General Terms and Conditions of Purchase (GTCP)
for services and works performed by usd AG

as of: July 14, 2023

General Terms and Conditions of Purchase (GTCP) for services and works performed by usd AG
Appendix A: Declarations of commitment
Appendix B: Contract for commissioned processing according to Art. 28 GDPR
Appendix C: Information and IT security requirements
Appendix D: Code of ethics and conduct

General Terms and Conditions of Purchase (GTCP) for services and works performed by usd AG

§ 1 General, scope of application, conclusion of contract

(1) usd AG, hereinafter also referred to as "Customer", is an internationally active consulting company for IT and information security. The Customer provides consulting and other services to its customers, hereinafter also referred to as "End Customer".

(2) These General Terms and Conditions of Purchase (GTCP) govern the general conditions for the purchase of services and work by the Customer.

(3) The concrete parameters of the respective order such as, for example, the services to be rendered, the temporal scope, place and manner of performance as well as the remuneration shall be agreed with the Customer by means of an order placed by the Customer. In case of contradictions between the provisions of the GPC and the order, the provisions of the order shall prevail.

(4) For all orders placed by the Customer, only the following GTCP shall apply for the duration of the business relationship.
The Contractor's general terms and conditions shall not be valid even if the Customer does not expressly object to them in an individual case and the Contractor declares that it will only deliver on its own terms and conditions, unless the Customer has previously expressly accepted these terms and conditions in writing. With the acceptance of the order, at the latest, however, with the start of its execution, the Contractor acknowledges the exclusive validity of the GPC. The GPC shall only apply vis-à-vis entrepreneurs within the meaning of Section 310 (1) of the German Civil Code (BGB).

(5) Contracts shall be concluded upon the Contractor's written acceptance of the Customer’s written order. The Customer shall be bound by orders for five (5) days from the order date unless a different binding period is specified in the respective order. A delayed acceptance by the Contractor shall be deemed a new offer and shall require the express written acceptance by the Customer. A simple email or transmission by software shall be sufficient to comply with the written form requirement under this paragraph.

 § 2 Cooperation of the Contracting Parties

(1) The Contractor shall provide services and/or work for the Customer and/or End Customer on its own responsibility and independently.

(2) The Contractor shall in principle be free from instructions in the performance of the service. However, the Contractor shall be obliged to ensure smooth cooperation with other contractors or other project participants and the End Customer.

(3) Insofar as the Contractor uses its own employees or subcontractors, it shall be solely authorized to issue instructions to them. The persons employed shall not be integrated into the organization of the Customer and/or the End Customer.

§  3 Rights to the results of services, third-party property rights

(1)  Unless otherwise agreed in the order, the Contractor shall grant the Customer an exclusive right of use to the results of the performance, unlimited in terms of time, space and content, at the time the performance is rendered.

(2) The Contractor shall guarantee that the results of the services rendered within the scope of the contract are free of industrial property rights and that, to the Contractor's knowledge, no other rights exist which restrict or exclude use in accordance with Section 3 (1). The Contractor shall ensure in particular by means of agreements with its employees or agents that the scope of use provided for in § 3 para. 1 is not impaired by any co-authorship or other rights. The Contractor shall indemnify the Customer against all claims asserted by third Parties against the Customer due to the infringement of property rights by the use of the results of the performance. The Customer shall notify the Contractor immediately in text form if such claims are asserted against it by third Parties.

§4 Contractor's personnel, subcontractors

(1) The persons employed by the Contractor must have the necessary training or know-how to be able to handle the ordered services in accordance with the technical and time requirements that must be met in addition to the requirements of the Customer and/or the End Customer. The Contractor shall ensure a high degree of personnel continuity and shall therefore only replace employees or approved subcontractors if there is a substantial reason for doing so. The Customer may demand the change or exchange of assigned persons if they do not meet the required prerequisites or if there is otherwise a substantial reason (e.g. sustained poor performance, request for exchange by the End Customer). The costs associated with the change, in particular familiarization and training costs, shall be borne by the Contractor.

(2)  Insofar as the Contractor is a natural person and performs the agreed services in its own person: The Contractor shall perform its services in its own name and for its own account. The Contractor declares to be economically and legally independent and in particular to act as an entrepreneur to a relevant extent also for other contractual partners. The Contractor shall notify the Customer without delay of any changes in this respect during the term of the contract.

(3) The use of subcontractors is not intended. If necessary, the Contractor is obliged to notify the Customer and to have the Customer approve the use of subcontractors in writing. In the event that the Contractor uses subcontractors, the Contractor shall be responsible vis-à-vis the Customer and/or the End Customer for ensuring that all rights and obligations resulting from the respective order are fulfilled by the subcontractor. Upon request of the Customer, the Contractor shall prove the fulfillment of this obligation within 14 days by written evidence.

(4) If the Contractor engages subcontractors to execute the Customer’s order without the Customer’s written consent, the Customer shall be entitled to terminate the order without notice and may claim compensation for the damage incurred.

