Dataplace Terms and Conditions

Effective March 23, 2022

1. Subject and Purpose of these Terms and Conditions

1.1

Caruso GmbH (hereinafter referred to as “CARUSO”) is a company with limited liability (GmbH) established under the laws of Germany registered with the commercial register (Handelsregister) maintained at the lower court (Amtsgericht) of Munich, Germany, under registration number HRB 233 669, having its corporate domicile (Sitz) in Ismaning, Germany.

1.2

YOUR COMPANY (hereinafter referred to as “Customer”) is a legal entity representing a Customer of the CARUSO Dataplace. You as Customer may have an interest in or may already have a Subscription to consume In-Vehicle Data from one or several Data Suppliers of CARUSO. YOU (hereinafter referred to as “Platform User”) are an employee, a representative, or a vicarious agent that represents and acts on behalf of YOUR COMPANY.

1.3

Customer and CARUSO are hereinafter jointly referred to as “Parties” or individually as “Party”.

1.4

CARUSO owns the CARUSO Dataplace (hereinafter referred to as “Dataplace” or “Platform”) for which this agreement sets out the terms and conditions. The Dataplace consists of a Marketplace, a Delivery Engine, a Consent Portal, and a Developer Portal.

1.5

CARUSO operates the Dataplace, a cloud-based data platform for mobility and connected car data. The Dataplace is operated during the term of this agreement in the territory of the European Union (EU).

1.6

Customer selected one of the membership packages offered by CARUSO as agreed in the respective Partner Agreement signed by the Customer.

1.7

The membership grants Customer access to the CARUSO Dataplace platform, see Section 4.

1.8

Customers may buy In-Vehicle Data from various Data Suppliers via CARUSO, whereby CARUSO is acting as a reseller for the various Data Suppliers. In-Vehicle Data may be offered in a variety of pricing models, data formats and data qualities, mainly dependent on the performance of the Data Supplier.

1.9

Specific terms and conditions that apply for Data Delivery through the Dataplace shall be covered by the Subscription. Customer accepts the terms and conditions when making a Subscription (details can be found below under Section 4). The Subscription is hence the conclusion of a contract between Customer and CARUSO.

1.10

Any notices or other records to be delivered by one of the Parties pursuant to this Agreement must be done in writing and are deemed to have been delivered as email to the address of the other Party as below.

1.11

CARUSO is also entitled to grant sublicenses to its vicarious agents, insofar as this is necessary for the fulfilment of this Agreement. Otherwise, the right of use is not transferable. CARUSO shall be entitled to retain the Customer’s contents beyond the duration of the contract, insofar as this is technically or legally necessary.

2. Definitions

2.1

Unless otherwise defined in the Agreement, all capitalized terms used in these Terms and Conditions and their Annexes will have the meanings given to them as described below:

  • Data shall mean any kind of discrete, objective facts, information, logs about events, entities, transactions, or activities required by CARUSO to operate the CARUSO Dataplace. This includes in particular In-Vehicle Data from connected vehicles but also Data from and about its Data Suppliers and/or its Customers.

  • Personal Data shall mean any information relating to an identified or identifiable natural person, a Data Subject.

  • Data Subject has the meaning of Art. 4 GDPR and refers to a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

  • Data Protection Law means all applicable laws and regulations relating to data protection and privacy including (without limitation) the EU General Data Protection Regulation (2016/679) (“GDPR”), the EU Privacy and Electronic Communications Directive 2002/58/EC as implemented in each jurisdiction, European Union Member State laws regulating security breach notification and imposing data security requirements, and any amending, implementing or replacement legislation from time to time.

  • Data Controller shall be the legal entity that determines the purposes and means of the processing of personal data (e.g., when processing an employee’s personal data, the employer is considered to be the controller). It is possible to have joint data controllers in certain circumstances.

  • Data Processor shall be the legal entity that processes personal data on behalf of a Data Controller and is thus acting on behalf of its Customer or Client. The key responsibility of the processor is to ensure that the conditions specified in a Data Processing Agreement signed with the Data Controller are always met, and that the obligations stated in the GDPR are complied with.

  • In-Vehicle Data shall mean Data generated from or within a connected vehicle which may be stored on a Data Supplier’s server, and which is to be provided to Data Consumers via the CARUSO Dataplace. In-Vehicle Data is considered to be personal data according to the Data Protection Law.

  • In-Vehicle Data Packages shall mean a set of custom-defined or predefined In-Vehicle Data which is offered to Customers.

  • Data Supplier shall mean a legal entity that provides In-Vehicle Data to a Customer via CARUSO. CARUSO is acting as a reseller for the Data Supplier.

  • Customer or Data Consumer shall mean a legal entity representing a Customer of the CARUSO Dataplace. The Customer may have an interest in or already has a Subscription to consume In-Vehicle Data from one or several Data Suppliers.

  • Dataplace Account shall mean the access of the Customer to the Dataplace. Notices from CARUSO will be provided to the contact email address as provided in the Customer’s Dataplace Account.

  • Platform User shall mean any employee, representative, or vicarious agent that represents and acts on behalf of the Customer.

  • Technical User shall mean a non-personal account on CARUSO Marketplace. A technical user has the same rights and functionalities as a Platform User.

  • Marketplace is a web-based marketplace portal for presenting and viewing Offers about the data available and management of Subscriptions of a Customer.

  • Developer Portal is a web-based portal with technical information for Data Suppliers and Data Consumers. The Developer Portal describes how to integrate with the Platform and the APIs of the Delivery Engine.

  • Delivery Engine provides access to In-Vehicle Data for customers with a valid Subscription via the CARUSO API. The Delivery Engine performs the Data Delivery and by doing so, it may also apply Harmonization and Caching of In-Vehicle Data. The customer needs to technically integrate the APIs of CARUSO to get In-Vehicle Data from the Dataplace.

