Preamble

The customer has commissioned branchly GmbH, Am Kartoffelgarten 14, 81671 Munich ("branchly") with the SaaS operation of an AI content navigation system. In the execution of the contract, branchly receives access to personal data of the customer. Art. 28 of the General Data Protection Regulation (GDPR) imposes special requirements on such a service agreement. To ensure compliance with these requirements, the parties conclude this agreement.

1. Subject of the Contract, Content of the Order

1.1 branchly provides the SaaS provision based on the customer's commissioning as per branchly's offer and the General Terms and Conditions for SaaS services ("Main Contract").

1.2 To specify the data protection rights and obligations, the parties conclude this processing agreement. The subject matter and duration of the services provided by branchly are determined by the Main Contract. The provisions of this agreement take precedence over the provisions of the Main Contract in case of doubt.

2. Scope, Purpose, and Execution of Data Processing; Type of Data and Circle of Affected Persons; Instruction Obligations

2.1 The scope and purpose of data processing by branchly arise from the Main Contract and the corresponding service description.

2.2 In the context of service provision, branchly may potentially access data stored on the SaaS platform. This includes the following types of data:

– "Customer inquiries; these may exceptionally contain personal information (e.g., email address, phone number of the customer)."

– IP addresses of end users (which are only temporarily and technically necessary for providing the service)

– Browser language and device type.

2.3 branchly may process personal data of the customer solely for the purposes of fulfilling the Main Contract on behalf of the customer or based on individual instructions from the customer. If branchly processes data due to a legal obligation within the meaning of Art. 28 (3) lit. a GDPR, branchly will inform the customer before processing, as long as this is not legally excluded.

2.4 branchly must observe and implement individual instructions from the customer regarding the collection, processing, or use of data. The customer is entitled to issue corresponding instructions at any time. This includes instructions regarding the correction, deletion, and blocking of data. If branchly believes that an instruction from the customer violates data protection regulations, it will notify the customer. The reasonable costs of executing instructions that go beyond the contractual services of the Main Contract will be reimbursed by the customer according to the applicable hourly rates of branchly.

3. Subcontracting Relationships

3.1 branchly is entitled to engage further processors ("subcontractors"). Currently, branchly uses the following subcontractors.

Contractual agreements with subcontractors are structured by branchly in such a way that they comply with the provisions of the GDPR.

3.2. branchly informs the customer about any intended changes regarding the engagement or replacement of other subcontractors, allowing the customer to object to such changes. If the customer has justified objections against the use of such a new subcontractor, indicating that the use does not meet the requirements of the GDPR, the customer is entitled to raise an objection to branchly within 14 days after receiving the change notification. If branchly, despite justified objections from the customer, declares that it will not refrain from using the subcontractor, the customer is entitled to terminate the Main Contract in writing with four weeks' notice.

3.3 Subcontractor relationships in the sense of this regulation refer to those services that are directly related to the provision of the main service. This does not include ancillary services, such as telecommunications services, postal/transport services, maintenance, and user support, which branchly may utilize. However, branchly is obligated to ensure data protection and data security, even for outsourced ancillary services, by taking appropriate and legally compliant contractual agreements and control measures.

4. Data Confidentiality and Privacy

branchly ensures that employees involved in processing personal data are obliged to confidentiality or are subject to an appropriate legal confidentiality obligation. These obligations must be framed in such a way that they continue to apply even after the termination of the employment relationship between the employee and branchly.

5. Protection Measures and Control

5.1 branchly implements the necessary technical and organizational measures ( TOMs) as per Art. 32 GDPR. branchly can change and adjust the technical-organizational measures, particularly in response to developments in technology, as long as the initial security level is not undermined.

5.2 branchly provides the customer with all necessary information upon request to verifiably comply with the obligations under Art. 28 GDPR, for example by providing appropriate documentation. branchly also enables verification by the customer or another auditor appointed by them. For this purpose, branchly allows the auditor, upon registration for auditing purposes, to verify compliance with the obligations relevant to the processing of orders during normal business hours without significantly disturbing the operation. The reasonable costs of participation in such an audit on branchly's part will be reimbursed by the customer according to branchly's hourly rates. 5.3 The customer agrees to treat all information, documents, data, and insights that become known or are disclosed by branchly strictly confidential, to use them exclusively for data protection control, and not to utilize them otherwise. Employees or external third parties engaged by the customer are required, unless they are professionally obligated to confidentiality, to be subjected to an equivalent confidentiality obligation as set forth herein.

6. Duty to Inform and Support

6.1 If branchly becomes aware of a breach of the customer’s personal data protection, it will promptly notify the customer. branchly will, in consultation with the customer, take appropriate measures to secure the data and to mitigate any potential adverse effects for the affected individuals. branchly supports the customer in fulfilling the reporting and notification obligations under Articles 33 and 34 GDPR.

6.2 branchly assists the customer in producing data protection impact assessments in accordance with Articles 35 and 36 GDPR, considering the nature of processing and the information available to it.

6.3 Should the data at branchly be endangered by seizure or confiscation, insolvency or settlement procedures, or other events or measures by third parties, branchly must inform the customer immediately. branchly will promptly inform all responsible parties in this context that the sovereignty and ownership of the data solely rests with the customer as the "controller" in the sense of the GDPR.

7. Deletion of Data

7.1 The deletion of data collected, processed, and used in the context of the contractual relationship occurs upon termination of the Main Contract, unless statutory retention periods contradict this.

7.2 If data carriers have been provided by the customer during data processing, branchly will return them no later than upon termination of the Main Contract.

8. Rights of Affected Persons

8.1 If an affected person directly contacts branchly to exercise their rights (e.g., regarding rectification, blocking, restricting processing, or deletion of data), branchly will promptly forward this request to the customer.

8.2 branchly supports the customer upon request in upholding these rights, e.g., concerning the information obligations (notification, provide information), rectification, blocking or restriction of processing, and deletion of personal data. The reasonable costs for support by branchly will be reimbursed by the customer according to branchly's hourly rates.

9. Duration and Final Provisions

9.1 This agreement ends with the termination of the Main Contract. It remains in effect even after the termination of the Main Contract as long as branchly holds personal data of the customer.

9.2 The liability provisions agreed upon between the parties in the Main Contract also apply to liability between the parties in connection with this agreement for order processing.

9.3 Changes and additions to this agreement must be in writing. This also applies to the waiver of this written form requirement.

9.4 Only German law applies, excluding legal norms that refer to other legal systems. The United Nations Convention on Contracts for the International Sale of Goods (UNCITRAL) does not apply.