience.
  7. Unless otherwise agreed, the Licensee is prohibited from acquiring Software from CraftCoders solely for test purposes or during a trial period if the Licensee already received Software for test purposes or during a trial period from Craft Coders and this initial agreed test period has expired. The licensee is especially prohibited from repeatedly acquiring Software from CraftCoders solely for test purposes or during a trial period by using differing e-mail-addresses.  
  8. Any use of the Software beyond the agreed license terms requires CraftCoders’ prior written consent. If the Software is used without this consent, CraftCoders shall invoice the Licensee for the remuneration resulting from the further use (also retrospectively). Claims for damages remain reserved.

§ 4 Provision of Updates

  1. Unless otherwise expressly stated in the description of the Software and the scope of the license, the Licensee shall have no right to the provision and installation of regular Updates or Upgrades. Mandatory legal claims of the Licensee remain unaffected.
  2. CraftCoders reserves the right, e.g. in the context of further developments of the Software, to provide the Licensee with Updates of the Software, e.g. if this appears necessary in regard of existing or suspected security gaps or malfunctions or if it is recommended for the optimization of the affected Software. Significant functional restrictions are not associated with such Updates. The Licensee hereby agrees to the installation of such Updates.
  3. Updates of the Software are provided in object or binary code via download (Data Center version) or are installed automatically (Cloud version). CraftCoders will not provide the source code of Updates to the Licensee. If the Licensee uses the Data Center version, he is responsible for the installation of Updates and shall check every Update he receives to determine whether it is free of defects before he starts the productive use. Regarding the rights of use related to Updates, the conditions of § 3 shall apply accordingly. The rights to the Software version replaced by the Update shall lapse automatically with the start of the productive use of the Update.
  4. If CraftCoders provides the Licensee with Updates of the Software free of charge, the Updates are provided “as is” and are not subject to CraftCoders’ liability for defects. Mandatory legal claims (e.g. for intentional breaches of duty) and possible warranty claims of the Licensee related to the originally purchased Software version remain unaffected, i.e. by providing an Update free of charge the Licensee does not lose any rights in this respect. If CraftCoders provides the Licensee with Updates of the Software free of charge, this does not lead to a new start of limitation periods.

