Terms and Conditions for the Use of the Closelink Platform Solution for Vendors

1. General

(1) The online portal www.closelink.com (hereinafter also referred to as the “platform”) is a service of Closelink GmbH (“Closelink”) providing sellers and purchasers with a web-based platform solution for enabling purchasing activities and/or planning and management activities in the sector of the shipping industry and companies procuring or buying maritime supplies or other goods and services for vessels.

(2) Closelink does not become a party to the contracts between customers and vendors, but solely makes the platform available for the contractual relations between customers and vendors.

(3) These terms and conditions (“T&Cs”) regulate the Vendors rights and obligations for the use of the platform, unless and to the extent expressly agreed otherwise in an individual contractual agreement between Closelink and the Vendor.

(4) The T&Cs are an integral part of the legal relationship between Closelink and the Vendor on the use of the services that are offered by Closelink via the platform.

(5) The platform shall only be accessible and these T&Cs shall only apply to entrepreneurs (Unternehmer), legal entities under public law or special funds under public law within the meaning of Sec. 310 (1) of the German Civil Code (Bürgerliches Gesetzbuch – BGB).

(6) Closelink’s Data Privacy Statement which governs the collection and processing of personal data with Closelink being the controller of such personal data (i.e., Closelink using data obtained from the Vendor for Closelink’s own business purposes) is accessible on Closelink’s homepage under www.closelink.com/privacy-policy. Regarding the processing of personal data provided by Vendors using the platform (e.g., data of the Vendors’ employees and business contacts as well as Users managed via the platform), the Vendors remain controllers of such personal data and Closelink acts as a processor under the Data Processing Agreement (“DPA”) supplementing these T&Cs. The terms “controller” and “processor” shall be interpreted as provided for in the General Data Protection Regulation (“GDPR”; i.e., “controller” refers to the entity determining the purposes and means of processing, “processor” refers to the entity processing personal data on behalf of the controller).

(7) Deviating terms and conditions of the Vendors are hereby rejected and shall not be part of the legal relationship between Closelink and the Customer.

(8) The Vendor will be notified of any changes to these T&Cs by Closelink in writing or in text form. If the Vendor does not reject such changes within six weeks after receipt of the notification, the changes shall be deemed agreed. In case of any change to these T&Cs, the attention of the Vendor will be drawn separately to the right to object and the legal consequences of remaining silent.

(9) “Vendors” shall mean those Users of the platform who offer and/or wish to offer goods and/or services for sale via the platform and/or supply the goods to the Customers and/or perform the services towards the Customers. Potential vendors are likewise covered by the term.

(10) “Customers" shall mean those Users of the platform who source and/or wish to source goods and/or services from the Vendors via the platform. Potential customers are likewise covered by the term.

(11) “Users” shall mean all visitors to the platform, including Vendors, Customers, their respective representatives and authorized employees as well as other authorized third parties that are granted access to the platform regardless of prior registration in accordance with Section 3 below.

2. General Obligations of the Vendor

(1) The Vendor shall keep its login data and passwords confidential and shall ensure that its authorized Users (in particular, in case of group accounts) are obliged to keep the login data and passwords confidential. The Vendor shall implement appropriate security measures in order to prevent any unauthorized access to the platform by third parties. The Vendor must ensure and is solely responsible that (i) its authorized representatives and employees use the account in line with these T&Cs and (ii) no unauthorized third parties are being granted access to the platform. If the Vendor gains knowledge that a user account has been misused, used unauthorized or could have been misused by third parties, it is required to provide Closelink with the details of such incident immediately, but not later than three days after the incident. As soon as Closelink becomes aware of the unauthorized use, Closelink is entitled to the rights pursuant to Section 7 below. Closelink reserves the right to change the Vendor’s login data and password; in such case Closelink will immediately inform the Vendor by email.

(2) Any actions performed using the login data of a Vendor or one of its employees are generally attributable to the respective Vendor and such Vendor shall be responsible and liable for any actions of Users acting in his name or on his behalf, except where the Vendor proves that third parties have illegally used the login data for the respective action without fault on part of the Vendor. Vendors are responsible for all declarations of intent submitted by themselves on the platform. The Vendor shall ensure that its employees have been familiarized with data processing as part of the use of the platform in accordance with the legal data privacy regulations and any necessary consent by the data subjects has been validly obtained. If a required consent is revoked for one of its employees, the Vendor must deactivate the user account concerned without undue delay and inform Closelink thereof. In all other respects, our Data Privacy Statement applies.

