SaaS Terms & Conditions EMEA/AP

Please note that these Terms & Conditions will take effect on 9th of June 2026.

Section 1: SaaS EMEA/AP Terms and Conditions of Use (As of: June 2026)

These Terms and Conditions of Use (hereinafter: Terms of Use) apply to the use of chargeable software applications on the basis of Software as a Service (SaaS) provided by IQSIGHT B.V., Achtseweg Zuid 173, 5651 GW Eindhoven, The Netherlands (hereinafter: "Provider"), subject to the activation by a valid License Code available from Provider’s Resellers by way of a separate Subscription. All Services are intended for professional use only, Provider does not accept consumers (e.g. non-commercial and private use of the Service) as Subscribers to a Service.

1. Definitions

1. "Account” means the authorization to access controlled-access Services of the Provider.

2. “Affiliate” as used in these Terms of Use means any legal entity which is controlled by a Party or which controls a Party or which is under common control with a Party. Control exists if, during the term of this Agreement, at least 50% (fifty percent) of the equity interests or voting shares are held in a business organization or in the event of the management and policies of a business organization being controlled directly or indirectly through equity ownership, contract or other means.

3. “License Code” means an individual code or password generated and issued by Provider and obtained by the Subscriber under the Subscription, which is required to activate the Service and grants the Subscriber access and use rights for the Service from the date of the License Code Activation and during the Subscription Term.

4. “License Code Activation” means the activation and validation of a License Code via a dedicated website or web portal operated by Provider or its business partners as defined in the Service Description. Upon License Code Activation, the Service shall be made available by Provider for use by the Subscriber for the Subscription Term.

5. “Party” or “Parties” hereinafter individually and jointly refers to the Subscriber and/or the Provider

6. “Reseller” means an independent third party vendor, authorized by Provider to resell the Service and distribute License Codes to Subscribers.

7. “Service” means the respective Software as a Service (SaaS) application provided by the Provider to Subscriber subject to License Code Activation of a valid License Code available from Provider’s Resellers by way of a separate Subscription.

8. “Service Description” or “Data Sheet” means a separated document provided for each Service which contains the description of technical functionalities of the Service in terms of specifications, quantity, performance data, performance period, quality etc. and including details regarding applicable system requirements, technical and organizational data protection measures and subcontractors used by Provider or its Affiliates. The latest Service Description document versions can be found in the https://remote.boschsecurity.com/terms-conditions-all.

9. "Keenfinity ID“ means the user ID of the single sign-on authentication service provided by Keenfinity GmbH, which enables the use of various independent digital service offerings of the Keenfinity Group, for which a Subscriber's e-mail address is required.

10. “Subscriber” means the legal entity (excluding any Affiliates) accepting these Terms of Use in order to activate and use the Service within the scope of its commercial activity. Provider does not offer its Service to consumers. By accepting these Terms of Use, Subscriber confirms to act as a commercial business or as an entrepreneur intending to use the Service within the scope of their commercial activities.

11. "Subscriber Data" means all data, information, content or material submitted by Subscriber or on behalf of Subscriber in connection with the use of the Service, cloud space and/or an Account or manually generated by the Subscriber with the Service. Subscriber Data also includes access and registration data.

12. “Subscription” means a separate contract entered into between the Subscriber and the Reseller for the purchase of a License Code necessary for the activation and use of the Service, e.g., by way of an offer, an order form or an online order. The Subscription regulates the remuneration to be paid by Subscriber to Reseller for the License Code and the use of the Service, the Subscription Term as well as any warranty rights and service level claims the
    Subscriber may be entitled to against the Reseller, if any. Provider is not a party to or under any obligation resulting from such Subscription.

13. “Subscription Term” means the duration of Subscriber’s right to use the Service as agreed in the Subscription, specified within the License Code and measured starting from the date of the License Code Activation.

14. “Usage Data” means all automatically transmitted machine data (sensor or other machine data) or automatically generated system data (e.g. log files, information on utilization or availability of the Service).

