Legal

Terms of use for basebox – “Public Beta”

1. Scope of application

1.1 The following General Terms and Conditions (hereinafter referred to as “Terms of Use”) apply to the free and paid use of the “basebox” product, provided by basebox GmbH (hereinafter referred to as “basebox GmbH”, “we”), and govern the legal relationship between basebox GmbH and its customers (hereinafter referred to as the “customer party” for ease of reading).

1.2 Any general terms and conditions of the customer party that deviate from these terms of use shall not apply unless their validity has been expressly confirmed by basebox GmbH.

1.3 The basebox product may only be used by business customers within the European Union (EU).

1.4 The language of the contract is German.

2. Definitions

The following definitions apply within the scope of these terms and conditions:

2.1. “Administrator”: a natural person who sets up the organization, invites users, manages them, preselects input prompts and can delete the organization. The role of an administrator can only be held by a natural person who is authorized to represent the customer alone in legal transactions.

2.2 “basebox”: the product consisting of a provided AI model and an associated interface for chat-based use of the AI model as well as user and billing management.

2.3. “Registration”: Creating a user account for an organization at the invitation of the organization’s administrator.

2.4. “Chat”: A conversation with the AI model. Users can have as many chats as they like on different topics with the AI model.

2.5. “Chat history”: Chronological collection of input prompts and output within a chat.

2.6. “Input Prompt”: The prompt that the user sends to the AI model using the chat window, including any uploaded files to be analyzed.

2.7. “AI Apps”: A pre-made prompt that the user selects and that is displayed in the prompt input field. The user can edit this prompt and add their own text before sending it to the model.

2.8. “RAG Apps”: AI apps that users can define, consisting of a prompt and optionally additional files that are available as context for the chat as part of the RAG function.

2.9. “AI model”: a machine learning model, in particular a large language model that can be used to generate text and that is provided for use in the context of basebox.

2.10. “On Premise”: The installation of basebox in the local infrastructure of the customer party.

2.11. “Organization”: virtual user group in basebox, created and managed by the customer party as administrator. The users invited by the administrator are assigned as members of this organization.

2.12. “Output”: the response of the AI model to the user’s request.

2.13. “Prompt”: a textual request to an AI model to perform a task.

2.14. “Registration”: the creation of a new organization.

2.15. “RAG”: a system for processing and storing data managed by basebox users. The data stored in the RAG system is sent to the AI model for inclusion in the generation of responses.

2.16. “Software”: the basebox system.

2.17. “System Prompt”: predefined prompts from basebox GmbH with a maximum of 2000 tokens, which are automatically sent to the AI model together with each input prompt and which cannot be influenced or viewed by the user. These system prompts are used to encourage the AI model to provide structured and appropriate output.

2.18. “Token”: a digital unit used to measure the operating costs of the AI models. Token consumption is calculated in millions (per million tokens, “pmt”).

2.19. “User”: natural persons explicitly invited by the administrator, who, upon invitation, register with basebox and whose accounts are assigned to the organization and who may use basebox at the customer’s expense.

2.20. “Open Source Software”: software that is licensed by the respective rights holders to everyone for comprehensive royalty-free use and whose source code is available, in accordance with the Open Source Definition of the Open Source Initiative.

3. Conclusion of contract

3.1. The text of these Terms of Use is also available for retrieval at basebox.ai/en/terms-of-use after the conclusion of the contract.

3.2. basebox in the cloud

3.2.1. The use of basebox requires customer registration including the setup of an organization. Registration is free of charge. All other users of an organization do not register with basebox independently, but are explicitly invited by the administrator to register with basebox and to choose a password.

3.2.2 When registering, an e-mail address must be provided. If the registration is made for a company, the person registering confirms that they are authorized to represent that company. This person registering the company is initially assigned the role of “Administrator”.

3.2.3 The contract is concluded by registering the organization on signup.basebox.ai, entering the email address and confirming it according to the information in the email sent, setting a password and choosing a name for the organization, and accepting the terms of use and the privacy policy by activating the checkbox.

3.3. basebox On-Premise

3.3.1 The contract is concluded by agreeing to the terms of use before downloading the software, or by instructing basebox GmbH to install basebox On Premise.

3.3.2 At least an e-mail address is required for use.

3.3.3 Registration at signup.basebox.ai is required to purchase license keys (use by additional users). Clauses 3.2.2 and 3.2.3 apply to registration, provided that the contract has been concluded in accordance with clause 3.3.1. The existing contract is extended with the purchase of (additional) license keys.

4. Term and Termination of the Contractual Relationship, Licenses

4.1. The contract is concluded for an indefinite period.

4.2. The contractual relationship shall end with the termination of the last license, without the need for a separate termination of the contractual relationship.

4.3. License Acquisition and Automatic Renewal

4.3.1. A valid license is required to use the basebox functionality.

4.3.2. During initial registration, the “Free” license is activated, which allows unlimited and free use for the administrator and one additional user, including one million tokens.

4.3.3 The list of license prices for further licenses can be viewed at https://basebox.ai/preis/. The license key purchased there must be entered in the product. The license period begins with the purchase, which is confirmed by an e-mail to the administrator.

4.3.4. To purchase a license, you must provide your name, company, address, VAT number and a billing address.

4.3.5 The customer’s attention shall be drawn to the expiry of the current license period before the end of that period. If the license is not terminated at least 6 weeks before the end of the license period, the license period shall be automatically extended by 12 months and – with the exception of the “Free” license – shall be subject to a charge.

4.4. License termination

Licenses can be terminated by sending an e-mail to support@basebox.ai. The notice period is 6 weeks before the respective license expires.

5. Service description

5.1. basebox

basebox is an AI management system that makes it possible to use AI models in an environment that is as secure as possible, taking into account data protection aspects and with the aim of safeguarding trade secrets and personal rights. Currently, only large language models (LLM) are offered in basebox.

5.2. basebox in the cloud

5.2.1. basebox is hosted on basebox GmbH servers in Europe, preferably in Germany. basebox GmbH relies, among other things, on OpenID Connect and self-hosted Keycloak for authentication in order to be able to offer customer parties a high level of security. The use of these methods and the implementation of these concepts is at the discretion of basebox GmbH. basebox GmbH may decide to provide only a single language model. basebox GmbH does not guarantee or warrant absolute security.

5.2.2 The AI models are selected and operated by basebox GmbH. basebox GmbH reserves the right to change an offered AI model at any time, for example if more powerful AI models become available.

5.2.3 The use of the AI models is billed on a token basis. basebox GmbH provides a graphical overview of the token consumption with regular updates.

5.2.4 The output behavior of the AI models is influenced by basebox GmbH by means of system prompts that the customer parties and their users cannot change or prevent.

5.3. basebox On-Premise

5.3.1. basebox can also be installed locally on premise. For this purpose, the customer downloads the basebox software from the basebox website and installs it in its own infrastructure.

5.3.2 Alternatively, the customer party can commission basebox with installation and maintenance. A separate service contract is concluded for the installation.

5.3.3. basebox is delivered with an AI model such as Llama 3.3 (70B q4). However, basebox GmbH reserves the right to change the specific model at any time. Information on this can be found at… The customer party can decide to integrate other or their own AI models.

5.4. Prompts and AI app store

5.4.1. The use of the AI model in basebox is generally possible with prompts specifically created by the customer and their users.

5.4.2. basebox GmbH also offers an app store where pre-defined prompts are provided in the form of AI apps. The app store can be expanded by the customer to include their own AI apps and RAG apps.

5.4.3 The predefined AI apps map individual use cases and are designed to make it easier to use prompts. The prompts selected by users are displayed as text in the chat input window and can be edited by users before use.

5.4.4 When using RAG apps in the cloud, the files defined in the apps are stored on RAG servers of basebox GmbH. Technically, basebox GmbH has access to the data stored there. However, basebox GmbH will only use this access for maintenance purposes (see also section 7 on data confidentiality).

5.5 Output

basebox GmbH has no insight into the input prompts and the outputs generated by the AI models. basebox GmbH does not check the generated output and does not guarantee the correctness or quality of the results, nor that they are free of third-party rights.

5.6. User administration

basebox GmbH provides a rights- and role-based access control for the organization administration, in which administrators can manage their users themselves.

