Terms and Conditions

General Terms and Conditions (GTC) of Data-Vise GmbH

Version: 1. June 2025

  1. Scope and Conclusion of Contract

1.1. Parties and Subject Matter. This Agreement governs the legal relationship between Data-Vise GmbH, Georg-Hallmaier-Str. 9, 81369 München/Germany, hereinafter referred to as „Data-Vise,“ and its customers (hereinafter „Customer“) concerning the provision of the „Data-Vise“ tool for use via the internet (Software as a Service).

1.2. No Deviating Terms. The application of deviating terms or terms exceeding these provisions is excluded. This applies in particular to the Customer’s general terms and conditions, even if Data-Vise accepts an order from the Customer in which the Customer refers to its general terms and conditions and/or to which the Customer’s general terms and conditions are attached, and Data-Vise does not object to them.

1.3. Conclusion of Contract. The contract is concluded when the Customer books a service package (“Plan”) online via the Data-Vise website and Data-Vise confirms the booking by e-mail („Order Confirmation“).

1.4. Obligations in Electronic Commerce. § 312i (1) Nos. 1, 2, and 3 of the German Civil Code (BGB) as well as § 312i (1) sentence 2 BGB, which provide for certain obligations of the entrepreneur in contracts in electronic commerce, are waived.

  2. Services of Data-Vise

2.1 Data-Vise. Data-Vise is a platform for „Conversational Data for Performance Marketing.“ It enables Customers to connect their online marketing data sources via the APIs of the respective platform providers (such APIs hereinafter “Source Data APIs” and the platform providers “Marketing Platform Provider”) to the Data-Vise platform. Customer’s online marketing data (“Customer Marketing Data”) is then read through the Source Data API and transferred to and stored by Data-Vise in a data warehouse (currently Google BigQuery) (hereinafter “Data Warehouse”). Customer Marketing Data includes information about campaigns, ad groups, ad details, performance metrics of campaigns (e.g. impressions, clicks), targeting data (e.g. locations, devices, interests) and ad content (e.g. headlines, images of ads) but no personal data about customers, leads or website visitors of Customer. Data-Vise utilizes AI models (e.g., currently OpenAI’s ChatGPT) via APIs (“AI Model APIs”) to analyze the Customer Marketing Data, provide insights, generate recommendations, and power a conversational interface for data exploration and dashboard generation (such output hereinafter “Marketing Data Insights”). The Service supports the Customer in understanding and optimizing their online marketing performance. The specifics of Data-Vise, including the supported Marketing Platform Providers and Source Data APIs, information about the Data Warehouse and AI Model APIs and information about the Customer Marketing Data are detailed in the service description, available at [Link to Service/Feature Description] (“Service Description”).

2.1. Right of Use. Data-Vise provides the Customer with the software product described in the Service Description („Software“) – namely the Data-Vise platform for analyzing online marketing performance data and providing AI-driven insights and recommendations – for use via the internet („Service“). The Software is operated on computers in a data center used by Data-Vise. For the term of this Agreement, the Customer receives the non-exclusive and non-transferable right to access the Software by means of a browser and an internet connection and to use it for its own business purposes, i.e., its own online marketing analysis. This includes the right to temporarily store program codes (e.g., JavaScript) on the Customer’s computer (e.g., in the working memory or browser cache) as required for this purpose and to execute them there. The right of use is limited to the usage units as specified in the Plan booked by the Customer and the service description. Usage units may include, for example, the maximum number of users, connected data sources, AI tokens, or data storage volume (hereinafter „Usage Units“). Any transfer or provision of the Service or making available the Service to third parties is prohibited.

2.2. Availability. Data-Vise will endeavor to provide the Service to the Customer with a target availability of 95.0% as a monthly average during operating hours. Availability refers to availability at the interconnection point. The interconnection point is the connection point of the data center used by Data-Vise to the internet. Operating hours are 24 hours a day, 7 days a week (24/7). Maintenance work announced by Data-Vise by e-mail (e.g., installation of updates or upgrades) of up to ten (10) hours per calendar month is not part of the operating hours. Data-Vise will endeavor to schedule maintenance work during evening and night hours (20:00 to 06:00 CET/CEST) or on weekends and to notify the Customer thereof in due time. In calculating the actual availability achieved („Achieved Availability“) of the Service, outages due to force majeure (e.g., strike, civil unrest, natural disasters, epidemics) and shall not be taken into account.

2.3. Response Times. The Customer shall report disruptions to the Service to Data-Vise without undue delay. Data-Vise classifies disruptions as follows:

  • Critical Disruption (Error Class 1): The core functionalities of the Service have completely failed or are significantly impaired for the Customer, so that productive use is no longer possible.
  • Significant Disruption (Error Class 2): Important functionalities of the Service are disrupted, but use is still possible with restrictions or via workarounds.
  • Other Disruption (Error Class 3): Minor impairments of the Service without significant impact on core functionalities.

      Response times: Response time is the period between the receipt of a qualified disruption report from the Customer by Data-Vise during support hours (weekdays, 9-17h CET/CEST, excluding public holidays at Data-Vise’s location, and December 24th and 31st) (hereinafter “Support Hours”) and the first qualified response by Data-Vise (e.g., confirmation, initial analysis). Data-Vise will respond to disruption reports within the following response times:

  • Error Class 1: 24 hours
  • Error Class 2: 48 hours
  • Error Class 3: 7 working days

Response times do not apply to disruptions due to force majeure, causes attributable to the Customer (e.g., misconfiguration, insufficient internet connection of the Customer), or disruptions outside Data-Vise’s area of responsibility (e.g., failure of Source Data APIs).