(3) The Vendor is fully responsible for the content posted by it on the platform (any text input and drawings). In particular, the Vendor is responsible that content posted is completely free of any third party rights and also legally suitable for this usage and is permitted to be made available.

(4) The Vendor shall indemnify Closelink from any claims and appropriate costs incurred by Closelink in conjunction therewith (including costs arising for the legal defense), including claims for damages which third parties assert against Closelink due to an infringement of their rights and/or breaches of applicable statutory regulations with regard to the content posted by the respective Vendor. All further rights of Closelink under applicable law, including claims for damages, remain unaffected.

(5) In principle and subject to applicable law and legislation, all content of the Vendor can be posted and managed via the platform which the Vendor considers necessary for entering into agreements with the Customers and which complies with applicable law.

(6) Closelink is entitled to check the content or have it checked at anytime for admissibility, without however being required to do so. If the content breaches these T&Cs, applicable law or legislation or third-party rights or if there is specific evidence of such a breach, Closelink is entitled to the rights under Section 7 below.

(7) The Vendor shall use the data obtained from the platform for their own internal business purposes only and shall not share it with third parties.

(8) The Vendor shall ensure that any of its representatives and employees acting in its name and/or on its behalf have the appropriate powers to enter into contracts via the platform for the Vendor. The Vendor shall upon request provide evidence of this to Closelink.

3. Registration

(1) To use be able to use the full services offered on the platform, the Vendor must register for the platform and open a user account.

(2) The offer to use the platform as a Vendor is only aimed at companies which are active in the sector of the shipping industry and companies offering and providing maritime supplies or other goods and services for vessels.

(3) Upon completion of the registration, the Vendor expressly declares its agreement with the applicability of these T&Cs which are accessible on the platform at any time.

(4) Upon creating the user account, the Vendor is obliged to truthfully and fully provide the data requested on registration and to verify the data used by Closelink for accuracy and completeness. It is not permitted to give stage names, pseudonyms or other invented names when the name is requested. If the data collected should change after registration or if it is incorrect or incomplete upon transmission of the user account, the Vendor is obliged to update its profile without undue delay to this effect or to otherwise transmit the changed data to Closelink.

(5) Closelink reserves the right to verify the Vendor’s details and to deny access to the platform should any irregularities arise. After completion of the registration process, Closelink will set up a user account for the Vendor and provide the Vendor with the access data for the user account (“login data”) to the email address given by the Vendor (so-called confirmation of permission)

(6) Closelink reserves the right to create a user account for individual Vendors without prior registration to the platform and to send the Vendor the login data by email if the required details of the Vendor are known to Closelink and the Vendor has declared its prior consent to the use of its data for this purpose in another way (so-called confirmation of permission). On first login to the platform, the Vendor declares its acceptance of these T&Cs.

(7) The login data sent to the Vendor in the confirmation of permission applies to a master account via which the Vendor is authorized to set up further user accounts for authorized employees. The Vendor represents and warrant towards Closelink that (i) it will only make these user accounts available to its own employees who have sufficient authority to use the platform and (ii) the user accounts of employees who are no longer employed by the Vendor or who do not have or do no longer have sufficient authority to use the platform will be deactivated without undue delay and such (former) employees will not have access to the platform anymore.

4. Contracts between Customers and Vendors

(1) Closelink does not become a party to the contracts between Customers and Vendors, but solely makes the platform available for the contractual relations between Customers and Vendors. Processing and performing contracts entered into via the platform is a matter for the respective Customers and Vendors alone. For the contracts concluded via the platform, Closelink assumes neither a guarantee for the fulfilment nor liability for material defects nor defects of title of the goods and/or services traded. Closelink bears no obligation for fulfilment.

(2) Closelink cannot assume any warranty for the true identity and power of disposition of the respective Users. In cases of doubt, Customers and Vendors are required to find out in an appropriate manner about the true identity as well as the right of disposal of the other contract party.

(3) The Users are responsible for ensuring that all contracts concluded by them via the platform on sourcing goods and/or services as well as delivering them do not breach national or international trade restrictions or sanctions applicable at the registered office of Closelink, such as sanction measures in the form of authorization requirements or prohibitions regarding services or investments and the export, import, transit, movement, sale, acquisition, delivery, provision and forwarding of goods and/or services.