§ 5 Remuneration

(1) The hourly or daily rates or fixed prices specified in the order shall apply to all contractual services.

(2) Daily rates shall be understood as a daily flat rate for service times. If more than eight hours are worked on a calendar day, the additional hours are not billable. Surcharges of any kind whatsoever shall not be remunerated. If less than 8 hours are worked, each full hour worked shall be remunerated at 1/8 of the daily rate.

(3)  Fixed prices shall be understood as total prices for the provision of a specific service outcome for the Customer and/or the End Customer. The performance success is described in each case in the order and requires a (written) acceptance by the Customer and/or the End Customer.

(4) Incidental expenses including travel expenses to the places of performance, accommodation costs and expenses are an imputed part of the remuneration rates and shall not be reimbursed separately unless otherwise agreed in the order. Travel times are not performance times and will not be reimbursed. Unless otherwise agreed, assignments on Saturdays, Sundays and public holidays shall be remunerated without surcharges at the agreed daily rates.

(5) The Contractor shall provide the Customer with evidence of the services provided by it by means of a performance record for the month to be invoiced. A claim to remuneration shall only exist when the proof of performance has been approved by the Customer and/or the End Customer.

(6) The invoice must comply with the statutory provisions and separately state the value added tax in the respective applicable statutory amount. Invoices shall only be valid if the order number is noted and they are issued as read-only PDF to usd AG, Frankfurter Str. 233, C1, 63263 Neu-Isenburg, Germany. In addition, the internal contact person of usd must be indicated on the invoice.

(7) In the case of monthly billing, the invoice including proof of performance shall be submitted by email to rechnung@usd.de by no later than the 5th working day of the following month.

(8) There shall be no acceptance obligation on the part of the Customer. Should the project work be suspended or interrupted in the meantime for reasons for which the Customer is not responsible, the Customer shall be entitled to release the Contractor from the provision of services for this period. The Contractor shall only be entitled to remuneration for services actually rendered.

(9) Unless otherwise agreed, invoices for services under a contract for work and services shall be issued by the Contractor after acceptance of the service by the Customer and/or the End Customer. Invoices for services shall be issued on a monthly basis.

(10)  Factual and undisputed invoices to the Customer shall be due for payment 45 days after receipt of the invoice. If the Customer pays within 5 working days after receipt of the invoice, it shall be entitled to deduct a 2% discount, unless otherwise agreed in the order.

(11) The Contractor shall be obligated to duly pay any VAT owed to the tax office and to independently and duly pay tax on any remuneration.

§ 6 Acceptance of work performances

(1) If the Contractor has fully performed the agreed work services, it shall make the performance results available to the Customer and/or the End Customer for inspection and acceptance on the date agreed in the performance and time schedule. Acceptance shall be subject to a successful functional test, which shall commence no later than within three working days after provision by the Contractor.

(2) After the functional test has been carried out, the Customer and/or the End Customer shall immediately declare acceptance in writing or notify any defects found in writing.

(3) In the event of significant defects being identified, the Customer and/or the End Customer shall set the Contractor a reasonable deadline for the elimination of the defects. After their elimination, the Contractor shall make the performance results available again for inspection and acceptance. The time schedule agreed in para. 1 shall start again.

(4) Partial acceptances shall only take place if they have been expressly agreed. In this case, the declaration of functional readiness shall be limited to the agreed partial services. However, the declaration of overall acceptance of the performance results shall remain necessary.

§ 7 Delay

(1)  The schedule of dates and services shall be specified in the order or agreed between the Customer and the Contractor (hereinafter also "Parties") after conclusion of the contract. Unless otherwise agreed, such dates shall be bindingly observed. In the event of delays for which the Contractor is not responsible, the execution deadlines affected by the delay shall be postponed appropriately; the Parties' statutory claims shall remain unaffected.

(2) In the event of default, the Customer shall be entitled to the statutory rights.

 § 8 Poor performance

If a service is not provided in accordance with the contract, the Customer shall be entitled to demand that the Contractor provide the service in accordance with the contract within a reasonable period of time without additional costs for the Customer. This shall not apply if the Contractor is not responsible for the breach of duty. The Customer’s other claims, in particular for damages or reimbursement of expenses and its right to terminate for good cause, shall remain unaffected.

 § 9 Data protection, secrecy and security

(1) If personal data are collected, processed or used by the Contractor on behalf of the Customer, the Contractor shall conclude a commissioned processing agreement at the Customer’s request (Annex B).

(2) The Contractor shall confirm itself or ensure that it or all persons entrusted by it with the processing or fulfillment of the order comply with the statutory provisions on data protection, in particular in accordance with the EU General Data Protection Regulation and the Telecommunications Telemedia Data Protection Act (Annex A). The obligation to maintain data secrecy required by data protection law shall be made at the latest prior to the first commencement of the activity and evidence thereof shall be provided to the Customer upon request.

