Hotel Management Tools of HotelFriend Service GmbH – SaaS General Terms and Conditions

1. Scope of application


1.1 These General Terms and Conditions (hereinafter referred to as "T&C") apply to all contracts concluded between HotelFriend Service GmbH, Friedrichstr. 171, 10117 Berlin, Germany (hereinafter "HotelFriend") and hotels and other accommodation providers (hereinafter "Client"; together with HotelFriend the "Parties" and each individually a "Party") for the provision and operation of the internet-based software platform for the management and retrieval of the services specified in the service description (Annex 2), which can be accessed at www.hotelfriend.com/software.

1.2 HotelFriend has developed modular hotel management software. This software, copyrighted for HotelFriend AG, is an internet-based software solution that includes key functions in hotel work organisation according to the services specified in the service description (Annex 2). HotelFriend provides this software for use over the Internet as a Software-as-a-Service (SaaS) solution.

1.3 The Client wishes to use the hotel management software on a rental basis. The use of the HotelFriend system is based on the below-mentioned General Terms and Conditions (hereinafter "T&C").

1.4 These T&C apply exclusively. Deviating, contradictory or additional terms and conditions of the Client will only become part of the contract if and to the extent that HotelFriend has explicitly agreed in writing to their inclusion. This requirement for consent applies in every case, particularly even if HotelFriend delivers services without reservation, knowing the Client's General Terms and Conditions. The inclusion of differing, contrary or additional conditions requires a written contract or the written confirmation of HotelFriend.

2. Contract conclusion; Subject of the contract; Obligations of HotelFriend


2.1 The subject of the contract is the hotel management software developed by HotelFriend. The hotel management software is offered in packages that differ in scope and price. The scope of services can be taken from the service description (Annex 2) and is determined by the selection made by the client in the order form. Both the hotel management software and the program modules mentioned in the service description are hereinafter referred to as "Contractual Software".

2.2 A binding order and thus the conclusion of the contract is effected by sending the order form to HotelFriend and HotelFriend accepting the customer's offer. If contracts are concluded via the HotelFriend website, the IP address and user data at the time of the order are recorded and stored together with the contract documents.

2.3 HotelFriend provides the Client with the Contractual Software described in detail in the service description for use over the internet during the term of the contract. The Client thus obtains the technical possibility and authorisation to access the Contractual Software, which is hosted on a central cloud infrastructure, via the internet and use the functionality of the Contractual Software within the scope of this contract.

2.4 The place of performance for HotelFriend's contractual services is the router exit of the data center used by HotelFriend. The Client's connection to the Internet, the maintenance of the network connection as well as the procurement and provision of hardware and software required on the Client's side are not subject to this contract.

2.5 The Contractual Software is available seven days a week, although there may be partial or complete availability restrictions due to software maintenance work from 02:00 to 6:00 AM ("Operating Time"). The average availability during the Operating Time is over 99.8% per year. The application may still be available, albeit with interruptions and restrictions, during other times ("Maintenance Times"); there is no right to use the service during these times. HotelFriend will notify the client in advance, as far as possible, if maintenance work is necessary during operating hours and the application cannot therefore be available, provided the maintenance cannot be postponed and it was not previously known to HotelFriend.

2.6 HotelFriend provides German-language user documentation in electronic form only. This contains detailed instructions and regulations for the use of the Contractual Software. Insofar as HotelFriend additionally provides foreign language software applications produced by third parties and a German version of the user documentation is not generally available from the third-party manufacturer, HotelFriend may provide the user documentation in English.

2.7 HotelFriend provides the Client with storage space and undertakes to back up the transferred data. HotelFriend will use virus scanners and firewalls to prevent or block unauthorised access to the Client's data and the transmission of harmful data, in particular viruses, as far as this is possible with reasonable economic and technical effort. However, the Client is aware that full protection against harmful data is not possible. If a threat cannot be eliminated by other means in a technically and economically reasonable and promising manner, HotelFriend is entitled to delete data belonging to the Client that is contaminated with harmful content. HotelFriend will notify the Client of this and allow the Client to back up the Client's data before the backups are deleted. The Client alone is responsible for compliance with commercial and tax law retention periods.

2.8 HotelFriend backs up its servers once a day in the maintenance period and keeps the data backups for at least 7 working days. Additionally, HotelFriend secures the data against unauthorized access with reasonable effort, in line with state-of-the-art technology and to the extent economically reasonable. In the event of data loss, HotelFriend will restore the last available data stock free of charge.

2.9 HotelFriend undertakes to maintain the Contractual Software, in particular to diagnose and rectify defects within a reasonable period of time. Defects are significant deviations from the contractually defined specification. Additional maintenance services that do not serve to rectify defects may be provided by HotelFriend subject to separate agreement and for separate remuneration.

2.10 HotelFriend provides the Client with various support services depending on the type of service package chosen by the Client. The details are governed by the service specification.

2.11 HotelFriend provides the Client with free product support via email. Queries received will be answered by HotelFriend within 48 hours (excluding weekends and statutory and regional holidays).

2.12 Unless explicitly mentioned above or in the listing of services, HotelFriend does not owe any further services. In particular, HotelFriend is not obliged to provide installation, setup, consulting, adjustment, and/or training services beyond what is included in the service package, or to create and provide custom programming or additional programs.

3. Rights of use


3.1 For the duration of this contract, HotelFriend grants the Client the payable, non-exclusive, non-transferable, and non-sublicensable right to use the contractual software on the system at HotelFriend's data centre. The contractual software is not provided to the client. If HotelFriend provides new versions, updates, or upgrades of the contractual software during the term of this contract, the above-mentioned right of use applies to these in the same way. However, HotelFriend is not obliged to provide new versions, upgrades, or updates unless this is absolutely necessary for the elimination of defects or if agreed otherwise in this contract. Beyond the purposes of this contract, the Client is not entitled to use the contractual software or other data than his own, to reproduce, download, or make them accessible to third parties outside the agreed circle of users.

3.2 For each case in which the Client culpably allows the contractual software to be used by third parties or grants third parties unauthorised rights of use, the Client shall pay a lump sum compensation to the amount of double the contractually due remuneration for each case. The Client has the right to prove that no damage or significantly lower damage occurred. All further rights of HotelFriend remain unaffected by the above regulation.

3.3 In the event of unauthorised transfer of use or grant of rights of use, the Client shall, upon request, immediately provide HotelFriend with all information necessary for the assertion of claims against the user, in particular his name and address and the duration of the period of use, and shall prevent any future transfer of use.

3.4 The Client grants HotelFriend the right to use the information received from him or his authorised representatives for the operation of the contractual software in the execution of the contract. HotelFriend is also entitled to keep backups of the information in a backup data centre.

3.5 If the contractual use of the services is impaired by third-party rights without fault on the part of HotelFriend, HotelFriend is entitled to refuse the services affected. HotelFriend will immediately inform the Client and enable him to access his data in a suitable manner. The Client is entitled to a reasonable reduction of the remuneration during the period of impairment of use. Other claims or rights of the Client remain unaffected.

4. Obligations of the Client


4.1 The Client will fulfil all obligations necessary for the performance and execution of this contract in a timely, complete, and professionally correct manner.

4.2 After the conclusion of the contract, the Client will name a contact person for HotelFriend. This person will in particular provide the necessary information for the execution of this contract and is considered authorised to make decisions with legal effect. The Client may name another or additional contact persons. Changes in the person of the contact person must be immediately communicated to HotelFriend.

4.3 The Client will also be solely responsible for ensuring that the users have an Internet connection and suitable software and hardware equipment or configuration according to the service description (Annex 2) from HotelFriend. The operation and maintenance of these technical prerequisites lie solely in the responsibility of the Client.

4.4 The Client will protect his or the users' assigned user and access authorisation as well as identification and authentication security against access by unauthorised third parties and not pass them on to unauthorised users. As soon as the user has evidence that the usage and access rights have been unlawfully obtained by a third party or could be misused, the Client is required to immediately notify HotelFriend for the purposes of minimising damage.

