Solutions
Regulated industries
Ressources
Stand: May 2022
Founders1 GmbH
Adelheidstr 93
65185 Wiesbaden
Represented by
Geschäftsführer: Eckhard Ortwein
Contact
Tel.: +49 (0)172 7801239
Registered at
Charlottenburg (Berlin), HRB 234373 B
VAT-ID
Sales Tax VAT-ID related to §27a UStG: DE347408472
Agreement with a user that creates a new workspace and invites users to join the workspace
Effective: May 25, 2022
These Customer Terms of Service (the “Customer Terms”) describe your rights and responsibilities when accessing and using our onlineSingle-Source-of-Trust platform enabling Know-your-Customer (KYC) and collaboration processes (the “Services”). Please read them carefully. If you are a Customer (defined below), these Customer Terms govern your access and use of our Services. If you are being invited to a workspace set up by a Customer, the User Terms of Service (the “User Terms”)govern your access and use of the Services. We are grateful you’re here.
These Customer Terms (or, if applicable, your written agreement with us)and any Order Form(s) (defined below) together form a binding “Contract”between Customer and us. “We,” “our” and “us” refers to the applicableBetterCo entity in the section entitled “Which BetterCo Entity is CustomerContracting With?” below.
If you purchase subscription(s), create a workspace (i.e., a digital space where a group of users may access the Services, as further described in our Help Center pages), invite users to that workspace, or use or allow use of that workspace after being notified of a change to theseCustomer Terms, you acknowledge your understanding of the then-current Contract and agree to the Contract on behalf of Customer.Please make sure you have the necessary authority to enter into theContract on behalf of Customer before proceeding.
“Customer” is the organization that you represent in agreeing to the Contract. If your workspace is being set up by someone who is not formally affiliated with an organization, Customer is the individual creating the workspace. For example, if you signed up using a personal email address and invited a couple of friends to work on a new startup idea but haven't formed a company yet, you are the Customer.
If you signed up for a plan using your corporate email domain, your organization is Customer, and Customer can modify and re-assign roles on your workspace (including your role) and otherwise exercise its rights under the Contract. If Customer elects to replace you as there presentative with ultimate authority for the workspace, we will provide you with notice following such election and you agree to take any actions reasonably requested by us or Customer to facilitate the transfer of authority to a new representative of Customer.
Individuals authorized by Customer to access the Services (an “AuthorizedUser”) via a provisioned account (“User Account”) may submit or access content or information to/of the Services, such as information, messages, files or data (“User Data”). Authorized Users solely own User Data and can authorize Customer, other Authorized Users or other Individuals (a“Guest User”) to access User Data.
Customer, however, may exclusively provide us with instructions on what todo with the User Account. For example, Customer may provision or deprovision User Accounts and access to the Services, enable or disable third party integrations, manage permissions, retention and export settings, transfer or assign workspaces, add, change or deleteCustomer data, or consolidate workspaces or data in module with other workspaces or data in modules. Since these choices and instructions may result in the access, use, disclosure, modification or deletion of certain or all User Data, please review the Help Center pages for more information about these choices and instructions.
Customer will (a) inform Authorized Users of all Customer policies and practices that are relevant to their use of the Services and of any settings that may impact the processing of User Data; and (b) ensure the authorized transfer and processing of User Data under the Contract is lawful.
A subscription allows an Authorized User to access the Services. No matter the role, a subscription is required for each Authorized User. A subscription may be procured through the Services interface, or in some cases, via an order form entered into between Customer and us (each, an “OrderForm”). Please see the Help Center for more information on procuring subscriptions and inviting new Authorized Users. Each Authorized User must agree to the User Terms to activate their subscription. Subscriptions commence when we make them available to Customer and continue for the term specified in the Services “check-out” interface or in the Order Form, as applicable. Each subscription is for a single Authorized User for a specified term and is personal to that Authorized User. We sometimes enter into other kinds of ordering arrangements, but that would need to be spelled out and agreed to in an Order Form. During an active subscription term, adding more subscriptions is fairly easy. Unless the Order Form says otherwise, Customer may purchase more subscriptions at the same price stated in the Order Form and all will terminate on the same date. Check out our Help Center pages for additional information onsetting up a workspace and assigning roles.
We may share information about our future product plans because we like transparency. Our public statements about those product plans are an expression of intent, but do not rely on them when making a purchase.If Customer decides to buy our Services, that decision should be based on the functionality or features we have made available today and not on the delivery of any future functionality or features.
Occasionally, we look for beta testers to help us test our new features.These features will be identified as “beta” or “pre-release,” „early adopter“ or words or phrases with similar meanings (each, a “BetaProduct”). Beta Products may not be ready for prime time so they are made available “as is,” and any warranties or contractual commitments we make for other Services do not apply. Should Customer encounter any faults with our Beta Products, we would love to hear about them; our primary reason for running any beta programs is to iron out issues before making anew feature widely available.
The more suggestions our customers make, the better the Services become. IfCustomer sends us any feedback or suggestions regarding the Services, there is a chance we will use it, so Customer grants us (for itself and all of its Authorized Users and other Customer personnel) an unlimited, irrevocable, perpetual, sublicens able, transferable, royalty-free license to use any such feedback or suggestions for any purpose without any obligation or compensation to Customer, any AuthorizedUser or other Customer personnel. If we choose not to implement the suggestion, please don’t take it personally. We appreciate it nonetheless.
Our Services integrate third party offerings and include a platform that third parties may use to develop applications and software that complement Customer’s use of the Services (each, a “Non-BetterCo Product”). We will also maintain a directory called the BetterCo App Directory where someNon-BetterCo Products are available for installation. THESE ARE NOT OUR SERVICES, SO WE DO NOT WARRANT OR SUPPORT NON-BETTER-CO PRODUCTS, AND, ULTIMATELY,CUSTOMER (AND NOT US) WILL DECIDE WHETHER OR NOT TO ENABLE THEM. ANY USEOF A NON-BETTER-CO PRODUCT IS SOLELY BETWEEN CUSTOMER AND THE APPLICABLE THIRD PARTY PROVIDER.
If a Non-BetterCo Product is enabled for Customer’s workspace, please be mindful of any User Data that will be shared with the third party provider and the purposes for which the provider requires access. We will not be responsible for any use, disclosure, modification or deletion of UserData that is transmitted to, or accessed by, a Non-BetterCoProduct. Check out our Help Center pages for more information.
Please review our Privacy Policy(https://www.BetterCo.ai/privacy-policy) NOTE: we upload there PRIVACY POLICY WHICH YOU FIND BELOW) for more information on how we collect and use data relating to the use and performance of our websites and products.
Customer must comply with the Contract and ensure that its AuthorizedUsers comply with the Contract and the User Terms. We may review conduct for compliance purposes, but we have no obligation to do so. Weren't responsible for the content of any User Data or the way Customer or its Authorized Users choose to use the Services to store or process any User Data. The Services are not intended for and should not be used by anyone under the age of 16. Customer must ensure that all AuthorizedUsers are over 16 years old. Customer is solely responsible for providing high speed internet service for itself and its Authorized Users to access and use the Services.
If we believe that there is a violation of the Contract that can simply be remedied by Customer’s removal of certain User Data or Customer’s disabling of a Non-BetterCo Product, we will, in most cases, ask Customer to take direct action rather than intervene. However, we may directly step in and take what we determine to be appropriate action, if Customer does not take appropriate action, or if we believe there is a credible risk of harm to us, the Services, Authorized Users, Guest Users or any third parties.