(4) A copy of the data on the transactions sent via the platform will remain at Closelink. Closelink will safeguard the confidentiality and correct storage of the data in accordance with the statutory data protection provisions. It will only be used for the purposes stated in the Data Privacy Statement.

5. Fees, Sanctions of Evasions

(1) Setting up a vendor account for the platform is free of charge for Vendors.

(2) For every order agreed between the Vendor and a Customer via the platform, the vendor owes Closelink a fee as under the current pricing conditions, which can be viewed on the platform. The prices are exclusive of VAT._The fee is due one day after the delivery date given on the platform and is invoiced in accordance with section 9. The vendor has the right to notify Closelink within 30 days of the delivery date given on the platform that the relevant order has not been carried out (“non-performance notice”). In this respect, only partial performance is not considered as non-performance. Closelink will check the non-performance notice and, if applicable, ask the respective customer for confirmation. It is at the professional discretion of Closelink to declare a non-performance notice as justified or unjustified. In the event of a justified non-performance notice, Closelink will credit the Vendor with the fee concerned with the next possible invoice.

(3) For a request initiated via the platform, an order may only be placed and accepted via the platform. If, contrary to sentence 1, the vendor is offered execution of a request posted on the platform in another form, particularly outside the platform, the Vendor must refuse it and ask the relevant Customer to post the offer using the platform. The Customer and Vendor are prohibited to circumvent the platform. In the event of a breach of this Section 5(3), Closelink is entitled to an extraordinary termination of the relationship with the respective Customer and/or respective Vendor and can demand a penalty for breach of contract of USD 350 per order submitted/accepted by circumventing the platform. Further rights of Closelink remain unaffected. Any claims for damages by Closelink are to be set off against the penalty received for breach of contract.

(4) Closelink does not cover and cannot be held responsible for any costs that originate from other software providers of the Vendor for the use of technical interfaces or any other service fees related to the use of Closelink’s platform.

6. Copyrights and Rights of Use

(1) The copyright and exclusive right of use to published objects created by Closelink (webpages, scripts, programs, graphics) remain solely with Closelink.

(2) The reproduction or use of elements of the platform in other electronic or printed publications, particularly on other webpages, is not permitted without the express consent of Closelink.

(3) Upon posting content on the platform, the Vendor grants Closelink in each case a free and transferable right of use and exploitation, unlimited in time and space to the respective content, in particular making it publicly accessible, editing and reproducing it where this is necessary for provision and publication in connection with the platform and/or advertising it. Where the content posted by the Vendor is removed again from the platform, this right of use and exploitation expires. However, Closelink remains entitled to store copies created for security and evidence purposes.

7. Closelink’s Rights to Delete Content, Block User Accounts etc.

If a Vendor breaches these T&Cs, statutory provisions or third party rights or if there is concrete evidence of such a breach or Closelink has another justified interest, especially for protecting other users from fraudulent activities, Closelink is entitled to take the following actions: (a) Deleting offers or other content that has been posted on the platform, (b) warning Vendors due to specific breaches, (c) limiting/restricting the use of the platform, (d) blocking provisionally and (e) blocking the user account permanently. In the choice of action, Closelink will consider the justified interests of the Vendor concerned, particularly whether there is evidence that the Vendor is not at fault for the breach. Closelink will inform the Vendor on the action by email and give it the opportunity to make a statement.

8. Liability of Closelink

(1) For any damages other than damages to life, limb or health, the liability of Closelink to the Vendor is excluded, except for any damages caused by intentional or grossly negligent behavior of Closelink, of one of its legal representatives or one of its vicarious agents and further provided that respective damage is also not caused by a breach of material contractual obligations of Closelink. Material contractual obligations are such obligations the fulfilment of which makes the proper execution of the contract possible in the first place and which the Vendor may normally expect to be complied with. Liability for breach of such a material contractual obligation is limited to damage typical of this type of contract the occurrence of which Closelink had to assume when entering into the contract based on the circumstances known on that date. The exclusions of liability and limitations stated do not apply in the event of the assumption of express warranties by Closelink as well as in the event of claims based on the lack of assured properties or where claims under the Product Liability Act are concerned.

(2) Closelink assumes no liability for malfunctions of the platform that are not the fault of Closelink.

(3) Closelink is only liable for the loss of data in line with the above clauses if such a loss would not have been avoidable on the part of the Vendor by appropriate data backup measures.

(4) The liability does not cover impairment of the contractual use of the services provided by Closelink via the platform that has been caused by improper or incorrect use by the Vendor.