4.5 The Client will inform HotelFriend (mobile IV) about the authorised persons intended by him for the use of the contractual software.

4.6 Furthermore, the Client will obtain the required consent from the respective person concerned, insofar as he collects, processes, or uses personal data in the course of using the contractual software and there is no legal permission for this. The Client will also comply with all data protection and other legal requirements.

4.7 The Client will not misuse or allow the misuse of the contractual software in any way, and in particular will not transmit illegal content. The Client will also refrain from any attempt, either himself or through unauthorised third parties, to retrieve information or data without authorisation, to interfere with or allow interference with programs operated by HotelFriend, or to intrude without authorisation into data networks of HotelFriend.

4.8 The Client will report errors in the contractual performance to HotelFriend immediately at least in text form, indicating how and under what circumstances the error or defect occurs and will actively assist HotelFriend in troubleshooting. After examining a defect report by the Client, if it turns out that the defect did not occur within the responsibility of HotelFriend, HotelFriend may charge the Client for the cost of testing for the error report at the prices valid at HotelFriend. This does not apply if the Client could not recognise, even with the necessary care, that the malfunction did not occur within the HotelFriend's area of responsibility.

4.9 During the use of the contractual software and the contractual performance, the Client will comply with all applicable laws and other legal regulations of the Federal Republic of Germany. In particular, the Client is prohibited from uploading data or contents that violate legal provisions, infringe third party protective or copyright laws or other rights of third parties. The Client is responsible for the data and contents he provides. HotelFriend does not check the contents for their correctness, virus freedom or technical processability.

4.10 For own data backup, section 2.8 of this contract applies.

4.11 HotelFriend will hand over all data of the hotel to the Client within 30 days after the termination of the contract. For the handover of the data to the Client, the lump-sum compensation specified in the service description (Annex 2) is due. The lump-sum compensation is to be set lower if the client can prove lower expenditure.

4.12 If a third party asserts a legal violation due to data or content provided by the Client, HotelFriend is entitled to block the contents completely or temporarily if a justified doubt about the legality of the data and/or contents exists due to objective evidence. In such a case, HotelFriend shall urge the Client to cease the legal violation or prove the legality of the contents within a reasonable period. If the client does not comply with this request, HotelFriend is entitled to terminate the contract without notice for an important cause without further rights and claims being affected. Costs that HotelFriend incurs due to these measures may be charged to the Client at the price valid at HotelFriend. If the Client is responsible for the legal violation, he will compensate HotelFriend for the damage resulting from it.

4.13 Furthermore, the Client is obliged to provide all kinds of cooperation services immediately and free of charge, in particular when HotelFriend requests him to do so and the necessary measures do not exceed a reasonable effort.

4.14 In case of a serious or other violation of his obligations from this contract by the Client as well as in case of repeated violations, HotelFriend is entitled to temporarily suspend the contractual services in whole or in part or to terminate the contractual relationship for an important reason and without prior notice. Costs that HotelFriend incurs due to these measures can be charged to the Client at the prices valid at HotelFriend. If the Client is liable for the violation of the law, he is obliged to compensate HotelFriend for the damage resulting from it. Other rights remain reserved.

4.15 The Client grants HotelFriend the use of his own copyrighted and/or trademark-protected images and word marks in products, product presentations, and advertising materials. This applies in particular for the Client's presentation on the marketplace, SaaS products, as well as the websites of HotelFriend, printed advertising materials, social networks, studies, and other self-promotion. Deviating terms of use are to be indicated when delivering any texts and media, in particular image and word marks of the Client or third parties to HotelFriend.

5. Remuneration


5.1 For the use of the contractual software, the client pays the price agreed to in the order form. If HotelFriend provides further services not explicitly mentioned in this contract, the prices currently valid at HotelFriend apply. The price lists can be requested from HotelFriend at any time.

5.2 The client has to compensate for the use of the contractual software under the access data provided to him, even if it is carried out by unauthorised third parties. The requirement for HotelFriend's claim to compensation is the proof that the client is responsible for the use by the third party. The obligation to pay also exists if the client had a justified suspicion that the access data has become known to third parties and has not immediately informed HotelFriend. However, the client is not required to compensate for the use by unauthorised persons, if the usage act has occurred after the client has informed HotelFriend that the access data is known to third parties.

5.3 The agreed remuneration becomes due for payment according to the conditions stated in the order form. Other services become due after the service has been provided and the invoice has been received by the client.

5.4 All mentioned fees and prices are exclusive of the currently valid statutory sales tax. This will be charged additionally to the fee separately or regulated by the reverse-charge procedure.

5.5 The offsetting with counterclaims of the client or the retention of payments due to such claims is only permitted if the counterclaims are undisputed or have been legally established and are based on the same contractual relationship. The client can only assign his claims from this contract to third parties with the prior written consent of HotelFriend.

6. Default


6.1 During a payment delay of the client of more than two consecutive monthly fees, HotelFriend is entitled to block access to the contractual software during the delay in payment. The client remains obliged to pay the monthly prices and remunerations in this case.

6.2 If the client

6.2.1 falls behind with the payment of the contractually owed remuneration or a not insignificant part of the prices/remuneration for two consecutive months; or

6.2.2 falls behind with the payment of the fee in a period of more than two months, amounting to the fee for two months,

HotelFriend is entitled to terminate the contract without notice and demand damages in the amount of the remuneration agreed upon up to the end of the regular contract term.

6.3 The amount of damages is to be set higher or lower if HotelFriend can prove a higher or the client can prove a lower damage.

6.4 HotelFriend reserves the right to assert further claims due to payment delays.

6.5 If HotelFriend is in delay with the operable provision of the contractual software, liability is governed by section 8. The client is only entitled to withdraw from the contract if HotelFriend does not adhere to a reasonable extension set by the client, which must be at least 2 weeks.

7. Changes of services


7.1 HotelFriend can change the service at any time in a manner reasonable for the client. The change is particularly reasonable if it becomes necessary for an important reason, such as disruption of the provision of services by subcontractors, and the service features, as described in the service description and user documentation, are still essentially fulfilled. HotelFriend will notify the client about the change in writing or by email at least six weeks before it comes into effect.

7.2 Irrespective of this, HotelFriend is always entitled to change or supplement its service offer or parts thereof. HotelFriend will announce the amendment or supplement to the client in writing or by email at least six weeks before it becomes effective. The client can object to the changes in writing or by email within two weeks of receipt of the amendment notification. If the client does not object, the changes and additions become part of the contract. HotelFriend will inform the client in the amendment notice about the effects of his behaviour. If the client objects to the change within the required time, HotelFriend may terminate the contract at the earliest possible time.

8. Liability for defects


8.1 Deviations from the services agreed to in the service description are considered poor performance, not non-performance. The corresponding warranty rights of the client are finally regulated in this section 8 and in section 9.2 of these GTC (reduction due to violation of third party protective rights). Warranty claims expire within one year of their occurrence. This does not apply to claims for damages. For defects in the contractual services, HotelFriend is liable according to this section 8, as far as impairments do not depend on restrictions of availability.

8.2 HotelFriend provides the Services with due care and expertise, as well as in accordance with industry standards. However, HotelFriend does not guarantee that the Services are error-free and/or operate without any interruptions. The service description (Appendix 2) describes the measurable standards of the Services and the client's rights in cases where these standards are not met.

8.3 If the services to be provided by HotelFriend under this contract are defective, HotelFriend will, within a reasonable period of time and after receipt of a notice of defects, improve or re-render the services at its discretion. In the case of the use of third-party software which HotelFriend has licensed for use by the client, the warranty liability consists in obtaining and installing generally available upgrades, updates or service packs.

8.4 If the defective service fails due to reasons for which HotelFriend is responsible, even within a reasonable period set by the client, the client can reduce the agreed remuneration by a reasonable amount. The right to reduce is limited in terms of its amount to the defective part of the monthly fee that has been dropped.

8.5 If the reduction reaches the maximum amount stated in section 8.3 in two months of a quarter, the client can terminate the contract without notice.

