General Terms & Conditions

Proximity DMP Master Services Agreement
(Version MSA-2018-01)

Beaconinside has developed a technology called “Proximity DMP”, which the Client wishes to use to analyze the behavior of the Client’s customers.

For this purpose, the Parties hereby enter into the following Agreement:

1. General Provisions

1.1. This Master Services Agreement (hereinafter referred to as the “Agreement”) shall apply to all contractual relationships between Beaconinside and Client regarding the Proximity DMP service.

1.2. Any deviating terms and conditions of the Client as well as any deviations and/or amendments to this Agreement shall only become part of the Agreement if they have been expressly acknowledged by Beaconinside in writing (email is sufficient). This Agreement shall also apply exclusively if Beaconinside has not explicitly objected to any contrary terms and conditions.

1.3. Beaconinside reserves the right to modify these General Terms and Conditions with effect for the future (starting at the date of the renewal of the contract period) at any time. In this case, Beaconinside will notify the Client of these changes (at least 3 weeks before the end of the period of notice). The changes shall be deemed to be accepted if the Client does not object within three weeks after receipt of the amendment notification. Beaconinside will inform the Client in its amendment notification about the Client’s right to object and the effects of a lack of objection. If the Client rejects the changes, the contract cannot be renewed automatically and the Agreement will be terminated at the end of the contract period.

2. Formation of contract

2.1. Offers by Beaconinside are subject to change. The subject matter of the Agreement is the Beaconinside products and services as detailed below at the time the contract is concluded. Beaconinside reserves the right to make technical changes and improvements to its products and services within reason.

2.2. The Agreement between Beaconinside and the Client is entered into upon signature of an individual Insertion Order by Beaconinside and the Client. Alternatively, the Client can register on the Beaconinside website, which also constitutes acceptance of this Agreement.

2.3. The Client represents and warrants that all personal information as well as other relevant contractual data provided by Client during the conclusion of the Agreement are complete and correct. The Client is obliged to promptly inform Beaconinside about any changes to this data and/or to update altered data in its user account. In the event of a culpable breach of this obligation, Beaconinside is entitled to suspend the contractual services upon giving prior notice.

2.4. The Client is aware that contractual declarations (e.g. confirmation emails, amendments to the General Terms and Conditions as well as other notifications) may be sent via email. They are deemed to have been received when, under normal circumstances, they can be retrieved from the email inbox which was specified by the user during registration.

3. Services

3.1. Beaconinside shall render the service in accordance with the Service Description in Annex 1. Unless expressly specified otherwise in the Service Description and in this Agreement, including the Service Level Agreement in Annex 3, Beaconinside ensures the provision of the service with an availability customary within the industry.

3.2. Beaconinside is entitled to use the assistance of third parties in order to fulfill its contractual obligations.

4. Client rights and obligations

4.1. The Client is entitled to use the service and the software provided by Beaconinside only to the extent described hereafter.

4.2. The Client must follow Beaconinside’s instructions as well as the protocols and specifications as requested by Beaconinside with regard to the telecommunication/data transmission.

4.3. Specifically, Client must implement the Proximity DMP SDK according to Annex 2, and use program code provided by Beaconinside without any modifications for its intended use.

4.4. The Client’s app must offer substantive services that go beyond the mere functionality of the Proximity DMP SDK.

4.5. If Beaconinside has protected its services by technical means (e.g. security codes, firewalls, etc.), the Client is not allowed to circumvent or remove such security measures.

4.6. The Client may upload data regarding infrastructure, buildings, and campaigns, including images. The Client assumes all responsibility for all such uploaded data.

4.7. The Client is obliged to protect its own data by taking appropriate measures and by regularly making backups of its data.

4.8. The Client agrees to keep the passwords and login data provided by Beaconinside for access to the services confidential and to inform Beaconinside immediately as soon as the Client becomes aware of unauthorized third parties gaining access to these passwords. If, due to the Client’s fault, unauthorized third parties use any services provided by Beaconinside by using the passwords, the Client is liable to Beaconinside for usage fees and damages.

4.9. The Client shall not make the software provided by Beaconinside available to any third parties, except for Affiliated Companies according to sec. 14 German Companies Act (Aktiengesetz). In addition, the Client shall not

4.9.1. modify, translate, reverse engineer, decompile, disassemble or otherwise create derivative works from the Beaconinside software or documentation. Information pursuant to Section 69e of the German Copyright Act which is required to achieve interoperability with other programs created independently can be purchased from Beaconinside for a fee upon request;

4.9.2. transfer, lend, rent, lease, or distribute the software provided by Beaconinside or the service, or use them for providing services to a third party, or grant any rights in and to the Beaconinside software or documentation to a third party in any form, without Beaconinside’s express prior written consent and unless all respective fees have been paid and all of Beaconinside’s other conditions have been met; or

4.9.3. remove, modify or make illegible the labels, markers or designations regarding copyrights and other intellectual property rights of the Beaconinside software or documentation.

5. Prices and Payment Conditions

5.1. The fees for the service that the Client makes use of are set out in Beaconinside’s current valid price list. Unless explicitly stated otherwise, all fees are quoted in Euros and are exclusive of the statutory value-added tax (VAT) applicable at the time. Any customs duties and similar public charges shall be borne by the Client.

5.2. Invoices will be sent to the Client via mail or in electronic form, unless expressly agreed otherwise.

5.3. The payment of the invoices shall be due within 30 days of the invoice date. In the event of the Client’s default of payment, Beaconinside is allowed to charge default charges up to €5.00 as well as default interest in accordance with the statutory provisions. Beaconinside reserves the right to prove and assert greater damages due to default. If the Client’s payments are considerably delayed, Beaconinside reserves the right to suspend the provision of any further services, in particular the Client’s access to the service, at the expense of the Client until all due payments have been made. In the event of suspended services, the Client is nevertheless obliged to pay the agreed fees. After having set the Client a reasonable deadline and expiration of that deadline, Beaconinside has the right to terminate the Agreement with immediate effect. In case of returned direct debits or unpaid checks, the Client shall reimburse Beaconinside for the costs incurred to the extent that the Client was responsible for the event giving rise to these costs. Further claims and rights to which Beaconinside may be entitled in this respect shall remain unaffected. Even if the Client does not use the provided service, the Client is still obliged to pay the agreed fees.

5.4. Any complaints relating to an invoice must be submitted to Beaconinside in writing or by email to invoice@beaconinside.com within four weeks upon receipt of the invoice. If no such complaint has been made within four weeks upon receipt of invoice, the invoice is deemed to be accepted. Beaconinside will inform the Client in the invoice about the consequences of failing to submit a timely complaint.

5.5. The Client shall have a right to offset against claims only if its counterclaim has been established by a final and binding decision or is undisputed. The same shall apply to the right of retention, the valid exercise of which shall further require that the counterclaim of the Client must arise under the same contractual relationship.

6. Term and Termination

6.1. The term of the Agreement is determined in the Insertion Order. The termination must be made in writing and be submitted via mail or fax.

6.2. The right to immediate termination for cause shall remain unaffected. In particular, Beaconinside has the right to immediately terminate the Agreement

6.2.1. if the Client breaches its obligations pursuant to sections 4.3, 4.5, 4.8, or 4.9 of this Agreement,

6.2.2. if the Client is in default of payment and does not settle the outstanding payment upon receipt of a warning letter with a deadline for payment and expiration of that deadline to no avail,

6.2.3. if the Client publishes racist, pornographic, immoral or illegal content on its website and/or content which glorifies or trivializes violence.

6.3. Either party has the right to immediately terminate the Agreement

6.3.1. if the other party breaches its obligations pursuant to sections 7.3 or 10 of this Agreement,

6.3.2. if the other party is insolvent, subject to insolvency proceedings, insolvency proceedings have been commenced or the commencement of insolvency proceedings is dismissed due to lack of assets,

6.3.3. if the other party violates the provisions of these Terms and Conditions and fails to remedy this violation upon receipt of a written request with an adequate deadline. No such request is necessary if it has no prospect of success or if the violation is so serious that the terminating party cannot be reasonably expected to adhere to the Agreement. A violation shall also be deemed serious if the other party has received warning notices several times because of similar violations.

6.4. Upon termination of the Agreement, the Client is obliged to delete all copies of the codes that were provided by Beaconinside.

6.5. The right of termination is excluded prior to the end of the Term. If the Client terminates the Agreement disregarding such exclusion, then the Client shall be subject to a contractual penalty in the amount of the outstanding payments.

7. Intellectual property

7.1. Upon conclusion of the Agreement, Beaconinside grants the Client the non-exclusive, non-transferable and non-sublicensable right to use the service during the term of the Agreement, insofar as this is necessary to use the service according to the respective Insertion Order. The right of use shall expire once the Client defaults on any payments due.

7.2. Beaconinside shall retain all intellectual property rights as well as any other property rights in and to the Beaconinside software, the service as well as other services that are provided under this contract, including source codes, databases, hardware and/or any other material (e.g. documentations, developments, functions, report templates, preparatory material, etc.).

7.3. The Client undertakes to not violate any applicable laws, in particular third party rights (e.g. copyrights, personality rights, intellectual property rights) or the terms of this Agreement while using the service. If applicable, this also includes the provisions of the US Children’s Online Privacy Protection Act (“COPPA”). Insofar, the Client shall, subject to analogous application of the rules laid out in secs. 7.4.1. et seqq., indemnify and hold Beaconinside harmless from any and all third party claims (including but not limited to all costs and expenses, incl. reasonable attorney’s fees) that are being asserted against Beaconinside upon first request.

7.4. Unless agreed otherwise, Beaconinside shall perform its contractual services free from third-party intellectual property rights and copyright (hereinafter referred to as: IP Rights) regarding the country of performance. If a third party asserts justified claims against the Client based on an infringement of IP Rights with respect to services that were performed by Beaconinside and were used in accordance with the contract, Beaconinside shall be liable to the Client as follows within the time period set forth above:

7.4.1. Beaconinside shall, at its own selection and expense, either acquire a license to use the supplies in question, modify them such that they no longer infringe the IP Right, or replace them. If it would be unreasonable for Beaconinside to do this, the Client may rescind the contract or reduce the fee in accordance with statutory rules.

7.4.2. Beaconinside’s liability to pay damages shall be governed by the corresponding section of this Agreement.

7.4.3. The above obligations of Beaconinside shall only apply if the Client informs Beaconinside of claims asserted by the third party without delay and in writing, does not acknowledge any infringement and leaves any defense measures and settlement negotiations to the discretion of Beaconinside. If the Client ceases to use the supplies for damage limitation purposes or for any other significant reasons, it shall be obliged to point out to the third party that no acknowledgement of infringement may be inferred from the fact that use has been discontinued.

7.5. Claims of the Client shall be excluded if the Client is itself responsible for the infringement of an IP Right.

7.6. Claims of the Client shall also be excluded if the infringement of the IP Right is caused by specifications stipulated by the Client, by a type of use not foreseeable by Beaconinside or by the delivery being modified by the Client or being used together with products not supplied by Beaconinside.

7.7. Beaconinside hereby fully reserves any proprietary rights and/or copyrights with regard to the use of cost estimates, drawings, manuals and other documents (hereinafter referred to as: “Documents”). The Documents shall not be made accessible to third parties, except for Affiliated Companies, without Beaconinside’s prior consent and shall, upon request, be returned without delay to Beaconinside if the contract is not awarded to Beaconinside.

8. Liability

8.1. Beaconinside shall be responsible that the Beaconinside Proximity DMP corresponds to the use permitted by Beaconinside. Beaconinside does not assume any liability for any damages resulting from a usage other than the intended use. The same applies to any damages resulting from a use that is not in accordance with Beaconinside’s instructions and recommendations or any other unauthorized usage.

8.2. Beaconinside does not assume any liability for any disturbances, limitations, interruptions or disruptions of the service which are caused by circumstances beyond Beaconinside’s area of responsibility.

8.3. In particular, Beaconinside’s liability for compatibility of the SDK with any operating system updates and for faulty SDK implementation or bad data input is excluded.

8.4. Notwithstanding the foregoing, either party shall only be liable for any damages which can be attributed to a willful or grossly negligent violation of a duty by the violating party, its legal representatives or employees, as a result of grave organizational neglect, or which are based on defects of a warranted quality of the Beaconinside Products, pursuant to the statutory provisions. This limitation shall not apply to any damages resulting from injury of life, body or health.

8.5. Irrespective of the legal grounds, either party shall only be liable for damages that have been caused by the culpable breach of a cardinal contractual obligation by its legal representatives or vicarious agents. Liability in this regard shall be limited to the typical damages that were reasonably foreseeable at the time the contract was concluded. Liability pursuant to the German Product Liability Act shall remain unaffected. Either party’s liability for indirect damages, in particular loss of profit, is hereby excluded.

8.6. The aforementioned liability provisions shall apply accordingly to either party’s employees and agents.

8.7. Any claims for damages arising from simple negligence by either party shall become time-barred within one year upon occurrence of the damage. This limitation shall not apply to any damages resulting from injury of life, body or health. All other claims for damages shall become time-barred within the statutory period.

9. Data protection

9.1. The Client is obliged to comply with the applicable data protection law when using the service and Beaconinside Software. If applicable, the Client is also obliged to comply with the US Children’s Online Privacy Protection Act (“COPPA”) when using the service and Beaconinside Software.

9.2. The Client is obliged to ensure that its websites and apps clearly provide appropriate and sufficiently prominent notice to users regarding the collection and use of location and other personal data by Beaconinside, and gather the according consent (opt-in) of the affected users. The Client will also ensure that the websites and apps provide facilities for users to opt out of tracking. Until a user opts in and as soon as a user opts out, the tracking mechanisms provided by Beaconinside must be fully disabled.

9.3. The processing of personal data by Beaconinside on behalf of the Client requires a data processing agreement, which the parties agree to as laid out in Annex 4.

9.4. For the purposes of this Agreement, the Client owns the data collected on its behalf. Beaconinside may process Client data only in aggregated and anonymized form to maintain and improve Beaconinside’s products and services.

9.5. Beaconinside may save and process any data relating to the Client to the extent necessary for the purpose of the execution and implementation of the sales contract and as long as Beaconinside is required to keep such data in accordance with applicable law.

9.6. Beaconinside shall have the right to submit personal data relating to the Client to credit agencies, to the extent necessary for a credit check. Beaconinside shall not make available any personal data relating to the Client to other third parties without the express consent of the Client, except to the extent that a disclosure is required under applicable law.

10. Confidentiality

10.1. The parties shall keep all documents, information and data which have been disclosed during the course of the cooperation strictly confidential during the term of the Agreement and for two years thereafter. The parties undertake to use the same degree of care in safeguarding the documents, information and data of the other party that is used for their own confidential information, but at least the due care of a prudent businessman. All such documents, information and data shall be used exclusively to perform the contractual services.

10.2. These confidentiality obligations also apply to documents, information and data that relate to companies affiliated with the parties, other cooperation partners or contractors and to documents, information and data about clients and sales representatives of the parties.

10.3. These confidentiality obligations do not apply to documents, information and data that are in the public domain or later become part of the public domain through no breach of contract by a party, that are required to be disclosed by operation of law, court or administrative order, or that have been subsequently exempted from this confidentiality obligation by an agreement in writing, per fax or via email.

11. Miscellaneous

11.1. Any modifications to and/or amendments of this Agreement must be made in writing (email is sufficient). This also applies in case of a nullification of the written form requirement.

11.2. If any provision of this Agreement or part thereof is invalid or becomes invalid at a later time, the validity of the remaining provisions shall remain unaffected. The relevant provision shall be replaced by a provision that as closely as possible reflects the economic purpose of the invalid provision. The foregoing shall apply analogously if any provision has inadvertently been omitted.

12. Venue and applicable law

12.1. The legal relationship between Beaconinside and the Client shall be governed by German law.

12.2. The exclusive venue for all disputes arising directly or indirectly out of or in connection with the contract shall be Berlin. However, Beaconinside may also bring an action at the Client’s registered seat.

Annex overview

Annex 1: Service Description
Annex 2: SDK Implementation
Annex 3: Service Level Agreement
Annex 4: Data Processing Agreement

Annex 1 Service Description

Under the Agreement, Beaconinside shall deliver the following services:

1. SDK

The use of the Proximity DMP is subject to successful implementation of the SDK in the Client’s mobile app.

The Beaconinside SDK for Android (version 4.3 and higher) and iOS (version 9 and higher) apps recognizes beacons from different hardware manufacturers using signal strengths (iBeacon, Eddystone and proprietary formats), user location (using GPS, Wi-Fi location, cellular networks, device sensors), and user context.

Data collection is subject to the users’ consent to the app accessing the Bluetooth interface and location services (user opt-in).

2. DMP

The DMP offers analytics like a dashboard for visitor statistics and campaign evaluation.

3. Security

Data security in accordance with market standards, including HTTPS encryption.

4. Partner network

APIs and interfaces for third parties are developed upon request. Data control and security are Client’s responsibility. Third-party fees may apply. Beaconinside does not guarantee continuous service availability.

Annex 2 SDK Implementation

The SDK must be implemented as follows:

1. Download

The SDK binary file and sample integration source code may be downloaded from GitHub at github.com/beaconinside/sdks.

2. Testing

The SDK must be tested in a Sandbox environment before deploying to a production audience. The SDK requires testing in real-world situations, not just using device simulators.

The SDK must be tested with respect to energy consumption and resource usage (e.g. bandwidth, memory).

3. User permissions

The SDK requires app-level user permissions for location services to work properly. Requesting these permissions is outside of the scope of the SDK.

Annex 3 Service Level Agreement

Beaconinside agrees to the following level of service:

  1. Beaconinside does not guarantee a general availability of its servers and APIs.
  2. Beaconinside points out that the services may be interrupted or disrupted by circumstances beyond Beaconinside’s area of responsibility, including but not limited to acts of third parties that do not act on Beaconinside’s behalf, technical conditions of the internet that Beaconinside cannot influence or force majeure. If such circumstances interfere with the availability or functionality of the services provided by Beaconinside, this has no effect on the contractual conformity of the services provided by Beaconinside.
  3. In case of unforeseen events, Beaconinside is entitled to suspend the service for maintenance or repair purposes if this is necessary to ensure the proper operation of the service.
  4. Scheduled interruptions of service will be announced at least three days in advance.

Annex 4 Data Processing Agreement pursuant to art. 28 General Data Protection Regulation (GDPR)

between the Client (Controller) and Beaconinside (the Processor)

1. Subject matter and duration of this Data Processing Agreement

1.1. Subject matter

The Subject matter of this Data Processing Agreement results from the Master Services Agreement.

1.2. Duration

The duration of this Data Processing Agreement corresponds to the duration of the Master Services Agreement.

2. Specification of the data processing

2.1. Nature and Purpose of the intended Processing of Data

Nature and Purpose of Processing of personal data by Beaconinside for the Client are precisely defined in the Master Services Agreement.

2.2. The undertaking of the contractually agreed Processing of Data shall be carried out exclusively within a Member State of the European Union (EU) or within a Member State of the European Economic Area (EEA). Each and every Transfer of Data to a State which is not a Member State of either the EU or the EEA requires the prior agreement of the Client and shall only occur if the specific Conditions of arts. 44 et seq. GDPR have been fulfilled.

2.3. Type of Data

The type of personal data used will be precisely defined during the services performed under this Agreement. The processing of personal data comprises in general the following data types/categories (List/Description of the Data Categories):

− mobile identifiers, including the IDFA, Android Advertising ID, IDFV, and/or Google Advertising ID
− geodata
− pseudonymous identifiers
− IP address and log files

2.4. Categories of Data Subjects

The Data Subjects comprise users of the Client’s mobile apps.

3. Technical and Organizational Measures

3.1. Before the commencement of processing, Beaconinside shall document the execution of the necessary Technical and Organizational Measures, set out in advance of the awarding of this Data Processing Agreement, specifically with regard to the detailed execution of the Data Processing Agreement, and shall present these documented measures to the Client for inspection. Upon acceptance by the Client, the documented measures become the foundation of this Data Processing Agreement. Insofar as the inspection/audit by the Client shows the need for amendments, such amendments shall be implemented by mutual agreement.

3.2. Beaconinside shall establish the security in accordance with art. 28(3)(c) and art. 32 GDPR in particular in conjunction with art. 5(1) and (2) GDPR. The measures to be taken are measures of data security and measures that guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of art. 32(1) GDPR must be taken into account.

3.3. The Technical and Organizational Measures are subject to technical progress and further development. In this respect, it is permissible for Beaconinside to implement alternative adequate measures. In so doing, the security level of the defined measures must not be reduced. Substantial changes must be documented.

4. Rectification, restriction and erasure of data

4.1. Beaconinside may not on its own authority rectify, erase or restrict the processing of data that is being processed on behalf of the Client, but only on documented instructions from the Client.

4.2. Insofar as a Data Subject contacts Beaconinside directly concerning a rectification, erasure, or restriction of processing, Beaconinside will immediately forward the Data Subject’s request to the Client.

4.3. Insofar as it is included in the scope of services, the erasure policy, ‘right to be forgotten’, rectification, data portability and access shall be ensured by Beaconinside in accordance with documented instructions from the Client without undue delay.

5. Quality assurance and other duties of Beaconinside

In addition to complying with the rules set out in this Data Processing Agreement, Beaconinside shall comply with the statutory requirements referred to in arts. 28–33 GDPR; accordingly, Beaconinside ensures, in particular, compliance with the following requirements:

5.1. Appointed Data Protection Officer, who performs his/her duties in compliance with arts. 38 and 39 GDPR. His/Her current contact details are always available and easily accessible on the website of Beaconinside.

5.2. Confidentiality in accordance with art. 28(3)(2)(b), arts. 29 and 32(4) GDPR. Beaconinside entrusts only such employees with the data processing outlined in this Data Processing Agreement who have been bound to confidentiality and have previously been familiarized with the data protection provisions relevant to their work. Beaconinside and any person acting under its authority who has access to personal data shall not process that data except on instructions from the Client, which includes the powers granted in this Data Processing Agreement, unless required to do so by law.

5.3. Implementation of and compliance with all Technical and Organizational Measures necessary for this Data Processing Agreement in accordance with art. 28(3)(2)(c), art. 32 GDPR.

5.4. The Client and Beaconinside shall cooperate, on request, with the supervisory authority in performance of its tasks.

5.5. The Client shall be informed immediately of any inspections and measures conducted by the supervisory authority, insofar as they relate to this Data Processing Agreement. This also applies insofar as Beaconinside is under investigation or is party to an investigation by a competent authority in connection with infringements to any civil or criminal law, or administrative rule or regulation regarding the processing of personal data in connection with the processing of this Data Processing Agreement.

5.6. Insofar as the Client is subject to an inspection by the supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a Data Subject or by a third party, or any other claim in connection with the data processing by Beaconinside under this Data Processing Agreement, Beaconinside shall make every effort to support the Client.

5.7. Beaconinside shall periodically monitor the internal processes and the Technical and Organizational Measures to ensure that processing within its area of responsibility is in accordance with the requirements of applicable data protection law and the protection of the rights of the data subject.

5.8. Verifiability of the Technical and Organizational Measures conducted by the Client as part of the Client’s supervisory powers referred to in section 7 of this Data Processing Agreement.

6. Subcontracting

6.1. Subcontracting for the purpose of this Agreement is to be understood as meaning services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal/transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. Beaconinside shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the Client’s data, even in the case of outsourced ancillary services.

6.2. Beaconinside may commission subcontractors (additional contract processors) only after prior explicit written or documented consent from the Client. Outsourcing to subcontractors or changing an existing subcontract are permissible when the subcontracting is based on a contractual agreement in accordance with art. 28(2)–(4) GDPR.

6.3. The transfer of personal data from the Client to the subcontractor and the subcontractor’s commencement of the data processing shall only be undertaken after compliance with all requirements has been achieved.

6.4. If the subcontractor provides the agreed service outside the EU/EEA, Beaconinside shall ensure compliance with EU Data Protection Regulations by appropriate measures. The same applies if service providers are to be used within the meaning of para. 6.1(2).

6.5. Further outsourcing by the subcontractor is permitted under the same requirements. All contractual provisions in the contract chain shall be communicated to and agreed with each and every additional subcontractor.

7. Supervisory powers of the Client

7.1. The Client has the right, after consultation with Beaconinside, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. It has the right to satisfy itself of Beaconinside’s compliance with this Agreement in its business operations by means of random checks, which are ordinarily to be announced in good time.

7.2. Beaconinside shall ensure that the Client is able to verify compliance with the obligations of Beaconinside in accordance with art. 28 GDPR. Beaconinside undertakes to give the Client the necessary information on request and, in particular, to demonstrate the execution of the Technical and Organizational Measures.

7.3. Evidence of such measures, which concern not only the specific Data Processing Agreement, may be provided by compliance with approved Codes of Conduct pursuant to art. 40 GDPR, certification according to an approved certification procedure in accordance with art. 42 GDPR, current auditor’s certificates, reports or excerpts from reports provided by independent bodies (e.g. auditor, Data Protection Officer, IT security department, data privacy auditor, quality auditor), or a suitable certification by IT security or data protection auditing (e.g. according to BSI-Grundschutz (IT Baseline Protection certification developed by the German Federal Office for Security in Information Technology (BSI)) or ISO/IEC 27001).

7.4. Beaconinside may claim remuneration for enabling Client inspections.

8. Communication in the case of infringements by Beaconinside

8.1. Beaconinside shall assist the Client in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations, referred to in arts. 32 to 36 GDPR. These include:

8.1.1. Ensuring an appropriate level of protection through Technical and Organizational Measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events.

8.1.2. The obligation to report a personal data breach immediately to the Client.

8.1.3. The duty to assist the Client with regard to the Client’s obligation to provide information to the Data Subject concerned and to immediately provide the Client with all relevant information in this regard.

8.1.4. Supporting the Client with its data protection impact assessment.

8.1.5. Supporting the Client with regard to prior consultation of the supervisory authority.

8.2. Beaconinside may claim compensation for support services which are not included in the description of the services and which are not attributable to failures on the part of Beaconinside.

9. Authority of the Client to issue instructions

9.1. The Client shall immediately confirm oral instructions (at the minimum in text form).

9.2. Beaconinside shall inform the Client immediately if Beaconinside considers that an instruction violates Data Protection Regulations. Beaconinside shall then be entitled to suspend the execution of the relevant instructions until the Client confirms or changes them.

10. Deletion and return of personal data

10.1. Copies or duplicates of the data shall never be created without the knowledge of the Client, with the exception of back-up copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory requirements to retain data.

10.2. After conclusion of the contracted work, or earlier upon request by the Client, at the latest upon termination of the Master Services Agreement, Beaconinside shall hand over to the Client or – subject to prior consent – destroy all documents, processing and utilization results, and data sets related to this Data Processing Agreement that have come into its possession, in a data-protection compliant manner. The same applies to any and all connected test, waste, redundant and discarded material. The log of the destruction or deletion shall be provided on request.

10.3. Documentation which is used to demonstrate orderly data processing in accordance with this Data Processing Agreement shall be stored beyond the contract duration by Beaconinside in accordance with the respective retention periods. It may hand such documentation over to the Client at the end of the contract duration to relieve Beaconinside of this contractual obligation.

11. Technical and Organizational Measures

11.1. Confidentiality (art. 32(1)(b) GDPR)

11.1.1. Physical Access Control

All servers are operated in locked rooms protected by access control systems. Only authorized employees have access to the premises. Beaconinside ensures access to the premises via mandatory access authentication for all individuals. There is a logged role and group-based determination of persons with the right of access.

At Beaconinside, each employee has access to IT systems and services via their own employee account. The access rights are limited to the responsibilities of the respective employee or team. Access to its own systems is regulated by Beaconinside via password procedures and the use of SSH keys with at least 2048 bits. The SSH keys defend the production systems against attacks that target weak passwords, because password-based access to the corresponding systems is disabled. Authentication secrets are only transmitted encrypted over the web. In addition, Beaconinside has requirements for the creation of passwords. This ensures high security even in systems that provide password-based access. The passwords must meet the following characteristics:

− at least 8 characters long
− at least 1 uppercase letter
− at least 1 lowercase letter
− at least 1 number
− at least 1 non-alphanumeric character

Workstations are protected against unauthorized use by manual and automatic activation of a password-protected screensaver. The systems of Beaconinside are protected by firewalls, which discard all incoming connections by default. Only explicitly defined exceptions are accepted.
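The two checkable rules in section 11.1.1 are the password policy (length and four character classes) and the minimum SSH key size. The following is an added example, not Beaconinside’s code, showing how a Client or auditor could verify both: a validator that reports which policy rules a password fails, and a parser that reads the RSA modulus size out of an `authorized_keys`-style `ssh-rsa` line (RFC 4253 wire format: type string, mpint e, mpint n). The key lines used for the demonstration are constructed from a placeholder modulus of the right length; they are not real key pairs.

```python
"""Added example (not Beaconinside's code): checks derived from section 11.1.1,
i.e. the five-rule password policy and the 2048-bit minimum for SSH keys.
The key material produced below is constructed for illustration only."""
import base64
import struct
from typing import List, Optional, Tuple

MIN_PASSWORD_LENGTH = 8   # section 11.1.1: at least 8 characters
MIN_SSH_RSA_BITS = 2048   # section 11.1.1: SSH keys with at least 2048 bits


def password_policy_violations(password: str) -> List[str]:
    """Return the policy rules the password fails (empty list = compliant).

    Rules mirror section 11.1.1: length >= 8, at least one uppercase letter,
    one lowercase letter, one digit and one non-alphanumeric character.
    """
    violations = []
    if len(password) < MIN_PASSWORD_LENGTH:
        violations.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(not c.isalnum() for c in password):
        violations.append("no non-alphanumeric character")
    return violations


def _read_ssh_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one length-prefixed field (RFC 4251 'string'/'mpint') from an SSH blob."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length


def ssh_rsa_key_bits(authorized_key_line: str) -> Optional[int]:
    """Return the RSA modulus size in bits for an 'ssh-rsa' public key line.

    Returns None for key types without an RSA modulus (e.g. ssh-ed25519), so the
    caller can handle them under a separate rule.  The base64 blob has the
    layout: string "ssh-rsa", mpint e, mpint n.
    """
    parts = authorized_key_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        return None
    blob = base64.b64decode(parts[1])
    key_type, offset = _read_ssh_string(blob, 0)
    if key_type != b"ssh-rsa":
        return None
    _exponent, offset = _read_ssh_string(blob, offset)
    modulus, _ = _read_ssh_string(blob, offset)
    # mpint is big-endian two's complement; a leading 0x00 sign byte does not
    # contribute to bit_length(), so this yields the true modulus size.
    return int.from_bytes(modulus, "big").bit_length()


def key_meets_minimum(authorized_key_line: str) -> bool:
    """True only for ssh-rsa keys whose modulus is at least MIN_SSH_RSA_BITS."""
    bits = ssh_rsa_key_bits(authorized_key_line)
    return bits is not None and bits >= MIN_SSH_RSA_BITS


def _constructed_rsa_key_line(modulus_bits: int) -> str:
    """Build an ssh-rsa line with a CONSTRUCTED modulus of the requested size.

    The modulus is 2**(bits-1) + 1: the right length for the size check, but not
    a product of two primes, so it is useless as a real key.
    """
    def mpint(value: int) -> bytes:
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        if raw[0] & 0x80:  # keep the sign bit clear, as RFC 4251 requires
            raw = b"\x00" + raw
        return struct.pack(">I", len(raw)) + raw

    def ssh_string(value: bytes) -> bytes:
        return struct.pack(">I", len(value)) + value

    blob = ssh_string(b"ssh-rsa") + mpint(65537) + mpint((1 << (modulus_bits - 1)) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "password"):
        print(pw, "->", password_policy_violations(pw) or "compliant")
    for bits in (1024, 2048, 4096):
        print(bits, "bit constructed key accepted:", key_meets_minimum(_constructed_rsa_key_line(bits)))
```

Running the module prints one line per sample password and one per constructed key size; in an audit you would feed `ssh_rsa_key_bits` the lines of each account’s `authorized_keys` file instead of the constructed ones.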

11.1.2. Electronic Access Control

All servers and services of Beaconinside are subject to continuous monitoring. This includes the logging of personal access in the user interface. The work stations of Beaconinside are also secured with the usual measures. For example, virus scanners are installed, and laptops are encrypted.

11.1.3. Internal Access Control (permissions for user rights of access to and amendment of data)

Access rights holders can only access data that is set up in their individual authorization profile. The scope of the authorizations is limited to the logical and temporal minimum necessary for the respective task or function. Logging out of the workstation is required by written policy and is practiced.

11.1.4. Isolation Control

There is a secure and encrypted storage of data carriers.

11.1.5. Pseudonymisation (art. 32(1)(a) GDPR; art. 25(1) GDPR)

11.2. Integrity (art. 32(1)(b) GDPR)

11.2.1. Data Transfer Control

All data is encrypted during transmission over the internet. The transfer of data between backend systems is protected. Data with high protection requirements is encrypted. Beaconinside requires the logging of each transmission of received or transmitted data with high protection requirements. The handling of local data carriers such as USB sticks is regulated. The complete, secure and permanent deletion of data or data carriers containing the Client’s customer data is recorded. The logs are archived for at least 24 months in a tamper-proof manner.

11.2.2. Data Entry Control

The granting of rights to enter, modify and delete data with a high level of required protection is based on an authorization concept with a logging obligation. The employees of Beaconinside do not work directly on the database level, but use applications to access the data. The entry, modification and deletion of data by individual user names is traceable. There is documentation of the administrative activities, e.g. create, modify, delete users.

11.3. Availability and Resilience (art. 32(1)(b) GDPR)

11.3.1. Availability Control

Beaconinside ensures availability of the data in several respects. The use of ISO 27001, ISO 27017 and ISO 27018 certified data centers from Google Inc. provides the highest availability, based on redundant data centers.

11.3.2. Rapid Recovery (art. 32(1)(c) GDPR)

There is a daily backup of the entire system. This can be used when the other availability measures fail.

11.3.3. Procedures for regular testing, assessment and evaluation (art. 32(1)(d) GDPR; art. 25(1) GDPR)

11.3.4. Data Protection Management

Beaconinside has process documentation and a functional separation, which is ensured by a documented two-eyes principle. Test system and live system are separate instances. Employees have guidelines and work instructions, which clearly define which systems are used for which purpose.

11.3.5. Incident Response Management

11.3.6. Data Protection by Design and Default (art. 25(2) GDPR)

11.3.7. Order or Contract Control

Beaconinside examines and documents the security measures taken by contractors. In addition, contractors and their activities are monitored continuously. Beaconinside binds the contractor’s employees to confidentiality.