For Customers that purchase our Services, fees are specified at the Services interface“check-out” or in the Order Form(s) — and must be paid in advance. Payment obligations are non-cancelable and, except as expressly stated in the Contract, fees paid are non-refundable. For clarity, in the eventCustomer downgrades any subscriptions from a paid plan to a free plan,Customer will remain responsible for any unpaid fees under the paid plan, and Services under the paid plan will be deemed fully performed and delivered upon expiration of the initial paid plan subscription term. Checkout our Help Center pages for more information about payment options.If we agree to invoice Customer by email, full payment must be received within fifteen (15) days from the invoice date. Fees are stated exclusive of any taxes, levies, duties, or similar governmental assessments of any nature, including, for example, value-added, sales, use or withholding taxes, assessable by any jurisdiction(collectively, “Taxes”). Customer will be responsible for paying all Taxes associated with its purchases, except for those taxes based on our net income. Should any payment for the Services be subject to with holding tax by any government, Customer will reimburse us for such with holding tax.
Any credits that may accrue to Customer’s account (for example, from a promotion or application of the Fair Billing Policy), will expire following expiration or termination of the applicable Contract, will have no currency or exchange value, and will not be transferable or refundable.
If any fees owed to us by Customer (excluding amounts disputed reasonably and in good faith) are thirty (30) days or more overdue, we may, without limiting our other rights and remedies, downgrade any fee-basedServices to free plans until those amounts are paid in full, so long as we have given Customer ten (10) or more days’ prior notice that its account is overdue. Notwithstanding the second paragraph of the “Providing the Services” section below, Customer acknowledges and agrees that a downgrade will result in a decrease in certain features and functionality and potential loss of access to User Data.
Customer isn’t the only one with responsibilities; we have some, too. We will (a) make the Services available to Customer and its Authorized Users as described in the Contract; and (b) not use or process User Data for any purpose without Customer’s prior written instructions; provided ,however , that “prior written instructions” will be deemed to include use of the Services by Authorized Users and any processing related to such use or otherwise necessary for the performance of the Contract. For the avoidance of doubt, „written“ does not require a paper copy but a durable and legible declaration in which the person making the declaration is named (see Sec. 126b German Civil Code – Bürgerliches Gesetzbuch).
Be assured that (a) the Services will perform materially in accordance with our then-current Help Center pages; and (b) subject to the “Non-BetterCo Products” and “Downgrade for Non-Payment” sections, we will not materially decrease the functionality of a Service during a subscription term. For any breach of a warranty in this section,Customer’s exclusive remedies are those described in the sections titled“Termination for Cause” and “Effect of Termination”.
For all Service plans, we will use commercially reasonable efforts to make the Services available 24 hours a day, 7 days a week, excluding planned downtime. We expect planned downtime to be infrequent but will endeavor to provide Customer with advance notice (e.g., through theServices), if we think it may exceed sixty (60) continuous minutes.We do not provide remedy for any downtime and related inconvenience.
Business days are all Mondays to Fridays, excluding German national holidays, from 09:00 to 17:00 CEST. We are striving to be responded toCustomer Requests within three (3) Business days and start working on resolving issues as soon as possible.
The protection of User Data is a top priority for us so we will maintain administrative, physical, and technical safeguards at a material level. Those safeguards will include measures for preventing unauthorized access, use, modification, deletion and disclosure of UserData by our personnel. Before sharing User Data with any of our third party service providers, we will ensure that the third party maintains, at a minimum, reasonable data practices for maintaining the confidentiality and security of User Data and preventing unauthorized access. Customer (not us) bears sole responsibility for adequate security, protection and backup of UserData when in Customer’s or its representatives’ or agents’ possession or control or when Customer chooses to use unencrypted gateways (e.g.,IRC/XMPP clients) to connect to the Services. We are not responsible for what Customer’s Authorized Users or Non-BetterCo Products do withUser Data. That is Customer’s responsibility.
We may leverage our employees, those of our corporate affiliates and third party contractors (the “BetterCo Extended Family”) in exercising our rights and performing our obligations under the Contract. We will be responsible for the BetterCo Extended Family’s compliance with our obligations under the Contract.
Subject to the terms and conditions of the Contract, Customer (for itself and all of its Authorized Users) grants us and the BetterCo ExtendedFamily a worldwide, non-exclusive, limited term license to access, use, process, copy, distribute, perform, export and display User Data, and any Non-BetterCo Products created by or for Customer, only as reasonably necessary (a) to provide, maintain and update the Services; (b)to prevent or address service, security, support or technical issues;(c) as required by law; and (d) as expressly permitted in writing byCustomer. Customer represents and warrants that it has secured all rights in and to User Data from its Authorized Users as may be necessary to grant this license.
We own and will continue to own our Services, including all related intellectual property rights. We may make software components available, via app stores or other channels, as part of the Services. We grant to Customer an on-sublicens able, non-transferable, non-exclusive, limited license forCustomer and its Authorized Users to use the object code version of these components, but solely as necessary to use the Services and in accordance with the Contract and the User Terms. All of our rights not expressly granted by this license are hereby retained.
We might enable Customer to identify its contractual partners (e.g.clients), any persons acting on their behalf and beneficial owners (the"Contractual Partners"). For the purpose of this identification, the Services connect the Customer or its Contractual Partners to an electronic (video) identification procedure (e.g. via API) (the"Procedure").
The Procedure is compliant with the requirements for identification by video transmission under the German Money Laundering Act (Geldwäschegesetz– GwG), which the German Federal Financial Supervisory Authority(Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) has specified inits Circular (Rundschreiben) 3/2017 (GW) - Video IdentificationProcedure (Videoidentifizierung) (the "Circular"). The Procedure is also compliant with the requirements of other European supervisory authorities. Please contact us for information on a case-by-case basis.
In order to comply with the requirements of the Circular, the Customer shall enter into the so-called Compliance Agreements (the "ComplianceAgreements") with identification service providers (the"Service Providers") attached in Annex 5 )Call Center agreement tbd). The Service Providers shall be appointed by us.During the term of this Contract, it may be necessary to enter into additional Compliance Agreements with additional Service Providers. TheService Providers shall be obligated by the Compliance Agreements in relation to the Customer to comply with the Circular and thus to provide services in compliance with money laundering law. The Customer shall not incur any costs as a result of the Compliance Agreements.
The Customer agrees and authorizes BetterCo to store the information obtained during the Procedure (“KYC Verification Data”) in theCustomer’s workspace(s). During the term of this Contract, KYCVerification Data shall be immediately and directly electronically retrievable there for the Customer.
The Customer agrees that other Customers may access and use Customer’s KYCVerification Data if these other Customers have to identify the same Contractual Partners as the Customer (“KYC Verification DataSharing”). This KYC Verification Data Sharing requires consents of theContractual Partners which is collected through the Services.BetterCo shall use its best efforts to ensure that the Customer, for it spart, may also access the KYC Verification Data from other Customers and that the necessary consents of the Contractual Partners and of otherCustomers have been obtained for this purpose (“Fair Use”).
If the Customer and other Customers make use of KYC Verification DataSharing, BetterCo undertakes to transmit the KYC Verification Data immediately and directly as a messenger. The Customer a knowledges that BetterCo is not entitled to provide information about the identity of the other customers unless such disclosure is necessary due to an authority requirement.