2. Scope of Service

1. Provider provides the Service solely on the basis of these Terms of Use, the applicable Service Description and other attachments as referenced herein.

2. Terms and conditions of Subscriber or of third parties will not apply even if Provider does not specifically object to such terms and conditions. Even where Provider refers to a letter containing or referring to Subscriber’s or a third party’s business terms and conditions, this does not constitute agreement to such business terms and conditions.

3. Individual agreements executed in writing between the Parties on a case-by-case basis (including ancillary agreements, supplements and amendments) will in any event take precedence over these Terms of Use.

4. Subject Matter

1. The subject matter of these Terms of Use is the provision of the Service via remote access for use by or on behalf of Subscriber, including the necessary cloud space. The Service is described in more detail in the Service Description.

2. The implementation of an interface integration with Subscriber’s existing system landscape is outside the scope of these Terms of Use and requires a separate written agreement between the Parties.

3. Provider at its sole discretion has the right to have the Service performed by third parties (including, without limitation, Affiliates of Provider).

4. Provision of Service

1. Provider shall make available the then current version of the Service for use in accordance with the provisions of these Terms of Use on a server infrastructure instance provided by Provider or its subcontractors (hereinafter referred to as an "Instance") during the Subscription Term.

2. Access to the Service by Subscriber shall be browser-based via the Internet or, by choice of Provider, via a Service interface or dedicated portal made available by Provider.

3. Provider shall provide Subscriber the necessary access credentials required for use of the Service, unless the registration of a SingleKey ID is required. Registration for a Keenfinity ID is the sole responsibility of Subscriber.

4. If an Account is required to obtain access to and to use the Service, the Provider shall make this Account available to Subscriber after Subscriber agrees to these Terms of Use. The Account and the access credentials are not transferable. Subscriber is liable for all actions performed under Subscriber’s Account.

5. Subscriber shall change all passwords into passwords known only to them without undue delay and shall keep them confidential. Provider is not responsible for the consequences of misuse of a user password.

6. Provider shall make cloud space available for Subscriber and Usage Data on Provider’s Instance to the extent that this is required for the intended use of the Service. Further details on the scope of services involving cloud space and on the storage of Subscriber Data can be found in the Service Description.

7. Subscriber Data shall be stored and be regularly backed-up by Subscriber throughout the Subscription Term. Subscriber shall be solely responsible for compliance with retention periods required of Subscriber under commercial and tax law.

5. Technical Availability of the Service and the Subscriber Data, Support

The technical availability of the Service as well as service and support levels, if any, are solely governed by the Subscription.

6. Service Usage Rights

1. Subject to License Code Activation, the Subscriber obtains a limited, non-exclusive, non-sub-licensable and non-transferable, revocable right to utilize the Service, and any intellectual property rights contained therein, in the context of the functionalities and the intended use of the Service in accordance with the Service Description during the Subscription Term and within the region agreed in the Subscription. Within this framework, Subscriber is entitled

   1. to make the Account and the Service available to third parties exclusively using the Service on behalf of and for the Subscriber;

   2. to store and print documentation that may be provided with the Service, whilst maintaining the existing copyright notices.

2. The open source software components used in the Service shall be illustrated in the Service Description or in the Service itself to the extent a legal obligation exists based on the conditions of the applicable open source software license.

3. Provider makes the Service available as Software as a Service (SaaS) per remote access. It shall not be made available to Subscriber for Subscriber’s own permanent storage nor does Subscriber have the right to make it available to third parties or to use it in a data center environment.

4. If, during the Subscription Term or between the purchase of the License Code and License Code Activation, Provider makes new versions, updates, upgrades, modifications or extensions of the Service available or carries out other changes with respect to the Service, the provisions of this Section 6 shall also apply thereto, even if the modifications or extensions were ordered by Subscriber and paid for separately.