(3) The Contractor shall confirm itself or ensure that it or all persons entrusted by it with the assignment or performance of the order have been obliged to comply with the regulations on compliance with social secrecy and bank secrecy (Annex A).

(4) The Parties are obliged to treat all confidential information, business and trade secrets obtained within the framework of the contractual relationship as confidential, in particular not to pass them on to third Parties or to use them other than for contractual purposes. The Contractor shall confirm itself or ensure that it or all persons entrusted by it with the processing or fulfillment of the order have been obligated to observe confidentiality. The fulfillment of legal obligations remains unaffected by this.

(5) Confidential information is information which a reasonable third party would consider worthy of protection or which is marked as confidential; this may also be information which becomes known during an oral presentation or discussion. The obligation of confidentiality shall not apply to information which is already lawfully known to the Parties or which becomes known outside the contract without a breach of a confidentiality obligation.

(6) The Contractor undertakes to comply with the Customer's information security standards (Appendix C).

(7) The Contractor shall be entitled to disclose confidential information to subcontractors only if and to the extent that such confidential information is necessary for the provision of the respective services by the subcontractor ("need-to-know" principle). This shall also only apply if the subcontractor has previously committed itself to data protection, confidentiality and security vis-à-vis the Contractor to at least the same extent as the Contractor has committed itself vis-à-vis the Customer.

 § 10 Corporate Social Responsibility

The Contractor agrees to comply with the Customer's Code of Ethics and Conduct (Appendix D).

 § 11  Verification of compliance

The Contractor shall entitle the Customer to verify compliance with the obligations under § 9 and § 10 if there is sufficient cause to do so and shall cooperate constructively in the verification.

 § 12 Termination

(1) Both Parties may terminate the contractual relationship with two weeks' notice. This shall also apply if a specific performance period / term is specified in the order.

(2) In the event of termination in accordance with Paragraph 1, the Contractor shall only be entitled to remuneration for the services properly performed up to the end of the contract. The Contractor shall have no further claims for damages or reimbursement of expenses.

(3) The notice of termination shall be sent by email to

partner-management@usd.de.

(4) The right to terminate without notice for good cause shall remain unaffected. Good cause for termination without notice shall exist in particular - but not conclusively - if the Contractor culpably fails to comply with its obligations pursuant to Section 9 (1), (2), (3) and (4) within a reasonable period set or if the Customer cannot reasonably be expected to continue to adhere to the contract because the Contractor has violated the obligations under Annex A intentionally or through gross negligence.

 § 13 Obligations after the end of the contract

(1) Upon termination of the contract, the Contractor shall immediately and without being requested to do so return all documents, aids, materials or objects received from the Customer or the End Customer which were not permanently provided to the Contractor for the purpose of executing the contract as intended. This shall also apply to all copies. Furthermore, all performance results shall be handed over to the Customer or the End Customer in any form.

(2) The Customer shall be entitled to demand safe deletion or destruction in whole or in part instead of surrender. This shall be proven to the Customer upon request and at the Customer's option by means of a corresponding declaration or otherwise. Statutory storage obligations shall remain unaffected.

 § 14 Duties of loyalty

(1) The Contractor undertakes to develop sales activities exclusively for the benefit of the Customer for the duration of the provision of services at End Customers. This shall apply for up to six months after the end of the respective service provision. 

(2) The Contractor shall also impose the obligations under Paragraph 1 on the persons or subcontractors employed by it in the respective individual project.

 § 15 Liability insurance

The Contractor shall be obligated to cover its services within the scope of the individual orders by a liability insurance in an appropriate amount, however, at least in the amount of 250,000.00 Euro (two hundred fifty thousand Euro), the existence of which shall be proven upon request.

 § 16 Final provisions

(1) The Parties agree that amendments and additions to this contract must be made in writing. If any provision of this contract is invalid or unenforceable, the remaining provisions shall remain unaffected.

(2) German law shall apply to the exclusion of the UN Convention on Contracts for the International Sale of Goods (CISG); the provisions of international private law shall also not apply.

(3) The exclusive place of jurisdiction for all disputes arising from or in connection with these Terms and Conditions shall be Frankfurt am Main, Germany, provided that the Contractor is a merchant. The Customer shall remain entitled to bring or initiate legal action or other legal proceedings at the Contractor's general place of jurisdiction. The right of both Parties to seek interim legal protection before the courts having jurisdiction according to the statutory provisions shall remain unaffected.

(4) In case of doubt, the German contract text of the GTCP and its components as well as the Contractor's order shall take precedence over translations in other languages

Appendix A: Declarations of commitment

By signing the order, the Contractor confirms that it will personally comply with the obligations defined under Section 9 (2) and (3) of the GTCP and that it will oblige all persons entrusted by it with the processing or fulfillment of the order placed by the Customer to comply with the following regulations before processing the order.

Data secrecy according to the EU General Data Protection Regulation

Personal data is any information relating to an identified or identifiable natural person (data subject).