2.4. Setup. The Customer shall carry out the initial setup of the Service (individual settings or input/import of data, connection of Source Data APIs) itself. A modification of the Service, in particular reprogramming according to the Customer’s wishes, is not owed. Corresponding services must be specially agreed upon and remunerated.

2.5. Support. Data-Vise provides free e-mail support during Support Hours to assist with the use of the Service. Support does not include: general know-how transfer, training, configuration and implementation, or customer-specific documentation or software customization. Data-Vise endeavors to respond to support requests within 2 business days.

2.6. Documentation. Unless otherwise agreed, Data-Vise only owes the provision of user documentation as online help in the English language.

2.7. Updates and Changes. During the term of the Agreement, Data-Vise will provide updates to the Service that are necessary to maintain the contractual conformity of the Service and will inform the Customer about these updates and their provision on its website. The Customer acknowledges and agrees that the provision and functionality of the Service are dependent on various third-party APIs and services, including but not limited to the AI Model API and Source Data API („Third-Party Dependencies“). The Customer understands that: (a) these Third-Party Dependencies are subject to change, modification, or discontinuation by the respective third-party providers, often without prior notice to Data-Vise; and (b) the field of artificial intelligence and AI models is evolving rapidly, which may impact the performance, availability, or features of AI models utilized by the Service. As a result, Data-Vise may be required to make adjustments, modifications, or updates to the Service to accommodate such changes in Third-Party Dependencies or AI model developments to maintain the Service. Data-Vise may make changes beyond what is necessary to maintain the contractual conformity of the Service in the course of providing a new version (Upgrade). The newly provided version replaces the originally provided version of the Service and becomes the subject of this Agreement. Data-Vise will only make a change to the Service that materially adversely affects the Customer’s access or usability if Data-Vise informs the Customer thereof. Information about updates and changes will be provided to the Customer by Data-Vise in good time on a durable medium (e.g., by e-mail or on Data-Vise’s website). If a change to the Services materially adversely affects access or usability, the Customer may terminate the contract free of charge within 30 days. The period begins with the receipt or publication of the information about the change. If the change takes place after receipt of the information, the time of the change replaces the time of receipt of the information. Termination is excluded if the adverse effect on access or usability is not material. The provision of updates and changes is made free of charge by updating the Service. Installation by the Customer is not necessary.

  3. Remuneration and Payment Default

3.1. Fee Structure. The Customer owes Data-Vise the remuneration agreed in the selected Plan for the use of the Service during the contract term. The remuneration consists of a monthly usage fee.

3.2. Accrual of Usage Fee. The monthly usage fee is payable monthly in advance.

3.3. Invoicing. Data-Vise shall invoice the fees at the beginning of the contract and then monthly in advance. The invoice amount is due immediately, unless otherwise stated on the invoice. Invoicing is done online by making the invoice available as a downloadable and printable PDF file in the customer account or by sending it via e-mail („Online Invoice“). In the case of an Online Invoice, it is deemed to have been received by the Customer when it is accessible to the Customer in the customer account and thus enters its sphere of control, or upon receipt of the e-mail.

3.4. Payment Methods. Payment of invoice amounts shall be made using the payment methods offered in the ordering process (e.g., credit card, SEPA direct debit). If SEPA direct debit is offered and selected by the Customer, the Customer undertakes to issue Data-Vise with a corresponding SEPA direct debit mandate. The Customer will be informed about the SEPA direct debit collection at least one day before the due date by e-mail (Pre-Notification).

3.5. Net Prices. All prices are exclusive of the applicable statutory value-added tax (VAT).

3.6. Payment Default. If the Customer is in default with the payment of the remuneration for one month, Data-Vise is entitled to temporarily suspend access to the Service or to terminate the contract extraordinarily. During the suspension, the Customer has no access to the data stored in the Service.

  4. Obligations and Duties of the Customer

4.1. Lawful Use. The Customer will use the Service only within the scope of the contractual and statutory provisions and will not infringe any third-party rights when using it. In particular, when using the Service, the Customer will observe the provisions of copyright law, business secrets, and non-disclosure agreements, and will not import any harmful or illegal data or otherwise misuse the Service.

4.2. The Customer acknowledges that the Marketing Data Insights are generated by an AI and that AI output is based on probabilities and may be inappropriate, incorrect or incomplete. It is the Customer’s responsibility to verify the accuracy and appropriateness of the Marketing Data Insights step-by-step and carefully before using them. The Customer is particularly obligated to first test marketing activities based on the Marketing Data Insights cautiously and on a small scale, and not to immediately and comprehensively rely on the accuracy and completeness of the Marketing Data Insights. If the Customer fails to conduct this careful review and step-by-step implementation, they shall bear sole and full responsibility for any resulting damages or underperformance.