5. Subscriber shall not have any rights not explicitly granted to Subscriber under these Terms of Use. In particular, Subscriber has no right to:

   1. use the Service and/or the Account beyond the scope of use agreed in these Terms of Use or to permit third parties to use it;

   2. subject to Section 6.1a), make the Service and/or the Account available to third parties; or

   3. duplicate the Service and/or the Account or to provide it for use for a limited period of time, in particular not to lease it or loan it.

6. Subscriber is obliged to ensure that the provisions of these Terms of Use are complied with by any party or individual using the Services on Subscriber’s behalf.

7. If Subscriber breaches the provisions of Section 6, Provider may, after giving Subscriber advance notification in writing, block Subscriber’s access to the Service if the violation can be rectified by such blocking. The block shall be removed as soon as the reason for the blocking ceases to exist. If Subscriber continues to violate the provisions of Section 6 or does so repeatedly despite a respective warning in writing from Provider, Provider is entitled to terminate the contractual relationship for cause without notice unless Subscriber was not responsible for such breach. Provider’s right to claim damages shall remain unaffected.

8. The Provider is the sole owner of the Usage Data and may use and exploit it in anonymous form for any purpose in accordance with the applicable statutory provisions. The Subscriber warrants that he has not made any agreements with third parties that prevents its use.

7. Intellectual Property

Except for Subscriber Data, all right, title and interest to the content related to the Service, including without limitation all copyright, patent, trademark, trade secret or other proprietary rights in any text, graphics, logos, button icons, images and audio clips, is the property of Provider or its licensors. The license grant set forth in these Terms of Use is the complete grant of rights and no further rights shall be granted by implication, estoppel, equity or otherwise.

8. Subscriber Data

1. Subscriber hereby grants to Provider the right to use, for the purpose of providing the Service, the Subscriber Data filed in the cloud space for use of the Service, in particular the right to reproduce such Subscriber Data for this purpose (e.g. for data back-up), to modify it and to provide such Subscriber Data for the purpose of accessing it.

2. Subscriber warrants that

   1. Subscriber and/or its licensors hold all rights to the Subscriber Data required for the granting of rights under these Terms of Use; and

   2. the Subscriber Data does not violate these Terms of Use or applicable laws and does not infringe the intellectual property rights of a third party.

3. The Subscriber is responsible for the security of Subscriber Data. Subscriber is obligated to regularly back up his Subscriber Data. Each data back-up by Subscriber shall be performed so that the recovery of the Subscriber Data is
   possible at all times.

4. Provider is entitled to immediately block Subscriber’s use of the Service and the cloud space if there is justified suspicion that the stored Subscriber Data is unlawful and/or infringes third-party rights. There is a justified suspicion of unlawfulness and/or of an infringement of rights in particular when courts, authorities and/or other third parties notify Provider thereof. Provider shall then notify Subscriber of the block, stating the reason for the block. The block shall be removed as soon as the suspicion has been refuted.

9. Defect Claims

Any obligations, rights and remedies with regard to defects of the Service are the sole responsibility of the Reseller and are governed by the Subscription.

10. Duties and Obligations of Subscriber

1. Subscriber shall perform all cooperation duties required from Subscriber for the proper performance of the Service by Provider. In particular, Subscriber is obliged to:

   1. change all passwords allocated by Provider into passwords known only to Subscriber, to keep usage and access authorizations assigned to Subscriber secret, to protect them against access by third parties and not to disclose them to unauthorized users. These data shall be protected by suitable and effective measures. Subscriber shall notify Provider without undue delay in case of any suspicion that unauthorized persons might have obtained knowledge of access data and/or passwords;

   2. set up the system requirements necessary on Subscriber’s end as described in the Service Description;

   3. access and use the Service in strict compliance with all applicable laws and regulations including, without limitation, intellectual property laws, antitrust and competition laws, export control laws, and the use shall not conflict with any agreement that Subscriber has signed with any third party;

   4. comply with the restrictions/obligations with regard to the rights of use under Section 6 and to prosecute any violations of these obligations effectively and with the objective of preventing future violations;

   5. obtain the necessary consent from affected persons to the extent “personal data” or “personally identifiable information” are collected, processed or used within the Service and no statutory or other permission applies;

   6. respond to any data subject access requests pertaining to any “personal data” or “personally identifiable information” collected and processed within the scope of the Services in accordance with applicable law; and

   7. check data and information for viruses and other malware prior to sending data and information to Provider and to implement anti-virus programs in accordance with the state of the art.