As further described below, a free subscription continues until terminated, while a paid subscription has a term that may expire or be terminated. TheContract remains effective until all subscriptions ordered under theContract have expired or been terminated or the Contract itself terminates. Termination of the Contract will terminate all subscriptions and all Order Forms.
Unless an Order Form says something different, (a) all subscriptions automatically renew (without the need to go through the Services-interface“check-out” or execute a renewal Order Form) for additional periods equal to one (1) year or the preceding term, whichever is shorter; and (b)the per-unit pricing during any automatic renewal term will remain the same as it was during the immediately prior term. Either party can give the other notice of non-renewal at least thirty (30) days before the end of a subscription term to stop the subscriptions from automatically renewing.
We or Customer may terminate the Contract on notice to the other party if the other party materially breaches the Contract and such breach is not cured within thirty (30) days after the non-breaching party provides notice of the breach. Customer is responsible for its Authorized Users, including for any breaches of this Contract caused by its AuthorizedUsers. We may terminate the Contract immediately on notice to Customer if we reasonably believe that the Services are being used by Customer or its Authorized Users in violation of applicable law.
Customer may terminate its free subscriptions immediately without cause.We may also terminate Customer’s free subscriptions without cause, but we will provide Customer with thirty (30) days prior written notice.
Upon any termination for cause by Customer, we will refund Customer any prepaid fees covering the remainder of the term of all subscriptions after the effective date of termination. Upon any termination for cause by us, Customer will pay any unpaid fees covering the remainder of the term of those subscriptions after the effective date of termination. In no event will any termination relieve Customer of the obligation to pay any fees payable to us for the period prior to the effective date of termination.
We are custodians of User Data. During the term of a workspace’s subscriptions, Customer, Authorized Users and Guest users with access toUser Data will be permitted to export or share certain User Data from the Services; provided, however, that because we have different products with varying features and Customer has different retention options,Customer acknowledges and agrees that the ability to export or share UserData may be limited or unavailable depending on the type of Services plan in effect and the data retention, sharing or invite settings enabled.Following termination or expiration of a workspace’s subscriptions, we will have no obligation to maintain or provide any User Data and may there after, unless legally prohibited, delete all User Data in our systems or otherwise in our possession or under our control.
Customer represents and warrants that it has validly entered into theContract and has the legal power to do so. Customer further represents and warrants that it is responsible for the conduct of its AuthorizedUsers and their compliance with the terms of this Contract and the UserTerms.
EXCEPT AS EXPRESSLY PROVIDED FOR HEREIN, THE SERVICES AND ALL RELATED COMPONENTS AND INFORMATION ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS WITHOUT ANY WARRANTIES OF ANY KIND, AND WE EXPRESS LYDIS CLAIM ANY AND ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED,INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. CUSTOMER ACKNOWLEDGES THATWE DO NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED,TIMELY, SECURE, OR ERROR-FREE.
The limitations under this “Limitation of Liability” section apply with respect to all legal theories, whether in contract, tort or otherwise, and to the extent permitted by law. The provisions of this “Limitation ofLiability” section allocate the risks under this Contract between the parties, and the parties have relied on these limitations in determining whether to enter into this Contract and the pricing for theServices.
In case of willful misconduct and/or gross negligence, BetterCo shall beliable according to the statutory provisions of applicable law.
In case of ordinary negligence, we shall – provided that the standard of liability is not limited according to statutory provisions of applicable law (such as any limitation to the duty of care observed in own affairs) –only be liable for breach of material contractual obligations (material contractual obligations are obligations the breach of which endangers the purpose of the agreement and the fullfilment of which the Customer generally relies and may reasonably rely on); in this case our liability shall be limited to the typical damages that were reasonably foreseeable.
The aforementioned limitations do not apply to (a) damages resulting from injury to life, body or health; (b) liability pursuant to the GermanProduct Liability Act (“Produkthaftungsgesetz”); (c) the assumption of a guarantee for the condition of goods and/or work or fraudulent concealment of defects by us.
The aforementioned limitations of liability shall, subject to the provisions of Section 1.9.3(a), apply to any liability claims for whatever legal reason but in particular due to impossibility, default, defective or incorrect delivery, breach of contract, breach of obligations in contractual negotiations and tort, as far as such claims are subject to fault, and (b) any breach of duty by vicarious agents or any other person for whose conduct we can be held liable according to the statutory provisions of applicable law.
We are not responsible for any technical malfunction or other problems of any telephone, network or service, computer systems, servers or providers, computer or mobile phone equipment, software, failure of email or media players on account of technical problems or traffic congestion on the Internet or at any website or combination there of, including injury or damage to your or to any other person’s computer, mobile phone or other hardware or software, related to or resulting from using or downloading materials in connection with the web and/or in connection with the Services, including any mobile software. Under no circumstances we will be responsible for any loss or damage, including any loss or damage to any User Data or personal injury or death, resulting from anyone’s use of the Services, any User Data or third party applications, software or User Data posted on or through the Services or transmitted to users or any interactions between users of the Services, whether online or offline.
The Services will support logins using two-factor authentication (“2FA”),which is known to reduce the risk of unauthorized use of or access to theServices. We therefore will not be responsible for any damages, losses or liability to Customer, Authorized Users, or anyone else if any event leading to such damages, losses or liability would have been prevented by the use of 2FA. Additionally, Customer is responsible for all login credentials, including usernames and passwords, for administrator accounts as well the accounts of your Authorized Users. We will not be responsible for any damages, losses or liability to Customer, AuthorizedUsers, or anyone else, if such information is not kept confidential byCustomer or its Authorized Users, or if such information is correctly provided by an unauthorized third party logging into and accessing the Services.
Customer will defend BetterCo and the members of the BetterCo ExtendedFamily (collectively, the “ BetterCo Indemnified Parties”) from and against any and all third party claims, actions, suits, proceedings, and demands arising from or related to Customer’s or any of its AuthorizedUsers’ violation of the Contract or the User Terms (a “Claim AgainstUs”), and will indemnify the BetterCo Indemnified Parties for all reasonable attorney’s fees incurred and damages and other costs finally awarded against a BetterCo Indemnified Party in connection with or as a result of, and for amounts paid by a BetterCo Indemnified Party under a settlement Customer approves of in connection with, a Claim AgainstUs. We must provide Customer with prompt written notice of any ClaimAgainst Us and allow Customer the right to assume the exclusive defense and control, and cooperate with any reasonable requests assistingCustomer’s defense and settlement of such matter. This section statesy our sole liability with respect to, and the BetterCo Indemnified Parties’exclusive remedy against Customer for, any Claim Against Us.
Each party (“Disclosing Party”) may disclose “Confidential Information” to the other party (“Receiving Party”) in connection with the Contract, which is anything that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure including all Order Forms, as well as non-public business, product, technology and marketing information. Confidential Information of Customer includes User Data. If something is labeled “Confidential,” that’s a clear indicator to the Receiving Party that the material is confidential.Notwithstanding the above, Confidential Information does not include information that (a) is or becomes generally available to the public without breach of any obligation owed to the Disclosing Party; (b) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the DisclosingParty; (c) is received from a third party without breach of any obligation owed to the Disclosing Party; or (d) was independently developed by the Receiving Party.
The Receiving Party will (a) take at least reasonable measures to prevent the unauthorized disclosure or use of Confidential Information, and limit access to those employees, affiliates and contractors who need to know such information in connection with the Contract; and (b) not use or disclose any Confidential Information of the Disclosing Party for any purpose outside the scope of this Contract. Nothing above will prevent either party from sharing Confidential Information with financial and legal advisors; provided, however, that the advisors are bound to confidentiality obligations at least as restrictive as those in the Contract.