4.4 Prohibited Use. The Customer will a) not perform or attempt to perform reverse engineering of the Software, Service, algorithms, processes, steps or prompts of the underlying systems of Data-Vise; b) not attempt to ascertain or disclose system prompts, algorithms, or other confidential configuration details of the AI models or prompts used by Data-Vise or the platform; c) not use the insights gained through the use of the Service, particularly regarding the functionality of Data-Vise, the structure of the Marketing Data Insights, or the prompts, for the creation, development, or provision of their own products, services, or offerings that directly or indirectly compete with Data-Vise.

4.3. System Requirements and Cooperation Duties. Requirements for hardware and software on the Customer’s side, as well as organizational requirements and cooperation duties of the Customer, may be set out in the service description.

4.4. Backup Copies. The Customer is obliged to keep copies of the Customer Marketing Data and Marketing Data Insights. Data-Vise and the Data Warehouse are not intended to act as a backup solution for Customer Marketing Data. If the Customer breaches this duty to perform proper data backup, Data-Vise shall only be liable for data loss up to the amount of damage that would have occurred even if the Customer had performed regular data backup.

  5. Customer Data and Data Protection

5.1. Customer Data. “Customer Data” means Customer Marketing Data, customer API credentials for the Source Data APIs and Marketing Data Insights. Customer Data does not include personal data within the meaning of the GDPR. Data-Vise will use the Customer Data solely for the provision of the Services as set out in section 5.2. below. Data-Vise will keep confidential Customer Data as per section 6.

5.2. Use of Customer Data. The Customer hereby grants Data-Vise free of charge the non-exclusive, worldwide right, limited to the term of this Agreement, to use the Customer Data to provide the Service. This includes the right to collect Customer Marketing Data from the Marketing Platform Providers via the Data APIs, to transfer and store Customer Data in the Data Warehouse and process and analyze Customer Data using the AI Model APIs to generate Marketing Data Insights (i.e. analytics, insights, and recommendations). Data-Vise may use the Customer Data and any Customer feedback for error analysis of the Service and for the improvement of the Services and development of new services.

5.3. Personal Data Processing. To the extent Data-Vise processes information of Customer’s users of the Service (e.g. names, access credentials, settings), Customer is the controller and Data-Vise is the data processor within the meaning of the GDPR. In this respect the attached Data Processing Agreement (DPA) shall apply (see Annex 2). For the avoidance of doubt: Customer Data, in particular Customer Marketing Data, does not qualify as personal data and is not subject to the DPA.

  6. Confidentiality, Reference

6.1. Confidentiality Obligation. Data-Vise and the Customer (hereinafter collectively „Parties,“ individually „Party“) undertake, during the term of this Agreement and for a period of three (5) years thereafter, to use all Confidential Information within the meaning of Clause 6.2 only for the purposes of this Agreement and to treat it confidentially. In particular, the disclosure of Confidential Information to third parties (subject to Clause 6.4) requires the prior consent of the other Party.

6.2. Confidential Information. „Confidential Information“ means all documents, information, and data designated or marked as „confidential“ or similar by the disclosing Party in writing, orally, electronically, or in any other form, which have been made accessible or become known to the Parties as a result of or in connection with the cooperation under this Agreement. Confidential Information also includes, in particular, all information which by its nature is to be regarded as confidential, such as trade secrets, Customer Data within the meaning of Clause 5.1 (with regard to confidentiality by Data-Vise), know-how, software (including Data-Vise itself), source codes, business plans, system prompts of Data-Vise, financial information, and marketing strategies.

6.3. Exceptions. The foregoing obligations shall not apply to the extent that a Party that has received Confidential Information („Receiving Party“) can demonstrate that such Confidential Information:
6.3.1. was publicly available at the time of disclosure or subsequently became publicly available through no fault of the Receiving Party; or
6.3.2. was lawfully disclosed to the Receiving Party by a third party who, to the knowledge of the Receiving Party, was not under any confidentiality obligation to the disclosing Party; or
6.3.3. was already lawfully in the possession of the Receiving Party or known to it at the time of disclosure, without this being based on a direct or indirect breach of a confidentiality obligation; or
6.3.4. was developed by the Receiving Party independently and without use of or reference to the Confidential Information of the disclosing Party; or
6.3.5. must be disclosed pursuant to mandatory statutory or regulatory provisions or on the basis of an unappealable court or official order. In such a case, the Receiving Party shall (to the extent legally permissible) inform the disclosing Party without undue delay of the requirement to disclose and shall make all reasonable efforts to limit the scope of disclosure to the necessary minimum and to ensure confidential treatment of the information.

6.4. Third Parties. Third parties within the meaning of Clause 6.1 are not the respective legal representatives, employees, lawyers, auditors, and tax advisors of the Parties, as well as tax authorities and other persons who are obliged by law to maintain secrecy, insofar as disclosure is necessary for the fulfillment of contractual obligations or for the protection of legitimate interests. In relation to Data-Vise, the subcontractors and third-party providers used by Data-Vise pursuant to Clauses 2.1, 2.2, and 5.2 for the provision of Services (e.g., provider of the Data Warehouse and AI Model APIs) are likewise not third parties.

6.5. Reference. Data-Vise is entitled to name the Customer as a reference customer and for this purpose to use the name, company name, and logos of the Customer to designate the Customer (e.g., on the Data-Vise website, in presentations, or other marketing materials). The Customer may object to the reference for important reasons with effect for the future.