2. Subscriber is not authorized:

   1. to obtain access to non-public areas of the Service or to the technical systems on which the Service is based;

   2. to utilize robots, spiders, scrapers or other similar data collection or extraction tools, to utilize programs, algorithms or methods to search, access, acquire, copy, or monitor the Service outside of the documented API endpoints;

   3. to knowingly send Subscriber Data with viruses, worms, Trojans or other infected or harmful components, or to otherwise interfere in the proper functioning of the Service;

   4. to decrypt, decompile, disassemble, reconstruct or to otherwise attempt to discover the source code of the Service, any software or proprietary algorithms used, except as permitted under mandatory applicable laws;

   5. to test, scan, or examine the vulnerability of the Service, or

   6. to intentionally utilize devices, software or routines which have a disruptive effect on the Services, functions or usability of the Service or willfully destroy other data, systems or communications, generate excessive load, or harmfully interfere, fraudulently intercept or capture.

   7. To disguise or falsify its IP address or geo location from which the Service is used e.g. by utilizing VPN or similar methods.

11. Data Privacy

1. The Parties shall comply with all applicable laws and regulations, including but not limited to data protection law, and commit their employees engaged in connection with the performance of the Service to data protection, except to the extent that they are already under a general obligation to act accordingly.

2. If Subscriber processes personal data, then Subscriber warrants that he is authorized to do so in accordance with applicable data protection regulations, and in the event of any infringement, Subscriber shall indemnify Provider from and against third party claims.

3. Provider shall only process Subscriber Data to the extent required to provide the Service. Subscriber consents to the processing of such data to this extent.

4. Where Provider processes personal data on behalf of Reseller and Subscribers, Provider acts as a data processor on behalf of Reseller and Subscribers and such processing constitutes commissioned data processing according to Article 28 of the EU General Data Protection Regulation. In relation to such processing, Provider’s Data Processing Agreement apply. This Data Processing Agreement consists of Section 1 (SaaS EMEA/ AP Terms and Conditions of Use) and Section 2 (Data Processing Terms and Conditions for Software as a Service Applications) of these Terms of Use together with the Service Description applicable to the respective service subscribed to by Customer, all of which together constitute the complete agreement within the meaning of Article 28(3) GDPR.

5. The obligations pursuant to this Sections 11 shall continue to exist as long as Subscriber Data are in the area of influence of Provider, also after the termination date of the Subscription.

12. Confidentiality

1. The Parties shall observe the confidentiality of all information which is to be treated as confidential and obtained in the context of this contractual relationship, or shall, respectively, only use it in relation to third parties, for whatever purpose, subject to the prior written agreement of the other Party. Information to be treated as confidential includes information explicitly marked as confidential by the Party communicating the information and information where the confidentiality thereof derives from the circumstances of its provision.

2. Affiliates and subcontractors of Provider are not to be considered third parties with regards to the obligation of Section 12.1 above.

3. Notwithstanding the above, Provider shall be free to exchange confidential information required for the provision and technical set up or maintenance of the Service for Subscriber with the Reseller or such third parties that, based on a separated agreement with Subscriber, are responsible for the technical installation and set up or maintenance of the Service for the Subscriber. Such exchange of confidential information, however, is limited to information needed for the contractual responsibility of such third party towards the Subscriber and subject to an equivalent confidentiality obligations between Provider and such third party.