  • Data Delivery shall mean the process of delivering In-Vehicle Data from a Data Supplier to a Customer. Data Delivery may use different technical means to do so (e.g., pull, push, or stream of In-Vehicle Data). Data Delivery is based on the Vehicle Identification Number (VIN) and may be done for Individually-Owned Vehicles or Company-Owned Vehicles.

  • CARUSO APIs shall mean the APIs (Application Programming Interface), i.e., the interfaces for the delivery of In-Vehicle Data to the Customer.

  • API Call shall mean each single attempt by a system of the Customer to use the CARUSO API based on a Subscription by the Customer for the purpose of obtaining In-Vehicle Data. API Calls may be limited by Rate Limits.

  • Rate Limit shall mean the upper threshold of allowed requests within a certain time frame from Customer to CARUSO.

  • Harmonization shall mean to transform the Data of a certain Data Supplier to the harmonized CARUSO data format. This means inbound data of a Data Supplier is changed solely in a way to make the data conformant to the CARUSO data catalog. This may include changing (1) the name of the data item (e.g., odometer to mileage), (2) the unit of the data item (e.g., miles to kilometers), (3) the granularity of the data item (e.g., front left door lock state and front right door lock state to front door state), or (4) data provisioning mechanisms (e.g., push, stream, or pull-based to one of the others).

  • Caching shall mean to temporarily hold Data in a cache to provide a better experience to Data Consumers. A cache means a temporary storage area that has a copy of the last received In-Vehicle Data and (1) is only used to temporarily hold Data at the CARUSO Dataplace in case of invalid/not available Data or error, (2) is only accessed if Data requests by a Customer lead to invalid Data or a technical error (e.g., error 500, 503); and (3) is deleted if the caching time-to-live expires.

  • Individually-Owned Vehicle: Any vehicle owned, leased, or used by one or more individuals or a family.

  • Company-Owned Vehicle: Any vehicle or a fleet of vehicles owned or leased by a business, company, government agency, or other organizations rather than by one or more individuals or family. In some jurisdictions and countries, fleet vehicle may also mean a vehicle that is privately owned by employees, or on novated leases, but is being used for work or commercial purposes.

  • Offer is a non-binding description of the In-Vehicle Data Items or the In-Vehicle Data Packages to which any Customer may request a Subscription.

  • Subscription shall mean an agreement between Customer and CARUSO Dataplace about Data Delivery. The Subscription describes the specific terms and conditions that apply for Data Delivery. The Subscription states Data Items, the permitted purpose and scope of use of the In-Vehicle Data, the price and price model and technical limitations for Data Delivery, if applicable. Such limitations and restrictions may be imposed by the Data Supplier selling the In-Vehicle Data to CARUSO in granting or limiting rights for data scope and data usage for the Customer.

  • Confidential Information means, without limitation, any information and data, whether protected or not, likely to be protected or not by an intellectual property right, which are disclosed by the Discloser to the Receiver within the Purpose, of any nature (technical, commercial, economical, etc.) and on any support (in particular experience, know-how, method, tool design, process, specific component, software, etc.), whether orally, in writing, visually or in any other form (including, without limitation, documents, devices and computer readable media). Confidential Information also includes all copies made thereof.

  • Material Breach: Breach of contractual obligation, in particular including but not limited to any act that compromised, jeopardized, or misused the commercial or private data of the other Party during the planned transaction (or CARUSO Customers) or, any act that is considered to be against the substantial manner (cardinal obligation) of the provisions of this Agreement.

  • Written: A reference to writing or written also includes e-mail, except explicitly stated otherwise as “e-mail excluded”.

3. Performance of CARUSO

3.1

CARUSO is responsible for provision, operation, and maintenance of the Dataplace. It is the Customer’s responsibility to be technically able to use the Dataplace. In particular, CARUSO is not responsible for providing the Customer with any hardware and/or software except the Dataplace.

3.2

Regarding the Customer’s use of the Dataplace, CARUSO shall be the sole contractual partner of the Customer.

3.3

CARUSO will provide the Customer with information which is necessary to use the Dataplace and to consume In-Vehicle Data (details can be found below under Section 4). The Customer acknowledges that the Dataplace and its features and functionalities may change and evolve over time observing the Change Management Process as described in Annex 1.

3.4

The annual availability of the Dataplace shall be at least 99 % on average. Necessary maintenance outside of the normal business hours (see Section 7) and downtimes which could not be averted with reasonable efforts due to technical problems outside the responsibility of CARUSO (Force Majeure and/or malfunctions due to faulty operation and configuration by the Customer), shall not be taken into account.

3.5

CARUSO shall notify the Customer of planned maintenance in text form in advance. Such notification shall include the duration of the maintenance including the foreseeable scope of impairment in using the Dataplace. However, CARUSO expressly reserves the right for unannounced maintenance, if necessary, especially for reasons of data security and/or operational security. The Customer must be notified of any maintenance or downtime without undue delay and any maintenance must be carried out in such a way as to minimize malfunctions in operational processes as far as possible.

3.6

CARUSO is entitled to modify, expand, and evolve the functions and services of the Dataplace. CARUSO also reserves the right to change the set of functionalities of the Dataplace in a manner acceptable to the Customer. In that sense it shall be deemed a “significant reason”, in particular, if the change is needed for security-related reasons. Unless the changes are mere expansions of the functionalities or insignificant modifications of the performance to be rendered by CARUSO (e. g. minor design changes), or unless security-related reasons call for immediate action, CARUSO shall inform the Customer in writing about the changes as described in the Change Management Process in Annex 1.

3.7

CARUSO warrants only the suitability of the Dataplace for use to the agreed extent and not the timeliness, correctness and completeness of the information provided by the Data Suppliers.

3.8

CARUSO assures that when operating/using the Dataplace, it will observe all applicable legal regulations, in particular the laws on fair competition, data protection, copyright, and data-base rights.

