Terms and Conditions

Terms of Conditions for the temporary licensing of rho data Software

The following terms and conditions govern the contractual relationship between rho data GmbH, Heinestraße 41a, 70597 Stuttgart, and any undertaking which uses software of rho data (hereinafter referred to as “Customer”).

§ 1 Subject matter of the contract; conclusion of the contract

Subject of any contract based on these terms, Customer is granted a right to use the rho data Software (hereinafter referred to as “rho data Software”). against payment within the scope described below and within the term of the Agreement. A contract is concluded when a Customer registers online for the use of rho data software and accepts this terms and conditions. No written form is required for the declaration of acceptance. According to this terms and conditions, rho data does only conclude agreements with companies, undertakings within the meaning of Sec. 14 German Civil Code and tradesman, not with employees or any other individuals or consumers according to Sec. 13 German Civil Code. Everyone who registers a company for the usage of rho data Software represents and warrants that he has sufficient power to conclude legally binding a contract in the name of the Customer with rho data. Subject to this contract are no manuals and other documentation. The contract between rho data and the Customer based on this terms and conditions (hereinafter referred to as the “Agreement”) consists of 1) these terms and conditions 2) the current pricelist of rho data, available upon request 3) the data processing agreement (Annex 1). Terms and conditions of the Customer shall not apply, even if they are not expressly or impliedly rejected by rho data. If the parties make individual arrangements with respect to the scope of this agreements, such arrangement shall only valid if they are set out in writing (email is sufficient). In case of any contradiction between an individual arrangement and this terms and conditions, the individual arrangements will prevail.

§2 Granting of rights of use

rho data grants the Customer and all companies affiliated with the customer pursuant to Sec. 15 of the German Stock Corporation Act (AktG) the non-exclusive, non-transferable right, limited in time for the duration of the Agreement, to use the rho data software within the scope and in accordance with the Agreement for the number of registered accounts. The rho data software is operated as software as a service via cloud computing and is not installed at the customer site, except the parties have concluded otherwise in an individual arrangement. The customer may only use the rho data software for its own internal purposes as specified in the individual contract. In particular, the customer is not entitled to use the rho data software for other commercial services towards third parties, in particular, but not limited to services that consist exclusively or predominantly in the use and application of the rho data software. The customer is not entitled to grant sublicenses. The customer has no right to receive the source code or to access the source code.

§3 Interaction with standard interfaces of third party software

rho data Software uses standardized interfaces of third party software to gather the communication data for the further analysis. It is the responsibility of the Customer to have sufficient licenses for every third party software which he wants to be used by rho data software to gather data. rho data does not have influence on the quality of the data-sources and the functioning and further development of the interfaces of third party software. Therefore, rho data can neither guarantee nor warrant the interaction with specific interfaces and specific third party software for the whole term of the Agreement.

§4 Registration and accounts

The administrator of the Customer must create a rho data account. The administrator can send invitations to other employees of the Customer. By accepting the invitations, the employees are included in the analysis. rho data may block an account if there are indications that it has been used in an unauthorized manner and/or that there is an attempt to gain unauthorized access to the rho data Software or the underlying systems of rho data from the user account (“Hacking”). In such a case, rho data shall immediately notify Customer (via the contact data existing at the time of conclusion of the Agreement) and shall restore access to the User by creating a new user account, unless there are facts that suggest that the Customer has attempted to gain unauthorized access to the rho data systems.

§5 Data protection

To the extent that rho data processes personal data of employees of the customer in the course of providing the rho data software, the customer shall act as the “data controller” within the meaning of Art. 4 No. 7 GDPR and rho data shall act as a processor within the meaning of Art. 4 No. 8 GDPR. When concluding a contract, the parties shall at the same time also conclude a data processing agreement in accordance with Appendix 1. As the Customer remains data controller it is the Customers responsibility to ensure compliance with data protection law, non-discloser-agreements and all applicable statutory secrecy obligations.