8.6 The client will inform HotelFriend immediately in writing or by email of any defects that have occurred.

8.7 The client will support HotelFriend in eliminating defects to a reasonable extent free of charge and will in particular provide all necessary documents, data, etc. which HotelFriend needs to analyse and eliminate the defects.

8.8 Except for the explicitly mentioned claims and rights of the client due to defects in the contractual services in this section 8, no further and other claims and rights exist, unless HotelFriend is liable to a greater extent due to mandatory legal regulations.

9. Third party protective rights


9.1 If the client is legally condemned due to the use of the services provided by HotelFriend in accordance with the contract due to a violation of industrial protective rights and copyrights of third parties, HotelFriend indemnifies the client from these claims under the following conditions:

9.1.1 The client notifies HotelFriend immediately in text form, as soon as he has knowledge of the claims asserted against him, and

9.1.2 The client grants HotelFriend the control over all defense measures and settlement negotiations. In particular, the client will not make any judicial or extrajudicial acknowledgement of the claims of the third party, and

9.1.3 The client supports HotelFriend in an appropriate way in defending or settling the claims.

9.2 In addition to the indemnification obligation according to the previous section 9.1, HotelFriend is only obliged to compensate the client for the infringement of third party protective rights if HotelFriend is responsible for the infringement.

9.3 The client's rights according to this section 9 do not exist if the infringement of third-party protective rights results from the fact that the client

9.3.1 has carried out a change to the contractual services that has not been approved by HotelFriend in writing under this contract or otherwise,

9.3.2 has used the contractual services in a way other than for the purpose of this contract, or

9.3.3 has combined it with hardware or software that does not meet the requirements specified in the service description (Appendix 2).

10. Liability


10.1 HotelFriend is liable to the client in case of intent or gross negligence for all damages caused by it and its legal representatives or vicarious agents according to the statutory provisions. In case of slight negligence, HotelFriend is liable according to the statutory provisions in case of injury to life, body, health or freedom.

10.2 HotelFriend is only liable for slight negligent breaches of duty if HotelFriend has violated an essential contractual obligation (cardinal obligation). In these cases, liability is limited in both type and amount to compensation for the foreseeable, typically occurring damage. Cardinal obligations within the meaning of this regulation include in addition to the contractual main performance obligations also obligations whose fulfilment makes the proper execution of the contract at all possible and on whose compliance the client may regularly rely. This includes in particular the provision and availability of the services as well as careful handling of the client's data by HotelFriend.

10.3 For a single damage case according to section 10.2, the liability is limited to the amount of the paid remuneration per contract year. In the first contract year, the annual fee is calculated based on the offer.

10.4 The liability of HotelFriend for damage compensation regardless of fault (§ 536 a BGB) for defects existing at the time of contract conclusion is excluded. Sections 10.2 and 10.3 remain unaffected.

10.5 HotelFriend's liability under mandatory legal provisions such as the Product Liability Act remains unaffected.

10.6 In all other respects, HotelFriend's liability is excluded.

10.7 HotelFriend is exempt from the obligation to perform under the contract, if and insofar as the non-performance of services is due to the occurrence of force majeure after the conclusion of the contract.

11. Privacy and data security


11.1 The Parties will comply with the applicable regulations, particularly the data protection regulations valid in Germany, and will oblige their employees involved in the context of the contract to confidentiality of data unless they are already generally obliged to do so.

11.2 The Parties will also comply with the provisions applicable to contract data processing and the data center and will take the necessary technical and organizational measures to protect personal data in the sense of § 9 BDSG.

11.3 If the Client collects, processes or uses personal data himself or through HotelFriend, he is responsible for ensuring that he is entitled to do so under the applicable regulations, particularly data protection regulations, and indemnifies HotelFriend from all claims by third parties in case of a violation.

11.4 It is clarified that the Client generally remains the "owner of the data" (§ 11 BDSG) both in terms of the contract and in terms of data protection. The Client is solely authorized regarding the disposal and ownership of all customer-specific data (input data, processed, stored data, output data). HotelFriend is only authorized to process and/or use the customer-specific data exclusively on the Client's instructions (e.g., to comply with deletion and blocking obligations) and within the context of this contract. In particular, HotelFriend is prohibited from making customer-specific data accessible to third parties in any way without the prior written consent of the Client.

11.5 The Client is not generally entitled to demand access to the premises with the contractual software and other system components. Unaffected by this are the access rights of the Client's data protection officer after written registration to check compliance with the requirements according to the Agreement on Contract Data Processing (Appendix 3) and the otherwise lawful handling of personal data by HotelFriend within the framework of the operation of the contractual software under this contract.

11.6 The Parties will use all documents, information and data they receive for the execution of this contract and which are referred to them as confidential only for the execution of this contract and will treat them as confidential as long as and to the extent they are not generally known. The Parties are obliged to oblige their employees deployed in connection with the contract to secrecy of data in accordance with § 5 BDSG, as far as these are not already generally obliged accordingly. These obligations remain in effect for a further two years, calculated from the end of the contract.

11.7 HotelFriend can subcontract but has to impose a corresponding obligation on the subcontractor.

12. Contractual term; Termination


12.1 The minimum term of the contract (“minimum contractual term”) is one (1) year. If a differing minimum term was agreed on the order form, this shall apply. The contract can be terminated by each party at the earliest at the end of the minimum term with a notice period of three (3) months. If the contract is not terminated as indicated in sentence 3, it will extend by another year (“extension period”) and can then be terminated with a notice period of three (3) months at the end of the respective extension period. The extension continues until the contract is terminated. Upon renewal of the contract, the current versions of all annexes (in particular Annex 1 General Terms and Conditions, Annex 2 Service Description, and Annex 3 Data Processing Agreement) as published on the HotelFriend website at the time of renewal shall apply, provided that the customer does not object in writing at least four (4) weeks prior to the end of the respective extension period.

12.2 The right to termination for cause remains unaffected. There is particularly an important reason for termination if:

12.2.1 One party breaches significant obligations or repeatedly non-significant obligations from the contract and does not eliminate the breach after being requested by the other party within an acceptable time frame, or

12.2.2 For one party, due to a higher power that has lasted longer than a week, adherence to the contract is not reasonable, or

12.2.3 An application for the opening of insolvency proceedings over the other party's assets has been made.

12.3 All terminations under this contract must be in writing to be effective.

12.4 Following the termination of the contractual relationship, for any reason, the Parties are obliged to properly settle the contractual relationship. Following the termination of the contract, the Client will not have access to the contractual software and the information contained therein. In particular, HotelFriend will

12.4.1 Provide the Client's data from the contract software in a common file format on a mobile data carrier or for download upon the Client's written request and against payment of the corresponding remuneration in accordance with the then-current price list. This does not include data that does not belong exclusively and solely to the Client.

12.4.2 Delete the Client's data immediately after written confirmation of successful transmission and destroy all made copies.

13. Force majeure


13.1 HotelFriend is released from its obligations under this contract if and insofar as the non-fulfillment of service can be attributed to the occurrence of force majeure or legal regulations after the contract has been concluded.

13.2 Circumstances of force majeure are, for example, wars, strikes, riots, expropriation, storm, flood and other natural disasters and other circumstances for which HotelFriend is not responsible (in particular water intrusion, power cuts and interruption or destruction of data-bearing lines). Legal regulations include temporary provisions to contain crisis situations, in particular pandemics.

13.3 Each party must notify the other party of the occurrence of a force majeure case immediately and in written form and inform the other party in the same way as soon as the force majeure event no longer exists.

14. Contract components


14.1 The components of the contract for the use of the internet-based hotel management software of HotelFriend Service GmbH are

14.1.1 the order form,

14.1.2 these terms and conditions (Annex 1),

14.1.3 the service description (Annex 2),

14.1.4 the Agreement on Contract Data Processing (Annex 3).

14.2 In the event of contradictions between the provisions in the contract components, the components apply in the order above.