The Receiving Party may access or disclose Confidential Information of the Disclosing Party if it is required by law; provided, however, that the Receiving Party gives the Disclosing Party prior notice of the compelled access or disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if theDisclosing Party wishes to contest the access or disclosure. Without limiting the foregoing, please contact us for details on how requests may be made for the disclosure of User Data and how we will handle those requests. If the Receiving Party is compelled by law to access or disclose the Disclosing Party’s ConfidentialInformation, the Disclosing Party will reimburse the Receiving Party for its reasonable cost of compiling and providing access to suchConfidential Information as well as the reasonable cost for any support provided in connection with the Disclosing Party seeking a protective order or confidential treatment for the Confidential Information tobe produced.
The sections titled “Feedback is Welcome,” “Non-BetterCo Products,” “OurRemoval Rights,” “Use of the Services,” “Payment Terms,” “Credits,” “TheBetterCo Extended Family,” “What’s Yours is Yours …,” “And What’s Ours isOurs,” “Effect of Termination,” “Data Portability and Deletion,”“Representations; Disclaimer of Warranties,” “Limitation of Liability,”“Indemnification ”“Confidentiality” and “Survival,” as well as all of the provisions under the general heading “General Provisions,” will survive any termination or expiration of the Contract.
Customer grants us the right to use Customer’s company name and logo as are ference for marketing or promotional purposes on our website and in other public or private communications with our existing or potential customers, subject to Customer’s standard trademark usage guidelines as provided to us from time-to-time. We don’t want to list customers who don’t want to be listed, so Customer may send us an email tohello@BetterCo.ai stating that it does not wish to be used as a reference.
Neither us nor Customer will be liable by reason of any failure or delay in the performance of its obligations on account of events beyond there asonable control of a party, which may include denial-of-serviceattacks, a failure by a third party hosting provider or utility provider, strikes, shortages, riots, fires, acts of God, war, terrorism, and governmental action.
The parties are independent contractors. The Contract does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties. There are no third party beneficiaries to the Contract.
Except as otherwise set forth herein, all notices under the Contract will be by email, although we may instead choose to provide notice to Customer through the Services (e.g., a notification through theServices). Notices to BetterCo will be sent to hello@BetterCo.ai, except for legal notices, such as notices of termination or an indemnifiable claim, which must be sent to billing@BetterCo.ai. Notices will be deemed to have been duly given (a) the day after it is sent, in the case of notices through email; and (b) the same day, in the case of notices through the Services.
As our business evolves, we may change these Customer Terms and the other components of the Contract (except any Order Forms). If we make a material change to the Contract, we will provide Customer with reasonable notice prior to the change taking effect, either by emailing the email address associated with Customer’s account or by messaging Customer through the Services. Customer can review the most current version of theCustomer Terms at any time by visiting this page and by visiting the most current versions of the other pages that are referenced in theContract. The materially revised Contract will become effective on the date set forth in our notice, and all other changes will become effective upon posting of the change. If Customer (or anyAuthorized User) accesses or uses the Services after the effective date, that use will constitute Customer’s acceptance of any revised terms and conditions.
No failure or delay by either party in exercising any right under theContract will constitute a waiver of that right. No waiver under theContract will be effective unless made in writing and signed by an authorized representative of the party being deemed to have granted the waiver.
The Contract will be enforced to the fullest extent permitted under applicable law. If any provision of the Contract is held by a court of competent jurisdiction to be contrary to law, the provision will be modified and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and there maining provisions of the Contract will remain in effect.
Except with respect to the BetterCo Extended Family, neither party may assign or delegate any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other party (not to be unreasonably withheld). Notwithstanding the foregoing, either party may assign the Contract in its entirety (including all Order Forms), without consent of the other party, to a corporate affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets.Customer will keep its billing and contact information current at all times by notifying BetterCo of any changes. Any purported assignment in violation of this section is void. A party’s sole remedy for any purported assignment by the other party in breach of this section will be, at the non-assigning party’s election, termination of the Contractup on written notice to the assigning party. In the event of such a termination by Customer, we will refund Customer any prepaid feescovering the remainder of the term of all subscriptions after theeffective date of termination. Subject to the foregoing, the Contractwill bind and inure to the benefit of the parties, their respectivesuccessors and permitted assigns.
All references to ‘BetterCo,’ ‘we,’ or ‘us’ under the Contract, what law will apply in any dispute or lawsuit arising out of or in connection with the Contract, and which courts have jurisdiction over any such dispute or lawsuit, depend on where Customer is domiciled.
Domicile
Contracting Entity
Governing Law
Venue
United States & Canada
EU countries
Rest of World
Founders1 GmbH
Germany
Berlin, Germany
The Contract, and any disputes arising out of or related hereto, will be governed exclusively by the applicable governing law above, without regard to conflicts of laws rules or the United Nations Convention on theInternational Sale of Goods. The courts located in the applicable venue above will have exclusive jurisdiction to adjudicate any dispute arising out of or relating to the Contract or its formation, interpretation or enforcement. Each party hereby consents and submits to the exclusive jurisdiction of such courts. Each party also hereby waives any right to jury trial in connection with any action or litigation in anyway arising out of or related to the Contract. In any action or proceeding to enforce rights under the Contract, the prevailing party will be entitled to recover its reasonable costs and attorney’s fees.
The Contract, including these Customer Terms and all referenced pages andOrder Forms, if applicable, constitutes the entire agreement between the parties and supersedes all prior and contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter. Without limiting the foregoing, the Contract supersedes the terms of any online agreement electronically accepted by Customer or anyAuthorized Users. However, to the extent of any conflict or inconsistency between the provisions in these Customer Terms and any other documents or pages referenced in these Customer Terms, the following order of precedence will apply: (1) the terms of any Order Form (if any), (2) theCustomer Terms and (3) finally any other documents or pages referenced in the Customer Terms. Notwithstanding any language to the contrary therein, no terms or conditions stated in aCustomer purchase order, vendor onboarding process or web portal, or any other Customer order documentation (excluding Order Forms) will be incorporated into or form any part of the Contract, and all such terms or conditions will be null and void.
Agreement with a user that joins an existing workspace to create and share projects and a user that joins an existing and shared project on an existing workspace
Effective: May 25, 2022
ThisPrivacy Policy describes how BetterCo collects, uses and discloses information and what choices you have with respect to the information.
When we refer to “BetterCo”, we mean the BetterCo entity that acts as the controller or processor of your information, as explained in more detail in the “Identifying the Data Controller and Processor” section below.
ThisPrivacy Policy applies to BetterCo’s online workplace tools and platform, including the associated BetterCo mobile and desktop applications(collectively, the “Services”), BetterCo.ai and other BetterCo websites(collectively, the “Websites”) and other interactions (e.g., customer service inquiries, etc.) you may have with BetterCo. If you do not agree with the terms, do not access or use the Services, Websites or any other aspect ofBetterCo’s business.