§6 Terms of payment

The license fee is determined in the price list, which is available upon request. Unless otherwise agreed, rho data shall be entitled to demand the respective license fee in advance. Unless otherwise agreed in writing, all prices are net in EURO and payments are due without any deduction within 30 calendar days, calculated from the date of invoice. If applicable, the Customer is obliged to pay the statutory value added tax applicable at the time. Other taxes and duties, such as withholding tax or import duties, which are levied on the services or goods of rho data shall be borne by the customer. If claims are made against rho data for such taxes and duties, the customer shall indemnify rho data against such claims. If the customer does not pay within the due date, he will be in default after two reminders. In such a case rho data shall be entitled to charge the customer interest on arrears at a rate of 9 percentage points above the current base rate of the Deutsche Bundesbank. If the delay in payment lasts longer than three months or if the customer is in default with at least two consecutive payments, rho data shall be entitled to terminate the respective individual contract without notice and/or to withdraw from it. Any further claims of rho data shall remain unaffected.

§7 Liability

rho data shall be liable for damages without limitation,

caused by intentional or grossly negligent behavior of rho data, its legal representatives or executive employees or by intentional behavior of its other vicarious agents from injury to life, body or health, from the assumption of a guarantee or a procurement risk as well as under the Product Liability Act. rho data’s liability shall be limited to the damages that are typically to be expected within the framework of an individual contract, in case of damages,

caused by slightly negligent behavior of rho data, its legal representatives, executive employees or other vicarious agents, if a duty is violated, the observance of which is of particular importance for the achievement of the purpose of the contract (cardinal duty). Any other liability of rho data which is not subject to Sec. 8 (1) and (2) is excluded.

The term of the Agreement is one month. At the end of the contractual term the contract shall be extended to one further month, except it is terminated in writing by one of the contracting parties 15 days before its expiry.

§8 Duration and termination of the contract

The term of the Agreement is one month. At the end of the contractual term the contract shall be extended to one further month, except it is terminated in writing by one of the contracting parties 15 days before its expiry.

§9 Miscellaneous

Unless otherwise expressly stipulated in these contractual terms and conditions, all declarations and notifications within the scope of the contractual relationship and the business relationship with the Customer must be made in writing (email is sufficient) or in electronic form. German law shall apply exclusively between the parties. The provisions of the United Nations Convention on Contracts for the International Sale of Goods of 11.04.1980 (CISG) are excluded. Exclusive place of jurisdiction for all claims against merchants and public corporations for all types of proceedings is the registered office of rho data. rho data also has the right to sue customers at their general place of jurisdiction. Should a provision of these contractual terms and conditions be or become invalid in whole or in part, this shall not affect the validity of the remaining provisions. An invalid provision shall be replaced by a provision which is legally possible and comes closest to the invalid provision in terms of content and which most closely corresponds to the well understood economic interests of the parties in the invalid provision. The same applies to possible loopholes in the regulations.

Appendix 1

Data Processing Agreement

Between rho data (acting as data processor which processes data on behalf of and under the instructions of Customer) and each Customer of rho data (acting as a data controller), a Data Processing Agreement shall be concluded in accordance with the following terms and conditions:

§1 Subject and duration of the Data Processing Agreement

The subject matter of this contract is derived from the contract referred to here. The nature and purpose of the envisaged processing of data is the provision of rho data software as a cloud solution and the processing of personal data that necessarily goes hand in hand with this. The duration of this contract (term) corresponds to the term of the contract. This contract concerns the processing of the following categories of data:

Number of e-mails (but not the content of the communication, only the number) For e-mails: Sender, recipient, addresses in CC and BCC, timestamp (sent, received); Was the message read? When? Conversation ID (Was the message a response to another message?), Response time; Does the message have an attachment? Types of addresses of e-mails and other digital communication (internal or external? For internal also: hierarchical level of the communication partner; department of the communication partner). Calendar entries (but not the content of calendar entries, only the persons (including external ones) who were also invited, the duration, location and number of persons actually participating) Information about who has made calendar entries and invited people to meetings; additional information from calendar entries invited accounts; Implied number of invitations, invitation timestamp, acceptances/rejections; Recurring appointment yes/no This contract concerns the processing of data of the following categories of data subjects:

Employees of the client external stakeholders

§2 Data processing within the EU; exceptions for international processing under contract

The provision of the contractually agreed data processing takes place exclusively in a member state of the European Union or in another state that is a party to the Agreement on the European Economic Area.