4. The obligations under Section 12.1 shall not apply to such information or parts thereof for which the receiving Party proves that it

   1. was known to the receiving Party or generally accessible prior to the date of receipt or became known from a third party after the date of receipt in a lawful manner and without any confidentiality obligation; or

   2. was already known to the general public or was generally accessible prior to the date of receipt; or

   3. became known to the general public or became generally accessible after the date of receipt without the receiving Party being responsible for this; or

   4. has waived its right to confidentiality in respect of which the notifying Party has waived its right to confidentiality by means of a written declaration to the receiving Party.

5. The obligations under Section 12.1 shall survive termination of these Terms of Use for an indefinite period, as long as a criterion for an exception pursuant to Section 12.2 has not been evidenced.

13. Liability

1. Any liability claims by Subscriber based on defects or malperformance of the Service must be made against Reseller under the Subscription. Subject only to Section 13.2 any claims against Provider based on defects or malperformance of the Service are excluded.

2. Provider is liable for direct damages in accordance with the statutory provisions

   1. in the event of intent or gross negligence,

   2. in accordance with the provisions of the Dutch product liability regulations,

   3. within the scope of a guarantee given by Provider, and

   4. in the event of injury to life or limb or impairment to health of a person.

3. If and to the extent permitted by applicable local law:

   1. any liability for indirect or consequential damages is excluded;

   2. any liability pursuant to this Section 13 is limited to an amount of € 25,000.00 (in words: twenty-five thousand Euros) per contract year, starting from the date of the License Code Activation.

14. Term, Termination

1. Except as otherwise agreed, the stipulations set forth herein shall enter into force upon acceptance of these Terms of Use and shall remain valid for the time the Subscriber has access to the Service.

2. Unless specifically agreed otherwise between Reseller and Subscriber in the Subscription, the use rights granted herein based on a valid License Code, shall be limited for a period of 12 months from the date of the License Code Activation.

3. The Parties’ statutory right to terminate for cause without notice shall remain unaffected.

15. Obligations Upon and After Termination

The Provider shall delete Subscriber Data from all Provider systems one month after the end of the Subscription Term, unless the Subscriber obtains a new License Code to continue using the Service or if there are legal retention periods to the contrary. The Subscriber is obliged to export and save the Subscriber Data on his own responsibility in good time before expiry of the Subscription Term.

16. Export Control

1. Subscriber is aware that the use of the Service may be subject to import/export restrictions. In particular there may be approval requirements, or use of the Service and related technologies may be subject to restrictions/limitations in foreign countries.

2. Subscriber shall comply with respectively applicable national and international import/export control regulations, and with all other relevant regulations.

3. Provider’s provision of Services is subject to such fulfillment not being opposed by impediments due to national or international import/export regulations or by any other statutory provisions.

4. Delays due to export examinations or approval procedures render deadlines and delivery dates inapplicable. If necessary approvals are not granted or if the delivery of the Service is not capable of being approved, Provider shall be relieved from providing the Service.

5. The Provider has the right to terminate the provision of the Service without notice if such termination is necessary for the Provider in order to comply with national or international legal provisions. In the event of termination the Subscriber is excluded from raising a claim for any damage or other rights on account of the termination.

6. The Service shall not be utilized for military purposes or for nuclear technology purposes.

17. Miscellaneous

1. The contractual relationships between the Parties shall be governed by the substantive laws of the Netherlands. Service of the UN Convention on Contracts for the International Sale of Goods (CISG) is excluded.

2. Legally relevant statements and notices to be delivered to Provider by Subscriber after acceptance of these Terms of Use (e.g. setting of time limits, notification of defects, and declaration of rescission or price reduction) must be made in text form in order to be effective.

3. Should any provision of these Terms of Use be or become invalid or unenforceable, this shall, however, not affect the remaining provisions.

