1. Subject Matter and Scope

(1) This agreement governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision and use of cloud- and API-based services of 365 business development GmbH for Microsoft Dynamics 365 Business Central.

(2) This agreement applies to all products and services of the Processor to the extent and for as long as personal data is processed on behalf of the Controller in the course of their use. This applies in particular to processing operations that are technically carried out via the Processor's central API or cloud service.

(3) This agreement supplements the main agreement concluded between the parties for the use of software, cloud services, support or other services of the Processor. In the event of conflicts, this agreement takes precedence with respect to data protection and data processing.

2. Nature and Purpose of Processing

(1) The Processor processes personal data exclusively for the purpose of providing the contractually agreed services to the Controller.

(2) Processing may include in particular the following activities:

• Receipt, technical forwarding, conversion, validation or processing of data via cloud or API services,
• communication with third-party or target systems on behalf of the Controller,
• use of technical libraries, interfaces or platform services to execute the commissioned function,
• temporary processing in working memory,
• logging of technical operations to the extent necessary for security, error analysis, stability or the prevention of misuse.

(3) The Processor does not conduct any content-based analysis of personal data for its own purposes.

3. Duration of Processing

(1) Processing takes place for the duration of the respective main agreement or for as long as the Processor provides services involving processing on behalf of the Controller.

(2) The right to terminate the agreement for cause remains unaffected.

4. Type of Personal Data and Categories of Data Subjects

(1) Depending on the product used and the specific use case, the following categories of personal data may be processed in particular:

• Master and contact data,
• communication data,
• address data,
• company and contact person data,
• payment and transaction data,
• contract and transaction data,
• tax and billing-related data,
• log and metadata,
• other data that the Controller processes or has transmitted via the products and services used.

(2) The following categories of data subjects may be affected by the processing in particular:

• Employees of the Controller,
• contact persons, members of governing bodies and other representatives of the Controller,
• customers, prospects, suppliers and service providers of the Controller,
• other business partners of the Controller,
• other persons whose data is processed by the Controller in the course of using the services.

5. Obligations of the Controller

(1) The Controller is responsible for the lawfulness of the processing and for ensuring the rights of data subjects are upheld.

(2) The Controller ensures that it is authorised to transfer the personal data to the Processor and to have it processed within the scope of this agreement.

(3) The Controller provides instructions to the Processor in a complete, correct and legally permissible manner.

(4) The Controller shall notify the Processor without undue delay if it identifies errors or irregularities in connection with data protection requirements.

6. Instructions

(1) The Processor processes personal data solely on documented instructions from the Controller, unless required to do so by law.

(2) Verbal instructions must be confirmed in text form without undue delay.

(3) If the Processor is of the opinion that an instruction violates data protection regulations, it shall notify the Controller immediately. The Processor is entitled to suspend the execution of the relevant instruction until it is confirmed or amended by the Controller.

7. Confidentiality and Access Restriction

(1) The Processor ensures that persons involved in the processing of personal data are committed to confidentiality or are subject to an appropriate statutory obligation of secrecy.

(2) Access to personal data is restricted to those persons who require it to fulfil the contractually agreed services.

8. Technical and Organisational Measures

(1) The Processor implements appropriate technical and organisational measures within the meaning of Art. 32 GDPR to ensure a level of protection appropriate to the risk.

(2) The measures are designed in particular to

• ensure the confidentiality, integrity, availability and resilience of systems and services,
• control access to personal data,
• make the disclosure, input, alteration and deletion of data traceable,
• support the recoverability and fault tolerance of the processing systems,
• maintain procedures for regularly testing, assessing and evaluating the effectiveness of the measures.

(3) The Processor is entitled to adapt the technical and organisational measures to the state of the art and to organisational requirements, provided that the level of protection is not thereby reduced.

9. Assistance to the Controller

(1) The Processor assists the Controller to a reasonable extent in fulfilling the Controller's obligations under the GDPR, in particular with regard to

• responding to requests from data subjects,
• maintaining the security of processing,
• notifying and handling personal data breaches,
• data protection impact assessments and, where applicable, prior consultations,
• fulfilling documentation and information obligations.

(2) Where assistance is not covered by the contractually agreed standard services, it may be subject to separate remuneration.

10. Notification of Personal Data Breaches

(1) The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach, to the extent that it relates to processing under this agreement.