The relevant statutory provisions on data protection, such as the European Union's General Data Protection Regulation (DSGVO) and the German Federal Data Protection Act (BDSG), apply to personal data.

According to the requirements of the GDPR, personal data may only be processed if there is a legal basis for doing so or the data subject has consented. In principle, the data may only be used for the intended purposes. When processing the data, it must be ensured in particular that the integrity, availability and confidentiality of the personal data are guaranteed.

Personal data must be

• processed in a lawful manner, in good faith and in a way that is comprehensible to the data subject;
• be collected for specified, explicit and legitimate purposes and shall not be further processed in a manner incompatible with those purposes;
• adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing;
• accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate in relation to the purposes of their processing are erased or rectified without delay;
• stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed;
• processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage by means of appropriate technical and organizational measures.

Secrecy of telecommunications pursuant to § 3 TTDSG

Insofar as the Contractor or the persons entrusted by it with the fulfillment of the order, the contractor or the persons entrusted by him with the fulfillment of the order are obligated to maintain the secrecy of telecommunications due to § 3 TTDSG.
persons entrusted with the fulfillment of the order are obligated to maintain the secrecy of telecommunications on the basis of § 3 TTDSG.

Telecommunications secrecy covers the content of telecommunications, such as telephone calls or emails. However, this also includes the circumstances surrounding the telecommunication, such as who took part in a call or from whom to whom an email was sent. The secrecy of telecommunications also extends to the detailed circumstances of unsuccessful connection attempts. The Contractor or the persons entrusted by it with the fulfillment of the order shall be prohibited from obtaining knowledge of the content or the more detailed circumstances of the telecommunications beyond what is necessary for the businesslike provision of the telecommunications services, including the protection of the technical systems. However, if the Contractor or the persons entrusted by it with the performance of the order have knowledge of such information, they shall not disclose it to unauthorized employees or persons. If the Contractor or the persons entrusted by it with the fulfillment of the order are asked for such information, the responsible contact person of the Customer and/or End Customer must be asked for permission before the information is passed on.

Social secrecy according to § 35 Social Code I (SGB I)

If the Contractor or the persons entrusted by it with the fulfillment of the order come into contact with social data in the course of the activity, it is prohibited under Section 35 of the German Social Code I to collect, process or use social data without authorization.

Pursuant to Section 67 (1) of the German Social Code, Book X, social data is individual information about the personal or factual circumstances of an identified or identifiable natural person that is collected, processed or used by an agency specified in Section 35 of the German Social Code, Book I with regard to its duties under this Code. In this context, it is irrelevant whether the information in question appears to be worthy of protection or not.

Banking secrecy

Within the scope of the activity at a credit institution, the Contractor or the persons entrusted by it with the fulfillment of the order shall be obliged to maintain banking secrecy. This means in particular that the Contractor or the persons entrusted by it with the performance of the order may not disclose to third Parties any information covered by banking secrecy which becomes known during the activity.

Anex B: Contract for commissioned processing according to Art. 28 GDPR (as of July 14, 2023)

The Customer processes data on behalf of the End Customers as a data processor using the services of the Contractor. The Customer does not act as the person body for data processing, but as the End Customer's processor. The End Customer bears the responsibility under data protection law.

Insofar as the conclusion of an agreement on commissioned processing is required in this constellation pursuant to Section 9 (1) of the GTCP, the Parties shall conclude the following agreement.

§ 1 Preamble

(1) The Contractor shall process personal data of the End Customer for the Customer. The Customer has selected the Contractor as a service provider within the scope of the due diligence requirements of Art. 28 of the General Data Protection Regulation (GDPR). A prerequisite for the admissibility of commissioned processing is that the Customer gives the Contractor the order in writing. According to the will of the Parties and in particular the Customer, this contract contains the written order for commissioned processing within the meaning of Art. 28 of the GDPR and regulates the rights and obligations of the Parties in connection with the data processing.

(2) Insofar as the term "data processing" or "processing" (of data) is used in this contract, this is generally understood to mean the use of personal data. The use of personal data includes in particular the collection, storage, transmission, blocking, deletion as well as the anonymization, pseudonymization, encryption or other use of data.

§ 2 Subject and duration of the order

(1) The subject of the order results from the associated purchase order, to which reference is made here.

(2) The duration of the order (term) corresponds to the term of the order.

§ 3 Specification of the order content

(1) The nature and purpose of the Contractor's task shall be specified in the purchase order and may include the potential processing of personal data within the scope of consulting and certification projects as well as technical security analyses.

(2) The provision of the contractually agreed data processing shall take place exclusively in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area. Any relocation to a third country requires the prior consent of the Customer and may only take place if the special requirements of Art. 44 et seq. of the GDPR are met.

(3) Potentially, the data may belong to any categories that are processed on the systems of the Customer and/or the End Customer. The Customer and the Contractor cannot foresee in advance of the order what information will be processed.