4. Access to the Dataplace Platform

4.1

Customer receives login information (username and password, hereinafter referred to as “Account”) by CARUSO for the Platform User’s individual access to the Marketplace portal of the Dataplace.

4.2

CARUSO provides per Subscription access information and APIs (e.g., ConsumerID, SubscriptionId, API-Key) to consume In-Vehicle Data. Customer shall not gain or try to gain access to In-Vehicle Data or any other Data through any means other than through the API.

4.3

API documentation is made available to the Customer via the Developer Portal including technical information on Data Delivery, data dictionary, and error handling. Customer confirms the approval for the suitability of the CARUSO API for the fulfilment of the purposes of this Agreement.

4.4

Platform Users need to log in to their account on the Marketplace via a web browser. The Customer has direct or indirect access to view Offers and manage Subscriptions, and access to the Developer Portal. Platform Users always act on the Marketplace on behalf of the Customer and its corresponding legal entity.

4.5

The Customer may request access for a Technical User. A Technical User acts on behalf of the Customer as stated in Section 7.2 and it is the obligation of the Customer to ensure that the Technical User account is only accessible by eligible personnel.

4.6

The Customer acknowledges that the Data Supplier may impose limitations and restrictions on the provisioning of data and Customer will carry out any business in conformance to such limitations and restrictions. Should the Customer misappropriate Data Supplier’s Data in any way, the Customer shall promptly inform CARUSO of such misappropriation and disclose to CARUSO the information of the misuse.

4.7

The Customer shall accept the terms and conditions for Data Delivery as outlined in the Subscription (including Data Items, the permitted purpose and scope of use of the In-Vehicle Data, the price and price model and technical limitations for Data Delivery, if applicable).

4.7.1

Customer accepts the terms and conditions of the Subscription for Data Delivery by a decisive click/checkmark logged in the CARUSO Dataplace.

4.7.2

The Term of a Subscription shall begin as stated in the Subscription, either on the date of the acceptance or on a defined later date and ends with the termination of this agreement or a defined earlier date.

4.7.3

Changes and amendments to the terms and conditions of the Subscription for Data Delivery require the written form. The written form requirement is fulfilled by e-mail to the contact email address as provided in the Customer’s Dataplace Account.

4.7.4

Customer may only use the Data for the permitted scope and as consented by the Data Subjects.

4.7.5

Each party shall have the right to cancel a Subscription upon three months (90 days) notice, if not otherwise agreed.

4.7.6

In case of personal data breach by the Customer, CARUSO shall have the right to stop data delivery immediately and terminate this Agreement immediately.

4.7.7

In order to create a blacklist, CARUSO shall have the right to inform the Data Supplier of violations by the Customer and disclose the name of the Customer.

5. Data Delivery

5.1

CARUSO delivers Data from Data Suppliers to the Customer. CARUSO may apply Harmonization and Caching of In-Vehicle Data. The Customer needs to technically integrate the APIs of CARUSO to consume In-Vehicle Data from the Dataplace. Data Delivery is based on the Vehicle Identification Number (VIN) and may be done for Individual Vehicles or Fleet Vehicles.

5.2

The Data is provided by the Data Supplier on an “as-is” and “as available” basis and without any warranty or representation for quality, quantity, completeness, accuracy, availability, freedom from errors and fitness for any particular purpose. The Data Supplier does not guarantee a certain quality of requested In-Vehicle Data due to the following reasons:

5.2.1

Not all vehicles of Data Supplier may be capable of transmitting data. Not all markets/countries may be supported by the Data Supplier.

5.2.2

The driver of the vehicle may have the option to stop data transmission in the vehicle at any time (privacy mode). The Data Supplier has no influence on this user decision. Vehicles with activated privacy mode do not send data.

5.2.3

A vehicle may not be equipped with a telematics control unit and may not have an activated SIM card. The Data Supplier only collects Data when a connection to the vehicle is established. In case of connection loss, no information can be transmitted. If the connection is transient or unstable, data may be inaccurate or limited for reasons beyond the Data Supplier’s control.

5.3

CARUSO may limit the possible number of API calls within a certain time frame as further specified in the Subscription.

5.4

Customer is obligated to ensure that the Personal Data is used exclusively in compliance with the GDPR and the applicable data protection regulations. In particular, this includes the Customer’s obligation to inform the users/drivers of the vehicles of the fact that their personal data shall be processed in the context of using the vehicle to the extent required by law and, insofar as doing so is necessary, the Customer’s obligation to obtain appropriate consent from the users/drivers of the vehicle. At CARUSO’s request, the Customer shall provide CARUSO with proof of the legitimacy of personal data processing activities using the fleet service, including sufficient information for the users.

5.5

Vehicles subject to Data Delivery must be activated for a Subscription. The vehicles to be activated and/or deactivated must be provided truthfully by the Customer. The Customer is obligated to keep the vehicles in Data Delivery up-to-date at all times. Customer must particularly ensure that they are authorized to do so. At CARUSO’s request, the Customer must provide documentary evidence to this effect (e.g., copy of the vehicle’s confirmation of registration, copy of the contract, confirmation of the vehicle owner/driver).

5.6

CARUSO reserves the right to verify compliance with the above specifications at any time and to take appropriate steps in the case of non-compliance. Depending on the breach, this also includes the temporary or permanent exclusion of the Customer responsible for the breach from the fleet service.

6. Data Protection and IT Security

6.1

The Customer is a separate Data Controller or a Data Processor on behalf of a Data Controller under data privacy laws and shall be responsible for compliance with data protection law when retrieving and handling data at the CARUSO API. Customer shall ensure that all use of personal data complies with Art. 5 Regulation (EU) 2016/679 (“GDPR”) towards the Data Subject.