6. Prices, terms of payment, licenses

6.1. The stated prices are net prices plus sales tax at the respective statutory rate.

6.2. Payments are made by purchase on account.

6.3. In order to use the AI models provided, a license must be purchased (see section 4). The number of possible users and available tokens is specified by the license. It is possible to upgrade to a higher license at any time.

6.4. basebox in the cloud

6.4.1. The use of the AI models provided in basebox is billed based on the number of tokens used. The consumption is determined per million tokens (“pmt”). The token price is generally variable.

6.4.2. If the tokens included in the license have been used up, additional tokens can be purchased (each in packages of one million tokens).

6.4.3. A series of prompts is executed for an interaction with an AI model: a system prompt (max. 2000 tokens), the selected input prompt including any uploaded documents to be analyzed, and the generation of the output. The number of tokens and thus the basis for the consumption for an interaction consists of these prompts and is calculated accordingly, but not shown separately.

6.4.4. The AI models provided by basebox GmbH can be used with the acquired tokens using your own prompts and AI apps.

6.4.5. The token budget is available for a period of 12 months; any unused budget expires at the end of the period.

6.4.6. Once the inclusive tokens have been used up, the number of prompts that can be used is reduced to one per hour until the customer has purchased new tokens.

6.5. basebox On-Premise

6.5.1 The download and test use by an administrator are free of charge, but require the registration of a “Free” license (see Section 4).

6.5.2 Section 6.5 applies accordingly to use within the scope of the “Free” license.

6.5.3 The use of On-Premise outside of the “Free” license is not limited by the number of tokens used.

6.5.4 A license must be purchased for each additional user. The customer must send an e-mail to sales@basebox.ai for this purpose.

7. Data protection, confidentiality and security

7.1. basebox GmbH undertakes all economically reasonable measures to implement and maintain reasonable security measures, in particular to prevent unauthorized access to the services of basebox GmbH and the data of the customer party.

7.2. In order to fulfill the contract, personal data of the customer party and its users are processed by basebox GmbH. In addition, basebox GmbH analyzes the use of basebox by the customer and uses the knowledge gained to identify errors and problems and to improve basebox. In the context of the processing carried out for these purposes, basebox GmbH is generally solely responsible for data protection. Further information on data protection can be found in our data protection declaration, available at basebox.ai/de/datenschutzerklärung.

7.3 If the customer is subject to professional confidentiality and as such must observe the provisions of § 203 of the German Criminal Code (StGB), it shall outsource secrets to basebox GmbH as a contributing party to the extent necessary to fulfill the contract. As part of this outsourcing, basebox GmbH is bound by the “Confidentiality Agreement” attached as an appendix.

7.4. basebox GmbH reserves the right to implement filters to prevent inappropriate and illegal content from appearing in the results.

7.5. basebox in the cloud

7.5.1. Executed prompts, the contents of uploaded files and the chat history are only stored in the user’s browser. Prompts and the contents of uploaded files are also sent to the AI model to execute the services.

7.5.2. basebox GmbH has no access to the prompts and content. When using the RAG function, the provided files are stored on basebox GmbH servers. basebox GmbH may access these files for maintenance, troubleshooting, and diagnostic purposes, among others.

7.5.3 The models and basebox are hosted on servers of basebox GmbH. For this purpose, basebox GmbH leases infrastructure from providers in Europe. basebox GmbH exclusively uses servers located in Europe, preferably in Germany.

7.5.4 In cases in which the customer party or its users provide personal data to basebox GmbH for processing in the context of using basebox (e.g. in prompts, in chat conversations or through uploaded documents), basebox GmbH processes personal data as a processor on behalf of the customer party. In this respect, the appendix (“Data Processing Agreement”) to these Terms of Use shall be deemed an integral part of these Terms of Use. The Customer Party is responsible for all content and data processed by it and its Users in accordance with data protection law.

7.6. basebox On-Premise

7.6.1. Executed prompts, the contents of uploaded files and the chat history are only stored in the user’s browser.

7.6.2. When using the supplied AI model, the prompts and the contents of uploaded files are transferred to the locally hosted AI model. The data is not processed by basebox GmbH.

7.6.3 If the customer integrates its own or third-party AI models, basebox GmbH is not responsible for any processing by these AI models under data protection law.

7.6.4 When using RAG, the data provided is stored on the customer’s RAG server.

7.6.5 In cases where basebox GmbH carries out installation, support or maintenance activities on behalf of the customer and may come into contact with personal data, basebox GmbH processes personal data as a processor on behalf of the customer. In this respect, the appendix (“Data Processing Agreement”) to these Terms of Use shall be deemed an integral part of these Terms of Use.

8. Rights of use and intellectual property

8.1. Upon conclusion of the contract, basebox GmbH grants the customer, to the extent necessary, the non-exclusive, non-transferable right, limited to the duration of the usage contract, to use the basebox software and the prompts provided in this context and to make them available to users invited to basebox.

8.2 The basebox software may only be used by the customer and their invited users in the context of their own business activities.

8.3 It is not permitted to pass on basebox or make it publicly available to third parties (other natural or legal persons outside the customer’s company).

8.4 Insofar as basebox is used to create texts that are potentially protected by copyright, basebox GmbH does not claim any copyrights to the generated output.

8.5 The client party will instruct its users not to use prompts that aim to reproduce texts protected by copyright in favor of third parties, and the client party will also refrain from doing so.

8.6 The client party is responsible for the behavior of its users and ensures that they comply with the terms of use by monitoring and instructing them accordingly.

8.7 It is possible that users of different organizations that use similar input prompts receive similar output. basebox GmbH does not guarantee that the output produced by the AI models is unique or does not infringe the rights of third parties. The use and verification of the output is the responsibility of the customer.

8.8 The customer shall ensure that their users only use such prompts and only enter such documents into the system as they are authorized to use, and grants basebox GmbH a worldwide, revocable, non-exclusive, non-sublicensable, non-transferable right, limited to the duration of this contractual relationship, to use the prompts and documents to provide the service. The client party releases basebox GmbH from any liability for claims asserted by third parties against basebox GmbH for infringement of their rights, insofar as these result from the prompts used by the client party or its users, the output or files uploaded to basebox.

9. Open Source

9.1. basebox contains components under open source licenses. These are subject to the respective open source license conditions, which can be viewed at https://downloads.basebox.ai/files/opensource/credits.html, in deviation from these terms of use.

9.2 The customer party shall receive a simple right of use from the respective rights holders for the open source software used, under the conditions provided for in the respective valid license conditions. These terms of use shall only apply to the components that are not licensed as open source software.

9.3 These terms of use do not restrict the rights of use and freedoms granted in the open source licenses for use outside of basebox. In this respect, the open source licenses shall take precedence over these Terms of Use.

9.4 There shall be no warranty for defects in our products that result from the processing of open source software, insofar as these defects are caused by that processing. The customer shall bear the burden of proof that a defect in our product would have occurred even without the processing of the open source software contained therein.

9.5 The liability and warranty provisions of these terms and conditions of use apply to all software in relation to the licensor. The liability and warranty provisions of the open source licenses apply only in relation to the respective rights holders.

10. Technical requirements for use

10.1. basebox in the cloud

To use our services, you need a suitable digital device, a standard, sufficiently fast internet connection and an up-to-date browser.

10.2. basebox On-Premise

To use basebox in the on-premise version, you need the appropriate hardware. The following minimum configuration is recommended if you want to use the AI model supplied with basebox:

10.2.1. For the basebox AI Management Server

  • 24 GB RAM
  • 14 vCPUs
  • Ubuntu 22.04
  • Docker Engine 27
  • CPU: Intel Xeon Silver 4410Y 2 GHz (or similar)
  • Memory: 512 GB
  • Storage: 2 x 1.92 TB NVMe SSD
  • Network: Dual 100GbE NICs

10.2.2. For the AI Server

  • 80 – 96 GB GPU RAM, 200 GB SSD
  • Ubuntu 22.04
  • Docker Engine 27
  • CPU: AMD EPYC 9454 (96 cores, 192 threads) (or similar)
  • Memory: 1 TB
  • Storage:
      • 2 x 3.84 TB NVMe SSD in RAID1
      • 8 x 7.68 TB NVMe SSD in RAID10
  • GPU: 1 x NVIDIA L40S, or 1 x NVIDIA H100 80 GB (recommended), or similar NVIDIA cards (subject to availability)
  • Network: Dual 100GbE NICs

10.2.3. External AI model

If an external AI model is to be used, the basebox installation consists of the basebox AI Management Server (see 10.2.1. above) and the RAG server, which is equipped with at least the following:

  • 16 GB RAM
  • 8 vCPUs
  • 200 GB SSD
  • Ubuntu 22.04
  • Web Server: Nginx 1.18.0
  • Docker Engine 27

11. Availability and warranty

11.1. basebox GmbH points out that restrictions or impairments of the offered services may arise as a result of the cloud offering that are beyond the control of basebox GmbH. These include, in particular, actions by third parties not acting on behalf of basebox GmbH, technical conditions of the Internet that cannot be influenced by basebox GmbH, and force majeure.