ThisPrivacy Policy does not apply to any third-party applications or software that integrate with the Services through the BetterCo platform (“Third-PartyServices”), or any other third-party products, services or businesses. In addition, a separate agreement governs delivery, access and use of the Services(the “Customer Agreement”), including the processing of any messages, files or other content submitted through Services accounts (collectively, “User Data”). The organization (e.g., your employer or another entity or person) that entered into the Customer Agreement (“Customer”) controls its instance of the Services(its “Workspace”) and any associated User Data. If you have any questions about specific Workspace settings and privacy practices, please contact the Customer whose Workspace you use. If you have an account, you can check your account settings for contact information of your Workspace owner(s) and administrator(s). If you have received an invitation to join a Workspace but have not yet created an account, you should request assistance from theCustomer that sent the invitation.
BetterCo may collect and receive User Data and other information and data (“OtherInformation”) in a variety of ways:
Customers or individuals granted access to a Workspace by a Customer (“Authorized Users)routinely submit User Data to BetterCo when using the Services.
BetterCo also collects, generates and/or receives Other Information:
To create or update a Workspace account, you or your Customer (e.g. your employer) supply BetterCo with an email address, phone number, password, domain and/or similar account details.In addition, Customers that purchase a paid version of the Services provideBetterCo (or its payment processors) with billing details such as credit card information, banking information and/or a billing address.
BetterCo uses a variety of cookies and similar technologies in our Websites and Services to help us collect Other Information. For more details about how we use these technologies, and your opt-out opportunities and other options, please see ourCookie Policy.
A Customer can choose to permit or restrict Third-Party Services for its Workspace. Typically, Third-Party Services are software that integrate with our Services, and a Customer can permit its Authorized Users to enable and disable these integrations for its Workspace. BetterCo may also develop and offer Better Coapplications that connect the Services with a Third-Party Service. Once enabled, the provider of a Third-Party Service may share certain information with BetterCo. For example, if a cloud storage application is enabled to permit files to be imported to a Workspace, we may receive the user name and email address of Authorized Users, along with additional information that the application has elected to make available to BetterCo to facilitate the integration.Authorized Users should check the privacy settings and notices in theseThird-Party Services to understand what data may be disclosed to BetterCo. When a Third-Party Service is enabled, BetterCo is authorized to connect and accessOther Information made available to BetterCo in accordance with our agreement with the Third-Party Provider and any permission(s) granted by Customer(including, by its Authorized User(s)). We do not, however, receive or store passwords for any of these Third-Party Services when connecting them to theServices. For more information on Third-Party Services, click here.
In accordance with the consent process provided by your device or other third-party API, any contact information that an Authorized User chooses to import (such as an address book from a device or API) is collected when using the Services.
BetterCo may receive data about organizations, industries, lists of companies that are customers, Website visitors, marketing campaigns and other matters related to our business from parent corporation(s), affiliates and subsidiaries, our partners, or others that we use to make our own information better or more useful. This data may be combined with Other Information we collect and might include aggregate-level data, such as which IP addresses correspond to zip codes or countries. Or it might be more specific: for example, how well an online marketing or email campaign performed.
We also receive Other Information when submitted to our Websites or in other ways, such as if you participate in a focus group, contest, activity or event, apply for a job, enroll in a certification program or other educational program hosted byBetterCo or a vendor, request support, interact with our social media accounts or otherwise communicate with BetterCo.
Generally, no one is under a statutory or contractual obligation to provide any User Data or Other Information (collectively, “Information”). However, certainInformation is collected automatically and, if some Information, such asWorkspace setup details, is not provided, we may be unable to provide theServices.
User Data will be used by BetterCo in accordance with Customer’s instructions, including any applicable terms in the Customer Agreement and Customer’s use of Services functionality, and as required by applicable law. BetterCo is a processor ofUser Data and Customer is the controller. Customer may, for example, use the Services to grant and remove access to a Workspace, assign roles and configure settings, access, modify, export, share and remove User Data and otherwise apply its policies to the Services.
BetterCo uses Other Information in furtherance of our legitimate interests in operating our Services, Websites and business. More specifically, BetterCo usesOther Information:
If Information is aggregated or de-identified so that it is no longer reasonably associated with an identified or identifiable natural person, BetterCo may use it for any business purpose. To the extent Information is associated with an identified or identifiable natural person and is protected as personal data under applicable data protection law, it is referred to in this Privacy Policy as “Personal Data.”
BetterCo will retain User Data in accordance with a Customer’s instructions, including any applicable terms in the Customer Agreement and Customer’s use of Services functionality, and as required by applicable law. Depending on the Services plan, Customer may be able to customize its retention settings and apply those customized settings at the Workspace level or other level. Customer may also apply different settings to messages, files or other types of User Data. The deletion of User Data and other use of the Services by Customer may result in the deletion and/or de-identification of certain associated Other Information.BetterCo may retain Other Information pertaining to you for as long as necessary for the purposes described in this Privacy Policy. This may include keeping your Other Information after you have deactivated your account for the period of time needed for BetterCo to pursue legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes, and enforce our agreements.
This section describes how BetterCo may share and disclose Information, as described in the section entitled 'Information We Collect and Receive' above. Customers determine their own policies and practices for the sharing and disclosure ofInformation. BetterCo does not control how they or any other third parties choose to share or disclose Information.
BetterCo takes security of data very seriously. BetterCo works hard to protectInformation you provide from loss, misuse, and unauthorized access or disclosure. These steps take into account the sensitivity of the Information we collect, process and store, and the current state of technology. Given the nature of communications and information processing technology, BetterCo cannot guarantee that Information during transmission through the Internet or while stored on our systems or otherwise in our care will be absolutely safe from intrusion by others. When you click a link to a third-party site, you will be leaving our site and we don’t control or endorse what is on third-party sites.
To the extent prohibited by applicable law, BetterCo does not allow use of ourServices and Websites by anyone younger than 18 years old. If you learn that anyone younger than 18 has unlawfully provided us with personal data, please contact us and we will take steps to delete such information.
BetterCo may change this Privacy Policy from time to time. Laws, regulations, and industry standards evolve, which may make those changes necessary, or we may make changes to our services or business. We will post the changes to this page and encourage you to review our Privacy Policy to stay informed. If we make changes that materially alter your privacy rights, BetterCo will provide additional notice, such as via email or through the Services. If you disagree with the changes to this Privacy Policy, you should deactivate your Services account.Contact the Customer if you wish to request the removal of Personal Data under their control.
BetterCo may transfer your Personal Data to countries other than the one in which you live. To the extent that Personal Data is transferred abroad, BetterCo will ensure compliance with the requirements of the applicable laws in the respective jurisdiction in line with BetterCo’s obligations.
In particular, we offer the following safeguards if BetterCo transfers PersonalData from jurisdictions with differing data protection laws:
To communicate with our Data Protection Officer, please email privacy@BetterCo.ai
Data protection law in certain jurisdictions differentiates between the “controller”and “processor” of information. In general, Customer is the controller of UserData. In general, BetterCo is the processor of User Data and the controller ofOther Information. BetterCo
Individuals across the globe, including the European Economic Area, the United Kingdom andBrazil, have certain statutory rights in relation to their personal data.Subject to any exemptions provided by law, you may have the right to request access to Information, as well as to seek to update, delete or correct thisInformation. You can usually do this using the settings and tools provided in your Services account. If you cannot use the settings and tools, contact theCustomer who controls your workspace for additional access and assistance or hello@BetterCo.ai.
To the extent that BetterCo’s processing of your Personal Data is subject to theGeneral Data Protection Regulation or other applicable laws covering the processing of Personal Data such as the UK Data Protection Act and theBrazilian General Data Protection Act (Lei Geral de Proteção de Dados),BetterCo relies on its legitimate interests, described above, to process your data. BetterCo may also process Other Information that constitutes yourPersonal Data for direct marketing purposes and you have a right to object toBetterCo’s use of your Personal Data for this purpose at any time.