6.2

The Parties are bound to comply with all data protection laws and data protection regulations and to ensure compliance by all members of their Personnel. Details may be established in the respective Subscription between Data Supplier, CARUSO and Customer, in particular the roles of the parties according to Art. 4 Regulation (EU) 2016/679 (“GDPR”).

6.3

If CARUSO acts as a Data Processor, a Data Processing Agreement (DPA) between Customer and CARUSO is necessary and Annex 2 shall apply.

6.4

At the request of CARUSO, the Customer shall provide unrestricted and comprehensive information on all measures relevant to data protection in connection with the handling of data as well as on compliance with and control of data protection regulations. For this purpose, the Customer shall provide and explain the relevant documents and data, including, if applicable, Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR.

6.5

CARUSO implements and maintains technical and organizational measures to protect Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. CARUSO may update or modify these measures from time to time if such updates and modifications do not result in the degradation of the overall security of the Dataplace.

6.6

CARUSO has no obligation to protect copies of Data of the Customer that the Customer stores or transfers outside of the Dataplace (e.g., offline, or on-premises storage at the Customer).

6.7

The Customer is solely responsible for the use of the security functionalities provided by the Dataplace, including, but not limited to, the secure handling of passwords and other credentials, the deletion of expired Platform Users and the application of appropriate password policies.

6.8

The Customer is solely responsible for securing the account and authentication credentials, as well as systems and devices the Customer uses to access the Dataplace, securing its server resources and infrastructure, securing any account and Customer system authentication credentials obtained from other Customers on CARUSO as part of a subscription to such a Customer’s service, backing up its Data as appropriate.

6.9

Any breach of security, such as loss, theft or unauthorized use of your security credentials must be notified to CARUSO immediately.

7. Rights and Obligations of the Customer

7.1

The Customer assures that when using the Dataplace, it will comply with all applicable legal regulations, in particular the laws on fair competition, data protection, copyright, and database rights.

7.1.1

The Customer is obligated to have at least one registered Platform User. The Customer must keep the login information to the Dataplace and data delivery credentials to access CARUSO APIs secure and may only make them available to authorized employees.

7.1.2

The Customer undertakes to obligate their employees to handle the access data confidentially and to inform CARUSO immediately if it is suspected that the login information may have become known to unauthorized persons.

7.1.3

CARUSO has the right to disable any username or password at any time, if in CARUSO’s opinion the Customer failed to comply with any of the obligations listed in this section or where CARUSO suspects illegal or fraudulent activity or unauthorized use of the Customer’s account or contact information.

7.2

Customer is responsible for any operation and configuration made under their account, inter alia their data.

7.3

Customer shall be responsible for regularly securing their own data. This applies to the Data on the local systems or servers of the Customer.

7.4

The Customer may use the name of the Data Suppliers as a reference towards Data Subjects.

7.4.1

This means Customer is only entitled to use the company name of the Data Supplier in the same form and font as the surrounding text of the end customer reference. Any highlighting by color, by writing in a different font, or in any other way is prohibited.

7.4.2

Neither the Customer nor any Third Party shall use the trademark, logo, and identity of Data Supplier for marketing or similar purposes without Data Supplier’s prior written consent.

8. Audit Rights

8.1

CARUSO is entitled to review Customer’s compliance with the obligations under this Agreement, in particular with the obligations stated in Section 7. CARUSO may carry out related audits by itself or through a designated, independent, reputable, recognized third-party auditor bound to confidentiality under professional privileges during business hours after reasonable prior notice. In this respect, Customer agrees to allow CARUSO and its authorized representatives to view and audit, during normal business hours upon advance written notice to Customer, any facility, process, or entity used to fulfill Customer’s obligations stated in Section 7 to determine compliance with the requirements of this Agreement.

8.2

If an audit reveals any cases of non-compliance with Customer’s obligations, CARUSO will inform the Customer accordingly and CARUSO may, at its sole discretion, either

  • require the Customer to ensure compliance without undue delay and/or
  • withhold any transfer of Data Supplier data to the Customer until the Customer has demonstrated compliance, and/or

8.3

CARUSO shall bear the costs of such audit measures, unless a non-contractual use, especially a non-compliance with Sections 6 and 7, is discovered, in which case the Customer shall bear the costs.

9. Liability

9.1

CARUSO is liable for willful intent, gross negligence and in the case of deceit without restriction. In the case of mild negligence, CARUSO shall be liable insofar as it has infringed a duty which is of material significance to the achievement of the contractual purpose (cardinal duty, inter alia the provision of the Dataplace), restricted to the foreseeable damage typical of the agreement. Irrespective of the reason for the claim, CARUSO shall assume no further liability insofar as nothing to the contrary has been agreed between the Parties.

9.2

CARUSO does not accept responsibility for any loss the Customer or anybody else may suffer because any instructions or information sent by the Customer or CARUSO are sent in error, fail to reach the recipient, or are distorted, unless such loss results from CARUSO’s negligence, failure to exercise reasonable skill and care, fraud or deliberate fault.

9.3

CARUSO may rely on all communications given or made by the Customer or anyone else using the Customer’s username, account number and password which CARUSO reasonably believes to have been made by the Customer or on the Customer’s behalf. The Customer will be bound by any agreement entered into or expense incurred on the Customer’s behalf in reliance upon such a communication.

9.4

CARUSO reserves the right not to act on the Customer’s instructions where CARUSO suspects illegal or fraudulent activity or unauthorized use of the Customer’s account or contact information.

9.5

CARUSO does not accept responsibility for any payments from the Customer’s bank account or any loss the Customer may suffer caused by the Customer’s failure to keep its registration details confidential, or its failure to comply with these Terms and Conditions. In particular, CARUSO will not be responsible for any act, omission, failure, fraud, delay, negligence, insolvency or default of any bank, financial institution, clearing or payments system, or regulatory, governmental or supra-national body or authority, nor for any failure or any disruption to any communications systems required to operate in order for any monies to be transferred. CARUSO does not accept responsibility if it is or becomes unlawful for CARUSO to give any instruction or make any payment required by these Terms and Conditions.