11.2. basebox GmbH endeavors to ensure that the systems are available around the clock (24 hours a day, 7 days a week). However, basebox GmbH reserves the right to carry out maintenance work after giving appropriate notice and to take the systems out of operation for a proportionately short period of time.

11.3 The hardware and software and technical infrastructure used by the customer may also affect the services provided by basebox. Insofar as such circumstances affect the availability or functionality of the services provided by basebox GmbH, this has no effect on the contractual conformity of the services provided.

11.4 The customer is obliged to notify basebox GmbH of any functional failures, malfunctions or impairments of the software immediately and as precisely as possible. If the customer fails to do so, § 536c BGB applies accordingly.

11.5 In principle, the statutory provisions for warranty in rental contracts apply. §§ 536b BGB (Tenant’s knowledge of the defect at the time of conclusion of the contract or acceptance), 536c BGB (Defects occurring during the rental period; notification of defects by the tenant) apply. However, the application of § 536a para. 2 BGB (Tenant’s right of self-remedy) is excluded. The application of § 536a para. 1 BGB (Landlord’s liability for damages) is also excluded insofar as the standard provides for no-fault liability.

11.6 However, the warranty period for any claims for damages is reduced to one year, except for claims for damages due to defects that result from the absence of a guaranteed property of the service, that result from a culpable injury to health, body or life or for which liability is provided under the Product Liability Act.

12. Liability

12.1. basebox GmbH is only liable for damages incurred by the customer through the use of basebox if these were caused intentionally or through gross negligence by basebox GmbH, if they are the result of the absence of a guaranteed quality of the service, if they are based on a culpable violation of essential contractual obligations (see section 5), if they are the result of a culpable injury to health, or bodily harm or for which liability is provided under the Product Liability Act. However, in the event of a merely negligent breach of a material contractual obligation (see Section 5), the liability of basebox GmbH is limited to such damages as can typically and foreseeably be expected to occur in the course of providing the agreed services. This limitation does not apply if the damages are the result of injury to health, body or life.

12.2 Significant contractual obligations are those contractual obligations in Section 5 whose fulfillment is essential to the proper execution of the contract and on whose compliance you may regularly rely and whose violation, on the other hand, endangers the achievement of the purpose of the contract.

12.3 Otherwise, basebox GmbH and our vicarious agents shall not be held liable, regardless of the legal basis.

12.4 If basebox GmbH is liable for the loss of data belonging to the client or its users, in accordance with the above provisions, liability is limited to the typical costs of recovery that would have been incurred had the client or its users regularly made backup copies in line with the risk.

13. Obligations of the client and its users

The client is obliged to instruct its users to comply with the following obligations and to monitor compliance. Any violation of the obligations by the users will be attributed to the client. The client will also comply with the obligations itself.

13.1. Checking the output

The output of the AI models may be incomplete, outdated or incorrect and is often unpredictable. It is therefore the responsibility of the customer to instruct their users accordingly to

  • ensure the quality of the prompts used,
  • check the correctness and usability of the generated output before it is used or passed on,
  • insert appropriate specifications in the input prompts to better filter or adapt the result,
  • verify the information contained in the output and, in any case, not use the output as the sole source of information, not assume that it is unobjectionable and linguistically and ethically appropriate, and not use it as a substitute for professional advice.

13.2. Use of basebox services

13.2.1. The customer shall instruct its users not to use the systems of basebox GmbH for illegal purposes, in particular not to harm third parties or basebox GmbH. The customer shall also not carry out any such actions itself.

13.2.2 The client shall instruct its users not to make the services of basebox GmbH accessible to third parties outside of their company or to use them for such third parties. The client shall also not carry out any such actions itself.

13.2.3 The client shall instruct its users not to use the services of basebox GmbH in a way that compromises the security, proper functioning and integrity of the systems of basebox GmbH or that circumvents or compromises the security measures taken. In particular, the client will instruct its users not to use malicious, harmful prompts or to carry out prompt injection attacks in order to manipulate the behavior of the model or to carry out vulnerability, penetration or similar tests. The client will also not carry out any such actions itself.

13.2.4 The customer shall instruct its users to take into account and not to violate the rights of third parties, in particular copyrights, trademark rights and personal rights, as well as data protection, when using and creating prompts and uploading files to basebox, and to use only those prompts and upload only those files for which the customer or its users hold all necessary rights. The client party will also act in accordance with these instructions.

13.3. Use of output

The client party will instruct its users not to pass off output generated by the AI models as human-generated output and not to use the output if there is reason to believe that the use of the output could violate the rights of third parties.

13.4. Note on risks

The Customer Party is responsible for informing its users of the potential risks of using basebox, in particular with regard to the use of the output issued by the AI model and the use of sensitive data for the input prompt.

13.5. Updates

For the on-premise version of basebox, basebox GmbH will provide regular updates. The customer is responsible for implementing these updates or having them implemented by a specialist.

14. Changes to these terms of use

If basebox GmbH wishes to change these terms of use, basebox GmbH will send the customer a message and the changed terms of use by e-mail to the address provided for administration and request the customer’s consent. If the customer does not agree to the changed terms of use, basebox GmbH reserves the right to terminate the contract in compliance with the agreed notice period.

15. Miscellaneous

15.1. The law of the Federal Republic of Germany shall apply to the usage agreement, excluding the UN Convention on Contracts for the International Sale of Goods and German and European conflict of laws.

15.2 If the customer is a merchant, a legal entity under public law or a special fund under public law, or if it has no general place of jurisdiction in the Federal Republic of Germany, the exclusive place of jurisdiction for all claims arising from the contractual relationship is Landsberg am Lech. However, basebox GmbH can also take legal action against the customer at its general place of jurisdiction.

15.3. basebox GmbH is neither obliged nor willing to participate in dispute resolution proceedings before a consumer arbitration board in the event of a dispute with the customer.

15.4. Contract text and contract language: The contract between the customer and basebox GmbH is generally not set out in a separate contract text that you can access later. The content of the contract is derived from these terms of use and the subject matter of the contract concluded. The contract can be concluded in German or English.

Landsberg am Lech, March 28, 2025, basebox Terms of Use v.0.2.

Appendix

Obligation to maintain professional secrecy (Section 203 of the German Criminal Code)

1. Scope of application

1.1 This appendix “Obligation to maintain professional secrecy (§ 203 StGB)” (hereinafter the “Additional Agreement”) is concluded between the customer and basebox GmbH if the customer or persons working for the customer are subject to professional confidentiality in the sense of § 203 StGB.

1.2 The parties agree that this additional agreement supplements the terms of use. In the event of a conflict, the provisions of this appendix shall take precedence. All terms used and not defined shall have the same meaning as in the terms of use.

2. Instruction and obligation

2.1 To fulfill the contract, data and information may be processed that may fall under professional confidentiality in the sense of § 203 of the German Criminal Code. basebox GmbH is therefore instructed as follows:

If basebox GmbH discloses a third-party secret that has become known to it in the course of or in connection with its activities, namely a secret belonging to the personal sphere or a trade or business secret that has been entrusted to the client’s professionals, this may be punishable by imprisonment for up to one year or a fine (§ 203 para. 1, para. 4 sentence 1 StGB). The threat of punishment also applies to persons who work for basebox GmbH in the provision of services (§ 203 para. 4 sentence 1 StGB).