(5) The above limitations of liability also apply analogously to the benefit of the vicarious agents of Closelink.

(6) To the extent there is the opportunity to be routed via the platform to a database or websites etc. of third parties (e.g., by the insertion of links or hyperlinks), Closelink shall not be liable either for accessibility, existence or security of these databases, websites or services or for the content of the same, in particular, Closelink shall not be liable for the legality, accuracy of content, completeness or current nature etc.

(7) In any case, the Vendor is obliged to mitigate any damages in accordance with German law. This includes giving timely notice of damages to Closelink .

9. Invoicing, Offsetting

(1) Invoices for Closelink’s services will be issued monthly at the start of the month, incurred for the previous month.

(2) Invoices are payable within thirty days of the due date and receipt of the invoice. All bank charges for foreign transfers will be charged to the Vendor.

(3) The Vendor shall consent to the storage of the billing data for evidence purposes and/or as part of the statutory retention duty.

(4) The Vendor is only permitted to offset with uncontested or legally validated counterclaims. The Vendor is only entitled to a right of retention if it is based on the same contractual relationship.

10. Term

(1) The usage of the platform by the Vendor based on these T&Cs is for an indefinite period. It may be terminated by the Vendor at any time without notice. Termination may be made in writing, by fax or by email.

(2) Closelink may terminate the usage with a period of notice of three (3) months to the end of the month. The right to extraordinary termina on for good cause remains unaffected by this.

(3) A good cause for Closelink is in particular without limitation: (a) any breach by the Vendor of a significant provisions of the Contract of Use that is not rectified after an appropriate deadline; (b) tortious acts of the Vendor or attempt of the same, e.g. fraud; (c) arrears of payment obligations of the Vendor by more than six weeks; (d) persistent interruption of operations as a result of force majeure that is outside the control of Closelink, such as natural disasters, fire, no-fault collapse of activity networks.

(4) Upon effectiveness of the termination, Closelink is entitled to block the Vendor’s User Account.

11. Final Provisions

(1) If individual provisions of these T&Cs are or become wholly or partially invalid, the remaining provisions of these T&C shall not be affected. The invalid provision shall be replaced by the parties by mutual agreement by such a provision that comes closest to the economic purpose of the invalid provision in a legally effective manner.

(2) The relationships between the contracting parties shall be exclusively governed by the laws of the Federal Republic of Germany excluding its conflict of laws provisions and UN sales law (United Nations Convention on Contracts for the International Sale of Goods, CISG).

(3) The exclusive place of jurisdiction for all disputes arising from these T&C is the registered office of Closelink.

(4) The contract language is English.

Data Processing Agreement (DPA)

1. Subject matter

(1) This DPA specifies the rights and obligations of Closelink and the Customer arising from the processing of personal data in the performance of the services under the T&Cs. For this purpose, the Customer (as the “Controller”) hereby appoints Closelink (as the “Processor”) as a processor within the meaning of Article 28 GDPR. All terms used in this DPA shall have the meaning defined in the GDPR.

(2) Covered by this DPA are all personal data of the Controller to which the Processor has access during the performance of the services under the T&Cs. This shall apply irrespective of whether the Processor is provided with these personal data by the Controller, generates them independently or receives them by other means, e.g. from the data subjects themselves. Appendix 1 lists (i) the categories of persons concerned, (ii) the types of personal data and (iii) the scope and purpose of the processing. This DPA does not apply to data other than personal data.

(3) This DPA shall apply while services are provided under the T&Cs.

2. Principle of processing on behalf and processing abroad

(1) The Processor assures to take appropriate technical and organizational measures so that the processing is carried out in accordance with the requirements of the GDPR and the protection of the rights of the data subjects is ensured.

(2) The processing by the Processor and, if applicable, the other Subcontractors commissioned by it shall generally take place in a member state of the European Union. The Processor shall be entitled to transfer the processing to a third country if the special requirements of Chapter V of the GDPR are met.

3. Subcontracting

(1) Processor shall not use any other contractor ("Subcontractor") without the consent of the Controller.

(2) Controller hereby grants its consent to engage the Subcontractors named in Appendix 2.

(3) The Controller hereby also grants its general consent to the engagement of Subcontractors. In this regard, the Processor shall inform the Controller of any intended change with respect to the use or substitution of Subcontractors, giving the Controller the opportunity to object to such changes.