This section provides additional details about the personal information we collect about California consumers and the rights afforded to them under the CaliforniaConsumer Privacy Act or “CCPA.”
For more details about the personal information we have collected over the last 12months, including the categories of sources, please see the Information WeCollect And Receive section above. We collect this information for the business and commercial purposes described in the How We Use Information section above.We share this information with the categories of third parties described in theHow We Share and Disclose Information section above. BetterCo does not sell (as such term is defined in the CCPA) the personal information we collect (and will not sell it without providing a right to opt out). Please note that we do use third-party cookies for our advertising purposes as further described in ourCookie Policy.
Subject to certain limitations, the CCPA provides California consumers the right to request to know more details about the categories or specific pieces of personal information we collect (including how we use and disclose this information), to delete their personal information, to opt out of any “sales”that may be occurring, and to not be discriminated against for exercising these rights.
California consumers may make a request pursuant to their rights under the CCPA by contacting us at privacy@BetterCo.ai. We will verify your request using the information associated with your account, including email address. Government identification may be required. Consumers can also designate an authorized agent to exercise these rights on their behalf.
Subject to applicable law, you also have the right to (i) restrict BetterCo’s use of OtherInformation that constitutes your Personal Data and (ii) lodge a complaint with your local data protection authority.
Please also feel free to contact BetterCo if you have any questions about this PrivacyPolicy or BetterCo’s practices, or if you are seeking to exercise any of your statutory rights. BetterCo will respond within a reasonable timeframe. You may contact us at privacy@BetterCo.ai or at our mailing address below:
A list ofacceptable and unacceptable conduct for our Services.
Last Updated: May 25, 2022
ThisAcceptable Use Policy sets out a list of acceptable and unacceptable conduct for our Services. If we believe a violation of the policy is deliberate, repeated or presents a credible risk of harm to other users, our customers, theServices or any third parties, we may suspend or terminate your access. This policy may change as BetterCo grows and evolves, so please check back regularly for updates and changes. Capitalized terms used below but not defined in this policy have the meaning set forth in the User Terms of Service.
Do:
Do Not:
ContactingBetterCo
Please also feel free to contact us if you have any questions about BetterCo’s Acceptable Use Policy. You may contact us at hello@BetterCo.ai or at our mailing address below:
Founders1 GmbH
Hardenbergstrasse 27
10623 Berlin
Last Update: May 25, 2022
Introduction
A. This Data Processing Agreement (“DPA”) is incorporated into, and is subject to the terms and conditions of, the Order Form (“Agreement”) between Licensor (“Licensor” or "we") and the Licensee entity that is a party to Agreement (“Licensee” or “you”). Licensor and the Licensee will herein after (also) be individually referred to as a “Party” and collectively as the “Parties”.
B. Licensor, when Processing Personal Data in the context of the performance of the Agreement, can be considered a ‘Processor’ within the meaning of the General Data Protection Regulation (EU) 2016/679 (the “GDPR”)and the Licensee can be considered a ‘Controller’ within the meaning of the GDPR.
C. The Parties, given the obligations stated in the GDPR and additional member state law to which the Licensee is subject in addition thereto(hereinafter collectively referred to as the: “Applicable Privacy Law”), wish to record their rights and obligations in writing by means of this DPA. D. In this DPA, the terms ‘Personal Data’, ‘Processing’, ‘Data Subject’, ‘Subprocessor, ‘Purpose’ and ‘Personal Data Breach’ shall have the same meaning as set out in the GDPR and should be interpreted in accordance with the GDPR.
1. PersonalData to be processed
Licensor undertakes to Process the Personal Data, Processed in the context of the performance of the Agreement, on the terms and conditions of this DPA. The nature and the Purpose of the Processing, as well as the type of Personal Data and categories of Data Subjects processed by Licensor on behalf of Licensee, is set out in the Agreement, in the absence of which the processing is limited to those activities strictly necessary for the performance of the Agreement. Notwithstanding the aforementioned, Licensor is allowed to process the Personal Data to the extent that Licensor is required todo so by either Union or member state law to which Licensor is subject. In such a case, Licensor shall inform Licensee of that legal requirement before processing, unless that law prohibits providing such information on important grounds of public interest
2. Role of Parties
Licensor shall only process the Personal Data on documented instructions from Licensee. Licensee is deemed to have given the instructions to Licensor for any processing strictly necessary for the provisioning of the services described in the Agreement. These instructions include the processing that results out of changes to these services, to the extent the Agreement allows for such changes.
3. Confidentiality
Licensor shall keep confidential all the Personal Data and otherconfidential information, and shall not make it public, other than to theextent necessary for the provision of the services or insofar as Licensor islegally obliged or ordered by a court to disclose and/or supply the PersonalData. Licensor will agree to the same conditions for confidentiality with thepersons who have access to the Personal Data (e.g., Licensor personnel).
4. Security measures
Preserving the confidentiality and integrity of Licensee’s information is one of Licensor’s highest priorities. Licensor has technical and organizational measures in place to ensure a level of security appropriate to the risk, including the Licensor Security Policy. These measures shall be appropriate, taking into account the state of the art, the costs of implementation and the nature, scope, context and Purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The most recent version of the overview of all the security measures that Licensor undertakes can be requested via email. The nature of the provision of services– the delivery and implementation of standard software – entails that there are limited possibilities for taking specific measures for a Licensee, in addition to the standard security measures as mentioned above. Licensor is therefore only obliged to take such measures tailored to the Licensee if this has been expressly agreed between the Licensee and Licensor. Licensor is allowed to change the mentioned measures as it deems fit. Licensor shall periodically test, assess and evaluate the effectiveness of the technical and organisational measures taken to secure the Processing, whether or not by calling in an expert third party. Such assessments might result in changes in the measures taken. Licensor shall take all necessary steps to ensure that any natural person acting under Licensor’s authority, who has access to Personal Data, does not process this Personal Data except on instructions from Licensee, unless he or she is required to do so by Union or Member State law.
5. Personal Data Breaches
In the case that Licensor encounters a Personal Data Breach which impacts your data security, Licensor will inform you without any unreasonable delay, but in any case, within 72 hours, as soon as Licensor has taken note of it. This notification shall at least, to the extent Licensor has the information:
A. describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
B. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
C. describe the likely consequences of the Personal Data Breach;
D. describe the measures taken or proposed to be taken by the controller to address the Personal Data Breach, including, where appropriate, measures to mitigate Licensor possible adverse effects;
E. provide Licensee with any other information Licensee needs according to the Applicable Privacy Law.
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. Licensor shall assist Licensee in ensuring compliance with the obligations pursuant to the Applicable Privacy Law, taking into account the nature of Processing and the information available to the processor. This also includes assisting Licensee in informing the Data Subjects about Personal Data Breaches. Licensor shall document any Personal Data Breaches, including the facts relating to the Personal Data Breach, the consequences thereof and the corrective actions taken, as well as any other relevant information regarding the Personal Data Breach. Licensor will make every effort to take effective measures in the event of a Personal Data Breach in order to undo the negative consequences resulting from the Personal Data Breach as much as possible and to limit any further negative consequences as much as possible.