9.6

If CARUSO is not Party to contracts that Customer concludes using the Dataplace, CARUSO shall not be liable for damages that occur directly in the relation between the Customer and other Customers of CARUSO Dataplace.

9.7

CARUSO shall not be liable for the temporarily disrupted access to the Dataplace caused by necessary maintenance. Necessary maintenance shall usually be carried out outside normal business hours (08:00-18:00 CET/CEST), if not communicated otherwise.

9.8

The liability restrictions and exclusions mentioned above shall not apply to claims based on the damage arising from the injury to life, limb, or health and to claims based on the Product Liability Act. Insofar as the liability of CARUSO is restricted or ruled out, the personal liability of the vicarious agents of CARUSO shall similarly be restricted or ruled out.

10. Confidentiality

10.1

If the Parties have agreed upon a Non-Disclosure Agreement (hereinafter referred to as “NDA”), the NDA shall remain in full force and effect.

10.2

The confidentiality obligations set forth in the NDA shall apply with regard to all confidential information disclosed during the performance of this Agreement and of other agreements between the Parties with regard to the Dataplace (in particular any letter of intent).

10.3

In any case both Parties agree to protect all disclosed Confidential Information from access by third parties and to treat it at least with the same diligence with which they treat their own Confidential Information, at least, however, with the diligence that is usual in such cases. Confidential Information may not be disclosed to any third party unless expressly permitted by the Discloser or applicable statutory laws.

10.4

The Parties agree that the confidentiality obligation under the NDA, if applicable, as well as the confidentiality agreement set forth in Section 10 above shall remain valid for the period of five years after termination of this Agreement.

11. Term and Termination

11.1

The Agreement comes into force upon signature by both Parties and shall regularly be valid for 12 months in the first instance. The Agreement shall be automatically extended for another year respectively, provided it has not been terminated by one Party in writing 3 months (90 days) prior to its expiration.

11.2

In the event of a relevant breach of contract (as per the definition below), the other Party may (at its own discretion) terminate this Agreement without notice or at a term of notice of its own choosing by written notice to the Party having breached the Agreement. In that sense a “relevant breach of contract” means one or several of the following circumstances:

11.2.1

If a Material Breach of contract is not cured within 30 business days after the submission of a respective request by the other Party to cure the breach.

11.2.2

If either Party has committed a Material Breach of this Agreement which makes the continuation of the Agreement impossible for both Parties.

11.2.3

If either Party fails to fulfil its obligations under this contract over a period of at least three months after receiving the first notice from the other Party, or ceases its business operations, or threatens to cease operations.

11.3

After the effective date of a termination of this Agreement, neither Party may use any software, service, or product (in particular interfaces) that has been provided by the other Party in the course of the onboarding procedure or the execution of the Agreement (including any negotiations prior to signing either agreement).

11.4

Termination of this agreement shall have no effect on existing contractual obligations of the Customer towards other Customers. The Customer may fulfil these obligations using the Dataplace even after termination of this agreement.

11.5

The provisions of this agreement shall continue to apply accordingly, with the restriction that the Customer shall not (and will technically not be able to) enter into new agreements with other Customers or renew existing ones.

12. Force Majeure

12.1

Neither Party shall be liable for any delay in performing or failure to perform its obligations under this Agreement due to any cause outside its reasonable control. Such delay or failure shall not constitute a breach of this Agreement and the time for the performance of the affected obligations shall be extended by such period as is reasonable.

13. Right of Modification

13.1

The provisions of this Agreement and its Annexes may be modified between CARUSO and the Customer for valid reasons (among others change in law and jurisprudence affecting the respective provisions) by corresponding agreement as set out below:

13.1.1

CARUSO shall provide the Customer with the changed provisions in text form and point out the changes as well as the date for the planned coming into force.

13.1.2

At the same time, CARUSO shall grant the Customer an appropriate grace period of at least two months in which to declare whether it accepts the changed provisions for the continued execution of this Agreement.

13.1.3

If the Customer does not make a declaration within the grace period granted, which starts with reception of the notice in text form, the changed provisions shall be deemed as agreed upon. CARUSO shall separately and expressly point out to the Customer the legal consequences, viz. the right to object, the objection period, and the consequences of silence.

14. Entire Contract

14.1

This Agreement, including all appendices and documents attached to it or referred to within its scope, constitutes the entirety of the contractual agreements between the Parties in respect of the object of this Agreement. In the event of contradictions between the terms and conditions of this Agreement and the attached Appendices, the provisions of this Agreement take precedence.

14.2

Any earlier expressed or tacit agreements as well as any written or oral assurances, declarations, negotiations, understandings and promises which are not expressly identified as an integral part of this Agreement, are excluded from and superseded by this Agreement.

15. Final Provisions

15.1

This Agreement cannot be transferred as a whole or in parts by either Party.

15.2

There are no oral declarations, no representations or side agreements to this Agreement. Changes and/or additional agreements are only valid if agreed in writing and with legally binding signature. This also applies to any agreements relating to the written form requirement itself.

15.3

If individual or several provisions of this Agreement are or become unenforceable or invalid, the remaining provisions shall nonetheless be valid. In the event of invalidity of any clause, such clause shall be replaced by a valid clause as mutually agreed by both Parties.

15.4

This Agreement is governed by and interpreted in accordance with the laws of the Federal Republic of Germany, with the exclusion of International Private Law and the UN Convention on Contracts for the International Sale of Goods (CISG). The place of jurisdiction for any and all disputes arising in connection with this Agreement or its validity is Munich, Germany.