  • Secrets are all information that is only known to a limited group of people and in whose confidentiality the person to whom the information relates (secret holder) has a justified interest. This includes, in particular, all information regarding client, patient and/or customer relationships.
  • The penalty applies to natural persons working for basebox GmbH.
  • In the event of the involvement of third parties (e.g. subcontractors), basebox GmbH or the person acting on its behalf is punishable by imprisonment for up to one year or a fine if the third party discloses a secret that has become known in the course of or in connection with his work without authorization and basebox GmbH has not ensured that the third party has been obliged to maintain confidentiality (§ 203 para. 1, para. 4 sentence 2 no. 2 StGB).
  • The penalty for this is up to two years imprisonment or a fine if the perpetrator acts in return for payment or with the intention of enriching himself or harming another through the act (§ 203 para. 6 StGB). The same applies if the perpetrator makes unauthorized use of a third-party secret entrusted to the professional (§ 204 StGB).

2.2 In awareness of this, basebox GmbH is obliged as follows:

  • basebox GmbH acts as a service provider for the activities of the professional secret-keepers, who are subject to a professional confidentiality obligation. basebox GmbH is aware of the criminal consequences of a breach of confidentiality and maintains the confidentiality of third-party secrets made accessible to it.
  • basebox GmbH is authorized to involve other persons (third parties) in the fulfillment of the contract. When using third parties (e.g. further processors), basebox GmbH is obliged to oblige them to maintain confidentiality in writing, informing them of the criminal consequences of a breach of duty, insofar as these third parties could gain knowledge of third-party secrets in the course of their activities. basebox GmbH will inform the client of any intended involvement of further third parties. In justified individual cases, the customer can prohibit such involvement.
  • basebox GmbH is obliged to gain knowledge of third-party secrets only to the extent necessary to fulfill the contract. basebox GmbH will comply with appropriate organizational and technical measures to protect third-party secrets and confidential information, applying accepted security standards according to the current state of the art.
  • The obligation of confidentiality continues to exist for an unlimited period of time even after the contractual relationship has ended.
  • The confidentiality obligation as per the above paragraphs does not apply if basebox GmbH is obliged to disclose the client’s confidential information due to an official or judicial decision. If permissible and possible in individual cases, basebox GmbH will inform the client in advance of the disclosure obligation.
  • basebox GmbH is obliged to ensure that the service is provided only by a group of people bound to secrecy.

General information

The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to identify you personally. Detailed information on the subject of data protection can be found in our data protection declaration listed below this text.

The privacy policy is the basis of our actions and part of the business relationship with customers, contractual partners, users and/or third parties and applies to our website, mobile applications and all our external online presences (e.g. our social media profiles) as well as in the context of the provision of our services.

Data collection on this website

Who is responsible for data collection on this website?

Data processing on this website is carried out by the website operator, basebox GmbH (basebox for short). Contact details can be found in the imprint.

How do we collect your data?

On the one hand, your data is collected when you provide it to us. This may, for example, be data that you enter in a contact form.

Other data is collected automatically by our IT systems when you visit the website. This is primarily technical data (e.g. internet browser, operating system or time of page view). This data is collected automatically as soon as you enter this website.

Data is also collected when you register for our services, such as your e-mail address and your name, as well as any billing and payment data.

What do we use your data for?

Some of the data is collected to ensure that the website is provided without errors. Other data may be used to analyze your user behavior. We process the data that we collect as part of your registration in order to provide our contractual services.

What rights do you have with regard to your data?

You have the right to receive information about the origin, recipient and purpose of your stored personal data free of charge at any time. You also have the right to request the correction or deletion of this data. You can contact us at any time at the address given in the legal notice if you have any further questions on the subject of data protection. You also have the right to lodge a complaint with the competent supervisory authority.

You also have the right to request the restriction of the processing of your personal data under certain circumstances. For details, please refer to the privacy policy under “Right to restriction of processing”.

Analysis tools and tools from third-party providers

When you visit this website, your surfing behavior may be statistically evaluated. This is mainly done using cookies and so-called analysis programs. The analysis of your surfing behavior is usually anonymous; the surfing behavior cannot be traced back to you.

You can object to this analysis or prevent it by not using certain tools. You can find detailed information on these tools and on your options to object in the following privacy policy.

Hosting

External hosting

This website is hosted by an external service provider (hoster). Personal data collected on this website is stored on the hoster’s servers. This may include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses and other data generated via a website.

The hoster is used for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6 para. 1 lit. f GDPR). Our hoster will only process your data to the extent necessary to fulfill its performance obligations and follow our instructions with regard to this data.

Conclusion of a contract for data processing order

In order to guarantee data protection-compliant processing, we have concluded an order processing contract with our hoster.

Services used and service providers

Provider: Telekom Deutschland GmbH, Landgrabenweg 151, 53227 Bonn
Website: https://www.open-telekom-cloud.com
Privacy policy: https://www.open-telekom-cloud.com/de/datenschutz

Provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
Website: https://www.hetzner.com/
Privacy policy: https://www.hetzner.com/de/legal/privacy-policy

General notes and mandatory information

Data protection

The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy. When you use this website, various personal data is collected. Personal data is data that can be used to identify you personally. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this is done.

We would like to point out that data transmission over the Internet (e.g. when communicating by email) may be subject to security vulnerabilities. Complete protection of data against access by third parties is not possible.

Person responsible

The controller responsible for data processing on this website is:

basebox GmbH
Bahnhofplatz 3
D-86919 Utting am Ammersee

Phone: +49 8806 9590600
E-mail: support@basebox.ai

The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data (e.g. names, email addresses, etc.).

We have appointed a data protection officer for our company. The company data protection officer of basebox can be contacted at the above address, for the attention of the data protection officer, or by email at datenschutz@basebox.ai.

Many data processing operations are only possible with your express consent. You can withdraw your consent at any time. All you need to do is send us an informal e-mail. The legality of the data processing carried out until the revocation remains unaffected by the revocation.

Right to object to the collection of data in special cases and to direct marketing (Art. 21 GDPR)

IF THE DATA PROCESSING IS BASED ON ART. 6 ABS. 1 LIT. E OR F GDPR, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA AT ANY TIME ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. THE RESPECTIVE LEGAL BASIS ON WHICH PROCESSING IS BASED CAN BE FOUND IN THIS PRIVACY POLICY. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR PERSONAL DATA CONCERNED UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS OR THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE OR DEFENSE OF LEGAL CLAIMS (OBJECTION PURSUANT TO ART. 21 PARA. 1 GDPR).

IF YOUR PERSONAL DATA ARE PROCESSED FOR THE PURPOSE OF DIRECT MARKETING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH MARKETING; THIS ALSO APPLIES TO PROFILING TO THE EXTENT THAT IT IS RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT, YOUR PERSONAL DATA WILL SUBSEQUENTLY NO LONGER BE USED FOR THE PURPOSE OF DIRECT MARKETING (OBJECTION PURSUANT TO ART. 21 PARA. 2 GDPR).

Right to lodge a complaint with the competent supervisory authority

In the event of breaches of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement. The right to lodge a complaint is without prejudice to other administrative or judicial remedies.

Right to data portability

You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only take place if it is technically feasible.

SSL or TLS encryption

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

Information, deletion and correction

Within the framework of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipient and the purpose of the data processing and, if necessary, a right to correction or deletion of this data. You can contact us at any time at the address given in the legal notice if you have further questions on the subject of personal data.

Right to restriction of processing

You have the right to request the restriction of the processing of your personal data. To do so, you can contact us at any time at the address given in the legal notice. The right to restriction of processing exists in the following cases:

  • If you dispute the accuracy of your personal data stored by us, we generally need time to check this. For the duration of the review, you have the right to request that the processing of your personal data be restricted.
  • If the processing of your personal data was/is carried out unlawfully, you can request the restriction of data processing instead of erasure.
  • If we no longer need your personal data, but you need it for the exercise, defense or assertion of legal claims, you have the right to request the restriction of the processing of your personal data instead of deletion.
  • If you have lodged an objection in accordance with Art. 21 (1) GDPR, your interests and our interests must be weighed up. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.

If you have restricted the processing of your personal data, this data – apart from its storage – may only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

Objection to advertising e-mails

We hereby object to the use of contact data published as part of our obligation to provide a legal notice for the purpose of sending unsolicited advertising and information material. The operators of this website expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, such as spam e-mails.

Data collection on this website

Cookies

Some of the Internet pages use so-called cookies. Cookies do not damage your computer and do not contain viruses. Cookies are used to make our website more user-friendly, effective and secure. Cookies are small text files that are stored on your computer and saved by your browser.

Most of the cookies we use are so-called “session cookies”. They are automatically deleted at the end of your visit. Other cookies remain stored on your end device until you delete them. These cookies enable us to recognize your browser on your next visit.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be restricted.