(4) All persons whose personal data are processed on the systems of the Customer and/or the End Customer in relation to the End Customer's order may potentially be affected. The Customer and the Contractor cannot foresee in advance of the order which information will be processed.

§ 4 Technical-organizational measures

(1) The Customer shall document the implementation of the required technical and organizational measures set out in advance of the award of the contract to the End Customer before the start of the Processing, in particular with regard to the specific execution of the contract, and shall submit them to the End Customer for review. If accepted by the End Customer, the documented measures shall become the basis of the order. Accordingly, the technical and organizational measures agreed with the End Customer must also be complied with by the contractor. The regulations can be found in Appendix D. If a review/audit of the End Customer reveals a need for adaptation, this must be implemented by mutual agreement.

(2) The Contractor shall establish security pursuant to Art. 28 Para. 3 lit. c, 32 DSGVO, in particular in connection with Art. 5 Para. 1, Para. 2 DSGVO. Overall, the measures to be taken are data security measures and to ensure a level of protection appropriate to the risk with regard to confidentiality, integrity, availability and the resilience of the systems. In this context, the state of the art, the implementation costs and the nature, scope and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 (1) of the GDPR must be taken into account (see Annex D).

(3) The technical and organizational measures are subject to technical progress and further development. In this respect, the Contractor shall be permitted to implement alternative adequate measures. In doing so, the security level of the specified measures may not be undercut. Significant changes shall be documented.

§ 5 Correction, restriction and deletion of data

(1) The Contractor may not correct, delete or restrict the processing of data processed under the order on its own authority, but only in accordance with documented instructions from the Customer. Insofar as a data subject contacts the Contractor directly in this regard, the Contractor shall forward this request to the Customer without delay.

(2) To the extent covered by the scope of services, the deletion concept, the right to be forgotten, correction, data portability
and information shall be ensured directly by the Contractor in accordance with documented instructions from the Customer.

§ 6 Quality assurance, other obligations of the contractor

(1)  In addition to compliance with the provisions of this Agreement, the Contractor shall have statutory obligations pursuant to Articles 28 to 33 of the GDPR; in this respect, the Contractor shall in particular ensure compliance with the following requirements:

 a) If there is a legal obligation to do so, the Contractor shall appoint a data protection officer who shall carry out his activities in accordance with Articles 38 and 39 of the GDPR.

The contact details of the data protection officer shall be made available to the Customer prior to commissioning.

If the Contractor is not obliged to appoint a data protection officer, the Contractor shall provide the Customer with the contact details of a company contact person for the topic of data protection.

The Customer shall be informed immediately of any change of data protection officer or contact person.

 b) The maintenance of confidentiality pursuant to Art. 28 (3) sentence 2 lit. b, 29, 32 (4) DSGVO. When carrying out the work, the Contractor shall only use employees who have been obligated to maintain confidentiality and who have previously been familiarized with the data protection provisions relevant to them. The Contractor and any person subordinate to the Contractor who has access to personal data may process this data exclusively in accordance with the Customer's instructions, including the powers granted in this Agreement, unless they are legally obligated to process it.

 c) The implementation of and compliance with all technical and organizational measures required for this order in accordance with Art. 28 (3) p. 2 lit. c, 32 GDPR (Annex D).

 d) The End Customer, the contracting authority and the contractor shall cooperate with the supervisory authority in the performance of their duties upon request.

 e) The immediate information of the Customer about control actions and measures of the supervisory authority, insofar as they relate to this order. This shall also apply insofar as a competent authority investigates in the context of administrative offense or criminal proceedings with regard to the processing of personal data during the commissioned processing at the Contractor.

 f) Insofar as the Customer is exposed on its part to an inspection by the supervisory authority, administrative offense or criminal proceedings, the liability claim of a data subject or a third party or any other claim in connection with the commissioned processing at the Contractor, the Contractor shall support it to the best of its ability.

 g) The Contractor shall regularly monitor the internal processes as well as the technical and organizational measures to ensure that the processing in its area of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the protection of the rights of the data subject is guaranteed.

 h) Verifiability of the technical and organizational measures taken vis-à-vis the Customer within the scope of its control powers pursuant to § 9 of this Agreement.

(2) The Contractor is obligated to support the Customer and/or End Customer in its duty to process requests from Data Subjects pursuant to Art. 12-23 GDPR. In particular, the Contractor shall ensure that the information required in this respect is provided to the Customer without delay so that the Customer can fulfill its obligations under Article 12 (3) of the GDPR.

§ 7 „Mobile Office" regulation

(1) The Contractor may allow its employees who are entrusted with the processing of personal data of the End Customer to process personal data in the Mobile Office.

(2) The Contractor shall ensure that compliance with the contractually agreed technical and organizational measures is also guaranteed in the mobile office of the Contractor's employees.