15. Final provisions


15.1 All agreements that involve a change, supplement or concretization of these contract conditions as well as special assurances, guarantees and agreements are to be written down. Warranties are only to be qualified as guarantees in the legal sense if they are expressly referred to as a guarantee.

15.2 The parties can only transfer the rights and obligations from this contract with the prior written consent of the other party.

15.3 The parties agree on the application of the law of the Federal Republic of Germany, excluding the United Nations Convention on Contracts for the International Sale of Goods, for all legal relations resulting from this contractual relationship.

15.4 The exclusive place of jurisdiction for all disputes arising directly or indirectly from the contractual relationship between the parties is Berlin.

15.5 Should a regulation of this contract be or become invalid, this does not affect the validity of this contract in other respects. The parties are obligated within reasonable limits in good faith to replace the ineffective provision with a provision permissible and equivalent in its economic success, provided that no significant change in the content of the contract is brought about. The same applies if there should be a gap in these terms and conditions.

15.6 This Agreement has been translated using artificial intelligence. In case of any discrepancies or inconsistencies between the English version and the original German version of this Agreement, the provisions of the German version shall prevail.

Service Description of the Internet-based Hotel Management Software

This service description is Annex 2 to the contract for the use of the internet-based hotel management software of HotelFriend Service GmbH between HotelFriend and the customer ("contract software"). Unless otherwise defined in this contract, the terms used have the meaning given to them in the contract for the use of the internet-based hotel management software of HotelFriend Service GmbH.

1. Scope of Services


The scope of services varies depending on the specifications chosen in the order form.

1.1 Hotel Management Suites
The basic configuration of our Hotel Management Suites is defined as follows:

1.1.1 Quick Start Suite
Property Management System, Rate Management, Accounting & Reporting, Housekeeping Management, Channel Manager, Booking Engine, HotelFriend Payments, Concierge Mobile App.

1.1.2 Select Suite
Property Management System, Rate Management, Accounting & Reporting, Housekeeping Management, Booking Engine, HotelFriend Payments, Concierge Mobile App.

1.1.3 Enterprise Suite
Property Management System, Rate Management, Accounting & Reporting, Housekeeping Management, Booking Engine, HotelFriend Payments, Concierge Mobile App, Customisations.

1.2 Hotel Management Features

1.2.1 Property Management System
The core system for managing reservations, guest profiles, room inventory, check-in/check-out processes, and reports. Includes functions for managing room assignments, guest lists, and basic reception operations.

1.2.2 Rate Management
Provides tools to define and adjust room rates based on occupancy, demand, and seasonal factors. Includes functions for setting different tariff plans and managing rate parity across different channels, handling prepayments and cancellation policies. (Note: This is different from the more sophisticated Revenue Management Module).

1.2.3 Accounting and Reporting
Provides tools for financial reporting, including revenue tracking, expense management, and creation of key financial reports. Facilitates basic accounting functions related to hotel operations.

1.2.4 Housekeeping Management
Allows tracking of room status (clean, dirty, out of order), assigning tasks to cleaning staff, and managing cleaning schedules. Improves efficiency and communication within the housekeeping department.

1.2.5 Communications and emails
Allows for the exchange of messages between guests and staff, automated emails, and tracking of communication, including chat with the guest via the Concierge Mobile App.

1.2.6 Employee Tasks Management Module
Facilitates task assignment, tracking, and reporting for employees.

1.2.7 Cashbook
Allows digital recording of cash transactions, tracking of expenses, and creating reports.

1.2.8 Services & Orders
Manages the sales of services, guest orders, and tracking of order statuses.

1.2.9 Resources & Event Management
Enables resource assignment and management for events.

1.2.10 Restaurant Application
External application to manage guest orders in the restaurant, send orders to the kitchen, track order status on the kitchen monitor.

1.2.11 Booking Engine
Allows guests to book directly through the hotel website, reducing dependency on third-party booking platforms and associated commissions. Includes functions to manage room availability and accept online payments.

1.2.12 Concierge Mobile App
Provides guests with a mobile interface to access hotel services, request amenities, communicate with staff, and manage their stay. Improves guest experience and provides a convenient communication channel.

1.2.13 Revenue Management
Provides advanced tools for revenue optimization (independent from the basic rate management of the Select package) as Dynamic Rates with the possibility of setting room prices.

1.2.14 Channel Manager
Connects to Online Travel Agencies (OTAs) for the distribution of room availability and prices.

1.2.15 Google Hotels Ads
Connects to Google Hotels Ads for the distribution of room availability and rates.

1.2.16 Package Management
Allows for the creation and management of guest packages that include rooms and services.

1.2.17 Concierge Mobile App
Provides guests with a mobile interface to access hotel services, request services, communicate with staff, and manage their stay. Enhances the guest experience and provides a convenient communication channel.

1.2.18 Remote Reception Software
Software application for remote check-in and check-out on kiosk hardware.

2. Support and Services


2.1 Basic Support
Under this contract, HotelFriend provides the following support and maintenance services (Basic Support):

2.1.1 Access to the knowledge database (FAQ)

2.1.2 Online ticket submission

2.1.3 Qualification of support inquiries

2.1.4 Provision of support

2.1.5 Solutions for project-specific support requests
Support in the form of assistance in avoiding errors and delivery of corrections (fixes).

2.1.6 Availability of support during working hours
Additional services may be booked separately.

2.2 Delegation to Partner
With the customer's consent, HotelFriend may delegate parts of the services to its partners.

2.3 Other services
All other services that HotelFriend provides in connection with the software, such as installation, training, administration, configuration modification, etc., must be ordered by the customer unless otherwise agreed.

2.3.1 Custom Development
Provision of cost estimates, analysis, and development of necessary features.

2.3.2 Custom Integration Development
Provision of estimation, research, and development for necessary integrations.

2.3.3 Self-Service Kiosk (Hardware)
Hardware Kiosk for Remote Reception software. Delivery to hotels is available in the EU area.

2.3.4 Initial hotel setup
Configuration of the basic settings of a property.

2.3.5 Data Import
Import of reservations and guest master data.

2.3.6 Employee training
Training session for a customer's employees.

2.3.7 Initial Booking Engine (BE) setup
Configuration of BE basic information and instructions on how to embed the BE link on the property's website.

2.3.8 Website from template
Configure the basic information and provide the website via the HotelFriend template.

2.3.9 Initial Channel Manager Setup
Configuration of Channel Manager account and its connection with the HotelFriend system.

2.3.10 OTA channel activation
Connecting an OTA channel with the HotelFriend system.

2.3.11 HotelFriend Payment activation
Setting up the Adyen payment integration.

2.3.12 Interface activation
Activation of an existing interface in the HotelFriend system.

2.3.13 DATEV interface
Activation of DATEV reporting functions of HotelFriend.

2.3.14 POS Terminal
Integration of the POS terminal into the HotelFriend system.

2.3.15 Gastronovi integration
Integration of a Gastronovi account into the HotelFriend system.

2.3.16 Fiskaly integration
Integration of Fiskaly into the HotelFriend system.

2.3.17 Feratel integration
Interface between Feratel system and HotelFriend.

2.4 Chargeable Maintenance Work
Chargeable maintenance work comprises all services in connection with the software that are not defined as Basic Support pursuant to section 2.1 or as Other Services pursuant to section 2.3 and therefore must be separately ordered and remunerated, unless expressly agreed otherwise.

2.4.1 Regulatory and statutory changes
This includes tax adjustments required by governmental bodies as well as other changes to the software required by public authorities.

2.4.2 Layout, templates and invoices
This includes changes to logos, letterheads, footers and similar layout elements, adaptations and additions of e-mail and letter templates, changes to invoice templates and reports, including setup and user training.

2.4.3 Prices, seasons, categories and data imports
Entering and modifying prices, seasons, room categories, channel mappings, and importing guest data from Excel files.

2.4.4 System migrations, hardware and error analysis
Migration of software installations, configuration of hardware, analysis and correction of errors, support for audits, and troubleshooting for third-party interfaces.

2.4.6 Requirement of prior order
The services described in this section are provided exclusively on the basis of a separate customer order.