  7. Warranty Claims

7.1. Freedom from Defects and Quality. Data-Vise will provide the Service free of material and legal defects and maintain the Software in a condition suitable for contractual use during the contract term. The contractually agreed quality of the Software is determined by the Service Description and Plan.

7.2. Remedy of Defects. The Customer shall report defects in the Service to Data-Vise without undue delay and explain the specific circumstances of their occurrence. Data-Vise will remedy the defect within a reasonable time period. Data-Vise is entitled to temporarily show the Customer ways to circumvent errors and to remedy the defect later by adapting the Software, provided this is reasonable for the Customer.

7.3. Initial Impossibility. Strict liability for initial defects according to of the German Civil Code (BGB) is excluded.

7.4. Non-Provision. The Customer’s right of termination for non-provision pursuant to § 543 (2) sentence 1 No. 1 BGB is excluded unless the provision of the Service is to be regarded as permanently failed.

7.5. Statute of Limitations. Warranty claims shall become statute-barred within 12 months. This does not apply in the case of warranty claims for damages insofar as Data-Vise is mandatorily liable by law (cf. Clause 8.1 sentence 2).

7.6. Statutory Regulation. Otherwise, the statutory rules on liability for defects shall apply.

  8. Limitation of Liability

8.1. Exclusion in Certain Cases. Data-Vise is liable for damages insofar as these
a) were caused intentionally or by gross negligence by Data-Vise, or
b) were caused by slight negligence by Data-Vise and are attributable to material breaches of duty which jeopardize the achievement of the purpose of this Agreement, or to the breach of duties the fulfillment of which is essential for the proper execution of this Agreement and on the observance of which the Customer may rely (e.g., Customer Data is completely lost and also old stocks are not reconstructible).
Otherwise, Data-Vise’s liability is excluded irrespective of its legal basis, unless Data-Vise is mandatorily liable by law, in particular for injury to life, body, or health of a person, assumption of an express guarantee, fraudulent concealment of a defect, or under the Product Liability Act. Guarantees by Data-Vise are only made in writing and, in case of doubt, are only to be interpreted as such if they are designated as a „guarantee.“

8.2. Limitation of Amount. In the case of Clause 8.1 sentence 1 letter b), Data-Vise is only liable to a limited extent for the damage typically foreseeable for a contract of this type.

8.3. Amount of Typically Foreseeable Damage. The Parties assume for the cases of Clause 8.1 sentence 1 letter b) that the „typically foreseeable damage“ for all damaging events occurring in a calendar year amounts to a maximum of the net remuneration for Software as a Service services from Data-Vise that is contractually agreed or incurred for this calendar year (whichever of these two amounts is higher).

8.4. Free Trial Phase. Data-Vise’s liability is limited to intent and gross negligence for damage caused during a free trial phase.

8.5. Employees and Agents of Data-Vise. The limitations of liability in Clauses 8.1 to 8.4 also apply to claims against employees and agents of Data-Vise.

  9. Term and Termination

9.1. Free Trial Phase. If the Plan chosen by the Customer provides for a free trial phase, the following applies to the term of the contract: The trial phase begins with the conclusion of the contract. No usage fees are charged for the trial phase. Upon expiry of the trial phase, the Initial Term begins automatically, unless the Customer terminates the contract by the end of the trial phase.

9.2. Term. Unless otherwise set forth in the Plan chosen by Customer, the contract is concluded for an initial term of one (1) month („Initial Term“) and is subsequently automatically extended by one (1) further month at a time („Renewal Term“) unless the contract is terminated by a Party at the end of the Initial Term or a Renewal Term.

9.3. Form. Termination must be in text form (e.g., e-mail, termination function in the customer account).

9.4. Data at Contract End. Upon termination of the contract term, the Customer can no longer access the Customer Data in Data-Vise. It is the Customer’s responsibility to export the data (e.g. Marketing Data Insights) by the end of the contract term using the export function of the Service and to store it for further use. Data-Vise will make the Customer Data that the Customer provided or created when using the Service available for download after termination of the contract, provided the Customer does not already have the content (e.g. stored at the Marketing Platform Provider). This does not apply to content that has no use outside the context of the Service, is exclusively related to the Customer’s use of the Service, has been aggregated by Data-Vise with other data, and cannot be disaggregated or only with disproportionate effort. The Customer Data will be provided free of charge, within a reasonable period, and in a common and machine-readable format (e.g., CSV, JSON, image files). Data-Vise is only obliged to provide Customer Data beyond this if this has been separately agreed and remunerated. Upon termination of the contract, Data-Vise will delete the Customer Data unless Data-Vise is legally obliged to retain it. If deletion is only possible with disproportionate effort (e.g., in backups), Data-Vise is entitled to block the data and delete it in the next regular (at least annual) deletion run.

9.5. Cloud Switching (Data Act). The rights of the Customer and the obligations of Data-Vise regarding the switching of the Customer to another provider of data processing services or to an on-premises ICT infrastructure of the Customer are set out in Annex 3 „Switching of Data Processing Service pursuant to Article 25 of Regulation (EU) 2023/2854 (Data Act)“. This annex shall prevail in the event of any conflict with these GTC.

10.1. Right to Amend. Data-Vise reserves the right to amend these Terms and Conditions and the prices for specific Plans („Prices“) subject to the provisions set forth in this Section 11.