(2) The notification shall be made with the information available to the Processor at that time that the Controller requires to fulfil its statutory obligations.

11. Sub-processors

(1) The Controller grants the Processor general authorisation to engage further processors (sub-processors) for the provision of individual services.

(2) The Processor shall inform the Controller of any intended changes regarding the addition or replacement of sub-processors in an appropriate manner. The Controller may object to such a change on substantive data protection grounds.

(3) The Processor shall contractually commit sub-processors to a level of data protection that is at least equivalent to the requirements of this agreement, to the extent they process personal data on behalf of the Processor.

(4) Sub-processors currently in use or typically used may include in particular hosting, infrastructure, platform, security, communications or support service providers.

(5) To the extent that services are provided via Microsoft Azure, hosting is currently performed in the Germany West Central (Frankfurt am Main, Germany) region.

12. Third-country Transfers

(1) Processing of personal data in a third country or by a service provider in a third country only takes place where the legal requirements for doing so are met.

(2) Where required, appropriate safeguards pursuant to Art. 44 et seq. GDPR are ensured.

13. Audit Rights

(1) The Processor shall demonstrate to the Controller, upon reasonable request, compliance with the obligations set out in this agreement.

(2) Evidence may be provided in particular by current certifications, reports, self-assessments, documentation of technical and organisational measures or other suitable documents.

(3) On-site inspections by the Controller or an auditor appointed by the Controller are permitted upon prior reasonable notice, during normal business hours and subject to the Processor's legitimate confidentiality and security interests, to the extent that suitable evidence pursuant to paragraph 2 does not take precedence.

(4) Inspections must not unreasonably impair the Processor's business operations and must be limited to what is necessary to verify compliance with data protection requirements.

14. Return and Deletion upon Termination

(1) Upon termination of the services covered by this agreement, the Processor shall, at the Controller's choice, delete or return personal data, unless a statutory retention obligation or other legal obligation to continue storage applies.

(2) To the extent that no permanent storage of content data takes place in the course of the services, the obligation under paragraph 1 is limited to any personal data still held by the Processor at the time of termination.

(3) Statutory retention and record-keeping obligations remain unaffected.

15. Liability

The statutory liability of the parties remains unaffected.

16. Relationship to the Main Agreement

To the extent that this agreement does not contain more specific provisions, the provisions of the main agreement apply as a supplement.

17. Final Provisions

(1) Amendments and supplements to this agreement require text form, unless a stricter form is prescribed by law.

(2) Should individual provisions of this agreement be or become wholly or partially invalid, the validity of the remaining provisions shall remain unaffected.

(3) To the extent permitted by law, the law of the Federal Republic of Germany shall apply.

Annex 1 – Description of Processing / Service Overview

This agreement covers all products and services of 365 business development GmbH to the extent that they are provided in whole or in part via central API or cloud services and personal data is processed on behalf of the Controller in the process.

This applies in particular to the product solutions listed on the Processor's website, currently including in particular:

• 365 business Print Agent
• 365 business ERiC
• 365 business Banking
• 365 business Sanction Screen
• 365 business Address Validation
• 365 business Proxy Application
• 365 business E-Invoice
• 365 business PDF
• 365 business Barcode
• 365 business Search & Replace

The specific processing depends on the product used, the licensed functionality, the technical configuration and the actual use by the Controller.

Annex 2 – Examples of Typical Processing Scenarios

Depending on the product, the following processing scenarios may occur in particular:

• technical forwarding of data to external interfaces or target systems,
• calculation, validation, conversion or transmission of operational payload data,
• processing of document, address, communication, payment, tax or transaction data,
• use of cloud-based additional functions, API calls or broker / middleware services,
• short-term intermediate storage or processing in working memory to carry out the requested function,
• generation of technical log entries relating to user, tenant, transaction or system information, to the extent necessary for operations and security.

Annex 3 – Technical and Organisational Measures (Summary)

The Processor implements appropriate technical and organisational measures. These include in particular, where applicable:

• role- and permission-based access restrictions,
• authentication and authorisation concepts,
• transport encryption,
• secured hosting and infrastructure environments,
• logging of security-relevant events,
• measures to ensure availability and resilience,
• patch and vulnerability management procedures,
• data backup and recovery procedures, to the extent required for the respective service,
• internal processes for handling security incidents,
• commitment of personnel to confidentiality.

This summary may be supplemented by separate information on technical and organisational measures.