2.5 Liability for configurations

2.5.1 Responsibility for configurations
The customer is solely responsible for all system configurations, including those implemented by HotelFriend or third parties at the customer's request.

2.5.2 Exclusion of liability
HotelFriend is not liable for losses, revenue shortfalls or misbookings resulting from incorrect or unchecked configurations.

2.5.3 Verification obligation
It is the customer's responsibility to verify prices, restrictions and availabilities before release to booking channels.

2.5.4 Limitation of compensation claims
No compensation claims arise from faulty customer-side configurations except where mandatory by law.

2.5.5 Chargeable correction of errors
Analysis and correction of configuration errors are chargeable maintenance work and require a separate order.

2.6 System Administrator
Support and maintenance services may only be requested via the designated system administrator or their representative, who must be trained employees of the customer and communicated to HotelFriend in writing.

3. Provision of Customer Data


At the time of termination of the contract, HotelFriend will provide all data of the hotel to the customer within 30 days on a data carrier, in a common format that is readable with standard programs. For the release of data to the customer, a processing fee of sixteen (16) support hourly rates (two working days) will be charged. The processing fee is to be set lower if the customer proves a lower expenditure.

4. Service Level Agreement


HotelFriend provides the services according to the availability (Service Level). The Service Levels allow the client to control and monitor the quality and timeliness of the services provided by HotelFriend.

4.1 Availability

4.1.1 System Availability
System availability per month: 99.8%

4.1.2 Calculation
System Availability (%) = (Monthly Total Time - Unplanned Downtime) / Monthly Total Time

4.1.3 Definitions

4.1.3.1 “Availability”
Availability is the customer's ability, as agreed in the contract, to access the functionalities of the contract software.

4.1.3.2 “Scheduled Downtime”
Scheduled Downtime is the total time (in minutes) in a calendar month in which the contract software is not available due to scheduled system maintenance or other planned downtimes. HotelFriend shall make all reasonable efforts to carry out the scheduled system maintenance between 23:00 and 5:00 CEST/CST and to announce this system maintenance with a reasonable lead time.

4.1.3.3 “System Availability”
System Availability is, in relation to availability in a calendar month, the ratio expressed as a percentage that results from subtracting the Unplanned Downtime in this month from the Monthly Total Time in this month and then dividing the difference obtained by the Monthly Total Time in this month (see formula above).

4.1.3.4 “Monthly Total Time”
Monthly Total Time includes all minutes of the relevant calendar month during the term of the contract.

4.1.3.5 “Unplanned Downtime”
Unplanned Downtime is the total time (in minutes) of non-availability in a calendar month without the Scheduled Downtime and without downtime due to circumstances beyond HotelFriend's control. These circumstances include, in particular: (i) breaches of the terms of the contract by the customer, (ii) non-compliance with the provisions of this SLA by the customer, (iii) incompatibility of the customer's resources or software with the agreed requirements for use of the services, including the requirements set out in the access protocols, (iv) poor or inadequate performance of the customer's systems or resources, (v) use of the services by the customer significantly exceeding the agreed volume, or (vi) force majeure (as defined in the contract).

4.1.4 Measuring Point
Place of performance by HotelFriend according to section 2.4 of the General Terms and Conditions (Annex 1).

4.1.5 Measuring Time
Calendar month during the term of the contract for the use of the HotelFriend AG internet-based hotel management software.

4.2 Support Services during Unplanned Downtime
During unplanned downtime, the following 24/7 support is provided for support requests directed to HotelFriend at support@hotelfriend.com.

4.2.1 Service Level 1
Classification: Urgent
Criterion: Software is not available at all.
Identification of the problem and confirmation of identification to customers (Response Time): 2 hours

4.2.2 Service Level 2
Classification: Medium
Criterion: Software is available, but its use is limited.
Identification of the problem and confirmation of identification to customers (Response Time): 4 hours

4.2.3 Service Level 3
Classification: Low
Criterion: Software is available, but usage is partially restricted.
Identification of the problem and confirmation of identification to customers (Response Time): 2 business days.

4.2.4 Classification and Fees
The customer communicates the problem to HotelFriend, indicating the corresponding classification (see table above). Regardless of this, within the scope of this Service Level, HotelFriend determines the final classification of the problem and thus the corresponding steps (step 1, 2 or 3 as indicated in the table). If the customer reports a problem twice during the term of the contract, indicating a higher level (classification) than is subsequently determined by HotelFriend, the customer has to compensate HotelFriend for the expenses of classifying the respective problem on a time and material basis for all future problem reports.

4.2.5 Qualification
Support Step 1 – Identification:
HotelFriend confirms that the problem exists, begins to collect information and conducts an analysis.
Support Step 2* – Interim Solution:
HotelFriend addresses the problem and provides an interim solution as far and as soon as possible, so that the respective service is at least partially available.
Support Step 3* – Problem Resolution:
HotelFriend provides a final solution to the problem, so that the respective service is fully available again.
* Support steps 2 and 3 are not offered as a service level.

4.2.6 Measurement Time
Per Incident

4.3 Rights in case of Non-Compliance

4.3.1 General
In the event of unplanned downtime, HotelFriend will make commercially reasonable efforts to rectify the unplanned downtime within a reasonable period.

4.3.2 Service Credits
If HotelFriend fails to meet the Service Level set out in clause 4.2 for one of the services, the customer is entitled to the following service credits ("Service Credits"). The service credits for Unplanned Outages are capped at a maximum of 5% of the total fees paid by the customer to HotelFriend for all services provided in the respective service month.
System Availability / Service Credit *
<99.5% – 2.5%
<99.0% – 5.0%
<98.0% – 7.5%
<97.0% – 10%
<96.0% – 15%
<95.0% – 20%
* % of the monthly price for the contract

4.3.3 Receipt of Service Credits
To receive a service credit, the customer must claim it in writing from HotelFriend within five (5) business days of receiving the Service Level report for the period for which the customer is claiming the service credit. This written claim must include exact details of the days, times, and duration of each unplanned downtime. If HotelFriend accepts the claim, the service credit will be offset against the fees in the next monthly invoice. Service credits cannot be credited retroactively. If the customer does not claim a service credit in time, the entitlement expires. Service credits owed will be offset against any claims for damages due to non-compliance with the Service Level.

4.4 Measurement and Report

4.4.1 System Monitoring and Measurement
HotelFriend ensures continuous monitoring of the Service Levels. All measurements are carried out on a monthly basis for each calendar month during the term of the contract.

4.4.2 System Performance Reports
Upon the customer's request, HotelFriend provides monthly reports on Unplanned Downtime and system availability for the relevant previous month. Any objections must be submitted in writing within five (5) calendar days of receipt. If no objection is made, the report is deemed accepted. Each notification must specify the disputed measurement and describe the dispute in detail. HotelFriend and the customer commit to resolving such differences promptly and amicably.

5. Customer Requirements


5.1 Minimum System Requirements
The service standards listed under point 4 (Availability) assume that the customer meets the following minimum system requirements set by HotelFriend, as applicable:

a) Internet connection with sufficient bandwidth,
b) Microsoft Windows, macOS, Android, or iOS as the operating system in the latest version,
c) Google Chrome, Mozilla Firefox, or Apple Safari as the web browser in the latest version. Microsoft Internet Explorer and Microsoft Edge are partially supported.

5.2 Additional Obligations of the Customer
Unless otherwise agreed between the parties, the customer is responsible for:

a) the maintenance and support of their computer networks, servers, software, and resources used for the use of the services or for service support for this maintenance and support,
b) the correct configuration of the customer's systems in accordance with the access protocols, and
c) the internet connection for access to the services.

5.3 Reporting Unplanned Downtime
In the event of unplanned downtime, the customer must immediately notify HotelFriend. The start of an unplanned downtime is deemed to be the time when HotelFriend receives the customer's detailed report, or the time when HotelFriend first becomes aware of the unplanned downtime.