10.2. Notification of Amendments. Data-Vise shall notify the Customer of any proposed amendments to these Terms and Conditions or the Prices at least six (6) weeks (or the termination period applicable to Data-Vise’s right to terminate for convenience, whichever is longer) prior to their intended effective date („Amendment Effective Date“). Such notification („Amendment Notification“) shall:
a) Clearly specify the proposed new or modified contractual terms and/or the new Prices; and
b) State the Amendment Effective Date.

10.3. Customer’s Right to Object. The Customer may object to the proposed amendment(s) in writing (e.g., by email or via a designated function in the customer account, if available) at any time before the Amendment Effective Date.

10.4. Deemed Acceptance upon Non-Objection. If the Customer does not object to the proposed amendment(s) by the Amendment Effective Date, the new Terms and Conditions and/or Prices shall be deemed accepted by the Customer and shall become effective and binding as of the Amendment Effective Date.

10.5. Information on Consequences of Non-Objection. Data-Vise shall expressly inform the Customer in the Amendment Notification of:
a) The Customer’s right to object;
b) The deadline for such objection (i.e., the Amendment Effective Date); and
c) The legal consequence of failing to object, specifically that non-objection by the Amendment Effective Date will be deemed as acceptance of the proposed amendments.

  11. Final Provisions

11.1. Declarations and Notices. Data-Vise is entitled to send all declarations and notices relating to the contractual relationship to the e-mail address provided by the Customer upon registration. The Customer will check this e-mail address regularly.

11.2. Service Description. The Service Description and the description of the selected Plan are part of the contract.

11.3. Set-off. The Customer may only set off claims other than its contractual counterclaims arising from the respective legal transaction or assert a right of retention if this claim is undisputed by Data-Vise or has been finally established by a court.

11.4. Written Form. Amendments to this Agreement require written form (e-mail is sufficient). This also applies to the waiver of this written form requirement.

11.5. Applicable Law. This Agreement and all disputes arising in connection therewith (both contractual and tortious) shall be governed exclusively by German law, to the exclusion of the UN Convention on Contracts for the International Sale of Goods (CISG).

11.6. Jurisdiction. If the Customer is a merchant, a legal entity under public law, or a special fund under public law, the exclusive place of jurisdiction shall be that of Data-Vise’s registered office. Data-Vise remains entitled to sue the Customer at the Customer’s registered office.

11.7. Severability. Should individual provisions of this Agreement be or become invalid, this shall not affect the validity of the remaining provisions. In place of the invalid provision, that which the Parties would have reasonably agreed upon according to the originally intended purpose in economic terms shall apply. The same applies in the event of a contractual gap.

  

Annex 1 to the GTC: MVP (Minimum Viable Product) Terms

This Annex applies to Customers participating in the Data-Vise MVP program. These MVP terms supplement and, where conflicting, supersede the provisions of the General Terms and Conditions (GTC), including the Service Description, for the duration of the MVP phase for the respective MVP Customer.

  1. Purpose: The MVP aims to gather customer feedback to inform the roadmap and final product, ensuring it is catered to end-user needs.
  2. Pricing: The fee for the MVP is €249 per month, per user, exclusive of VAT.
  3. Usage Units & Features (per user license):
    • Users: 1
    • Data Sources: Connection to up to 3 data sources (e.g., Meta Ads, Google Ads).
    • Ad Accounts per Data Source: Up to 5 ad accounts per connected data source.
    • AI Tokens: Fair use policy, nominally up to overall 5 million tokens (input plus output tokens) per month for the AI assistant.
    • Data Storage: Sufficient storage for the connected data sources within reasonable limits for an MVP (e.g., [Specify GB, e.g., 100GB] in Google BigQuery).
  4. Support:
    • Weekly Calls: Opportunity for weekly calls (XX minutes) with the Data-Vise team for ongoing support, feedback, and leveraging marketing expertise alongside AI recommendations.
    • Email Support: High-priority email support with a target response time within 24 hours within Support Hours.
    • Video Call on Request: Video call support available on request during office hours (weekdays 9-17h CET/CEST).
  5. Term and Termination: The MVP contract term is monthly and can be terminated by either party with 14 days’ notice to the end of a calendar month.
  6. Service Levels: No specific SLAs (e.g., for uptime or strict incident response times beyond the support commitments above) apply during the MVP phase. The Service is provided „as-is“ with best-effort availability. 

 

Annex 2 to the GTC: Data Processing Agreement (DPA)

Data Processing Agreement (DPA)
pursuant to Art. 28 GDPR
for „Data-Vise“

Between

Customer
(hereinafter „Controller“ or „Customer“)

and

Data-Vise GmbH
Georg-Hallmaier-Str. 9
81369 München/Germany
(hereinafter „Processor“ or „Data-Vise“)

(Processor and Controller hereinafter individually „Party,“ collectively „Parties“)

Preamble
The Parties have concluded an agreement for the provision of the web-based Data-Vise platform (hereinafter „Main Agreement“). In doing so, the Processor processes personal data on behalf of the Controller. The Processor is a processor within the meaning of Art. 4 No. 8 GDPR, and the Controller is a controller within the meaning of Art. 4 No. 7 GDPR. This Data Processing Agreement specifies the rights and obligations of the Parties under Art. 28 GDPR.
This DPA applies to the processing of personal data of the Controller’s users (e.g., employees, marketing teams) who use the Data-Vise platform. It does not apply to the Customer Marketing Data and Marketing Data Insights, which are considered non-personal data for the purposes of this DPA and the services provided by Data-Vise.