16. Components of these Terms and Conditions

16.1

The Parties agree on the following Annexes to be an integral part of this contract:

  • Annex 1 – Change Management Process
  • Annex 2 – Data Processing Agreement
  • Annex 3 – Technical and Organizational Measurements
  • Annex 4 – List of Subprocessors

17. Annex 1 – Change Management Processes

17.1

The following process describes how CARUSO shall inform the Customer of changes to the technical functionalities of the Dataplace in accordance with clause 6 of the Terms and Conditions:

17.1.1

CARUSO shall send a Deprecation Note to the Customer (to the contact email as provided in the Customer’s Dataplace account). This Deprecation Note by CARUSO provides a detailed technical description of the intended change and names any deprecated functionality. It may further announce replacement functionality or describe a functionally equivalent mapping to other platform functionality and/or other Customer services available on the Dataplace.

17.1.2

The Deprecation Note will also include detailed information on the timeline of the release of any replacement functionality, if applicable.

17.1.3

Six months after the Deprecation Note by CARUSO (one after the End-of-Life Note), the deprecated functionality will no longer be supported.

18. Annex 2 – Data Processing Agreement

18.1

Agreement on Order Processing pursuant to Art. 28 GDPR between Customer (Responsible Party, hereinafter referred to as Data Controller or Customer) and Caruso GmbH, Steinheilstraße 10, 85737 Ismaning, Germany (Contractor, hereinafter referred to as Data Processor or “CARUSO”).

18.2

Subject Matter and Duration of the Contract

18.2.1

The subject matter and duration of this agreement are bound to the services under the agreement “Terms and Conditions CARUSO Dataplace”.

18.3

Concretization of the Order Content

18.3.1

The nature and purpose of the proposed processing of data are described in the following Sections of this agreement “CARUSO Dataplace Terms and Conditions”:

  • Section 4 “Access to the Dataplace Platform”
  • Section 5 “Data Delivery”

18.3.2

The provision of the contractually agreed data processing takes place exclusively in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area.

18.3.3

Any relocation to a third country shall require the prior consent of the contracting authority and may take place only if the special conditions of Art. 44 et seq. of the EC Treaty are fulfilled and if GDPR regulations for transfer of personal data to third countries or to international organizations are met.

18.3.4

The type of personal data used is specifically described in the service agreement in Section 4 “Access to the Dataplace Platform” and Section 5 “Data Delivery”.

18.3.5

The categories of data subjects involved in the processing are specifically described in the service agreement in Section 4 “Access to the Dataplace Platform” and Section 5 “Data Delivery”.

18.4

Technical-Organizational Measures (TOMs)

18.4.1

Prior to commencement of processing, CARUSO shall document the implementation of the technical and organizational measures outlined and required prior to the award of the contract, in particular with regard to the concrete execution of the contract, and shall hand this documentation over to the Customer for inspection. If accepted by the Customer, the documented measures become the basis of the order. If the Customer’s inspection/audit reveals a need for adjustment, this must be implemented by mutual agreement.

18.4.2

CARUSO shall ensure security pursuant to Art. 28 para. 3 lit. c and Art. 32 GDPR, in particular in conjunction with Art. 5 para. 1 and 2 GDPR. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk in terms of confidentiality, integrity, availability, and resilience of the systems. In doing so, the state of the art, the implementation costs and the type, scope, and purpose of the processing, as well as the varying probability of occurrence and severity of the risk for the rights and freedoms of natural persons within the meaning of Art. 32 para. 1 GDPR, shall be taken into account.

18.4.3

The technical and organizational measures are subject to technical progress and development. In this respect, CARUSO is permitted to implement alternative adequate measures, provided that the security level of the defined measures is not lowered. Material changes must be documented.

18.4.4

The technical and organizational measures of CARUSO are set out in Annex 3 of this agreement.

18.5

Correction, Limitation and Deletion of Data

18.5.1

CARUSO may not correct, delete, or restrict the processing of the data processed on behalf of the Customer without authorization, but only in accordance with documented instructions from the Customer. If a person concerned directly addresses CARUSO in this respect, CARUSO shall immediately forward this request to the Customer.

18.5.2

As far as included in the scope of services, the deletion concept, the right to be forgotten, correction, data portability and information are to be ensured directly by CARUSO in accordance with the documented instructions of the Customer.

18.6

Quality Assurance and other Obligations of the Contractor

18.6.1

In addition to compliance with the provisions of this contract and the GDPR, CARUSO shall have statutory obligations. CARUSO shall in particular ensure compliance with the following requirements:

  • Written appointment of a data protection officer who carries out his duties in accordance with Art. 38 and 39 GDPR. You can reach the data protection officer via the e-mail address dpo@caruso-dataplace.com or our postal address with the addition “Data protection”.
  • Maintaining confidentiality pursuant to Art. 28 para. 3 sentence 2 lit. b, 29, 32 para. 4 GDPR. In carrying out the work, CARUSO shall only employ employees who are obliged to maintain confidentiality and who have been familiarized beforehand with the relevant data protection provisions. CARUSO and any person under its authority who has access to personal data may process such data only in accordance with the instructions of the Customer, including the powers conferred by this Agreement, unless they are required to do so by law.
  • The implementation of and compliance with all technical and organizational measures required for this contract pursuant to Art. 28 para. 3 sentence 2 lit. c, 32 GDPR.
  • The contracting authority and CARUSO shall, on request, cooperate with the Supervisory Authority in the performance of its tasks.
  • Immediate information to the contracting authority on control actions and measures taken by the supervisory authority in so far as they relate to this contract. This shall also apply if a competent authority investigates the processing of personal data in the course of an administrative offence or criminal proceeding at CARUSO’s premises.
  • Insofar as the Customer is subject to inspection by the supervisory authority, administrative offence or criminal proceedings, the liability claims of a person concerned or a third party or any other claim in connection with the processing of the order by CARUSO, CARUSO shall support the Customer to the best of its ability.
  • CARUSO shall regularly monitor internal processes and technical and organizational measures in order to ensure that processing within its sphere of responsibility is carried out in accordance with the requirements of the applicable data protection legislation and that the rights of the data subject are protected.
  • Verifiability of the technical and organizational measures taken vis-à-vis the Customer within the scope of his control powers in accordance with Section 6 of this contract.