§3 Technical-organizational measures

rho data shall document the implementation of the technical and organisational measures described and required in the run-up to the award of the contract prior to the start of processing, in particular with regard to the concrete execution of the contract, and shall hand them over to the Customer for inspection. Annex 1 of this contract processing agreement serves this purpose. In this context, reference may also be made to documents of the hosting service provider of rho data. rho data must provide the security in accordance with Art. 28 Para. 3 lit. c, 32 GDPR, in particular in conjunction with Art. 5 Para. 1, Para. 2 GDPR. Overall, the measures to be taken are data security measures and to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the nature, scope and purposes of the processing as well as the varying probability of occurrence and severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 (1) GDPR must be taken into account. The technical and organisational measures are subject to technical progress and further development. In this respect, rho data is permitted to implement alternative adequate measures. In doing so, the safety level of the specified measures may not be undercut. Significant changes must be documented.

§4 Authority of the Customer to issue instructions

The Customer has the right to give instructions regarding the treatment of the data which are the subject of the contract. Verbal instructions are confirmed by the Customer immediately (at least in text form). rho data must inform the Customer immediately if he believes that an instruction violates data protection regulations. rho data is entitled to suspend the execution of the relevant instruction until it is confirmed or amended by the Customer. rho data may not correct, delete or restrict the processing of the data processed on behalf of the Customer, but only after documented instructions from the Customer. If a person concerned contacts rho data directly in this respect, rho data shall forward this request to the Customer without delay.

§5 General obligations of rho data

In addition to compliance with the provisions of this contract, rho data is subject to the legal obligations pursuant to Art. 28 to 33 GDPR; in this respect, rho data guarantees in particular compliance with the following requirements: The maintenance of confidentiality in accordance with Art. 28 Para. 3 sentence 2 lit. b, 29, 32 Para. 4 GDPR. In carrying out the work, rho data shall only use employees who are bound to confidentiality and who have been previously familiarised with the provisions on data protection relevant to them. rho data and any person subordinate to rho data who has access to personal data may process such data exclusively in accordance with the instructions of the Customer, including the powers granted in this Agreement, unless they are legally obliged to process such data. Insofar as the Customer, for his part, is subject to an inspection by the supervisory authority, administrative offence or criminal proceedings, a liability claim by a data subject or third party (e.g. claims based on Articles 15 to 21 or 82 GDPR) or any other claim in connection with the contract processing at rho data, rho data shall support the Customer to the best of his ability. rho data and the Customer support each other in preparing the necessary documentation of the processing activities in accordance with Art. 30 Para 1, 2 GDPR. The Customer shall label the data stored and processed in accordance with this Data Processing Agreement with the aim of ensuring that all corresponding data can always be identified as the Customer’s data. rho data shall assist the Customer in complying with the obligations set out in Art. 32 to 36 GDPR with regard to the security of personal data, reporting obligations for data breaches, data protection impact assessments and prior consultation with a supervisory authority.

§6 Subcontracting

For the purposes of this provision, subcontracting relationships are understood to be those services which are directly related to the provision of the main service. This does not include ancillary services which rho data uses e.g. as telecommunication services, postal/transport services, maintenance and user service or the disposal of data carriers as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, rho data is obliged to take appropriate and legally compliant contractual agreements and control measures to ensure data protection and data security of the Customer’s data, even in the case of outsourced ancillary services. The outsourcing to subcontractors or the change of the existing subcontractor are permissible, provided that:

rho data notifies the Customer of such outsourcing to subcontractors a reasonable time in advance in writing or in text form and the Customer does not object to the planned outsourcing in writing or in text form to rho data by the time the data is handed over, and is based on a contractual agreement in accordance with Article 28 Para. 2 to 4 GDPR. The transfer of personal data of the Customer to the subcontractor and his first action are only permitted after all requirements for a subcontracting have been met.