4. The courts of ‘s-Hertogenbosch, the Netherlands, have exclusive jurisdiction and venue.

18. Data transfer for the purpose of software improvement and expansion

1. The subscriber accepts a data transfer for the purpose of software-improvement within the Service Description. The Provider will process the data to improve and expand Bosch software. The data may be processed for this purpose by the Provider and its Affiliates as well as by the processor(s) commissioned by the Provider for an indefinite period of time.

2. For this purpose, the Subscriber provides the Provider free of charge with video content within the Service.

3. The Parties, each acting independently as data controllers, undertake to comply with relevant data protection laws and to implement adequate measures for data security and data protection, with regard to the Subscriber in particular to inform the data subject about the transfer of data to the Provider.

4. By providing the video material, the Subscriber shall not acquire any rights to the resulting software. In particular, all publication, reproduction, editing and usage rights shall remain with the Provider.

Section 2: Data Processing Terms and Conditions (Customers) for Software as a Service Applications provided by Provider Security Systems B.V. (As of: June 2026)

These Data Processing Agreement (“Data Processing T&Cs”) apply to the processing of Personal Data by IQSIGHT B.V., Achtseweg Zuid 173, 5651 GW Eindhoven, The Netherlands (hereinafter: “Provider”) as data processor on behalf of Customer as data controller in the context of Software as a Service (SaaS) applications provided by Provider (Customer and Provider hereinafter individually referred to as a “Party” and together as the "Parties").

1. Preamble

These Data Processing Agreement specify the Parties' obligations under the Contract in relation to data protection and apply to all activities in connection with the Contract in which employees of Provider or subcontractors of Provider may process Personal Data of Customer on their behalf (“Commissioned Data Processing”, Auftragsverarbeitung).

2. Definitions

1. Any defined terms used in these Data Processing Agreement but not defined herein, shall have the meaning given to them in the Service Terms.

2. “Service Terms” means the respective Service Terms and Conditions of Use for the Subscriber and the Terms and Conditions for SaaS Resellers for the Reseller applicable to the respective Software as a Service (SaaS) applications as amended from time to time and incorporated in the Contract.

3. “Personal Data” has the meaning defined in Article 4 para. 1 of the EU-GDPR.

4. “EU-GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

3. Subject Matter, Duration and Specification of Commissioned Data Processing

1. The subject matter, type and purpose of the Commissioned Data Processing are described in the Contract, including in particular the Service Terms and the relevant Service Description.

2. These Data Processing Agreement apply for the duration of the Contract unless otherwise provided herein.

3. The Commissioned Data Processing takes place in the European Economic Area. Customer agrees that Provider may relocate the processing to a third country if the special conditions of Article 44 et seqq. EU-GDPR are satisfied.

4. Scope of Application and Responsibility

1. Provider processes Personal Data on behalf of Customer. This comprises the activities as described in the Contract, in particular the Service Terms and the relevant Service Description. With regard to the processing of Personal Data, Customer is responsible for compliance with applicable data protection law and in particular for the legality of the data processing.

2. Provider processes Personal Data within the framework of Customer’ instructions. Customer’s instructions consist of the instructions initially defined in the Contract, in particular the Service Terms and the relevant Service Description. Further requests for changes, additions or replacements of instructions can be made by Customer in writing or in text form to the office designated by Provider. Individual instructions falling outside the scope of the Service as agreed in the Contract, will be treated as change requests and Provider will be entitled to request a reasonable remuneration.

3. Provider will inform Customer immediately if he believes that an instruction violates data protection laws or regulations. Provider is entitled to suspend the execution of the corresponding instruction until it is confirmed or changed by Customer.

5. Obligations of Provider

1. Provider may only process data subjects’ Personal Data within the scope of Customer’s instructions. If Provider is obliged by national or European law to process data in a deviating manner, he shall inform Customer accordingly before such processing begins, unless the law in question prohibits such information on the grounds of an important public interest.