Cookies that are required to carry out the electronic communication process or to provide certain functions that you have requested (e.g. shopping cart function) are stored on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the storage of cookies for the technically error-free and optimized provision of its services. If a corresponding consent has been requested (e.g. consent to the storage of cookies), the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.

Insofar as other cookies (e.g. cookies to analyze your surfing behavior) are stored, these are treated separately in this privacy policy.

Server log files

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are

  • Browser type and browser version
  • Operating system used
  • Referrer URL
  • Host name of the accessing computer
  • Time of the server request
  • IP address

This data is not merged with other data sources.

This data is collected on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of its website – the server log files must be recorded for this purpose.

The log files are deleted after 90 days.

Contact us

If you send us inquiries via the contact form, your details from the inquiry form, including the contact details you provide there, will be stored by us for the purpose of processing the inquiry and in the event of follow-up questions. We will not pass on this data without your consent.

This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested.

We will retain the data you provide on the contact form until you request its deletion, revoke your consent for its storage, or the purpose for its storage no longer pertains (e.g. after fulfilling your request). Mandatory statutory provisions – in particular retention periods – remain unaffected.

Request by e-mail or telephone

If you contact us by e-mail or telephone, we will store and process your inquiry, including all personal data (name, inquiry), for the purpose of processing your request. We will not pass on this data without your consent.

This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on your consent (Art. 6 para. 1 lit. a GDPR) and/or on our legitimate interests (Art. 6 para. 1 lit. f GDPR), as we have a legitimate interest in the effective processing of the inquiries addressed to us.

The data you send to us via contact requests will remain with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.

Processing of data (customer and contract data)

We collect, process and use personal data only insofar as it is necessary for the establishment, content or modification of the legal relationship (inventory data). This is done on the basis of Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the fulfillment of a contract or pre-contractual measures. We collect, process and use personal data about the use of this website (usage data) only insofar as this is necessary to enable or charge the user for the use of the service.

The customer data collected will be deleted after completion of the order or termination of the business relationship. Statutory retention periods remain unaffected.

Transfer and disclosure of personal data

As part of our processing of personal data, the data may be transferred to other bodies, companies, legally independent organizational units or persons or disclosed to them. The recipients of this data may include, for example, payment institutions in the context of payment transactions, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and in particular conclude corresponding contracts or agreements with the recipients of your data that serve to protect your data.

Data processing in third countries

If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or if the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this will only take place in accordance with the legal requirements.

Subject to express consent or transfer required by contract or law, we only process or have the data processed in third countries with a recognized level of data protection, including US processors certified under the “Data Privacy Framework”, or on the basis of special guarantees, such as contractual obligations through so-called standard protection clauses of the EU Commission, the existence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).

Analysis tools and advertising

Semrush

For analysis and optimization, especially for SEO optimization, we use Semrush from the service provider Semrush Inc, 800 Boylston Street, Suite 2475, Boston, MA 02199, USA. In particular, the following information is processed: IP address and device ID.

The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in the analysis and optimization of our website.

Website: https://de.semrush.com, privacy policy: https://de.semrush.com/company/legal/privacy-policy/

Google Tag Manager

Google Tag Manager is a solution with which we can manage so-called website tags via an interface (and thus integrate Google Analytics and other Google marketing services into our online offering, for example). The Tag Manager itself (which implements the tags) does not process any personal user data. With regard to the processing of users’ personal data, please refer to the following information on Google services. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Privacy Shield (Safeguarding the level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.

Google Analytics

This website uses functions of the web analysis service Google Analytics. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses so-called “cookies”. These are text files that are stored on your computer and enable your use of the website to be analyzed. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there.

The storage of Google Analytics cookies and the use of this analysis tool are based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the analysis of user behavior in order to optimize both its website and its advertising. If a corresponding consent has been requested (e.g. consent to the storage of cookies), the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.

The following table describes all cookies that are set by gtag.js. Further information on the data collected in Analytics can be found at https://support.google.com/analytics/answer/6004245.

  • Cookie name: _ga – Standard expiry time: 2 years – Description: Used to differentiate between individual users.
  • Cookie name: _ga_<container-id> – Standard expiry time: 2 years – Description: Used to save the session status.

IP anonymization

We have activated the IP anonymization function on this website. This means that your IP address will be truncated by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google will use this information on behalf of the operator of this website for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

Browser plugin

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

Objection to data collection

You can prevent the collection of your data by Google Analytics by clicking on the following link. An opt-out cookie will be set to prevent your data from being collected on future visits to this website: Deactivate Google Analytics.

You can find more information on how Google Analytics handles user data in Google’s privacy policy: https://support.google.com/analytics/answer/6004245?hl=de.

Order processing

We have concluded an order processing contract with Google and fully implement the strict requirements of the German data protection authorities when using Google Analytics.

Demographic characteristics in Google Analytics

This website uses the “demographic characteristics” function of Google Analytics. This allows reports to be created that contain statements about the age, gender and interests of site visitors. This data comes from interest-based advertising from Google and from visitor data from third-party providers. This data cannot be assigned to a specific person. You can deactivate this function at any time via the ad settings in your Google account or generally prohibit the collection of your data by Google Analytics as described in the section “Objection to data collection”.

Storage duration

Data stored by Google at user and event level that is linked to cookies, user IDs or advertising IDs (e.g. DoubleClick cookies, Android advertising ID) is anonymized or deleted after 14 months. Details can be found at the following links: https://support.google.com/analytics/answer/7667196?hl=de, https://support.google.com/analytics/answer/6004245/ and https://support.google.com/analytics/answer/11397207

  • Name: _ga – Runtime: 2 years – Domain: basebox.ai – Description: Used to differentiate between individual users.
  • Name: _ga_<container-id> – Runtime: 2 years – Domain: basebox.ai – Description: Used to save the session status.

If you have given your consent to the use of cookies for marketing purposes, Google Ads is used on this website. Google Ads enables us to display advertisements in the Google search engine or on third-party websites when the user enters certain search terms on Google (keyword targeting). Furthermore, targeted advertisements can be displayed based on the user data available at Google (e.g. location data and interests) (target group targeting). We can evaluate this data quantitatively, for example by analyzing which search terms have led to the display of our advertisements and how many advertisements have led to corresponding clicks. Insofar as data is processed outside the EU/EEA, we have also concluded the applicable standard contractual clauses of the European Union with Google as part of our order processing agreement in order to establish an adequate level of data protection.

Google Ads is provided by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Google may use sub-processors who process data outside the EU/EEA, where the level of data protection may not meet European standards.

The legal basis is your consent in accordance with § 25 para. 1 sentences 1 and 2 TTDSG and Art. 6 para. 1 sentence 1 lit. a) GDPR.

You can withdraw your consent at any time with effect for the future by accessing the cookie settings and changing your selection there. This does not affect the lawfulness of the processing carried out on the basis of the consent until revocation.

We have not stored any personal data in this context.

Posthog

We use the services of PostHog Inc, 2261 Market Street #4008, San Francisco, CA 94114, USA (hereinafter referred to as “PostHog”). Posthog collects certain data to analyze the behavior of users on our website and to provide us with information on how we can improve our website. The data collected by Posthog includes the user’s IP address, date and time of access, browser type and version, the user’s operating system, referrer URL, host name of the accessing computer and event data that we define ourselves (e.g. clicks, visits).

PostHog transfers and stores the data exclusively on servers in the EU, but is a US company. We have therefore concluded standard contractual clauses of the European Commission with Posthog as suitable guarantees, so that an appropriate level of protection is ensured when processing your data. You can access the standard contractual clauses at https://docs.google.com/document/d/1xfpP1SCFoI1qSKM6rEt9VqRLRUEXiKj9_0Tvv2mP928/edit and at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_de.

The processing of the data is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke this consent at any time. The data collected by Posthog will be stored for as long as necessary to fulfill the purpose for which it was collected. The data will not be passed on to third parties unless this is required by law or necessary for the performance of a contract.

You have the right to information about the data stored by us, the correction of incorrect data and the deletion of your data, provided that there are no statutory retention requirements. You also have the right to request the restriction of the processing of your data and to object to the processing of your data. If you wish to exercise your rights, please contact us.