(4) Where the Processor uses the services of a Subcontractor to carry out certain processing activities on behalf of the Controller, the same data protection obligations as set out in this Contract shall be imposed on the Subcontractor by way of a contract or other legal instrument under Union law or the law of the Member State concerned, in particular providing sufficient assurance that the appropriate technical and organizational measures are implemented in such a way that the processing is carried out in accordance with the requirements of the GDPR. To this end, the parties clarify that it is sufficient for the imposition of the same data protection obligations if the level of protection under the subcontract corresponds to the level of protection under this DPA.

(5) If the Subcontractor fails to comply with its data protection obligations, the Processor shall be liable to the Controller for the Subcontractor's compliance with its obligations in accordance with Article 28 (4) GDPR.

(6) Subcontracting within the meaning of this provision shall not include services which the Processor uses from third parties as an ancillary service to support the performance of this DPA. These include, for example, telecommunications services, maintenance and user service, auditors or the disposal of data carriers. However, the Processor shall be obligated to enter into appropriate and legally compliant contractual agreements and to take control measures to ensure the protection and security of the Controller's data, even in the case of ancillary services contracted out to third parties.

(7) The Subcontractor's compliance with approved codes of conduct pursuant to Article 40 GDPR or an approved certification procedure pursuant to Article 42 GDPR may be used as a factor to demonstrate sufficient assurance within the meaning of Section 3 (4) of this DPA.

4. Controller's right to issue instructions

(1) The personal data covered by this DPA shall only be processed upon documented instructions from the Controller - including with regard to the transfer of personal data to a third country or an international organization - unless the Processor is required to do so by the law of the Union or the Member States to which the Processor is subject; in such a case, the Processor shall notify the Controller of such legal requirements prior to the processing, unless the relevant law prohibits such notification due to an important public interest.

(2) The instructions of the Controller are facilitated via the functions of the platform as governed by the T&Cs.

(3) The Processor shall not use the personal data collected under this DPA for any other purposes than the performance of the services under the T&Cs. Excluded from this are security copies, insofar as they are necessary to ensure proper processing, as well as data required with regard to compliance with statutory retention obligations.

5. Control rights of the Controller

(1) The Processor undertakes to provide the Controller, upon written request and within a reasonable period of time, with such information as is necessary to prove compliance with the obligations under this DPA.

(2) For this purpose, the Processor may also submit current test certificates, reports or report extracts from independent bodies (e.g. auditors, auditing, data protection officers, IT security department, data protection auditors, quality auditors) or suitable certification by IT security or data protection audit.

(3) The Controller shall compensate the Processor for the expenses incurred in providing the information.

6. Technical and organizational measures

(1) The Processor warrants that the persons authorized to process the personal data under this DPA have committed themselves to confidentiality or are subject to an appropriate legal duty of confidentiality.

(2) Taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, the Controller and the Processor shall each take appropriate technical and organizational measures within their respective spheres of responsibility to ensure a level of protection appropriate to the risk.

(3) In assessing the adequate level of protection, particular account shall be taken of the risks inherent in the processing, in particular from destruction, loss, alteration or unauthorized disclosure of, or access to, the personal data covered by the contract, whether accidental or unlawful, which have been transmitted, stored or otherwise processed.

(4) The technical and organizational measures to be taken by the Processor are set out in Appendix 3 to this DPA. The Controller acknowledges that compliance with the measures agreed in Appendix 3 to this DPA satisfies the requirements of this Section 6.

(5) The Processor shall be entitled at any time to replace the technical and organizational measures specified in Appendix 3 to this DPA by other measures, provided that the Processor complies with the requirements agreed in Section 6 (2).

(6) The Parties agree that compliance with approved codes of conduct pursuant to Article 40 GDPR or an approved certification procedure pursuant to Article 42 GDPR may be used as a factor to demonstrate compliance with the requirements set forth in this Section 6.

(7) The Processor shall ensure that natural persons under its authority who have access to the personal data covered by this DPA process them only on the instructions of the Controller, unless they are obliged to process them under Union or Member State law.

7. Information obligations of the Processor

(1) The Processor shall inform the Controller without undue delay in accordance with Article 33 (2) of the GDPR if it becomes aware of a breach of the protection of the Controller's personal data covered by this DPA.

(2) The Controller shall compensate the Processor for the expenses incurred in providing the information, unless the violation of the protection of the Controller's personal data covered by this DPA is due to the fault of the Processor.