6. Hosting& storage
Licensor shall process (or arrange the Processing of) the Personal Data solely within the European Economic Area (“EEA”), unless (i) Licensee authorizes or instructs the transfer of Personal Data outside the EEA or (ii) Licensor is required to transfer the data by the Applicable Privacy Law to which Licensor is subject.
7. Sub-processors
Licensee agrees that Licensor may engage Sub-processors to process Personal Data on Licensee’s behalf. The Sub-processors currently engaged by Licensor and authorized by Licensee are available via the following URL: https://www.betterco.ai/subprocessors
Licensor shall notify Licensee if it adds or removes Sub-processors at least thirty (30) days prior to any such changes. Licensee may object inwriting to the Processing of its Personal Data by a new Sub-processor within thirty (30) following the notification of this policy and such objection shall describe Licensee’s legitimate reason(s) for objection. If Licensee does not object during such time period the new Sub-processor(s) shall be deemed accepted. If Licensee objects to the use of the new Sub-processor pursuant to the aforementioned process, Licensor will have thirty days to decide to cease using this new Sub-processor or appoint a new Sub-processor with regard to the Processing of Personal Data on behalf of Licensee. In case that solution is not satisfactory, Licensee may suspend or terminate the DPA, and subsequently the Agreement. Further termination rights, as applicable and agreed, are set out in the Agreement. When engaging a Sub-processor: A. Licensor remains fully liable for the fulfilment of the obligations under this DPA; B. Licensor will lay down the engagement of the Sub-processor in an appropriate sub-processing agreement; C. The aforementioned agreement will contain clauses to address Licensee’s compliance pursuant to the Applicable Privacy Law in a materially similar way.
8. DataSubjects rights
Licensee is Processing Personal Data from its Licensees, partners and suppliers (Data Subjects) using Licensor, possibly amongst other systems. The Applicable Privacy Law grants certain rights to the Data Subjects. The responsibility for dealing with (the exercise of) these rights rests at Licensee. However, Licensor will, if requested by Licensee, provide Licensee with all reasonable cooperation in the fulfilment of Licensee’s obligations on the basis of the rights of Data Subjects at the Licensee’s expense. Licensor cannot guarantee that it can always provide the cooperation within the timeframes specified in the Applicable Privacy Law that bear on Licensee.
9. Information, cooperation, audit and compliance
Licensor shall make available to Licensee all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections by Licensee in order to assess compliance with this DPA. If Licensee wants to have an audit performed, you have to let Licensor know at least 30 days beforehand. Any audit will always be performed at a day and time that is favorable to Licensor. Audits can only take place by an independent, certified auditor. Both you and your auditor are bound by a full non-disclosure agreement on the process and outcome of the audit. Any cost, directly or indirectly, accompanied with an audit is to be paid by Licensee. Licensee is not allowed to carry out such an inspection more than once per contract year. At Licensee’s expense, Licensor will assist Licensee in ensuring compliance with its obligations pursuant to the Applicable Law.
10. Limitation of liability
Any limitation of liability specified in the Agreement(s) applies mutatis mutandis to this DPA. If as a result of an attributable shortcoming by Licensor, or an act or omission attributable to Licensor, a penalty is imposed on Licensee by a government supervisor, which penalty is directly related to the aforementioned shortcoming, act or omission, Licensor indemnifies Licensee for(that part of) that fine. For clarity: the indemnity does not apply to the part of the fine that is related to the behaviour of Licensee himself. The limitation of liability as specified in the Agreement applies to this indemnification. Any limitation of liability will lapse in case of intent or gross negligence on the part of Licensor.
11. Consequences of Applicable Privacy Law
As a Controller, Licensee is responsible and accountable for the Personal Data you are Processing using the services of Licensor. Therefore, the responsibility for compliance with the Applicable Privacy Law, in the Processing of Personal Data in relation to the Agreement(s) rests at Licensee. Licensee warrants that the Processing of Personal Data pursuant to the Agreement complies with the Applicable Privacy Law and will indemnify and hold harmless Licensor for any claims from any third party that are based on a breach of the aforementioned warranty.
12. Term, termination and consequences of termination
This DPA shall be in force for the same duration as the Agreement. This DPA shall automatically terminate once all Agreements are terminated. Licensor will not store the Personal Data that it processes in relation to the services for a longer period than necessary for the performance of its obligations under the Agreement. General principle is that the storage of data is no longer necessary after the provision of the services under the Agreement has been completed. This means that Personal Data will in principle be destroyed by Licensor after the agreed services have been completed. Licensor is explicitly not obliged to save the Personal Data for a longer time. Licensee is responsible for meeting any storage and administration obligations.
13. Applicable law and competent court
German law applies to this DPA. Except insofar the Agreement designates an exclusively competent court, the court located in the district where Licensor is domiciled (Berlin, Germany) has exclusive jurisdiction.
* * * * *
Last Update: May 2022
1. Vorbemerkung
Diese Dokumentation definiert die technischen und organisatorischenMaßnahmen gemäß Art 24, 32 Abs. 1 DSGVO bezüglich der als Software-as-a-Service zur Verfügung gestellten Leistungen. Die Maßnahmenkategorien werden den Schutzbedarfszielen Vertraulichkeit, Verfügbarkeit, Integrität und Belastbarkeit zugeordnet.
2 Vertraulichkeit, Art. 32 Abs. 1 LIT. B DSGVO
Maßnahmen zur Gewährleistung der Vertraulichkeit personenbezogenerDaten gemäß Art. 32 Abs 1 LIT B DSGVO.
2.1 Zutrittskontrolle
Die im folgenden beschriebenen Maßnahmen werde ergriffen um den unbefugten Zugang zu Datenverarbeitungssystemen, mit denen personenbezogene Daten verarbeitet oder genutzt werden, zu verhindern. Alle an der Verarbeitung sensibler Daten beteiligten Systeme werden ausschließlich bei sorgfältig ausgewählten Service Providern betrieben (siehe Auftragskontrolle). Es bestehen keine eigenen Rechenzentren in denen sensible Daten gespeichert werden. Somit besteht kein physischer Zutritt zu datenverarbeitenden Systemen. Darüber hinaus werden die folgenden Maßnahmen definiert.
2.1.1 Dezentrales Arbeiten / Privaträume
Im Rahmen des dezentralen Arbeitens unter Nutzung von Privaträumen sind die folgenden Vorschriften einzuhalten:
2.1.1.1 Papierloses Arbeiten
Sofern die zu leistenden Aufgaben in Bezug zu personenbezogenen Datenstehen, sind diese stets in papierloser Form zu erfolgen. Es werden keine Abschriften, Kopien oder Ausdrucke sensibler Daten angefertigt.
2.1.1.2 Sichere Verwahrung sensibler Dokumente
Sofern Abschriften, Kopien oder Ausdrücke, die personenbezogene, sensible Daten beinhalten aufgrund der auszuübenden Tätigkeit nicht vermieden werden können, sind diese gesichert und verschlossen zu verwahren.
2.1.1.3 Trennung der Räumlichkeiten
Die zur Ausübung der Tätigkeiten genutzten Räume sind hinreichend vor dem Zutritt Dritter zu schützen.