(3) The Contractor shall in particular ensure that if personal data is processed in the Mobile Office, the storage locations are configured in such a way that local storage of data on IT systems used in the Mobile Office is excluded. If this is not possible, the Contractor shall ensure that local storage is exclusively encrypted and that other persons in the household do not have access to this data.

(4) The Contractor shall require its employees to process personal data in compliance with data protection requirements within the scope of a Mobile Office Guideline.

§ 8 Subcontracting relationships

(1) Subcontracting relationships within the meaning of this provision shall be understood to be those services which relate directly to the provision of the main service. This does not include ancillary services which the Contractor uses, for example, as telecommunications services, postal/transport services, maintenance and user service or the disposal of data carriers as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems.

(2) However, the Contractor shall be obligated to enter into appropriate and legally compliant contractual agreements as well as control measures to ensure data protection and data security of the End Customer's/client's data also in the case of outsourced ancillary services.

(3) The use of subcontractors on the part of the Contractor is not intended in the provision of the agreed order processing. The outsourcing to subcontractors or a subsequent change of the existing subcontractors is permissible insofar as

• the Contractor notifies the Customer of such outsourcing to subcontractors a reasonable time in advance in writing or text form, and
• the Customer does not object to the planned outsourcing in writing or in text form to the Contractor by the time the data is handed over, and
• a contractual agreement in accordance with Article 28 (2-4) of the GDPR is used as a basis.

(4) The transfer of personal data of the End Customer/Customer to the subcontractor and the subcontractor's first activity shall be permitted only after all requirements for subcontracting have been met.

(5) The Contractor shall ensure that the provisions agreed in this Agreement and, if applicable, any supplementary instructions of the Customer also apply to the subcontractor.

(6) If the subcontractor provides the agreed service outside the
outside the EU / EEA, the Contractor shall take appropriate measures to ensure that it is admissible under data protection law. The same shall apply if service providers within the meaning of para. 1 sentence 2 are to be used.

(7) Any further outsourcing by the subcontractor shall require the express information and consent of the Customer (at least in text form); all contractual provisions in the contractual chain shall also be imposed on the further subcontractor.

(8) The Contractor shall carry out regular checks of the Subcontracted Processors. These checks shall be documented and made available to the Customer upon request.

§ 9 Control rights of the Customer

(1) The Customer shall have the right to carry out inspections in consultation with the Contractor or to have them carried out by inspectors to be named in individual cases. It shall have the right to satisfy itself of the Contractor's compliance with this Agreement in its business operations by means of spot checks which must be notified in good time, at least 14 days in advance.

(2) The Contractor shall ensure that the Customer can satisfy itself of the Contractor's compliance with its obligations pursuant to Art. 28 GDPR. The Contractor undertakes to provide the Customer with the necessary information upon request and, in particular, to provide evidence of the implementation of the technical and organizational measures.

(3) Evidence of such measures, which do not only relate to the specific order, may be provided by compliance with approved rules of conduct pursuant to Art. 40 GDPR, certification in accordance with an approved certification procedure pursuant to Art. 42 GDPR, current test certificates, reports or report excerpts from independent bodies (e.g. auditors, auditing, own data protection officer, IT security department, data protection auditors, quality auditors) or by suitable certification by IT security or data protection audit (e.g. in accordance with ISO 27001).

(4) The Contractor may claim remuneration for enabling inspections by the Customer. This shall also include compensation for expenses for the working time of the personnel employed by the Contractor..

§ 10 Notification of violations by the Contractor

(1) The Contractor shall support the Customer in complying with the obligations set out in Articles 32 to 36 of the GDPR regarding the security of personal data, data breach notification obligations, data protection impact assessments and prior consultations. This includes, among other things

 a) ensuring an adequate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing as well as the predicted likelihood and severity of a potential security breach and allow for the immediate detection of relevant breach events.

 b) the obligation to notify the Customer without undue delay of any infringement of data protection regulations or of the contractual agreements made and/or the instructions issued by the Customer which has occurred in the course of the processing of data by him or other persons involved in the processing. The Contractor's notification to the Customer must in particular contain the information pursuant to Art. 33 paras. a) to d).

 c) the obligation to support the Customer within the scope of its duty to inform the Data Subject and to provide it with all relevant information in this context without delay.

 d) the support of the Customer for its data protection impact assessment.

 e) assisting the Customer in prior consultations with the supervisory authority.

(2) The Contractor may claim remuneration for support services that are not included in the service description or are due to misconduct on the part of the Customer.

§ 11 Authority of the Customer to issue instructions

(1)  The Contractor shall process personal data exclusively within the scope of the agreements made and/or in compliance with any supplementary instructions issued by the Customer. Exceptions to this are legal regulations which may require the Contractor to process data in a different manner. In such a case, the Contractor shall notify the Customer of such legal requirements prior to processing, unless the relevant law prohibits such notification due to an important public interest. The purpose, nature and scope of the data processing shall otherwise be governed exclusively by this Agreement and/or the Customer's instructions. The Contractor is prohibited from processing data in a manner deviating from this unless the Customer has consented to this in writing.