§ 5 Liability for Defects

  1. CraftCoders shall provide the Software in a condition suitable for contractual use and shall maintain it during the term of the License Agreement. The obligation to maintain the Software shall not include the adaptation of the Software to changed use conditions and to technical and functional developments such as changes to the Licensee’s systems.
  2. CraftCoders warrants that the Software has the properties and functionalities defined in the product description during the agreed term and that the contractually agreed use of the Software does not infringe any third-party rights. Technical data, specifications and performance details in public statements by CraftCoders, especially in advertising material, shall not be regarded as contractually agreed specifications.
  3. Defects shall not include functional impairments of the Software which arise, for example, from incorrect operation by the Licensee, from the Licensee’s systems or system environment, from incomplete or incorrect data or data not complying with the requirements of CraftCoders, or from other circumstances from the Licensee’s sphere of risk. Any liability for defects shall depend on the Licensee complying with the system requirements and operation conditions specified by CraftCoders, and not changing the Software or using them contrary to the provisions of the License Agreement (e.g. for target systems or in a system environment other than that agreed), unless the Licensee proves that the defect does not relate to these circumstances.
  4. If a defect occurs during the term of the License Agreement, CraftCoders shall rectify it within a reasonable period of time. If the rectification of a defect finally fails and if this constitutes an important reason for the Licensee, the Licensee shall be entitled to terminate the License Agreement for cause without observing a notice period. The Licensee shall not be entitled to terminate the License Agreement on account of a minor defect. The Licensee shall not be entitled to withdraw from the License Agreement. CraftCoders shall only compensate damages and reimburse futile expenditure according to the limits set forth in § 7.
  5. The Licensee may only assert the right of termination pursuant to § 543 (2) No. 1 of the German Civil Code provided that the Licensee has previously requested CraftCoders to remedy the defect in writing, setting a reasonable deadline of at least two (2) weeks, and the deadline has expired without success.
  6. CraftCoders is liable for defects that were already present at the time of conclusion of the License Agreement, contrary to the legal regulation of § 536a German Civil Code, only if CraftCoders is responsible for such defects. In addition, § 7 shall apply.
  7. In the event of defects of third-party software supplied by CraftCoders to the Licensee, CraftCoders will, at its discretion, assert its warranty claims against the manufacturer or upstream supplier on behalf of the Licensee or assign them to the Licensee for its own enforcement. Warranty claims against CraftCoders shall only apply in accordance with this EULA if legal enforcement of the claims against the manufacturer or upstream supplier remains unsuccessful or is futile on account of the insolvency of the manufacturer or upstream supplier. Throughout the duration of the claim against the manufacturer or upstream supplier, the limitation period of the Licensee’s warranty claims against CraftCoders shall be suspended. If CraftCoders satisfies the Licensee’s claims, any defect claims against the manufacturer or upstream supplier that were assigned to the Licensee shall be returned to CraftCoders (re-assignment).
  8. If CraftCoders provides services during the analysis or rectification of a defect without being obliged to do so, CraftCoders may request the Licensee to pay separate remuneration for these services based on the actual cost. This provision shall apply, in particular, whenever a defect reported by the Licensee cannot be proven or cannot be attributed to CraftCoders. There shall be no claim to additional remuneration if it was not apparent to the Licensee, when exercising the necessary and reasonable care, that there was no defect in the Software.
  9. The limitation period for defect claims by the Licensee shall be one (1) year. This provision shall not apply if CraftCoders caused a defect intentionally or through gross negligence, maliciously concealed a defect from the Licensee or another compelling legal regulation precludes a reduction in the limitation period.

§ 6 Infringements of IP Rights

  1. CraftCoders warrants that the Software provided to the Licensee is free of third-party intellectual property rights and shall indemnify the Licensee from third-party claims due to infringements of intellectual property rights in accordance with the following provisions.
  2. If third parties raise claims against the Licensee due to the infringement of their intellectual property rights caused by the Software, the Licensee shall inform CraftCoders immediately in writing and in detail. CraftCoders shall be entitled but not obliged to solely conduct the dispute with the third party both in and out of court. If CraftCoders makes use of this option, the Licensee shall support CraftCoders in its defense to a reasonable extent without payment and shall grant CraftCoders all necessary authorizations in this respect. The Licensee will not acknowledge the claims of the third party on its own initiative.
  3. If the Software contains a defect of title during the term of the License Agreement, CraftCoders shall provide the Licensee with a lawful way to use the Software. To rectify the defect, CraftCoders may alternatively at its choice modify the affected Software or replace them (fully or partially) by equivalent Software. If an infringement of third-party intellectual property rights and/or a legal dispute concerning the third-party claims can be rectified or avoided by the Licensee using a more up-to-date version of the Software provided by CraftCoders free of charge, the Licensee shall be obliged to accept and use this Software as part of his obligation to minimize damages, unless he proves that use of the more up-to-date version is unreasonable for him.
  4. CraftCoders will indemnify the Licensee within the liability limits set forth in § 7 from all damages arising from the infringement of intellectual property rights, insofar as these are based on a defect of title in the Software used by the Licensee in accordance with the License Agreement, which was present during the term of the License Agreement and for which CraftCoders is responsible. In all other respects, the provisions for material defects in § 5 apply accordingly to the Licensee’s claims based on defects of title.
  5. CraftCoders is not liable, in particular, if claims of a third party based on alleged infringement of intellectual property rights are based on the fact that the Software was modified by the Licensee or used in violation of the contractually agreed purposes and conditions of use (e.g., for target systems other than those agreed upon or in a system environment other than that agreed upon).