8. Duties in support of the Controller

(1) In view of the nature of the processing, the Processor is obliged to support the Controller as far as possible with appropriate technical and organizational measures in fulfilling its obligation to respond to requests to exercise the rights of the data subject referred to in Chapter III of the GDPR (data subject rights).

(2) The Processor is obliged, taking into account the nature of the processing and the information available to it, to assist the Controller in complying with the obligations set out in Articles 32 to 36 GDPR.

(3) The Processor is obligated to provide the Controller with all necessary information to demonstrate compliance with the obligations set forth in Article 28 GDPR and to enable and contribute to reviews - including inspections - conducted by the Controller or another auditor appointed by the Controller.

(4) The Processor shall inform the Controller without undue delay if it believes that an instruction violates the GDPR or other data protection provisions of the Union or the Member States.

(5) The Controller shall compensate the Processor for the expenses incurred in the performance of the aforementioned services pursuant to this Section 8.

9. Obligation to delete and return

Upon completion of the provision of services under the T&Cs, the Processor shall be obliged to either delete or return all personal data collected under this DPA, at the discretion of the Controller, unless there is an obligation under Union or Member State law to store the personal data collected under this DPA. In particular, the applicable retention and archiving obligations shall remain unaffected.

10. Final provisions

(1) Insofar as services of the Processor are marked as subject to compensation under this DPA, the corresponding services of the Processor shall be remunerated according to the general remuneration rates of the Controller in the version valid at the time of performance of the service.

(2) The liability provisions of the T&Cs shall apply accordingly to this DPA.

(3) This DPA is an integral part of the T&Cs. In the event of any discrepancies between the provisions of the T&Cs and this DPA, the provisions of this DPA shall prevail.

Appendix 1: Persons, data and purposes covered

Categories of data subjects:

• Users of the platform
• Employees of the Customers and Vendors
• Business contacts

Types of personal data:

• Contact and master data (e.g. name, address)
• Contract data
• Communication data

Scope and purpose of processing:

• Provision of services on the platform under the T&Cs

Appendix 2: Subcontractors

NameScope of processingAmazon Web ServicesCloud ProviderSentryError TrackingSentryError TrackingMongoDB AtlasDatabase HostingMailchimpMail DispatcherGoogle AnalyticsUser TrackingUserlikeCustomer SupportZapierTask AutomationMagicBellNotification Center

Appendix 3: Technical and organizational measures

Pseudonymization

Pseudonymization (i.e., processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separate) is implemented in the following areas

Confidentiality

a) Physical access control

Technical measures:

• Alarm system
• Smart cards / transponder systems
• Video surveillance of the entrances

Organizational measures:

• Key regulation (key delivery, etc.)
• Logging the visitors

b) Digital access control

Technical measures:

• Login with username + password
• Login with biometric data
• Use of VPN technology for remote accesses
• Firewall
• Smartphone encryption
• Encryption of notebooks / tablet
• Automatic desktop lock
• Encryption of notebooks / tablet
• Logging of accesses to applications, especially when entering, changing, and deleting data

Organizational measures:

• Manage user permissions
• Creating user profiles
• Guideline for the creation of a "secure" password
• Mobile device policy
• General policy data protection and / or security
• Reduction in the number of administrators
• Password policy incl. password length, password change

c) Separation control

Technical measures:

• Separation of productive and test environment

Organizational measures:

• Setting database rights

Integrity

a) Transfer control

Technical measures:

• Establishment of dedicated lines or VPN tunnels
• Logging of accesses and retrievals
• Provision via encrypted connections such as sftp, https

Organizational measures:

• Disclosure of personal data in anonymized or pseudonymized form

b) Input control

Technical measures:

• Technical logging of the entry, modification and deletion of personal data
• Manual or automated control of the logs

Organizational measures:

• Traceability of entry, modification, and deletion of personal data through individual user names

Availability and resilience

a) Availability control

Organizational measures:

• Creating a backup & recovery concept
• Control of the backup process
• Regular tests for data recovery and logging of results
• Storing the backup media in a safe place outside the server room

Procedures for regular review, assessment and evaluation

a) Data protection management

Technical measures:

• Software solutions for data protection management in use
• Other documented safety concept

Organizational measures:

• Employees trained and committed to confidentiality / data secrecy
• Regular sensitization of employees through training

b) Incident Response Management

Technical measures:

• Use of a firewall and regular updating
• Use of spam filters and regular updating
• Use of virus scanner and regular updating

‍