January 2024

Agreement for order processing for SaaS services (AVV).

Preamble

The customer has commissioned branchly GmbH, Auerfeldstraße 18, 81541 Munich ("branchly") with the SaaS operation of an AI content navigation system. In the course of contract performance, branchly will have access to the customer's personal data. Art. 28 General Data Protection Regulation (GDPR) imposes special requirements on such processing agreements. To comply with these requirements, the parties conclude the present agreement.

1. Subject Matter of the Contract, Content of the Processing

1.1 branchly provides the SaaS provision on the basis of the customer's commission in accordance with branchly's offer and the terms and conditions for SaaS services ("Master Agreement").

1.2 In order to specify the data protection rights and obligations, the parties conclude the present processing agreement. The subject matter and duration of the service provision by branchly are governed by the Master Agreement. In case of doubt, the provisions of the present agreement take precedence over the provisions of the Master Agreement.

2. Scope, Purpose and Performance of Data Processing; Type of Data and Circle of Data Subjects; Duty to Obey Instructions

2.1 The scope and purpose of data processing by branchly result from the Master Agreement and the associated service description.

2.2 As part of the service provision, branchly may have access to data stored on the SaaS platform. These are the following types of data:

- "Customer's search queries; these may occasionally also contain personal information (e.g. customer's email address, phone number)".

2.3 branchly may process the customer's personal data exclusively for the purpose of fulfilling the Master Agreement on behalf of the customer or based on individual instructions from the customer. If branchly processes data due to a legal obligation within the meaning of Art. 28 (3) lit. a GDPR, branchly shall inform the customer before processing, unless legally precluded.

2.4 branchly must comply with and implement individual instructions from the customer regarding the collection, processing, or use of data. The customer is at all times entitled to issue corresponding instructions. This also includes instructions regarding the correction, deletion, and blocking of data. If branchly believes that a customer's instruction violates data protection regulations, branchly will inform the customer accordingly. The reasonable costs of implementing instructions that go beyond the contractual services of the Master Agreement will be reimbursed by the customer in accordance with branchly's applicable hourly rates.

3. Subprocessing

3.1 branchly is entitled to engage further data processors ("subprocessors"). Currently, branchly uses the following subprocessors.

Contractual agreements with subprocessors are designed by branchly to comply with the provisions of the GDPR.

3.2 branchly informs the customer of any intended change regarding the engagement or replacement of other subprocessors, thereby giving the customer the opportunity to object to such changes. If the customer has justified objections to the use of such a new subprocessor on the grounds that the use does not comply with the requirements of the GDPR, the customer is entitled to raise objections to the use of the subprocessor with branchly within 14 days of receiving the change notification. If branchly subsequently, despite justified objections, declares to the customer that it will not refrain from using the subprocessor, the customer is entitled to terminate the Master Agreement in writing with a notice period of four weeks.

3.3 For purposes of this provision, subprocessor relationships are understood to mean services that are directly related to the provision of the main service. This does not include, in particular, ancillary services that branchly may use, such as telecommunications services, postal/transport services, maintenance and user service, or the disposal of data carriers. However, branchly is obligated to take appropriate and lawful contractual agreements and control measures to ensure data protection and data security even with outsourced ancillary services.

4. Data Confidentiality and Confidentiality

branchly ensures that the employees deployed for processing personal data are obligated to maintain confidentiality or are subject to an appropriate legal duty of confidentiality. These obligations must be formulated in such a way that they continue to exist even after the employment relationship between the employee and branchly has ended.

5. Protective Measures and Control

5.1 branchly takes the technical and organizational measures (TOMs) required in accordance with Art. 32 GDPR. branchly may change and adapt the technical and organizational measures, especially in light of technological advancements, provided that this does not undercut the initial level of security.

5.2 Upon request, branchly provides the customer with all necessary information to demonstrate compliance with the obligations under Art. 28 GDPR, for example, by presenting suitable documentation. branchly also enables verification by the customer or another auditor appointed by the customer. For this purpose, branchly allows the auditor to inspect branchly's premises for the purpose of verification during normal business hours without significant disruption of the business operations. The reasonable costs of participating in such an audit on the part of branchly will be reimbursed by the customer in accordance with branchly's hourly rates.

5.3 The customer undertakes to treat all information, documents, data, and findings that become known during the aforementioned audits and disclosures or are disclosed by branchly as strictly confidential, to use them exclusively for data protection checks, and not to use them for other purposes. Employees or external third parties engaged by the customer, unless bound by professional confidentiality, are to be subject to an equivalent duty of confidentiality as that stipulated here.

6. Duty to Provide Information and Support

6.1 If branchly becomes aware of a breach of the customer's personal data protection, it will promptly report this to the customer. In consultation with the customer, branchly will take appropriate measures to secure the data and mitigate any potential adverse effects for those affected. branchly supports the customer in fulfilling the reporting and notification obligations under Art. 33 and 34 GDPR.

6.2 Taking into account the nature of the processing and the information available to it, branchly supports the customer in compiling data protection impact assessments in accordance with Art. 35, 36 GDPR.

6.3 Should the data at branchly be jeopardized by garnishment or seizure, insolvency or composition proceedings, or other events or measures by third parties, branchly must inform the customer immediately. In this context, branchly will promptly inform all those responsible that the sovereignty and ownership of the data lie exclusively with the customer as the "Controller" within the meaning of the GDPR.

7. Data Deletion

7.1 Upon termination of the Master Agreement, the data collected, processed, and used within the scope of the processing agreement will be deleted, unless there are legal retention periods.

7.2 If data carriers have been provided by the customer in the course of data processing, branchly will return them no later than upon termination of the Master Agreement.

8. Rights of Data Subjects

8.1 Insofar as a data subject should directly contact branchly to exercise data subject rights (e.g. with regard to rectification, blocking or restriction of processing, or deletion of data), branchly will promptly forward this request to the customer.

8.2 Upon request, branchly supports the customer in exercising these rights, e.g. in terms of information obligations (notification, provision of information), rectification, blocking or restriction of processing, and deletion of personal data. The reasonable costs for support by branchly will be reimbursed by the customer in accordance with branchly's hourly rates.

9. Term and Final Provisions

9.1 The present agreement ends with the termination of the Master Agreement. It remains in force even beyond the termination of the Master Agreement as long as branchly has access to the customer's personal data.

9.2 The liability scheme agreed between the parties in the Master Agreement also applies to liability between the parties in connection with this processing agreement.

9.3 Changes and additions to this agreement require written form. This also applies to the waiver of this formal requirement.

9.4 German law exclusively applies, excluding such legal norms that refer to other legal systems. The United Nations Convention on Contracts for the International Sale of Goods (CISG) does not apply.