§ 7 General Liability

  1. If CraftCoders provides Software or Updates to the Licensee without any remuneration, e.g., during a free trial period, CraftCoders shall only be liable for intent and gross negligence, regardless of the legal reason.
  2. CraftCoders will pay compensation for property and financial damage and loss as well as for futile expenses, regardless of the legal reason (e.g., due to defects, default, tort or other breaches of duty), only to the following extent:
  3. in the event of intent and gross negligence as well as in the event of an assumption of a guarantee (Garantie) by CraftCoders in the full amount;
  4. in all other cases only in the event of a breach of a material contractual obligation, without which the achievement of the purpose of the License Agreement would be jeopardized and on the fulfillment of which the Licensee may therefore regularly rely (Kardinalpflicht); and in these cases restricted to compensation for typical damages foreseeable by CraftCoders at the time of the conclusion of the License Agreement.
  5. CraftCoders shall be liable for the restoration of data within the limits set forth in § 7.2 only to the extent that the Licensee has ensured that the data can be reproduced at any time with reasonable effort from data backups stored by the Licensee in machine-readable form.
  6. The above-mentioned liability restrictions shall also apply to the legal representatives, agents and employees of CraftCoders.
  7. The statutory liability for damage resulting from the loss of life, physical injury or injury to health and according to the German Product Liability Act shall not be affected by the above-mentioned provisions.

§ 8 Remuneration and Payment Terms

  1. The amount and due date of the license fees as well as the available payment options are shown to the Licensee during the online ordering process on the Atlassian Marketplace or the CraftCoders website. In both versions (Data Center and Cloud), the Software is licensed for a limited period of time (subscription), a recurring subscription fee shall be incurred. The subscription fee shall be invoiced by CraftCoders or a reseller (esp. Atlassian) in accordance with the Atlassian Marketplace terms of use (see https://www.atlassian.com/licensing/marketplace/termsofuse#introduction).
  2. The Licensee shall pay, in addition to all other amounts payable under this License Agreement, all state, federal, sales or other taxes, however designated, which are levied or imposed by reason of the sale, installation, license or use of the Software provided hereunder, except for taxes imposed by German tax authorities on CraftCoders income.
  3. If the Licensee is in default of payment, CraftCoders shall be entitled, after prior notice and setting a reasonable period of time for payment (under threat of blocking the Software), to block the Licensee’s access to the Software until all outstanding and due invoices have been settled in full. Further rights of CraftCoders due to the default in payment (in particular to termination of the License Agreement for good cause) remain unaffected.

§ 9 Term and Termination

  1. The License Agreement shall come into effect upon receiving the Software by CraftCoders. Unless otherwise agreed, the License Agreement shall have an initial binding term of one (1) year. The License Agreement shall thereafter be renewed for one (1) further contract year in each case unless it is terminated by one of the parties with one (1) month notice prior to the expiry of the respective term. With the termination of the License Agreement, CraftCoders obligation to provide Updates also expires.
  2. The parties’ right of termination for good cause shall not be affected. Good cause shall be deemed to exist for CraftCoders, in particular, if the Licensee is more than four (4) weeks in default with a substantive part of the remuneration due or if the Licensee infringes material contractual obligations in any other way and does not cease this infringement within the period of grace set by CraftCoders even after being requested to do so. If the License Agreement is terminated by CraftCoders for good cause for which the Licensee is responsible, CraftCoders shall reserve the right to claim the full remuneration for the current term.
  3. Every termination of the License Agreement shall be effected in writing in order to become legally valid. Partial terminations shall be excluded.
  4. Upon expiry or termination of a subscription license, the Licensee shall stop using the Software immediately and shall destroy the backup copies that were made (if applicable). At the request of CraftCoders, the Licensee shall provide written confirmation of compliance with the above-mentioned obligations.