18.7

Subcontracting Relationships

18.7.1

For the purposes of this regulation, subcontracting shall mean services which relate directly to the provision of the principal service. This does not include ancillary services which CARUSO uses, such as telecommunications services, postal/transport services, maintenance and user services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. CARUSO shall, however, be obliged to enter into appropriate and legally compliant contractual agreements and to take control measures to guarantee the data protection and data security of the Customer’s data even in the case of outsourced ancillary services.

18.7.2

The Customer agrees to the commissioning of the subcontractors named in Annex 4 “List of Subprocessors” under the condition of a contractual agreement in accordance with Art. 28 para. 2-4 GDPR. Outsourcing to subcontractors or changing an existing subcontractor is permissible insofar as CARUSO notifies the Customer of such outsourcing to subcontractors in writing or in text form a reasonable period in advance, the Customer does not object to the planned outsourcing in writing or in text form to CARUSO up to the time the data is transferred, and a contractual agreement in accordance with Art. 28 para. 2-4 GDPR is applied.

18.7.3

The passing on of the Customer’s personal data to the subcontractor, and the subcontractor’s first action, are only permitted once all requirements for subcontracting have been met.

18.7.4

If the subcontractor renders the agreed service outside the EU/EEA, CARUSO shall ensure that it is permissible under data protection law by taking appropriate measures. The same applies if service providers within the meaning of para. 1 sentence 2 are to be used.

18.7.5

Further outsourcing by the subcontractor requires the express consent of the main contractor (at least in text form); all contractual regulations in the contract chain must also be imposed on the further subcontractor.

18.8

Control Rights of the Customer

18.8.1

The Customer shall have the right to carry out inspections in consultation with CARUSO, or to have them carried out by inspectors to be appointed in individual cases. The Customer shall have the right to satisfy itself of CARUSO’s compliance with this Agreement in CARUSO’s business operations by means of spot checks, which as a rule must be announced in good time.

18.8.2

Evidence of such measures, which do not relate only to the specific contract, may be provided by compliance with approved rules of conduct pursuant to Art. 40 GDPR, by certification in accordance with an approved certification procedure pursuant to Art. 42 GDPR, by current certificates, reports or report extracts from independent bodies (e.g. auditors, data protection officers, IT security department, data protection auditors, quality auditors), or by a suitable certification through an IT security or data protection audit.

18.8.3

CARUSO shall ensure that the Customer can satisfy itself that the obligations of CARUSO under Art. 28 GDPR have been complied with. CARUSO undertakes to provide the Customer with the necessary information upon request and, in particular, to prove the implementation of the technical and organizational measures.

18.9

Notification of Infringements by the Contractor

18.9.1

CARUSO shall assist the Customer in complying with the obligations set out in Articles 32 to 36 GDPR regarding the security of personal data, reporting obligations in the event of personal data breaches, data protection impact assessments and prior consultations. This includes, among others:

  • ensuring an adequate level of protection through technical and organizational measures which take into account the circumstances and purposes of the processing and the predicted likelihood and severity of a possible breach of rights due to security vulnerabilities, and which allow the immediate detection of relevant breach events
  • the obligation to report personal data breaches to the Customer without delay
  • the obligation to assist the contracting authority within the framework of its duty to inform the data subject and to make all relevant information available to the data subject without delay in this connection
  • the support of the Customer for his data protection impact assessment
  • the support of the Customer within the framework of prior consultations with the supervisory authority

18.9.2

CARUSO may claim remuneration for support services which are not included in the service description, or which are not attributable to a misconduct on the part of CARUSO.

18.10

Authority of the Customer to issue Instructions

18.10.1

Oral instructions shall be confirmed by the Customer without delay (at least in text form).

18.10.2

CARUSO shall inform the Customer immediately if it is of the opinion that an instruction violates data protection regulations. CARUSO is entitled to suspend the execution of the corresponding instruction until it has been confirmed or changed by the Customer.

18.11

Deletion and return of personal data

18.11.1

Copies or duplicates of the data shall not be made without the knowledge of the Customer. Excluded from this are backup copies, insofar as they are necessary to ensure proper data processing, as well as data which are necessary with regard to compliance with statutory storage obligations.

18.11.2

Upon completion of the contractually agreed work, or earlier upon request by the Customer, and at the latest upon termination of the performance agreement, CARUSO shall hand over to the Customer all documents, processing and usage results as well as data stocks which have come into its possession and which are connected with the contractual relationship, or destroy them in accordance with data protection regulations after prior consent. The same applies to test and scrap material. The deletion log shall be provided on request.

18.11.3

Documentation which serves as proof of orderly and proper data processing shall be retained by CARUSO beyond the end of the contract in accordance with the respective retention periods. CARUSO may hand it over to the Customer at the end of the contract in order to discharge itself.

18.12

Entry into force

18.12.1

This annex (Agreement on Order processing pursuant to Art. 28 DSGVO) shall enter into force upon signature of the agreement “CARUSO Dataplace Terms and Conditions”.

19. Annex 3 – Technical and Organizational Measurements

19.1

Technical and Organizational Measures of Caruso GmbH according to Art. 25 Para. 1 and Art. 32 General Data Protection Regulation (GDPR), Version: 01.04 / Status: Feb. 2021

19.2

Confidentiality (Art. 32 para. 1 lit. b GDPR)

19.2.1

Entry Control

19.2.1.1

CARUSO controls access to company properties through a combination of an access control system, personal control at reception, a manual locking system and security locks. Visitors are escorted while in the building. Outside personnel, cleaning staff, etc. are carefully selected.