5.4 Consequences of Non-compliance by the Customer
HotelFriend is exempt from fulfilling its obligations listed in this SLA to the extent it is unable to fulfil these obligations wholly or in part because the customer has not met the contractually agreed requirements or other cooperation duties.

6. Translation and Legal Application


This English version of the document has been translated using Artificial Intelligence (AI). In the event of any discrepancies or misunderstandings caused by the translation, the original German language version of this document shall prevail.

Data Processing Agreement of the Internet-Based Hotel Management Software

This Data Processing Agreement is Appendix 3 to the contract for the use of the internet-based hotel management software of HotelFriend Service GmbH between HotelFriend ("Contractor") and the customer ("Client"). Unless otherwise defined in this contract, the terms used herein have the meaning given to them in the contract for the use of the internet-based hotel management software of HotelFriend Service GmbH. The terms and definitions of Regulation (EU) 2016/679 (hereafter "GDPR"), particularly Art. 4 GDPR, also apply to this Data Processing Agreement.

1. Subject of the Contract


1.1 The subject of this Data Processing Agreement is to define the data protection framework for the contractual relations between the parties.

1.2 The subject of the order results from the software contract, which is referred to here (hereinafter referred to as "Service Agreement") as well as from the contracts yet to be concluded.

2. Support and Services


2.1 The provision of the contractually agreed data processing takes place exclusively in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area.

2.2 Any transfer of processing to a third country requires the prior consent of the Client in written form and may only occur if the specific conditions for transfer to a third country under Art. 44 and following of the GDPR are met.

3. Duration


3.1 The duration of this order corresponds to the term of the Service Agreement.

3.2 The Client can terminate this contract without notice if there is a serious breach by the Contractor of data protection regulations or the provisions of this contract. In particular, non-compliance with the obligations agreed in this contract and derived from Art. 28 GDPR constitutes a severe breach.

4. Scope, Type & Purpose of Data Processing (Art. 4 No. 2 GDPR)


4.1 Processing is necessary for the performance of a contract or pre-contractual measures in accordance with Art. 6 Para. 1 lit. b GDPR. The processing is also necessary to protect the legitimate interests of the data controller or a third party in accordance with Art. 6 Para. 1 lit. f GDPR.

4.2 The subject of the processing of personal data includes the following types/categories of data:

4.2.1 Personal master data (name, address, possible date of birth)

4.2.2 Contact details of the employees and service providers of the client who are affected

4.2.3 Communication data (e.g., telephone, email)

4.2.4 Contract master data (contractual relationship, order status information, product or contractual interests)

4.2.5 Customer history (data from offers, order confirmations and invoices)

4.2.6 Contract accounting and payment data (bank, payment and account information data, tax-relevant data)

4.2.7 Planning and control data

5. Categories of Affected Individuals


The following groups of the Client's affected individuals are subject to processing:

5.1 Existing customers and interested parties in the products and/or services

5.2 Employees, as well as external service providers of the Client, who are commissioned with the fulfillment of the above mentioned processing purposes

5.3 Trade representatives and other contacts on the part of the client and contractor who are involved in the fulfillment of the above mentioned processing purposes

5.4 Tax consultants

6. Instructions


6.1 The Contractor processes personal data only within the scope of instructions issued by the Client. This does not apply insofar as the Contractor is obliged to process under the law of the EU or the Member States to which the Contractor is subject. In this case, the Contractor informs the Client of these legal requirements before processing, unless such notification is prohibited by the relevant law due to an important public interest.

6.2 Regardless of the form of issuing, both the Contractor and the Client shall document each instruction of the Client in text form. The instructions are to be kept for the duration of this contract and another three years thereafter.

6.3 The Contractor shall immediately inform the Client if, in their opinion, an instruction issued by the Client violates statutory provisions. In such a case, the Contractor is entitled, after timely prior notice to the Client, to suspend the execution of the instruction until the Client has changed or confirmed it. If the Contractor can demonstrate that processing per the Client's instruction could lead to the Contractor's liability under Article 82 of the GDPR, the Contractor reserves the right to suspend further processing until the issue of liability has been clarified between the parties.

6.4 The Client determines the person or persons authorized to issue instructions. The Contractor identifies the recipient of instructions. In the event of a change or longer-term prevention of the contact persons, the contractual partner must be immediately informed of the successor or representative in written or electronic form.

7. Contractor's Support Obligations


7.1 Given the nature of the processing, the Contractor takes appropriate technical and organizational measures to assist the Client in fulfilling his duty to respond to requests from data subjects under Articles 12 to 22 of the GDPR.

7.2 Considering the nature of the processing and the information available to him, the Contractor assists the Data Controller in complying with his obligations under Articles 32 to 36 of the GDPR, specifically in the security of processing, in reporting violations to the supervisory authority, in notifying affected persons of a violation, in the data protection impact assessment, and in consulting the competent supervisory authority.

7.3 If a data subject or a data protection supervisory authority directly contacts the Contractor in relation to the personal data processed under this Agreement, the Contractor shall promptly inform the Client and coordinate further steps with him.

8. Client's Audit Rights


8.1 The Contractor shall provide the Client, upon request, with all necessary information to verify compliance with the obligations stipulated in this contract and Article 28 of the GDPR. In particular, the Contractor shall provide the Client with information about the stored data and data processing programs.

8.2 The Client or third parties appointed by the Client are—usually subject to making an appointment—entitled to check compliance with the obligations from this contract and from Article 28 of the GDPR and to carry out on-site inspections at the Contractor's premises. The Contractor facilitates this and contributes to it.

8.3 The Contractor is obligated to provide the Client, upon request, with suitable evidence of compliance with the obligations as per Article 28, Paragraph 1 and 4 of the GDPR. This evidence can be provided by submitting documents and certificates that represent approved codes of conduct in accordance with Article 40 of the GDPR, or approved certification procedures in accordance with Article 42 of the GDPR.

9. Notification of Contractor's Violations


9.1 The Contractor assists the Client in complying with the duties referred to in Articles 32 to 36 of the GDPR concerning the security of personal data, notification duties in the event of data breaches, data protection impact assessments, and prior consultations. Among others, these include:

9.1.1 Ensuring an adequate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing, the projected probability and severity of a possible legal violation due to security gaps, and allow for instant identification of relevant violation events

9.1.2 Obligation to immediately report any violations of personal data to the Client

9.1.3 Obligation to support the Client in fulfilling his duty to provide information to the data subject and to immediately provide him with all relevant information in this context

9.1.4 The support of the Client in his data protection impact assessment

9.1.5 Supporting the Client in the context of prior consultations with the supervisory authority

9.2 The Contractor may claim compensation for support services that are not included in the service description or that are not attributable to the Contractor's misconduct.

10. Quality Assurance and Other Obligations of the Contractor


10.1 In addition to complying with the provisions of this contract, the Contractor has legal obligations under Articles 28 to 33 of the GDPR; in this respect he especially guarantees compliance with the following requirements:

10.1.1 Preservation of confidentiality as per Art. 28 Para. 3 Sentence 2 lit. b, 29, 32 Para. 4 GDPR. The Contractor employs only staff members in the execution of the work who have been committed to confidentiality and previously familiarized with the data protection provisions relevant to them. The Contractor and every person under his authority who has access to personal data may only process this data as instructed by the Client, including the powers granted in this contract, unless they are legally required to do the processing.

10.1.2 Implementation and adherence to all necessary technical and organizational measures for this order as per Art. 28 Para. 3 Sentence 2 lit. c, 32 GDPR [details in Chapter 13].

10.1.3 The Client and the Contractor, on request, cooperate with the supervisory authority in the performance of its tasks.

10.1.4 Immediate notification of the Client regarding inspections and actions of the supervisory authority, insofar as they relate to this contract. The same applies if a competent authority carries out investigations with the Contractor in the course of an administrative offense or criminal procedure concerning the processing of personal data in contract processing.

10.2 If the Client is subject to an inspection by the supervisory authority, an administrative offense or criminal procedure, the liability claim of a data subject or third party, or any other claim in connection with the contract processing at the Contractor, the Contractor shall assist the Client to the best of his abilities. The Contractor may charge for support services that are not included in the service description or are not attributable to misconduct by the Contractor.