§ 10 Confidentiality and Data Protection

  • The Licensee shall be obliged to maintain confidentiality regarding all business and trade secrets of CraftCoders entrusted to him, made accessible to him, or which become known to him in another way. The Licensee shall only use this confidential information for the intended purpose of the License Agreement. The Licensee shall grant access to the confidential information only to those of his employees who need to know it in order to fulfill the purposes of the License Agreement (need to know principle). The obligation to maintain confidentiality shall apply for another period of three (3) years after the License Agreement has ended.
  • The confidential information of CraftCoders shall include, in particular, the Software (along with documentation) in all code and expression forms. The use rights granted in § 3 above shall not be affected in this respect. The Licensee shall not be entitled to obtain confidential information of CraftCoders through reverse engineering. Re-verse engineering shall be regarded as all actions, including observation, testing, examination and deconstruction, with the objective of acquiring confidential information. The application of mandatory statutory copyright regulations remains unaffected in this respect.
  • The obligation to maintain confidentiality shall not apply to confidential information which was already known to the Licensee beforehand without the obligation to maintain confidentiality or is or becomes generally known without the Licensee being responsible, or which is legally notified to the Licensee by a third party without the obligation to maintain confidentiality or was proven to have been developed independently by the Licensee.
  • The provisions of this § 10 shall not restrict the right of the parties to make further use of ideas, concepts or procedures which relate to the contractual services and became part of the general know-how of their respective employees during cooperation, provided this does not infringe the industrial property rights of the other party or a third party.
  • The parties shall be obliged to keep all business items and documents, which they receive, in a proper way so that third parties cannot examine these items and documents. The parties shall be obliged to hand over these items and documents to the other party at any time when requested to do so.
  • Any other legal obligations to maintain confidentiality (e.g. in relation to business and trade secrets from the Law on the Protection of Trade Secrets or regarding personal data from the General Data Protection Regulation (GDPR)) shall apply and shall not be affected by the above-mentioned provisions. Since CraftCoders processes personal data on behalf of the Licensee when using the software in the Cloud version (in particular for short-term storage), the parties conclude the data processing agreement, which forms an integral part of this License agreement (see Appendix).

§ 11 Final Provisions

  1. Export of the Software by the Licensee and/or use in an international context, e.g. by his foreign subsidiaries, may be subject to national and international provisions of export control law. In this case the Licensee shall be responsible for complying with any export bans and requirements (e.g. obtaining official permits) and shall pay the related costs. The Licensee will indemnify CraftCoders upon first request against all claims, costs and damages in connection with violations of export control regulations by the Licensee.
  2. The Licensee may only assign or transfer contractual rights and obligations to third parties – including companies affiliated with the Licensee – with the prior written consent of CraftCoders. § 354a of the German Commercial Code shall not be affected.
  3. Any amendments and additions to the License Agreement, as well as declarations effecting the License Agreement (e.g. settings of deadlines, termination) must be made in writing in order to be effective. The contractually agreed written form requirement shall also be effected through the transfer of documents via email. The written form requirement can itself only be waived in writing.
  4. The License Agreement shall be governed exclusively by the laws of the Federal Republic of Germany, excluding the UN Convention on Contracts for the International Sale of Goods. The exclusive place of jurisdiction for all disputes arising out of or in connection with the License Agreement shall be CraftCoders, Germany. CraftCoders shall also be entitled to take legal action at any other national or international court of competent jurisdiction.
  5. If individual clauses of this License Agreement are or become invalid, or if the License Agreement contains a loophole, the validity of the other clauses shall not be affected. The parties shall replace the invalid or missing clause by a valid clause which comes as close as possible to the intended economic purpose of the parties at the time of conclusion of the License Agreement.

Version: 1; Date: 01.07.2024

***

Appendix

Standard contractual clauses for Processing pursuant to Art. 28 GDPR

Section I

Clause 1 Purpose and scope

  1. The purpose of these Standard Contractual Clauses (the Clauses) is to ensure compliance with Article 28 (3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  2. The controllers and processors listed in Annex I have agreed to these Clauses in order to ensure compliance with Article 28 (3) and (4) of Regulation (EU) 2016/679.
  3. These Clauses apply to the processing of personal data as specified in Annex II.
  4. Annexes I to IV are an integral part of the Clauses.
  5. These Clauses are without prejudice to obligations to which the controller is subject by virtue of Regulation (EU) 2016/679.
  6. These Clauses do not by themselves ensure compliance with obligations related to international transfers in accordance with Chapter V of Regulation (EU) 2016/679.