(2) The Customer shall confirm verbal instructions without delay (at least in text form). The Contractor shall name to the Customer the person(s) authorized to receive instructions from the Customer. In the event of a change or longer-term prevention of the person(s), the successor(s) or representative(s) shall be notified to the Customer in writing without delay.

(3) The Contractor shall inform the Customer without delay if it is of the opinion that an instruction violates data protection regulations. The Contractor shall be entitled to suspend the implementation of the corresponding instruction until it is confirmed or amended by the Customer.

§ 12 Deletion and return of personal data

(1) Copies or duplicates of the data shall not be made without the knowledge of the Customer. Excluded from this are security copies, insofar as they are necessary to ensure proper data processing, as well as data that is required with regard to compliance with statutory retention obligations.

(2) Upon completion of the contractually agreed work or earlier upon request by the Customer - at the latest upon termination of the order - the Contractor shall hand over to the Customer all documents that have come into its possession, processing and utilization results created, as well as data files that are related to the contractual relationship, or shall destroy them in accordance with data protection requirements after prior consent. The same shall apply to test and reject material. The protocol of the deletion shall be submitted upon request.

(3) Documentation that serves as proof of the proper data processing in accordance with the order shall be retained by the Contractor beyond the end of the contract in accordance with the respective retention periods. The Contractor may hand them over to the Customer at the end of the contract to relieve the Contractor.

§ 13 Right of retention

The Parties agree that the Contractor's right of retention within the meaning of Section 273 of the German Civil Code (BGB) with respect to the processed data and the associated data carriers is excluded.

§ 14 Liability

The liability rules according to Art. 82 GDPR apply.

§ 15 Miscellaneous

(1) If the property of the Customer and/or the End Customer with the Contractor is endangered by measures of third parties, for example by seizure or confiscation or by other events, the Contractor shall notify the Customer immediately. The Contractor shall point out to the third parties that the responsibility and ownership of the data lies exclusively with the Customer and/or the End Customer.

(2) Amendments and supplements to this contract and all of its components require a supplementary agreement in text form.

(3) Should one or more of the clauses of this agreement be invalid, this shall not affect the validity of the remainder of the agreement.

Appendix C: Information and IT security requirements

The Contractor undertakes to comply with the following information security requirements pursuant to Section 9 (6) of the GTCP.

§ 1 Organization of information security

(1) The Contractor shall designate a person to be responsible for information security and to manage the implementation of information security requirements.

(2) The Contractor shall require subcontractors who have an influence on the Customer's information security to meet the same or equivalent security requirements.

§ 2 Asset management

The Contractor shall maintain an inventory of all assets used in the course of the provision of services. This includes, for example, IT systems, software and third-party service providers.

§ 3 Entry and access controls

(1) The Contractor shall allow entry to its premises only via specified entrances. Non-company personnel will always be escorted through the premises.

(2) The contractor uses an access and identity management system that requires complex passwords to authenticate users before granting system access and to control
their permissions. It uses two-factor authentication for remote access to confidential data.

(3) The Contractor shall grant personalized access authorizations for IT systems that have an impact on the information security of the Customer exclusively according to the "least privilege" principle, review them regularly and withdraw them if they are no longer required.

(4) The Contractor shall manage its IT network so that different network zones exist (if necessary) which are separated by a firewall or equivalent.

§ 4 Personnel security

(1) The Contractor shall train all persons relevant for the Customer's information security once a year on current information security topics.

(2) The Contractor shall check the persons entrusted with the provision of services on the basis of a police clearance certificate or equivalent proof.

(3) The Contractor shall obligate the persons employed to render the service to handle the Customer's confidential data securely (e.g., keeping customer data confidential, sending it securely by email, disposing of it securely).

§ 5 Data and communication security

(1) The Contractor shall secure deployed portable IT devices (e.g. laptops) with hard disk encryption.

(2) The Contractor shall transmit and store confidential data of the Customer in encrypted form in accordance with the state of the art.

(3) The Contractor shall not use removable media in handling confidential data of the Customer.

(4) The Contractor shall securely delete confidential data of the Customer after the end of the contract.

§ 6 Procurement, maintenance and development of systems

(1) The Contractor shall use IT systems that have a hardened operating system, protection against malware, and host-based security software, and takes information security requirements into account at the procurement stage.

(2) The Contractor shall continuously maintain deployed IT systems and install available security updates in a timely manner.

(3) The Contractor shall develop software securely in compliance with current industry standards (e.g. OWASP).

§ 7 Security in IT operations

(1) The Contractor shall design the IT systems relevant for the sufficiently redundant for the provision of the service.

(2) The Contractor shall securely retain and monitor event logs of relevant IT systems to track access to confidential data and IT systems and identify identify security incidents.

(3) The Contractor shall subject all IT systems accessible from the Internet that affect the information security of the Customer to technical security analyses. Critical vulnerabilities are corrected promptly by the Contractor.