Newsletter

Newsletter data

If you subscribe to our company’s newsletter, the data in the respective input mask will be transmitted to the controller. Subscription to our newsletter takes place in a so-called double opt-in procedure. This means that after registering, you will receive an email asking you to confirm your registration. This confirmation is necessary so that no-one can register with other people’s email addresses. When registering for the newsletter, the user’s IP address and the date and time of registration are stored. This serves to prevent misuse of the services or the e-mail address of the person concerned. The data is not passed on to third parties. An exception is made if there is a legal obligation to pass on the data. The data is used exclusively for sending the newsletter. Subscription to the newsletter can be terminated by the data subject at any time. Consent to the storage of personal data can also be revoked at any time. There is a corresponding link for this purpose in every newsletter. The legal basis for the processing of data after registration for the newsletter by the user is Art. 6 para. 1 lit. a) GDPR if the user has given consent. The legal basis for sending the newsletter as a result of the sale of goods or services is Section 7 (3) UWG.

Use of rapidmail

Description and purpose: We use rapidmail to send newsletters. The provider is rapidmail GmbH, Wentzingerstraße 21, 79106 Freiburg, Germany. Among other things, rapidmail is used to organize and analyze the sending of newsletters. The data you enter for the purpose of subscribing to the newsletter is stored on rapidmail’s servers in Germany. If you do not wish to be analyzed by rapidmail, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter message. For the purpose of analysis, the emails sent with rapidmail contain a so-called tracking pixel, which connects to the rapidmail servers when the email is opened. In this way, it can be determined whether a newsletter message has been opened. We can also use rapidmail to determine whether and which links in the newsletter message have been clicked on. Optionally, links in the email can be set as tracking links, with which your clicks can be counted.

Legal basis: The legal basis for data processing is Art. 6 para. 1 lit. a) GDPR.

Recipient: The recipient of the data is rapidmail GmbH.

Transfer to third countries: Data is not transferred to third countries.

Duration: The data stored by us as part of your consent for the purpose of the newsletter will be stored by us until you unsubscribe from the newsletter and deleted from both our servers and the servers of rapidmail after you unsubscribe from the newsletter. Data stored by us for other purposes (e.g. e-mail addresses for the member area) remain unaffected by this.

Revocation option: You have the option to revoke your consent to data processing at any time with effect for the future. The legality of the data processing operations that have already taken place remains unaffected by the revocation.

Use of social media

We have profiles on social networks. Our social media accounts complement our website and offer you the opportunity to interact with us. As soon as you access our social media profiles in the social networks, the terms and conditions and data processing guidelines of the respective operators apply. The data collected about you when you use the services is processed by the networks and may also be transferred to countries outside the European Union where there is no adequate level of protection for the processing of personal data. In principle, we have no influence on data processing in the social networks, as we, like you, are users of the network. Information on this and on what data is processed by the social networks and for what purposes the data is used can be found in the privacy policy of the respective network listed below. We use the following social networks:

Facebook

Our website is available at: https://www.facebook.com/profile.php?id=61555336381194

The operator of the network is: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.

Privacy policy of the network: https://www.facebook.com/about/privacy

Privacy policy of the network (Instagram): https://privacycenter.instagram.com/

LinkedIn

Our website is available at: https://www.linkedin.com/company/basebox/

The operator of the network is: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.

Privacy policy of the network: www.linkedin.com/legal/privacy-policy

Reddit

Our website is available at: https://www.reddit.com/user/baseboxio/

The operator of the network is: Reddit, Inc., 1455 Market Street, Suite 1600, San Francisco, CA 94103, United States

Privacy policy of the network: https://www.reddit.com/policies/privacy-policy

X

Our website is available at: https://twitter.com/basebox_ai

The operator of the network is: Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2.

Privacy policy of the network: https://twitter.com/de/privacy

Shared responsibility

Purposes:

We process personal data as our own controller when you send us inquiries via the social media profiles. We process this data in order to respond to your inquiries. In addition, we are joint controllers with the following networks and jointly responsible for the following processing operations (Art. 26 GDPR). As part of visiting our profile on the LinkedIn network as well as Facebook and Instagram, the network collects aggregated statistics (“Insights data”) created from certain events logged by their servers when you interact with our profiles and related content. We receive these aggregated and anonymous statistics from the network about the use of our profile. We are generally not in a position to assign the data to specific users. To a certain extent, we can define the criteria according to which the network compiles these statistics for us. We use these statistics to make our profiles more interesting and informative for you.

Further information on this data processing at LinkedIn can be found in the Joint Controller Agreement at https://legal.linkedin.com/pages-joint-controller-addendum. Otherwise, the network is solely responsible for the processing of your data.

Further information on this data processing by Facebook and Instagram can be found in the joint controller agreement at: https://www.facebook.com/legal/terms/information_about_page_insights_data

The processing is carried out on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR). The interest lies in the respective purpose.

Storage period:

We do not store any personal data ourselves within the scope of joint responsibility. With regard to contact requests outside the network, the above information on contacting us applies accordingly.

Plugins and tools

YouTube with enhanced data protection

This website integrates videos from YouTube. The operator of the pages is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

We use YouTube in extended data protection mode. According to YouTube, this mode means that YouTube does not store any information about visitors to this website before they watch the video. However, the transfer of data to YouTube partners is not necessarily excluded by the extended data protection mode. For example, YouTube establishes a connection to the Google DoubleClick network regardless of whether you watch a video.

As soon as you start a YouTube video on this website, a connection to the YouTube servers is established. This tells the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.

Furthermore, YouTube can store various cookies on your end device after starting a video. With the help of these cookies, YouTube can obtain information about visitors to this website. This information is used, among other things, to record video statistics, improve user-friendliness and prevent fraud attempts. The cookies remain on your device until you delete them.

After the start of a YouTube video, further data processing operations may be triggered over which we have no influence.

The use of YouTube is in the interest of an appealing presentation of our online offers. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If a corresponding consent has been requested (e.g. consent to the storage of cookies), the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.

You can find more information about data protection at YouTube in their privacy policy at: https://policies.google.com/privacy?hl=de.

Own services

Handling applicant data

We offer you the opportunity to apply to us (e.g. by e-mail, post or via the online application form). In the following, we inform you about the scope, purpose and use of your personal data collected as part of the application process. We assure you that your data will be collected, processed and used in accordance with applicable data protection law and all other statutory provisions and that your data will be treated in strict confidence.

Scope and purpose of data collection

If you send us an application, we process your associated personal data (e.g. contact and communication data, application documents, notes taken during job interviews, etc.) insofar as this is necessary to decide on the establishment of an employment relationship. The legal basis for this is § 26 BDSG under German law (initiation of an employment relationship), Art. 6 para. 1 lit. b GDPR (general contract initiation) and – if you have given your consent – Art. 6 para. 1 lit. a GDPR. Consent can be revoked at any time. Your personal data will only be passed on within our company to persons who are involved in processing your application.

If the application is successful, the data submitted by you will be stored in our data processing systems on the basis of § 26 BDSG-new and Art. 6 para. 1 lit. b GDPR for the purpose of implementing the employment relationship.

Data retention period

If we are unable to make you a job offer, you reject a job offer or withdraw your application, we reserve the right to retain the data you have submitted on the basis of our legitimate interests (Art. 6 para. 1 lit. f GDPR) for up to 6 months from the end of the application process (rejection or withdrawal of the application). The data will then be deleted and the physical application documents destroyed. The retention serves in particular as evidence in the event of a legal dispute. If it is apparent that the data will be required after the 6-month period has expired (e.g. due to an impending or pending legal dispute), the data will only be deleted when the purpose for further storage no longer applies.

Data may also be stored for longer if you have given your consent (Art. 6 para. 1 lit. a GDPR) or if statutory retention obligations prevent deletion.

The customer — as defined in the terms of use — hereinafter “client” — and basebox GmbH, Bahnhofplatz 3, 86919 Utting am Ammersee — hereinafter “basebox” — one of them hereinafter “the party”; both together hereinafter “the parties” — have entered into the following data processing agreement (DPA) in order to fulfill their obligations under Art. 28 (3) GDPR.

Preamble

The parties have agreed to provide services in connection with the provision and use of AI models, either in the cloud or on-premise, and have entered into a contractual agreement in the form of terms of use (the “Agreement”). In order to provide the services as agreed, it is necessary for basebox to process personal data on behalf of and at the instruction of the client. The purpose of this data processing agreement (the “Agreement”) is to define the obligations of the parties in connection with the processing of personal data by basebox as a processor on behalf of the client as a controller.