§7 Control rights of the Customer

The Customer has the right to carry out inspections in consultation with rho data or to have them carried out by inspectors to be appointed in individual cases. He shall have the right to convince himself of rho data’s compliance with this agreement in his business operations by means of spot checks, which as a rule must be notified in good time. rho data shall ensure that the Customer can satisfy himself that rho data’s obligations under Art. 28 GDPR have been fulfilled. rho data undertakes to provide the Customer with the necessary information on request and in particular to provide evidence of the implementation of the technical and organisational measures. Evidence of such measures, which do not only concern the specific contract, can be provided by

compliance with approved rules of conduct in accordance with Art. 40 GDPR; certification in accordance with an approved certification procedure pursuant to Art. 42 GDPR; current certificates, reports or report extracts from independent bodies (e.g. auditors, revision, data protection officer, IT security department, data protection auditors, quality auditors); a suitable certification through IT security or data protection audit (e.g. according to BSI basic protection).

§8 Deletion and return of personal data

Copies or duplicates of the data will not be made without the knowledge of the Customer. Excepted from this are back-up copies, insofar as they are necessary to ensure proper data processing, as well as data required in order to comply with statutory storage obligations. Upon completion of the contractually agreed work or earlier upon request by the Customer - at the latest upon termination of the contract – rho data shall delete all personal data received. Documentation which serves as proof of the orderly and proper processing of data shall be kept by rho data in accordance with the respective retention periods beyond the end of the contract. He can hand them over to the Customer at the end of the contract for his own relief.

§9 Limitation of liability; other

The limitation of liability clause from the contract shall apply accordingly. Clause 15 of the Agreement shall apply to the contract processing agreement accordingly

Annex 1 - Technical and organisational measures

1. Confidentiality (Art. 32 Para. 1 lit.b GDPR)

Access control

- No unauthorised access to data processing equipment, e.g.: magnetic or chip cards, keys, electric door openers, plant security or gatekeepers, alarm systems, video systems;

- Access control No unauthorized system use, e.g: (secure) passwords, automatic locking mechanisms, two-factor authentication, encryption of data media;

- Access control No unauthorized reading, copying, modification or removal within the system, e.g: Authorization concepts and need-based access rights, logging of accesses;

- Separation control Separate processing of data collected for different purposes, e.g. multi-client capability, sandboxing

2. Pseudonymisation (Art. 32 Para. 1 lit. a GDPR; Art. 25 Para. 1 GDPR)

- The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the need for additional information, provided that this additional information is kept separately and is subject to appropriate technical and organisational measures;

- Anonymisation: All references to employee’s data are deleted before the analysis and replaced by an assignment to a team

- The pseudonymisation and aggregation of the data records to teams takes place at rho data in a docker container created for each customer, which is completely deleted after the pseudonymisation has been carried out

3. Integrity (Art. 32 Para. 1 lit. b GDPR)

- Transfer control No unauthorized reading, copying, modification or removal during electronic transmission or transport, e.g: encryption, Virtual Private Networks (VPN), electronic signature; Object Storage is protected by RCAB

- Input control Determining whether and by whom personal data have been entered, modified or removed from data processing systems, e.g: logging, document management;

4. Availability and resilience (Art. 32 Para. 1 lit. b GDPR)

- Availability control Protection against accidental or deliberate destruction or loss, e.g: Backup strategy (online/offline; on-site/off-site), uninterruptible power supply (UPS), virus protection, firewall, reporting channels and emergency plans;

5. Rapid recoverability (Art. 32 Para. 1 lit. c GDPR);

6. Procedures for regular review, assessment and evaluation (Art. 32 Para. 1 lit. d GDPR; Art. 25 Para. 1 GDPR)

- Data protection management;

- Incident response management;

7. Data protection-friendly default settings (Art. 25 Para. 2 GDPR);

- Order control No commissioned data processing within the meaning of Art. 28 GDPR without corresponding instructions from the client, e.g: Clear contract design, formalised contract management, strict selection of the service provider, obligation to convince in advance, follow-up checks.