10.3 The Contractor regularly reviews the internal processes as well as the technical and organizational measures to ensure that processing within his area of responsibility is in accordance with the requirements of applicable data protection law and the protection of the rights of the data subject.

10.4 The Contractor ensures the demonstrability of the implemented technical and organizational measures to the client as part of his control powers.

11. Data Protection Officer


11.1 The Contractor ensures the provision of a Data Protection Officer / Contact Person / Representative via the written appointment of a Data Protection Officer who carries out his duties in accordance with Articles 38 and 39 of the GDPR. The contact details will be communicated to the Client for the purpose of direct contact. A change in the Data Protection Officer will be promptly reported to the Client.

11.2 The Contractor's Data Protection Officer is: Mr. Dr. Wilfried Röder, E-mail: datenschutz@infai.org

12. Confidentiality


12.1 The Contractor confirms that he is aware of the data protection regulations pertinent to the order processing under the GDPR. He preserves the data secrecy and confidentiality when processing the personal data of the Client. This obligation continues even after the termination of this contractual relationship.

12.2 The Contractor assures that he will familiarize the employees involved in the execution of the work with the regulations of data protection pertinent to them. He obliges these employees through a written agreement to maintain confidentiality for the duration of their activity and beyond the termination of their employment relationship, unless they are subject to an appropriate statutory obligation of secrecy. The Contractor monitors compliance with data protection regulations in his company.

12.3 The Contractor may only provide information to third parties or those affected with the prior written consent of the Client, or consent in an electronic format.

13. Technical and Organizational Measures


13.1 The Contractor shall document the implementation of the technical and organizational measures outlined and required before the order was placed prior to the start of the processing, particularly with regard to the specific order execution, and submit it to the Client for review. Upon acceptance by the Client, the documented measures become the basis of the contract. If an inspection or audit by the Client reveals a need for adjustment, this is to be implemented by mutual agreement.

13.2 The Contractor is responsible for ensuring security according to Art. 28 Para. 3 lit. c, 32 GDPR, especially in connection with Art. 5 Para. 1, Para. 2 GDPR. Overall, the measures to be taken involve data security measures and ensuring a protection level appropriate to the risk in terms of confidentiality, integrity, availability, and resilience of the systems. The state of the art, the implementation costs, and the nature, scope, and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons according to Art. 32 Para. 1 GDPR, must be taken into account.

13.3 The technical and organizational measures are subject to technical progress and further development. The Contractor is therefore allowed to implement alternative suitable measures. However, the security level of the defined measures must not be undershot. Significant changes must be documented.

13.4 Documentation of technical and organizational measures according to Art. 32 GDPR


13.4.1 At HotelFriend Service GmbH, the technical and organizational measures described below are taken to ensure the protection and security of personal data and the right to privacy of the persons concerned.

13.4.2 These measures are regularly reviewed and continuously updated within the framework of the data protection concept. In designing these measures, the statutory protection objectives – confidentiality, integrity and availability of systems and services – were comprehensively taken into consideration, so that an appropriate action plan could be developed.

13.4.3 All processing operations are essentially based on the requirements of Articles 24, 25 and 32 GDPR. This also allows the potential risk associated with handling personal data to be effectively contained in the long term, considering the resilience of the systems, with regard to the type, extent, circumstances, and purpose of the data processing activities.

13.5 Confidentiality (Art. 32 para. 1 lit. b GDPR)


13.5.1 Access and entrance control

13.5.1.1 Technical measures: Fences, gates and other spatial boundaries; securing of windows and doors; Secure VPN connection; Encryption of data carriers and mobile devices, firewall, file servers; Front-end and application systems, and antivirus software are used, if applicable; Logging of access rights; Authentication via password input or biometric scans; Central locking plan with documentation of the keys issued.

13.5.1.2 Organizational measures: Visitor management; key regulations; password rules, including specifications for password complexity (policy); Reliable staff for security and cleaning areas; Creation of user profiles; Assignment of user rights; Role and authorization concept; Control of maintenance, repair, and cleaning staff; Employees are instructed according to GDPR; Employees are instructed to lock windows and doors outside office hours; Employees are required to activate the automatic desktop lock; All employees are instructed on the clean-desk policy; There is a formal user registration and deregistration for all information systems and services to grant and revoke access permissions.

13.5.2 Access control

13.5.2.1 Technical measures: GDPR-compliant destruction of data carriers; Encryption of data carriers and mobile devices; Identification and authentication system (two-factor authentication); Secure storage of data carriers.

13.5.2.2 Organizational measures: Password rules (policy, central password assignment); Authorization concepts; Adjustment to the number of administrators with full access permissions; Authentication with a user profile, password, or certificate is required to access data processing systems; A personal user administration is carried out for all systems worth protecting; Access permissions and profiles are created in a differentiated and task-based manner. The management of user rights is carried out by administrators; There is a regulation with consequences to be initiated in case of the loss of IDs and keys; The IT operations department maintains a record of access using logs of changes and deletions relating to data, timestamps of processing and users; Paper files (if any) are destroyed on site using a shredder of DIN security level 3. There is a clear instruction for disposal or reuse of devices equipped with storage media; The verification of access rights is continuously carried out by the system administrator.

13.6 Integrity (Art. 32 para. 1 GDPR)

13.6.1 Input control

13.6.1.1 Technical measures: Digital authorization concept; Electronic signature; Email encryption.

13.6.1.2 Organizational measures: Setting up and using individual usernames; Granting of access permissions; Rights for entering, modifying, and deleting data are granted based on an authorization concept.

13.6.2 Separation control

13.6.2.1 Technical measures: Clear separation of data stored for different purposes; The systems for the test and production environment are separate; if applicable, data records are provided with purpose attributes; All personal data is assigned an individual customer number. A logical separation is ensured.

13.6.2.2 Organizational measures: Client separation; Control via authorization concept; Visitor management (here: guest access); The target of the separation requirement is ensured by restrictive access and order control; Private use of company devices is prohibited in writing for all employees.

13.6.3 Dissemination control

13.6.3.1 Technical measures: Digital authorization concept; Secure VPN technology; Email encryption; The IT operations department ensures restricted, encrypted data transmission possibilities; Remote data transmission is encrypted.

13.6.3.2 Organizational measures: Regulations and instructions for data destruction and deletion exist; Granting of access permissions; Archived documents are stored in a locked archive with limited access permissions; Upon departure or transfer of an employee, no longer needed access permissions are revoked or access to IT systems is blocked; Service providers are committed in writing to maintain data secrecy. There are no service providers who have unauthorized access to the office premises.

13.7 Availability and resilience (Art. 32 para. 1 GDPR)


13.7.1 Technical measures: Fire and smoke detectors, fire extinguishers, alarm system; Firewall; Emergency management; Virus protection; All IT systems are redundantly available.

13.7.2 Organizational measures: A backup & recovery concept exists; Documents and data carriers, whose legal, contractual or statutory retention period has expired, are destroyed (deletion concept); Load tests of the systems are carried out as needed.

13.8 Pseudonymization and encryption (Art. 32 para. 1 lit. a GDPR)


13.8.1 Technical measures: External access to the corporate LAN is exclusively via VPN; Access to systems is always encrypted (TLS, SSL); Data transmission on the website is encrypted (TLS, SSL); Electronic communication occurs using SSL/TLS encryption.

13.8.2 Organizational measures: Internal instruction to anonymize or pseudonymize personal data, if possible, in case of transfer or after the legal deletion period has expired; There is an independent WLAN guest access; The individual details that can lift anonymity are stored separately from the other data. Depending on the linkability and the client, the personal reference is restored, if applicable; There are internal instructions to anonymize or pseudonymize personal data, if possible, in case of transfer or after the legal deletion period has expired, if applicable.

13.9 Procedures for regular testing, assessment, and evaluation (Art. 32 para. 1 GDPR; Art. 25 para. 1 GDPR)


13.9.1.1 A written agreement for processing operations according to Art. 28 of the GDPR is concluded, each defining the rights and obligations of the contractor and client.