1. Standard Contractual Clauses

1.1 The parties agree to the attached standard contractual clauses in Appendix 1 in accordance with the European Commission’s implementing decision of June 4, 2021 [C(2021) 3701 final].

1.2 Insofar as the transfer of personal data by basebox to the client constitutes a transfer of personal data to a third country outside the EU, for example because the client is based outside the EU, the parties agree on the standard contractual clauses for the transfer of personal data to third countries in accordance with Regulation (EU) 2016/679, as agreed by the European Commission in its implementing decision (EU) 2021/914 of June 4, 2021, and attached to this agreement as Appendix 2 (the “International Standard Contractual Clauses”). Annexes I (I.A “SCC International”), II (I.B. “SCC International”), III (II. “SCC International”) and IV (III. “SCC International”) of Appendix 1 shall apply accordingly.

1.3 The standard contractual clauses and the international standard contractual clauses are supplemented by the provisions of this data processing agreement.

1.4 Insofar as a provision in this data processing agreement or other terms and conditions between the parties contradicts the provisions in the standard contractual clauses or the international standard contractual clauses, the provisions of the standard contractual clauses or the international standard contractual clauses shall take precedence over the other provisions. Insofar as a provision of the standard contractual clauses from Section 1.1 contradicts the international standard contractual clauses from Section 1.2, the international standard contractual clauses shall take precedence.

2. Supplementary provisions

2.1 Instructions and duties of the client

2.1.1 The instructions are initially defined by the contract and this agreement (including appendices and annexes) and can subsequently be amended, supplemented or replaced by the client in writing or in an electronic format (text form, e.g. via email) to basebox (individual instruction). Instructions that are not provided for in the underlying contract will be treated as a request for a change in performance. Verbal instructions must be confirmed in writing or text form without undue delay.

2.1.2 basebox has the right to supplement or amend the technical and organizational measures set out in the data processing agreement and its annexes and appendices at any time, although the security level must not fall below the originally agreed level.

2.1.3 The client must inform basebox immediately and in full if it discovers errors or irregularities with regard to data protection regulations when processing personal data.

2.1.4 The person registered as the admin for the customer will act as the point of contact for basebox for data protection issues arising in connection with the contract and the agreement.

2.2 Transfer of data to a third country

The approval of the use of a subcontractor is also considered to be an instruction in the sense of point 7.8.

2.3 Inspections

2.3.1 Should inspections by the client or an authorized inspector be necessary in individual cases, these will be carried out during normal business hours without disrupting operations, after registration and with an appropriate lead time.

2.3.2 Should basebox decide to commission a competent, independent external inspector or auditor, the client agrees to this commission on condition that it receives a copy of the report.

2.4 Liability and indemnity

2.4.1 The liability provisions of the contract shall apply unless otherwise expressly agreed.

2.4.2 In the event of a claim against the client by a data subject with regard to any claims under Art. 82 GDPR, the client shall indemnify basebox insofar as basebox is not responsible for the underlying violation of data protection regulations.

2.5 Miscellaneous

2.5.1 Amendments and supplements to this GTC and all its components – including any warranties of the Contractor – require a written agreement, which can also be in an electronic format (text form), and an explicit reference to the fact that it is an amendment or supplement to these terms. This also applies to the waiver of this formal requirement.

2.5.2 The law chosen in the underlying contract shall apply.


Appendix 1

STANDARD CONTRACTUAL CLAUSES

SECTION I

Clause 1

Purpose and Scope

(a) These Standard Contractual Clauses (hereinafter referred to as “Clauses”) are intended to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

(b) The controllers and processors listed in Annex I have agreed to these clauses in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 and/or Article 29(3) and (4) of Regulation (EU) 2018/1725.

(c) These clauses apply to the processing of personal data as specified in Annex II.

(d) Annexes I to IV are an integral part of the clauses.

(e) These clauses are without prejudice to the obligations to which the controller is subject under Regulation (EU) 2016/679.

(f) These Clauses do not, on their own, ensure compliance with the obligations in relation to international transfers under Chapter V of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.

Clause 2

Immutability of the Clauses

a) The parties undertake not to modify the Clauses, except to supplement or update information provided in the Annexes.

b) This shall not preclude the parties from incorporating the standard contractual clauses set out in these clauses into a larger contract and adding further clauses or additional safeguards, provided that these do not directly or indirectly contradict the clauses or undermine the fundamental rights or freedoms of the data subjects.

Clause 3

Interpretation

(a) Where the terms defined in Regulation (EU) 2016/679 are used in these clauses, those terms shall have the same meaning as in that Regulation.

(b) These clauses shall be interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These clauses shall not be interpreted in a way that is contrary to the rights and obligations provided for in Regulation (EU) 2016/679 or that adversely affects the fundamental rights or freedoms of data subjects.

Clause 4

Primacy

In case of conflict between these Clauses and the provisions of related agreements existing or to be entered into or concluded between the parties, these Clauses shall prevail.

Clause 5 (deleted)

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 6

Description of the processing

Details of the processing operations, in particular the categories of personal data and the purposes for which the personal data are processed on behalf of the controller, are set out in Annex II.

Clause 7

Obligations of the parties

7.1 Instructions

(a) The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In such a case, the processor shall inform the controller of that legal requirement before processing, unless the law concerned prohibits it because of an important public interest. The controller may give further instructions throughout the processing of personal data. Such instructions shall always be documented.

(b) The processor shall immediately inform the controller if it considers that instructions from the controller infringe Regulation (EU) 2016/679 or applicable Union or Member State data protection provisions.

7.2 Purpose limitation

The processor shall process the personal data only for the specific purposes set out in Annex II, unless it receives further instructions from the controller.

7.3 Duration of the processing of personal data

The data shall be processed by the processor only for the duration specified in Annex II.

7.4 Security of processing

a) The Processor shall, as a minimum, take the technical and organizational measures set out in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security that, whether unintentional or unlawful, results in the destruction, loss, alteration, or unauthorized disclosure of, or access to, the data (hereinafter referred to as a “personal data breach”). When assessing the appropriate level of protection, the parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, as well as the risks for the data subjects.

b) The Processor shall only grant its personnel access to the personal data that is the subject of the processing to the extent that this is strictly necessary for the execution, administration and monitoring of the Agreement. The Processor warrants that the persons authorized to process the personal data received have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.

7.5 Sensitive data

If the processing concerns personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, sex life or sexual orientation of a person or data concerning criminal convictions and offenses (hereinafter “sensitive data”), the processor shall apply specific restrictions and/or additional safeguards.

7.6 Documentation and compliance with the clauses

a) The parties must be able to demonstrate compliance with these clauses.

b) The Processor shall promptly and in a reasonable manner deal with any requests from the Controller concerning the processing of data under these clauses.

c) The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in these clauses and arising directly from Regulation (EU) 2016/679. At the request of the controller, the processor shall also allow for and contribute to the audit of the processing activities covered by these clauses at appropriate intervals or when there are indications of non-compliance. When deciding whether to carry out an audit or inspection, the controller may take into account relevant certifications held by the processor.

d) The controller may conduct the audit itself or engage an independent auditor. The audits may include inspections at the premises or physical facilities of the processor and, where appropriate, shall be carried out with reasonable notice.

e) The parties shall make the information referred to in this clause, including the results of audits, available to the competent supervisory authority upon request.

7.7 Use of subprocessors

a) The processor has the general approval of the controller for the appointment of subprocessors, who are included in an agreed list. The Processor shall inform the Controller expressly in writing at least three weeks in advance of any intended changes to this list by adding or replacing Sub-Processors, thereby giving the Controller sufficient time to object to such changes before the relevant Sub-Processor(s) are engaged. The processor shall provide the controller with the information necessary to enable the controller to exercise its right to object.

(b) Where the processor engages a subprocessor for carrying out specific processing activities (on behalf of the controller), such engagement shall be by way of a contract imposing essentially the same data protection obligations on the subprocessor as those imposed on the processor under these clauses. The Processor shall ensure that the Sub-processor performs the obligations to which the Processor is subject under these Clauses and under Regulation (EU) 2016/679.

(c) The processor shall make available to the controller, upon its request, a copy of such subcontracting agreement and any subsequent modifications. To the extent necessary to protect trade secrets or other confidential information, including personal data, the processor may redact the text of the agreement prior to providing a copy.