2. Provider shall set up the internal organization for his area of responsibility in such a manner that it meets the specific requirements of data protection. Provider shall take the technical and organisational measures described in the Service Description so as to ensure an adequate protection of Customer’s Personal Data. The purpose of these measures is to ensure long-term confidentiality, integrity, availability and resilience of the systems and services in connection with the Commissioned Data Processing. Customer is informed of these technical and organizational measures. It is Customer´s responsibility to ensure that these measures provide an adequate level of protection regarding the risks of processing Personal Data.

3. Provider reserves the right to change the technical and organizational measures taken, although it must be ensured that the contractually agreed level of protection is not reduced.

4. To the best of his ability and within the scope of the Services or under the Contract, Provider shall support Customer in dealing with requests and claims of data subjects according to Chapter III of the EU-GDPR and in respecting its obligations specified in Articles 32 to 36 EU-GDPR. For these services, Provider is entitled to to request a reasonable remuneration.

5. Provider warrants that its employees involved in the processing of Customer’s Personal Data and other individuals working for Provider are prohibited from processing such Personal Data outside the scope of Customer’s instructions. Provider further ensures that the persons authorized to process Personal Data have undertaken to maintain its confidentiality or are subject to an appropriate legal obligation of confidentiality. This obligation of confidentiality and secrecy shall remain in effect beyond the completion of the Contract.

6. Provider shall inform Customer without delay as soon as it becomes aware of any violation of the protection of Customer’s Personal Data. Provider shall take the necessary measures to safeguard Personal Data and to mitigate possible disadvantageous consequences for the data subject and shall consult with Customer in that respect without delay.

7. Provider is obliged to appoint a competent and reliable Data Protection Officer according to Article 37 EU-GDPR to the extent and as long as the statutory prerequisites for such an obligatory appointment are in force. Customer shall be informed of the contact data of this individual for the purpose of making direct contact. If Provider is not obliged to appoint a Data Protection Officer, he shall give Customer the name of the contact for any questions in relation to data protection that may arise in connection with the Contract. Contact information is available at https://www.iqsight.com/en/data-protection-notice/

8. Provider shall ensure that its obligations according to Article 32 para. 1 d) EU-GDPR are complied with and put in place a process for regular examination of the effectiveness of the technical and organisational measures to ensure the safety of processing.

9. Provider corrects or deletes the Personal Data if Customer instructs him to do so and this is covered by the framework of Customer’s instructions. If a deletion in conformity with data protection regulations or a corresponding restriction of data processing is not possible, Provider shall undertake the destruction of data carriers and other materials in conformity with data protection regulations on the basis of an individual instruction by Customer, unless already agreed in the Contract.

10. The Personal Data shall be erased at the date of completion of the Contract. It is up to Customer to prepare backup copies of its Personal Data and to move such Personal Data before the end of the Contract. Provider is not obliged to hand over Personal Data to which Customer has direct access.

11. Provider undertakes to maintain a record of data processing activities according to Article 30 para. 2 EU-GDPR.

6. Obligations of Customer

1. It is Customer’s responsibility to provide Provider with the Personal Data in due time so as to enable the latter to provide the Services according to the Contract. Customer is responsible for the quality of the Personal Data. Customer shall inform Provider immediately and completely in the event that it should identify any errors or irregularities with regard to data protection rules or in the performance of Provider when checking the work results.
   
   In the event that claims should be made by a data subject in connection with Article 82 EU-GDPR, Customer and Provider undertake to assist each other in the defence against such claims. Contact details of the first contact person in data protection matters and the data protection officer are available in Customer's Account data.

7. Enquiries from Data Subjects

If a data subject contacts Provider demanding correction, erasure, restriction of processing or information about the Personal Data, Provider shall refer the data subject to Customer if allocation to the Customer is possible on the basis of the information provided by the data subject.