  1. Subject Matter and Duration of Processing
    The subject matter of this DPA is the processing of personal data by the Processor on behalf of the Controller as described in Annex II. The duration of this DPA corresponds to the term of the Main Agreement.
  2. Application of EU Standard Contractual Clauses (SCCs)
    The Parties hereby agree to the application of the Standard Contractual Clauses between controller and processor pursuant to Art. 28(7) of the General Data Protection Regulation (EU) 2016/679 („GDPR“) ((EU) 2021/915 of June 4, 2021) („Standard Contractual Clauses“ or „SCCs“). The SCCs are published in the Official Journal of the European Union L 199/18 and can be accessed at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0915. They are an integral part of this DPA.
    In clauses 1 lit. a, 8 lit. c no. 4, 9.1 lit. b and lit. c as well as 9.2 para. 3 of the Standard Contractual Clauses, the Parties hereby choose option 1. The optional clause 5 of the Standard Contractual Clauses (docking clause) does not apply. The following clauses of the Standard Contractual Clauses shall not apply: Clause 2 (Unalterability) and Clause 7.7 lit. e (Third Party Beneficiary Clause in Contracts with Sub-Processors).

 

  3. Sub-processors
    In Clause 9(a) of the SCCs, the Parties select Option 2 (general written authorisation). The period for prior notice of new or replacement sub-processors shall be 30 days. If the Controller objects to a new sub-processor, the Parties will negotiate in good faith to find an amicable solution. If such an agreement cannot be reached within 14 days, the Processor is entitled to (partially) terminate the Main Agreement to the extent that the new sub-processor is required for the provision of the contractual services. Any fees paid in advance for the terminated services will be refunded pro rata by the Controller in this case. The current list of sub-processors is provided in Annex IV.
  4. Audit Rights
    The Controller’s audit rights under Clause 8.9 of the SCCs shall be exercised as follows: The Processor shall make available to the Controller existing documentation, certifications, reports, and records concerning data processing and security measures („Security Documentation“). If the Security Documentation is not sufficient to assess the Processor’s compliance with the SCCs (e.g., in case of concrete indications of non-compliance), the Processor will answer additional written inquiries from the Controller. If and to the extent that these are also insufficient, the Processor shall permit on-site audits, especially if a competent supervisory authority requests such an audit. The Controller shall bear its own costs for audits.
  5. Remuneration for Additional Efforts
    The Processor’s expenses for the following services shall be remunerated separately by the Controller based on actual effort incurred: expenses arising from on-site audits by the Controller at the Processor’s premises, as well as expenses for creating documentation, certifications, reports, and records on security measures that go beyond what the Processor already has. Before incurring such costs, the Processor will inform the Controller. The amount of remuneration for labor shall correspond to the rates agreed between the Parties, or alternatively, to standard industry and local rates.
  6. Final Provisions
    Should individual provisions of this DPA be or become invalid, the validity of the remaining provisions shall not be affected. In place of the invalid provision, that which the Parties would have reasonably agreed upon according to the originally intended economic purpose shall apply. The same applies in the event of a contractual gap. Regarding formal requirements, applicable law, and place of jurisdiction, the provisions of the Main Agreement shall apply. This DPA shall prevail over any conflicting provisions in the Main Agreement regarding data processing.

ANNEX I to the DPA

Controller: The Customer, as identified in the Main Agreement.

Processor:
Data-Vise GmbH, Georg-Hallmaier-Str. 9, 81369 München/Germany

ANNEX II to the DPA

  1. Categories of data subjects whose personal data is processed:
    • Users of the Data-Vise Service (Controller’s employees): Individuals authorized by the Controller to use the Data-Vise platform.
  2. Categories of personal data processed:
    • User data of the Data-Vise Service:
      • Identification data: First name, last name, e-mail address, password (hashed).
      • User credentials and access data
      • User settings
  3. Sensitive data processed (if applicable) and applied restrictions or safeguards:
    No sensitive data is intentionally processed.
  4. Nature of the processing:
    Provision of Data-Vise, a Software-as-a-Service platform
  5. Purpose(s) for which the personal data is processed on behalf of the Controller:
    Provision and operation of the Data-Vise platform as a tool for the Controller’s users to analyze online marketing performance, generate reports, and optimize marketing strategies, as per the Main Agreement.
  6. Duration of the processing:
    The duration of the processing corresponds to the term of the Main Agreement.

 

 

ANNEX III: TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE DATA SECURITY

The security measures of Data-Vise’s sub-processor Scaleway are described at https://www.scaleway.com/en/security-and-resilience/

  1. Confidentiality

The following chapter „Confidentiality“ describes measures that serve to protect personal data from unauthorized or unintentional disclosure. This includes protection against external and internal attackers (e.g. hackers, frustrated or curious employees) as well as protection against structural threats (e.g. untrained employees, inadequate role/rights concepts, deficiencies in the data protection organization).

1.2 Access control

Measures to prevent data processing systems from being used by unauthorized persons.