(4) The Contractor shall perform regular data backups for all data not stored at the Customer's premises, shall protect such data from unauthorized access and shall ensure proper functioning by means of regular checks.

§ 8 Information security incidents

The Contractor shall report incidents affecting the Customer's information security to the Customer within two working days by email to partner-management@usd.de.

§ 9 IT risk management

The Contractor shall identify, assess and evaluate IT risks associated with the service and implement any necessary security measures.

§ 10 Audited information security

(1) The Contractor shall audit compliance with the information security requirements on an annual basis and document the result in an audit report. Alternatively, the Contractor may rely on audit reports of independent third parties (e.g. ISO 27001). The audit report shall be provided to the Customer upon request.

(2) The Contractor shall grant the Customer a right to audit, provided that no audit report is submitted or a security incident relevant to the Customer occurs.

Appendix D: Code of Ethics and Conduct

The Customer acknowledges its responsibility in the economic, ecological and social sense in the pursuit of a sustainable business orientation and implements the 10 principles of the United Nations Global Compact (UNGC) and, since the adoption of the 2030 Agenda for Sustainable Development of the United Nations, also the 17 sustainability goals defined thereby. The long-term goal of the Customer is that all contractors also demonstrate efforts to meet this responsibility in the course of the business relationship. By accepting the order, the Contractor confirms compliance with the following agreements in accordance with the Supply Chain Sourcing Obligations Act (LkSG).

§ 1 Basic principles

The Contractor undertakes to comply with all legal requirements and international human rights. Furthermore, the Contractor is aware of its social responsibility and considers it its duty to fully meet this responsibility in all entrepreneurial activities. The Contractor is committed to proactively pursue the issue of sustainability and for this purpose strives to continuously optimize operational processes.

§ 2 Ethical responsibility

(1) The Contractor shall act and make decisions free from the influence of extraneous considerations and interests and shall comply with the applicable anti-corruption provisions in this respect. The Contractor may not offer, promise, demand, grant or accept any services in business transactions unless they are appropriate in the context of direct cooperation. The Contractor is also obliged to disclose any dubious cases that could be regarded as corruption.

(2) The Contractor is obliged to refrain from any kind of intentional deception with the aim of obtaining an unfair or illegal financial advantage. The Contractor shall not take part in actions that aim at the inflow of illegally obtained assets into the legal cycle of the financial and economic world.

(3) The Contractor separates their entrepreneurial interests from their own interests that would result in a conflict. Conflicts may arise in the context of personal relationships, financial advantages and/or cooperation with competitors. The Contractor decides and acts without being influenced by commercial, financial or other pressure.

(4) The Contractor shall comply with the standards of fair competition. For this purpose, the Contractor shall comply with the applicable laws that regulate dealings with competitors with regard to agreements and activities that influence prices and performance.

§ 3 Social responsibility

(1) The Contractor shall at all times comply with all provisions of applicable laws prohibiting discrimination. Accordingly, the Contractor does not tolerate any form of discrimination or unequal treatment on the basis of race, ethnic origin, gender, religion, ideology, disability, age, pregnancy, sexual orientation and identity or any other protected characteristics. The personal dignity, privacy and personal rights of each individual shall be respected.

(2) The Contractor shall ensure occupational safety and health protection at the workplace so that the physical integrity and general health of the employees is not endangered at any time.

(3) The Contractor assures that wages comply with the applicable statutory minimum requirements and industry standards and are not subject to any unauthorized deductions. The Contractor shall ensure that applicable local working time restrictions are complied with and correspond to industry practice.

(4) The Contractor shall respect the right of freedom of association of the employees within the framework of applicable rights and laws.

(5) The Contractor rejects any form of slavery, forced labor or bonded labor and guarantees its employees the right and the possibility to voluntarily give up employment. The Contractor is obliged to comply with the international regulations on the minimum age for admission to employment and the prohibition and immediate elimination of child labor. Stricter national regulations concerning child labor are to be applied with priority.

§ 4 Sustainable responsibility

(1) The Contractor declares environmental and climate protection to be an integral part of responsible corporate management. The Contractor is committed to the long-term goal of environmental protection for present and future generations. To this end, the Contractor shall comply with national legal standards.

(2) The Customer welcomes efforts by the Contractor to establish, plan or operate an environmental management system that prevents, mitigates or compensates for potentially negative impacts, including raw material consumption, greenhouse gas emissions, water, waste, air quality and biodiversity.

(3)  The Customer welcomes the use of renewable energy sources by the Contractor in the value creation process.

§ 5 Cooperation

The Customer considers compliance with these standards and an honest and sincere communication in this regard to be essential for cooperation with the Contractor. The Contractor shall make this declaration available to all companies affiliated with it in accordance with §§ 15 ff AktG (German Stock Corporation Act). The Customer also advocates the application of this declaration to subcontractors and suppliers. In case of justified mistrust, the Customer reserves the right to verify compliance by means of a survey.