2.2 Zugangs- und Zugriffskontrolle
Die im Folgenden definierten Maßnahmen gewährleisten, dass die zur Nutzung eines Datenverarbeitungssystems berechtigten Personen nur Zugriff auf Daten erhalten die unter ihre Zugriffsberechtigung fallen, sowie bei der Verarbeitung, Nutzung und Speicherung von personenbezogenen Daten keinerlei personenbezogenen Daten durch Unbefugte gelesen, kopiert, verändert oderentfernt werden können. Die getroffenen Maßnahmen gewährleisten, dass nur Mitarbeiter und Systemadministratoren Zugang zu den datenverarbeitenden Systemen haben, die diesen unmittelbar zur Ausübung ihrer Tätigkeit benötigen. Der Zugang zu Datenverarbeitenden Systemen unterliegt einem bedarfsgerechten Genehmigungs- und Freigabeverfahren durch das Management. Die Systeme werden durch externe Service Provider nach den gängigenSicherheitsstandards betrieben und mittels entsprechender technischer Maßnahmen wie Firewalls gegen den unbefugten Zugang gesichert. Software und Systeme werden regelmäßig bei Bedarf auf Schwachstellen gescannt und unterliegen regelmäßig Patch-Zyklen um Schwachstellen die unberechtigten Zugang ermöglichen könnten auszuschließen. Der Zugang zu datenverarbeitenden Systemen unterliegt einem auf einem ‘need-to-know’ und Rollen basierten Berechtigungskonzepts. Die Vergabe von Zugriff auf einzelne Systeme, Bereiche und Daten innerhalb dieser Systeme, sowie die Berechtigungen an (Lesen, Schreiben, Ändern, Löschen) einzelnen Datensätzen, erfolgt restriktiv und auf explizite Beantragung und Genehmigung. Verwaltung und Vergabe erfolgt durch einen auf das Minimum begrenzten Kreis von Personen. Die Genehmigung kann ausschließlich durch das Management erfolgen. Sämtliche Zugangsdaten unterliegen einer an die Kritikalität der Systeme ausgerichteten Passwortrichtlinie. Eine Speicherung der Zugangsdaten erfolgt ausschließlich mittels Hashing/Salt Verfahren.
2.3 Trennungskontrolle
Alle betriebenen Systeme implementieren die folgenden Maßnahmen zu Trennungskontrolle der Daten. Entwicklungs-, Test- und Produktivumgebungen sind physisch voneinandergetrennt. Systeminterne Zugriffe werden durch entsprechende technisch eMaßnahmen unterbunden. Zugangsdaten zu den einzelnen Systemen werden strikt voneinander getrennt und nicht auf andere Umgebungen übertragen. Systeme die Dritten zur Verfügung gestellt werden implementieren auf Softwareebene eine strikte Mandantentrennung. Innerhalb eines Mandanten stehen rollenbasierte Konzepte zur Verfügung um eine Mandanten interne Zugriffs- und Trennungskontrolle abbilden zu können.
3 Integrität
Maßnahmen zur Gewährleistung der Integrität personenbezogener Datengemäß Art. 32 Abs 1 LIT B DSGVO.
3.1 Übertragungskontrolle
Die zur Übertragungskontrolle getroffenen Maßnahmen stellen sicher, dass personenbezogene Daten bei der elektronischen Übertragung sowie derSpeicherung auf Datenträgern nicht von Unbefugten gelesen, kopiert, verändertoder entfernt werden können.
3.1.1 Speicherung von Daten
Personen bezogenen Daten aus den produktiven Systemen werden ausschließlich auf den Servern der entsprechenden Umgebung gespeichert. Gemäßden Maßnahmen zur Trennungskontrolle werden keinerlei personenbezognenen Daten außerhalb der jeweiligen Umgebung gespeichert. Dies beinhaltet insbesondere Computer von Mitarbeitern. Die Speicherung der Daten erfolgt auf den durch die gemäß derService-Provider Liste definierten Dienstleistern zur Verfügung gestellten Systeme. Gemäß der zur Zugangskontrolle beschriebenen Maßnahmen ist eine physische Entnahme der Daten ausgeschlossen.
3.1.2 Elektronischer Datentransport
Eine elektronische Datenübertragung erfolgt ausschließlich verschlüsselt (TLS, SFTP, S/MIME). Maßnahmen zur Verschlüsselung sind sowohl für die System-interne Kommunikation, die Anbindung von Diensten Dritter sowiefür die öffentliche Nutzung der Software implementiert. Die angewandten kryptographische Verfahren folgen dem Industriestandard und werden bei Bedarf regelmäßig überprüft und aktualisiert.
3.2 Eingangskontrolle
Maßnahmen zur Eingangskontrolle gewährleisten die Nachvollziehbarkeit und Überprüfbarkeit aller Eingaben, Änderungen und Entfernungen personenbezogener Daten innerhalb der Datenverarbeitungssysteme. Auf systemischer Ebene erfolgt eine Protokollierung jeglichen Zugriffs auf die Datensysteme mittels Logfiles. Diese gewährleisten die Nachverfolgbarkeit auf das jeweils ursprünglich verantwortliche System. Auf Software-/Datenbankebene ist eine vollständige Versionierung/Historisierung sowie Auditierung implementiert, die jede Änderung, Eingabe oder Entfernung (jeweils auf Feld/Attributsebene) eindeutig einem Nutzer und einem Zeitstempel zuordnet. Die revsisionssichere Historisierung der personenbezogenen Daten ermöglicht jederzeit die Wiederherstellung eines vorherigen Zustandes derDaten.
4 Verfügbarkeit und Belastbarkeit
Im Folgenden werden die Maßnahmen beschrieben die ergriffen werden um gemäß Art. 32 Abs 1 LIT B und C DSGVO den Schutz personenbezogener Daten vorZerstörung zu gewährleisten. Daten werden ausschließlich auf Managed Services betrieben (AWS), die eine hinreichende Redundanz und Ausfallsicherheit aufweisen. Eine bestmögliche Verfügbarkeit der Systeme wird durch den Einsatz eines Loadbalancers gewährleistet. Datenbanken werden, durch den Managed-Service Partner, täglich und kontinuierlich gesichert.
4.1 Wiederherstellbarkeit
Die Widerherstellbarkeit der Systeme ist durch eine vollständige Automatisierung der Prozesse gewährleistet und wird, unter anderem im Rahmen der Bereitstellung neuer Versionen, regelmäßig überprüft. Datenbanken und Applikation sind physisch voneinander getrennt, und können so unabhängig voneinander wiederhergestellt werden. Durch den Einsatz von Standard-Technologien in derSoftware-Entwicklung sowie dem Betrieb ist eine Wiederherstellung unabhängigder aktuell eingesetzten Service-Provider jederzeit möglich.
5 Maßnahmen der Überprüfung, Bewertung und Evaluierung
Gemäß Art. 32 Abs 1 LIT D DSGVO ist ein Verfahren zur regelmäßigen Prüfung der Wirksamkeit der Maßnahmen implementiert.
5.1 Auftragskontrolle
Die Auswahl etwaiger Auftragnehmer, insbesondere die Wahl technischer Service-Provider erfolgt unter Prüfung der Vorgaben an die Datensicherheit. Die Auswahl inkludiert das Einholen von Referenzen potentieller Auftragsdatenverarbeiter, insbesondere aber die Einsicht der Datensicherheitskonzepte der jeweiligen Partner.
5.2 Verpflichtung auf Vertraulichkeit
Mitarbeiter werden bei Aufnahme des Beschäftigungsverhältnisses auf die Vertraulichkeit und das Fernmeldegeheimnis verpflichtet. Bedarfsgerechte Schulungen gewährleisten eine dauerhafte Sensibilisierung der Mitarbeiter in den Bereichen Datenschutz, IT undInformationssicherheit.