  • Access protection to systems through authentication (user ID with password)
  • Procedure for granting and withdrawing authorizations including logging
  • Password policy (minimum password length, complexity, uniqueness, enforcement by the system)
  • Protecting IT systems against viruses and other malware with updates
  • VPNs for external access
  • Written instructions for „manual locking“ of PCs

1.3 Access control

Measures to ensure that users authorized to use data processing systems can only access data for which they are authorized and that personal data cannot be copied, modified or deleted without authorization during processing.

  • Written and documented authorization concept
  • Regular checking of roles, authorizations and assignment of roles to persons
  • Logging of changes to roles, authorizations and the assignment of roles to persons
  • Written instructions on dealing with departing employees
  • Restriction of admin access (e.g. number of admins)
  • Logging of changes, deletions and data exports
  • Documented data carrier management
  • Instructions for secure deletion of data carriers
  • Instructions for the secure destruction of documents containing personal data (document shredder)

1.4 Separation

  • Physical separation of data from different clients (different server, different hard disk)
  • Logical separation of databases of different clients (assignment of data records to clients, different file folders/databases/tables)
  • Separation of production, test and development systems
  • Multi-client capability (e.g. different settings possible for each client, such as storage duration)

1.5 Encryption (Article 32(1)(a) GDPR)

Measures for encrypting data.

If encryption is used, explain what is encrypted, when and how, including the method (AES, TLS 1.2), the key length (256 bit, 2048 bit) and tools used (e.g. Veracrypt)

  • Encryption during storage (hard disk and database encryption with AES 256-bit)
  • Encryption on mobile devices (e.g. laptops, smartphones)
  • Encryption on mobile data carriers (USB sticks, SD cards)

1.6 Pseudonymization (Art. 32 para. 1 lit. a) GDPR)

Measures for pseudonymization, i.e. the replacement of identification features such as a name, an address or an e-mail address with a unique identifier, the pseudonym. The identification features (and the assignment to the pseudonym) are stored separately from the content data and are specially secured. With pseudonymization, re-identification is possible, which means that personal data is available (no anonymization!).

If pseudonymization is used, please explain

  • the extent to which pseudonymization is used
  • how the data with the identification features (name etc.) are separated from the content data, and
  • how the identification features are specially protected.


In addition to a technical separation (different databases, servers, etc.), an organizational separation can also be considered (different departments/persons, external data trustee, internal instruction prohibiting the merging, „Chinese walls“).

  • Replacement by codes: Unique identifiers such as names or e-mail addresses are replaced by randomly generated codes
  • Separate data storage: Pseudonymized content data and attribution information are stored in separate databases or on different servers
  • Chinese Wall: Internal instructions prohibit the merging of pseudonymized data and attribution information
  • Use of a data trustee; an external service provider manages the allocation information
  • Department separation: Different departments are responsible for pseudonymized data and assignment information
  • Access controls: Only a limited group of people are granted access to the assignment information

  2. Integrity (Art. 32 para. 1 lit. b) GDPR)

The „Integrity“ section describes measures that serve to ensure the complete and correct provision of personal data. The measures are aimed at identifying unauthorized changes to the data and providing procedures for rectification.

2.1 Input control

Measures to ensure that it is possible to check whether and by whom personal data has been entered, changed or deleted.

  • Logging of creation, entry, modification and deletion and other relevant actions with data (e.g. export, reports)
  • Logging of the user who has performed an action

 

2.2 Transfer control

Measures to ensure that personal data cannot be read, copied, modified or deleted without authorization during electronic transmission or transport on data carriers.

  • Written instructions for secure data carrier transport
  • Security for electronic transmission (encryption, see above)
  • Regulations for teleworkers / home workers, remote maintenance

  3. Availability (Art. 32 para. 1 lit. b) GDPR)

The „Availability“ section includes measures to ensure that personal data is available when it is needed. This also includes measures to restore data in the event of loss or destruction.

3.2 General measures

  • Uninterruptible power supply (UPS) for server systems
  • Fire, water and smoke protection in server rooms
  • Air conditioning systems in server rooms
  • Hard disk mirroring (RAID)
  • Written backup concept (backup strategy („3-2-1“), full backup/differential backup, periodicity, scope, retention period, storage locations and method)
  • Data backup and recovery concept
  • Tests of backup and recovery procedures
  • Virus protection
  • Intrusion Detection System (IDS) / Intrusion Prevention System (IPS)
  • Storage of backups in a separate location

3.3 In particular: Recoverability after an incident (Art. 32 para. 1 lit. c) GDPR)

Measures to quickly restore the availability of personal data after a physical or technical incident.

  • Emergency plan to ensure appropriate „restart times“

3.4 In particular: Resilience (Art. 32 para. 1 lit. b) GDPR)

Measures to make data processing systems resilient when unpreventable disruptions affect the systems.

  • Setting up redundancies to intercept the failure of network nodes
  • Backup concepts and emergency concepts
  • DDoS defense mechanisms

  4. Procedures for regular review, assessment and evaluation (Art. 32 (1) (d) GDPR)

Measures to regularly review, assess and evaluate the effectiveness of technical and organizational measures.