19.2.1.2

CARUSO uses Amazon Web Services as a cloud service provider for application hosting, as well as data storage. AWS data centers are protected and controlled using AWS technical organizational measures.

19.2.2

Access Control

19.2.2.1

All access to data systems is secured by identifying and authenticating users via strong passwords and behavioral instructions to lock down and confidentially handle sensitive data. Only appropriately authenticated users are granted access to systems.

19.2.2.2

Unauthorized activities in the Data Processor’s systems are prevented by restricted authorizations. Users are granted only those authorizations and accesses that are required for the performance of their activities; guest accesses in the system and network are accordingly separated or restrictively regulated. Accesses are blocked or deleted once the need for access has expired. In principle, two-factor authentication is required for all accesses.

19.2.2.3

CARUSO uses Amazon Web Services (AWS) as a cloud service provider for application hosting and data storage. Access via the Internet is, in addition to the measures described above, protected and controlled by AWS using the technical organizational measures of AWS.

19.2.3

Separability

19.2.3.1

CARUSO separates data collected for different purposes by storing it in separate systems. Within the same system, access control and authorizations ensure that access to data that is not required, or unauthorized access, is not possible. Development, test, and production systems do not exchange data with each other that has not been subjected to prior pseudonymization (see Section 19.2.4).

19.2.3.2

For special purposes, Customers may be provided with sandbox systems for development and testing, to which only restricted and limited access is granted.

19.2.4

Pseudonymization (Art. 32 Para. 1 lit. a GDPR; Art. 25 Para. 1 GDPR)

19.2.4.1

Data used from the productive system for testing purposes is pseudonymized before use, anonymized if possible. In the production system, personal data is only processed with reference to individuals if this is required for the fulfillment of the purpose.

19.3

Integrity (Art. 32 (1) (b) GDPR)

19.3.1

Transfer Control

19.3.1.1

Data is transferred and passed on via the Internet using protected and secure communication (certificate-based). Data is not passed on via data carriers.

19.3.2

Input Control

19.3.2.1

The data processing systems of CARUSO are subject to the usual logging according to the standard of the systems used.

19.4

Availability and Resilience (Art. 32 (1) (b) GDPR)

19.4.1

Availability control

19.4.1.1

CARUSO uses Amazon Web Services as a cloud service provider for application hosting, as well as data storage. The technical organizational measures of AWS ensure availability and resilience for this data.

19.4.1.2

CARUSO does not operate any company-owned servers on company premises. All premises are equipped with fire protection facilities in accordance with statutory regulations.

19.4.2

Recoverability (Art. 32 para. 1 lit. c GDPR)

19.4.2.1

CARUSO uses Amazon Web Services as a cloud service provider for application hosting, as well as data storage. The technical organizational measures of AWS ensure recoverability for this data.

19.5

Procedures for regular Review, Assessment and Evaluation (Art. 32 (1) (d) GDPR; Art. 25 (1) GDPR)

19.5.1

Data Protection Management

19.5.1.1

An external data protection officer is appointed to perform the advisory and control functions.

19.5.1.2

Employee sensitization includes data protection instruction at the start of employment, and personal sensitization by the external data protection officer in individual cases.

19.5.1.3

As part of the internal procedure directory, the data flows are documented, and the permissibility of the processing and use is proven in accordance with the GDPR. Any necessary prior checks are already integrated at the planning stage.

19.5.2

Incident Response Management

19.5.2.1

IT relevant aspects of a data protection compliance audit:

  • Documented processes to ensure data subject rights are in place.
  • Documentation of notification processes for breaches in accordance with Art 33, 34 DSGVO is available
  • An emergency plan exists

19.5.3

Data Protection-friendly Default Settings (Art. 25 (2) GDPR)

19.5.3.1

The controller takes appropriate technical and organizational measures to ensure that, by means of default settings, only personal data whose processing is necessary for the respective specific processing purpose is processed as a matter of principle.

  • Specifications in the system development process or in the system adaptation
  • Differentiated authorization concept
  • Storage periods are part of the contractual regulation

19.5.4

Order Control

19.5.4.1

No commissioned data processing within the meaning of Art. 28 GDPR without corresponding instructions from the Customer:

  • Clear contract design in accordance with Art. 28 GDPR – Commissioned processing.
  • Formalized order management
  • Obligation of CARUSO’s employees to maintain confidentiality

20. Annex 4 – List of Subprocessors

20.1

List of subprocessors of Caruso GmbH for the purpose of operating and maintaining the CARUSO Dataplace

Name: Amazon Web Services EMEA SARL
Address: 38 avenue John F. Kennedy, L-1855 Luxemburg, Luxemburg
Purpose: hosting the platform, services and work environments
GDPR Regulation: Data Privacy Agreement


Name: Atlassian Pty Ltd
Address: Level 6, 341 George Street, Sydney NSW 2000, Australia
Purpose: Provision and operation of the platform support.
GDPR Regulation: Data Privacy Agreement / EU Model Clauses


Name: Auth0, Inc.
Address: 10800 NE 8th Street, Suite 600, Bellevue, WA 98004, USA
Purpose: holding of authentication information and verifying access credentials (IDaaS)
GDPR Regulation: Data Privacy Agreement


Name: Datadog Inc.
Address: 620 8th Avenue, Floor 45, New York, NY 10018, USA
Purpose: Supervision and monitoring of the infrastructure and application
GDPR Regulation: EEA Data Processing Addendum


Name: Sendinblue
Address: Köpenicker Straße 126, 10179 Berlin, Germany
Purpose: Marketing Services (Newsletter), Sending Dataplace Notifications
GDPR Regulation: Data Processing Agreement


Name: Microsoft Corporation
Address: One Microsoft Way, Redmond, WA 98052, USA
Purpose: Provision and operation of the Microsoft 365 platform. Finance Administration and Controlling
GDPR Regulation: Data Privacy Agreement / EU Model Clauses