8. Verification

1. Upon request, Provider shall submit suitable proof to Customer that the obligations set forth in Article 28 EU-GDPR and these Data Processing Agreement are complied with. The Provider implements security measures informed by recognized industry-standard frameworks, including ISO 27001 and the NIST Cybersecurity Framework, which serve solely as guiding references within its risk-based security program. Any such references describe general orientation only and shall not be interpreted as a warranty, representation, or contractual commitment to meet, achieve, or maintain any specific standard or certification. The Provider may update or adjust its security measures in accordance with its risk-management procedures and operational requirements.

2. In the event that spot checks by Customer or an auditor appointed by Customer should turn out to be necessary in individual cases, request shall be made in text form. Provider is entitled to make approval of such checks dependent on signing an adequate declaration of secrecy by Customer or the auditor assigned by Customer. If the auditor appointed by Customer should be a competitor of Provider, Provider is entitled to object. Such objection shall be declared to Customer in text form.

3. In the event that an audit should be carried out by the data protection supervisory agency or another state authority, Section 8.2 shall apply accordingly. Signing a confidentiality obligation is not required if the supervisory authority is subject to professional or statutory confidentiality any breach of which shall be penalized in accordance with the German Criminal Code.

4. Provider is entitled to request adequate compensation for carrying out such an audit as per chapter 8.2 or 8.3, unless the reason for such an audit is the strong suspicion that a data protection breach has taken place within the scope of responsibility of Provider. In such a case, details of the suspicion must be submitted by Customer together with the notification of the examination.

9. Subcontractors (additional subprocessors)

1. Customer agrees that Provider may use subcontractors for the Commissioned Data Processing. Before involving or replacing subcontractors for the Commissioned Data Processing, Provider shall inform Customer in text form with four weeks' notice. Customer may object to such a change. Any objection must be lodged within 14 days, and all reasons must be specified explicitly. If no objection is lodged within this time limit, consent to the involvement or replacement is deemed to have been given. If there is an important reason which cannot be eliminated by Provider by adjusting the assignment, Customer is granted an extraordinary right of termination. The subcontractors already existing at the time of entering into the Contract and their respective services are listed in the Service Description of the respective Service. No separate information is provided about them. If Provider uses any subcontractors for the Commissioned Data Processing, Provider is obliged to convey its obligations regarding data protection under these Data Processing Agreement to the subcontractors.

2. Upon written request by Customer, Provider shall provide information regarding the data protection obligations of its subcontractors used for Commissioned Data Processing at any time.

3. The provisions of this Section 9 shall also apply if a subcontractor in a third country is involved - observing the principles of Chapter 5 of the EU-GDPR. Provider agrees to cooperate to the required extend in meeting the prerequisites as set in Chapter 5 of the EU-GDPR.

10. Liability

1. The limitations of liability as defined in the Service Terms apply.

2. Customer shall indemnify Provider against any claims brought by third parties against Provider as a result of the Commissioned Data Processing unless the claim of such third party is based on the processing of Personal Data by Provider in breach of Customer’s instructions.

11. Information Duties

In the event that Customer’s Personal Data processed by Provider should be placed at risk as a result of seizure or confiscation, insolvency or settlement proceedings or by other events or measures of a third party, Provider shall inform Customer without delay. In this regard, Provider shall inform all third parties without delay that the control and ownership of the Personal Data exclusively lies with Customer as "controller", as defined in the EU-GDPR.

12. Miscellaneous

1. These Data Processing Agreement shall be governed by the substantive laws of the Netherlands. The application of the UN Convention on Contracts for the International Sale of Goods (CISG) is excluded.

2. Legally relevant statements and notices to be delivered to Provider by Customer after conclusion of the Con-tract must be made in text form in order to be effective.

3. In the event of contradictions, the regulations in these Data Processing T&Cs shall take precedence over the regulations of the Contract.

4. Should any provision of these Data Processing Agreement be or become invalid or unenforceable, this shall, how-ever, not affect the remaining provisions.

5. The courts with jurisdiction at the registered office of Provider (i.e. Eindhoven, the Netherlands) shall have exclusive jurisdiction and venue.