  • Definition of responsibilities and processes to define and regularly review appropriate data security measures (data security policy)

  5. Further organizational measures / order control

  • Roles and responsibilities (data protection officer, data protection manager, data security manager)
  • Responsibilities and processes for concluding sub-processing contracts with subcontractors, including their review
  • Responsibilities and processes for the involvement of other processors (sub-processors), including monitoring and contract review
  • Responsibilities and processes for dealing with instructions from clients and for ensuring purpose limitation in order processing
  • Return and deletion of data at the end of order processing
  • Responsibilities and processes for dealing with applications from affected persons
  • Procedure for testing the effectiveness of the measures (e.g. simulation of attacks, penetration test)

Binding guidelines on order processing for employees of the contractor with the following regulations:

  • Responsibilities and processes for maintaining a record of processing activities (as a processor)
  • Detection of data protection incidents and reporting to the client
  • Ensuring the obligation of employees to maintain confidentiality
  • Procedure for reviewing and adapting the data processing policy

 

 

ANNEX IV to the DPA: LIST OF SUB-PROCESSORS

The Controller has authorised the use of the following sub-processors:

  1. Name: Viper Development GmbH (haftungsbeschränkt)
    Address: Haakestrasse 37, 21075 Hamburg, Germany
    Description of processing (Service provided): External software development and maintenance for the Data-Vise platform.
    Location of processing: Germany
  2. Name: SCALEWAY S.A.S.
    Address: 8 rue de la Ville l’Evêque, 75008 Paris, France
    Description of processing (Service provided): Cloud hosting provider for the Data-Vise platform infrastructure.
    Location of processing: EU (primarily France/Netherlands/Poland, specify exact data center region if known)

 

 

Annex 3 to the GTC: Switching of Data Processing Service pursuant to Article 25 of Regulation (EU) 2023/2854 (Data Act)

(1) Principles and Contractual Form
The rights of the Customer and the obligations of Data-Vise regarding the switching of the Customer to another provider of data processing services or to an on-premises ICT infrastructure of the Customer are set out in this Annex. This Annex applies only when the Data Act becomes effective.

(2) Minimum Content and Obligations of Data-Vise upon Switching
a) Right to Switch and Data Porting; Transition Period and Assistance Obligations:
The Customer is entitled, at any time upon request,
i) to switch to a data processing service of another provider, or
ii) to port all its exportable data and digital assets (pursuant to lit. e) to an on-premises ICT infrastructure.
Data-Vise shall enable and complete this switch or porting without undue delay, but at the latest within a mandatory transition period of a maximum of 30 calendar days. This period begins after the expiry of the maximum notice period pursuant to lit. d.
During the transition period, Data-Vise is obliged:
i) to provide reasonable assistance to the Customer and authorized third parties,
ii) to ensure the continuity of the Customer’s business operations with due diligence,
iii) to inform the Customer of known, relevant risks,
iv) to ensure a high level of data security during porting and storage.
b) Support of Exit Strategy:
Data-Vise supports the Customer’s exit strategy by timely provision of all relevant information, as far as legally permissible.
c) Automatic Contract Termination:
The contract for the affected services shall be deemed terminated as soon as
i) the switch pursuant to lit. a is completed, or
ii) the notice period pursuant to lit. d has expired and the Customer requests the deletion of its exportable data and digital assets pursuant to para. 3 lit. c.
Data-Vise shall inform the Customer thereof without undue delay in text form.
d) Maximum Notice Period for Initiating the Switch:
The notice period for initiating the switch may not exceed two months. Shorter contractually agreed periods remain unaffected.
e) Exportable Data and Digital Assets:
A complete list of exportable data and digital assets can be found in the Service Description. It includes at least all exportable data within the meaning of Art. 2 No. 38 Data Act.
f) Exceptions for the Protection of Trade Secrets:
A list of excluded data categories, the porting of which would pose a risk to trade secrets, is contained in the Service Description. These exceptions may not hinder or delay the switch pursuant to Art. 25 (2) lit. f Data Act.
g) Minimum Period for Data Retrieval:
The Customer has the right to access and retrieve its exportable data and digital assets for at least 30 calendar days after expiry of the transition period (data retrieval period).
h) Data Deletion after Retrieval Period:
After expiry of the data retrieval period, Data-Vise undertakes to completely and securely delete all relevant data, provided the switch is completed or deletion has been requested by the Customer. Confirmation shall be provided upon request in text form.
i) Switching Charges:
Switching charges are calculated in accordance with Art. 29 Data Act and will be charged based on effort at an hourly rate of € 120 net (plus VAT) in 6-minute increments and do not exceed the actual costs incurred by Data-Vise. From three years after the entry into force of the Data Act, these charges will no longer apply, with the exception of those mentioned in Art. 29 (4) Data Act.

(3) Customer’s Decision after Expiry of the Notice Period
The Customer shall inform Data-Vise in text form after expiry of the notice period (para. 2 lit. d) of one of the following measures:
a) Switch to another provider (incl. notification of necessary information about the new provider),
b) Switch to its own ICT infrastructure,
c) Deletion of the exportable data and digital assets pursuant to para. 2 lit. h.

(4) Extended Transition Period in Case of Technical Impracticability
If a switch is not technically feasible within 30 days, Data-Vise shall inform the Customer within 14 calendar days, stating the reasons, and propose an alternative transition period of a maximum of seven months. During this time, Data-Vise’s performance obligation remains.

(5) Customer’s Right to Unilateral Extension of the Transition Period
The Customer may unilaterally extend the transition period (para. 2 lit. a) or the alternative period (para. 4) once in text form. The extension may be for a period that the Customer deems appropriate for its purposes. An extension period of seven months should generally not be exceeded.