13.9.1.2 There is a prior examination of the security measures taken by the contractor and their documentation.

13.9.1.3 There are contractually established regulations for the use of further subcontractors.

13.9.1.4 There are contractually established responsibilities.

13.9.1.5 Assurance of data destruction after termination of the contract.

13.9.1.6 If the collaboration is of a longer duration: Ongoing review of the contractor and his level of protection.

13.9.1.7 All employees are committed to data secrecy and regularly receive training and instructions on data protection and data security. Data protection training takes place at least every 2 years.

13.9.2 Data protection management


13.9.2.1 A data protection officer has been appointed in writing.

13.9.2.2 The record of processing activities is complete and up-to-date.

13.9.2.3 Service providers are listed and regularly checked for their compliance with data protection.

13.9.2.4 There is a deletion concept to limit the storage period (deletion rules, responsible persons, deletion periods).

13.9.2.5 The data protection impact assessment (DPIA) is conducted as necessary.

13.9.2.6 The organization adheres to the information obligations according to Art. 13 and 14 GDPR.

13.9.2.7 There is a formalized process for handling information requests from affected individuals and for dealing with data protection incidents.

13.9.2.8 Employees receive confidentiality and data secrecy training annually, or basic data protection training every 2 years. Individual data protection trainings take place in the event of changes in the company context.

13.9.2.9 Central documentation of all procedures and regulations related to data protection with access for employees as needed/authorised (e.g. wiki, intranet ...).

13.9.2.10 No more personal data than necessary for the respective purpose is collected.

13.9.2.11 Declarations regarding the data protection obligations of the processing staff are available.

13.10 Privacy by design and privacy-friendly default settings (Art. 25 para. 2 GDPR)


13.10.1 Limitation of storage period

13.10.2 Restriction of accessibility

13.10.3 Limitation of the scope of processing the data collected

13.10.4 Monitoring of external access (log files)

13.10.5 Use of spam filter and regular updates.

13.10.6 Use of virus scanner and regular updates.

13.10.7 Documented procedure (emergency plans) for dealing with security incidents and formal process and responsibilities for post-processing of security incidents and data breaches.

14. Obligations of the contractor and violation of the protection of personal data


14.1 The contractor shall immediately inform the client about any violations or suspected violations against this contract or regulations concerning the protection of personal data.

14.2 The contractor assists the client in the investigation, limitation, and remedy of the violations.

14.3 Should the personal data, which is processed under this agreement, be endangered by the contractor due to seizure, bankruptcy or composition proceedings or by other events or measures by third parties, the contractor must immediately inform the client. The contractor will immediately inform all relevant parties that the control over the data lies with the client.

14.4 In the event of inspections by the data protection supervisory authorities, the contractor undertakes to communicate the result to the client, as far as it affects the processing of personal data under this contract. The deficiencies found in the audit report will be immediately rectified by the contractor and the client will be informed about it.

15. Subcontractors


15.1 Subcontracting relationships within the meaning of this regulation are understood to be those services that directly relate to the provision of the main service. This does not include ancillary services which the contractor might use, such as telecommunications services, post / transport services, maintenance and user service, or the disposal of data carriers and other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, the contractor is obliged to take appropriate and legally compliant contractual arrangements and control measures to ensure data protection and data security of the client's data, even in outsourced ancillary services.

15.2 Outsourcing to subcontractors or changing the existing subcontractor is permissible if the contractor notifies such outsourcing to subcontractors to the client a reasonable time in advance in writing or text form and the client does not object to the planned outsourcing in writing or text form up to the time the data is transferred to the contractor and a contractual agreement in accordance with Art. 28 para. 2–4 GDPR is applied. If the client refuses to consent to the objection for reasons other than important ones, the contractor may terminate the contract at the time of the planned use of the subcontractor.

15.3 The client agrees to the appointment of subcontractors provided that a contractual agreement in accordance with Art. 28 para. 2–4 GDPR is in place. He already agrees to the appointment of the subcontractor named in this chapter.

15.4 The transfer of personal data of the client to the subcontractor and its initial performance is only permitted when all conditions for subcontracting are met.

15.5 If the subcontractor provides the agreed service outside the EU/EEA, the contractor ensures the data protection legality through appropriate measures, No. 2, para. 2. The same applies if service providers in the sense of para. 1 sentence 2 should be used.

15.6 The following subcontractors are part of the approved circle at the conclusion of this contract:

15.6.1 Amazon Web Services, Inc. Address: 410 Terry Avenue North, Seattle WA 98109, United States; Purpose: Hosting; Location of data processing: Germany; Guarantee: Adequacy decision is available. Amazon.com Inc. is DPF-certified. The use of the tool Amazon Web Services is permissible.

15.6.2 fiskaly GmbH Address: Mariahilfer Straße 36/5, 1070 Vienna, Austria; Purpose: Fiscalization of invoices; Location of data processing: EU, Austria; Guarantee: Order processing contract, tested TOM, listing of tested subcontractors, confidentiality agreement, ISO 27001 certification.

15.6.3 Adyen N.V. Address: Simon Carmiggeltstraat 6, 1011 DJ, Amsterdam, Netherlands; Purpose: Payment processing; Location of data processing: Amsterdam, Netherlands; Guarantee: Order processing contract, tested TOM, listing of tested subcontractors, confidentiality agreement.

16. Deletion and Return of Personal Data


16.1 Upon completion of the processing services agreed upon in the main contract, the Contractor is obliged, at the discretion of the Client, to return or delete all personal data which he received in the course of contract processing. This specifically includes the results of data processing, documents provided and data carriers, as well as copies of personal data. The obligation to delete or return does not apply if the Contractor is legally obligated under EU law or the law of the Member States to continue to store the data. If there is a further obligation to store, the Contractor must restrict the processing of personal data and only use the data for the purposes that require retention. The obligations for the security of processing continue for the duration of the storage. The Contractor must delete the data promptly as soon as the obligation to store expires.

16.2 The deletion must be carried out in such a way that the data cannot be restored.

16.3 The processes must be documented with details regarding the date and the person performing the task. The logs, as well as a written proof of implementation, must be provided to the Client after the processes have been completed.

17. Liability


17.1 The Client ensures within his area of responsibility the implementation of the regulations arising from the relevant applicable legal provisions regarding the processing of personal data.

17.2 In principle, the liability limitations from the main contract apply. The Client indemnifies the Contractor from all claims made by third parties against the Contractor due to the violation of their rights based on the Client's commissioning of personal data, unless the third party's claim is based on the illegal processing of personal data by the Contractor. Article 82 of the GDPR remains unaffected.

18. Miscellaneous, General


18.1 If the personal data of the Client at the Contractor's premises are jeopardized by seizure or confiscation, through insolvency or settlement proceedings, or by other events or measures by third parties, the Contractor shall immediately inform the Client.

18.2 The Contractor will immediately inform all responsible parties in this context that sovereignty over the Client's personal data lies with the Client.

18.3 Irrespective of the Client's right to issue instructions in accordance with paragraph 11 of this Agreement, changes and additions to this Agreement and all its components require a written Agreement and explicit indication that it is an amendment or supplement to these conditions. This also applies to the waiver of this formal requirement.

18.4 The provisions of this Agreement remain in effect even after the termination of the primary service relationship, up to the complete destruction or return of all the Client's personal data to the Client.

18.5 If individual parts of this Agreement are invalid, it does not affect the validity of the rest of this Agreement. The parties agree to replace the invalid provision with a legally permissible provision that most closely fulfills the purpose of the invalid provision.

19. Final Provisions


19.1 Amendments or side agreements require the written form or an electronic format. This also applies to changes to this form requirement.

19.2 If a provision of this Agreement proves to be invalid, this does not affect the validity of the remaining provisions of the Agreement.

19.3 This agreement has been translated into English using artificial intelligence. In case of any discrepancies, ambiguities or disputes, the original German version shall govern and be considered as the definitive and binding document.