Clause 2 Invariability of the Clauses

  1. The Parties undertake not to modify the Clauses, except for adding information to the Annexes or updating information in them.
  2. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a broader contract, or from adding other clauses or additional safeguards provided that they do not directly or indirectly contradict the Clauses or detract from the fundamental rights or freedoms of data subjects.

Clause 3 Interpretation

  1. Where these Clauses use the terms defined in Regulation (EU) 2016/679 respectively, those terms shall have the same meaning as in that Regulation.
  2. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
  3. These Clauses shall not be interpreted in a way that runs counter to the rights and obligations provided for in Regulation (EU) 2016/679 or in a way that prejudices the fundamental rights or freedoms of the data subjects.

Clause 4 Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 5 Docking clause

  1. Any entity that is not a Party to these Clauses may, with the agreement of all the Parties, accede to these Clauses at any time as a controller or a processor by completing the Annexes and signing Annex I.
  2. Once the Annexes in (a) are completed and signed, the acceding entity shall be treated as a Party to these Clauses and have the rights and obligations of a controller or a processor, in accordance with its designation in Annex I.
  3. The acceding entity shall have no rights or obligations resulting from these Clauses from the period prior to becoming a Party.

Section II

Obligations of the Parties

Clause 6 Description of processing(s)

The details of the processing operations, in particular the categories of personal data and the purposes of processing for

which the personal data is processed on behalf of the controller, are specified in Annex II.

Clause 7 Obligations of the Parties

7.1. Instructions

  1. The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented.
  2. The processor shall immediately inform the controller if, in the processor’s opinion, instructions given by the controller infringe Regulation (EU) 2016/679 or the applicable Union or Member State data protection provisions.

7.2. Purpose limitation

The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from the controller.

7.3. Duration of the processing of personal data

Processing by the processor shall only take place for the duration specified in Annex II.

7.4. Security of processing

  1. The processor shall at least implement the technical and organizational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
  2. The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The processor shall ensure that persons authorized to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.5. Sensitive data

If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), the processor shall apply specific restrictions and/or additional safeguards.

7.6. Documentation and compliance

  1. The Parties shall be able to demonstrate compliance with these Clauses.
  2. The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with these Clauses.
  3. The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from Regulation (EU) 2016/679. At the controller’s request, the processor shall also permit and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the controller may take into account relevant certifications held by the processor.
  4. The controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the processor and shall, where appropriate, be carried out with reasonable notice.
  5. The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.

7.7. Use of sub-processors

  1. The processor has the controller’s general authorization for the engagement of sub-processors from an agreed list. The processor shall specifically inform in writing the controller of any intended changes of that list through the addition or replacement of sub-processors at least 14 days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The processor shall provide the controller with the information necessary to enable the controller to exercise the right to object.
  2. Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with these Clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to these Clauses and to Regulation (EU) 2016/679.
  3. At the controller’s request, the processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secret or other confidential information, including personal data, the processor may redact the text of the agreement prior to sharing the copy.
  4. The processor shall remain fully responsible to the controller for the performance of the sub-processor’s obligations in accordance with its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfil its contractual obligations.
  5. The processor shall agree a third party beneficiary clause with the sub-processor whereby – in the event the processor has factually disappeared, ceased to exist in law or has become insolvent – the controller shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

7.8. International transfers

  1. Any transfer of data to a third country or an international organization by the processor shall be done only on the basis of documented instructions from the controller or in order to fulfil a specific requirement under Union or Member State law to which the processor is subject and shall take place in compliance with Chapter V of Regulation (EU) 2016/679.
  2. The controller agrees that where the processor engages a sub-processor in accordance with Clause 7.7. for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with of Article 46 (2) of Regulation (EU) 2016/679, provided the conditions for the use of those standard contractual clauses are met.

Clause 8 Assistance to the controller

  1. The processor shall promptly notify the controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorized to do so by the controller.
  2. The processor shall assist the controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), the processor shall comply with the controller’s instructions.
  3. In addition to the processor’s obligation to assist the controller pursuant to Clause 8(b), the processor shall furthermore assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor:
  4. the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
  5. the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;
  6. the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated;
  7. the obligations in Article 32 of Regulation (EU) 2016/679.
  8. The Parties shall set out in Annex III the appropriate technical and organizational measures by which the processor is required to assist the controller in the application of this Clause as well as the scope and the extent of the assistance required.

Clause 9 Notification of personal data breach

In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 of Regulation (EU) 2016/679, where applicable, taking into account the nature of processing and the information available to the processor.

9.1. Data breach concerning data processed by the controller

In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:

  1. in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the controller has become aware of it, where relevant/(unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
  2. in obtaining the following information which, pursuant to Article 33 (3) of Regulation (EU) 2016/679, shall be stated in the controller’s notification, and must at least include:
  3. the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  4. the likely consequences of the personal data breach;
  5. the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

  • in complying, pursuant to Article 34 of Regulation (EU) 2016/679, with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

9.2. Data breach concerning data processed by the processor

In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay after the processor having become aware of the breach. Such notification shall contain, at least:

  1. a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
  2. he details of a contact point where more information concerning the personal data breach can be obtained;
  3. its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

The Parties shall set out in Annex III all other elements to be provided by the processor when assisting the controller in the compliance with the controller’s obligations under Articles 33 and 34 of Regulation (EU) 2016/679.

Section III

Final Provisions

Clause 10 Non-compliance with the Clauses and termination

  1. Without prejudice to any provisions of Regulation (EU) 2016/679, in the event that the processor is in breach of its obligations under these Clauses, the controller may instruct the processor to suspend the processing of personal data until the latter complies with these Clauses or the contract is terminated. The processor shall promptly inform the controller in case it is unable to comply with these Clauses, for whatever reason.
  2. The controller shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with these Clauses if:
  3. the processing of personal data by the processor has been suspended by the controller pursuant to point (a) and if compliance with these Clauses is not restored within a reasonable time and in any event within one month following suspension;
  4. the processor is in substantial or persistent breach of these Clauses or its obligations under Regulation (EU) 2016/679;
  5. the processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to these Clauses or to Regulation (EU) 2016/679.
  6. The processor shall be entitled to terminate the contract insofar as it concerns processing of personal data under these Clauses where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with Clause 7.1 (b), the controller insists on compliance with the instructions.
  7. Following termination of the contract, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or, return all the personal data to the controller and delete existing copies unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, the processor shall continue to ensure compliance with these Clauses.

ANNEX I

List of parties

Controller: The Licensee concluding the contract

Processor: Winter und Gellweiler – Software Engineering GbR, Alter Schlachthof 39 D2, 76131 Karlsruhe, Germany (“CraftCoders”).

Annex II

Description of the processing

Categories of data subjects whose personal data is processed: corresponds to the Privacy Policy of our Software (Cloud – version)

Categories of personal data processed: corresponds to the Privacy Policy of our Software (Cloud – version)

Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: n/a

Nature of the processing: The specific nature, scope and means of processing result from the stipulations made between the contractual partners in the License Agreement and, if applicable, further stipulations from the data protection agreement concluded between the Licensee and CraftCoders.

Purpose(s) for which the personal data is processed on behalf of the controller: corresponds to the Privacy Policy of our Software (Cloud – version)

Duration of processing: Corresponds to the term of the License Agreement.

For processing by (sub-)processors, also specify subject matter, nature and duration of the processing.

ANNEX III

Technical and Organisational Measures, including to ensure the Security of Data

Technical and organizational security measures implemented by Craft Coders: https://mailto.wiki/information-security-policy/index.html

ANNEX IV

List of sub-processors

The controller consents to the appointment of the following sub-processors:

corresponds to the Privacy Policy of our Software (Cloud – version)