(d) The processor shall be fully liable to the controller for the performance by the subprocessor of its obligations under the contract entered into with the processor. The processor shall notify the controller if the subprocessor fails to fulfill its contractual obligations.

e) The processor shall agree with the subprocessor on a third-party beneficiary clause, whereby the controller, in the event that the processor ceases to exist in fact or in law or is insolvent, has the right to terminate the subprocessing agreement and to instruct the subprocessor to delete or return the personal data.

7.8 International data transfers

a) Any transfer of data by the processor to a third country or an international organization shall be carried out only on the basis of documented instructions from the controller or to comply with a specific provision of Union or Member State law to which the processor is subject and must comply with Chapter V of Regulation (EU) 2016/679.

b) The controller consents to the fact that in cases where the processor uses a subprocessor in accordance with clause 7.7 for the performance of certain processing activities (on behalf of the controller) and these processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the subprocessor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with Article 46(2) of Regulation (EU) 2016/679, provided that the conditions for the application of these standard contractual clauses are met.

Clause 8

Assistance to the controller

a) The processor shall inform the controller without undue delay of any request it has received from the data subject. It shall not respond to the request itself unless authorized to do so by the controller.

b) Taking into account the nature of the processing, the processor shall assist the controller in fulfilling its obligation to respond to requests from data subjects to exercise their rights. In performing its obligations under points (a) and (b), the Processor shall comply with the Controller’s instructions.

(c) Apart from the Processor’s obligation to assist the Controller in accordance with Clause 8(b), the Processor shall, taking into account the nature of the data processing and the information available to it, also assist the Controller in complying with the following obligations:

1) the obligation to carry out an assessment of the impact of the planned processing operations on the protection of personal data (hereinafter referred to as “data protection impact assessment”) if a form of processing is likely to result in a high risk to the rights and freedoms of natural persons;

2) the obligation to consult the competent supervisory authority or authorities prior to processing where a data protection impact assessment indicates that the processing would result in a high risk if the controller does not take measures to mitigate the risk;

3) the duty to ensure that personal data are accurate and up to date by requiring the Processor to inform the Controller without undue delay if it becomes aware that the personal data it processes are inaccurate or out of date;

4) obligations pursuant to Article 32 of Regulation (EU) 2016/679.

d) The parties shall specify in Annex III the appropriate technical and organizational measures to be taken by the Processor in support of the Controller in the application of this clause, as well as the scope and extent of the assistance required.

Clause 9

Personal Data Breach Notification

In the event of a personal data breach, the Processor shall cooperate with the Controller and provide assistance to enable the Controller to meet its obligations under Articles 33 and 34 of Regulation (EU) 2016/679, taking into account the nature of the processing and the information available to the Processor.

9.1 Personal data breach concerning the data processed by the Controller

In the event of a personal data breach in relation to the data processed by the controller, the processor shall assist the controller:

a) in notifying the personal data breach to the competent supervisory authority without undue delay after the controller has become aware of the breach, where relevant (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);

b) in obtaining the following information, which is to be provided in the controller’s notification pursuant to Article 33(3) of Regulation (EU) 2016/679 and shall include at least:

1) the nature of the personal data, where possible, with an indication of the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

2) the likely consequences of the personal data breach;

3) the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where and to the extent that not all of this information can be provided at the same time, the initial notification shall consist of the information available at that time, with further information subsequently provided without undue delay as it becomes available;

c) in complying with the obligation under Article 34 of Regulation (EU) 2016/679 to notify the data subject without undue delay of the personal data breach where that breach is likely to result in a high risk to the rights and freedoms of natural persons.

9.2 Personal data breach of data processed by the processor

In the event of a personal data breach in relation to the data processed by the processor, the processor shall notify the controller without undue delay after having become aware of the breach. This notification must include at least the following information:

a) a description of the nature of the breach (if possible, stating the categories and the approximate number of data subjects and the approximate number of data records concerned);

b) the contact details for a point of contact from which further information about the personal data breach may be obtained;

(c) the likely consequences and the measures taken or proposed to be taken to address the personal data breach, including measures to mitigate its possible adverse effects.

Where, and in so far as, not all of this information can be provided at the same time, the initial notification shall consist of the information available at that time, with further information subsequently provided without undue delay as it becomes available.

The parties shall specify in Annex III any additional information to be provided by the Processor to assist the Controller in fulfilling its obligations pursuant to Articles 33 and 34 of Regulation (EU) 2016/679.

SECTION III – FINAL PROVISIONS

Clause 10

Breaches of the Clauses and Termination of the Contract

a) In the event that the Processor fails to comply with its obligations under these Clauses, the Controller may, without prejudice to the provisions of Regulation (EU) 2016/679, instruct the Processor to suspend the processing of Personal Data until it complies with these Clauses or the Agreement is terminated. The Processor shall immediately inform the Controller if, for whatever reason, it is unable to comply with these Clauses.

b) The controller shall have the right to terminate the contract insofar as it relates to the processing of personal data under these clauses if

1) the controller has suspended the processing of personal data by the processor under point (a) and compliance with these clauses has not been restored within a reasonable period, and in any case within one month of the suspension;

2) the processor is in substantial or persistent breach of these clauses or fails to fulfil its obligations under Regulation (EU) 2016/679;

3) the processor fails to comply with a binding decision of a competent court or supervisory authority concerning its obligations under these clauses or Regulation (EU) 2016/679.

c) The Processor is entitled to terminate the Agreement insofar as it concerns the processing of Personal Data pursuant to these Clauses, if the Controller insists on following its instructions after it has been brought to the attention of the Processor that its instructions violate applicable legal requirements pursuant to Clause 7.1 letter b.

d) Upon termination of the contract, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that this has been done, or return all personal data to the controller and delete existing copies, unless there is an obligation under Union or national law to store the personal data. Until the data is deleted or returned, the processor continues to ensure compliance with these clauses.

ANNEX I – LIST OF PARTIES

Controller: [Identity and contact details of the controller and, where applicable, the controller’s data protection officer].

The controller is the client:

The customer, as defined in the terms of use.

Processor: [Identity and contact details of the processor and, if applicable, the processor’s data protection officer].

basebox GmbH

Contact details of the processor’s data protection officer:

Bahnhofsplatz 3
86919 Utting am Ammersee
Germany
Telephone: +49 8806 9590600
Email: contact@basebox.ai


ANNEX II – DESCRIPTION OF PROCESSING

Categories of data subjects whose personal data are processed

  • The customer
  • Users invited by the customer
  • Persons whose data are contained in the input prompts that the customer or its users have processed by the AI model.

Categories of personal data being processed

The processing of relevant personal data includes:

  • Names,
  • Business addresses,
  • Email addresses,
  • Telephone numbers,
  • Bank details,
  • Other data contained in the prompts,
  • Insofar as installation and/or support is provided, all data categories with which the processor comes into contact.

RAG data

Sensitive data processed (if applicable) and the restrictions or safeguards applied, which take full account of the nature of the data and the risks involved, such as strict purpose limitation, access restrictions (including access only for employees who have completed special training), recording of access to the data, restrictions on disclosure or additional security measures.

The processing of sensitive data in connection with the provision of the agreed services does not take place. Insofar as the controller uses the processor’s services for the processing of sensitive data, the controller shall inform the processor accordingly.

Type of processing

The Processor shall provide the agreed services to the Controller. The nature of the processing of personal data includes all processing necessary for the Processor to provide these services to the Client. It includes, in particular, the collection, organization, structuring, storage and provision of personal data, but may also include any other operation such as adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure or destruction of personal data.

Purpose for which personal data is processed on behalf of the controller

basebox in the cloud

The processor processes personal data in order to provide its services, as agreed with the controller. This includes, in particular, providing basebox for the use of the AI models offered and contract management.

basebox on-premise

The processor processes personal data for the purpose of providing its services as agreed with the controller in the contract. This may include, in particular, the installation and maintenance of the basebox software and the provision of support.

Duration of processing

The processing will continue for as long as the processor provides its services to the controller and will end when the contract is terminated.

ANNEX III – TECHNICAL AND ORGANIZATIONAL MEASURES, INCLUDING THOSE TO ENSURE THE SECURITY OF THE DATA

Measures for pseudonymization and encryption of personal data

  • Protection of secret keys with strong passwords
  • Encryption (asymmetric/symmetric) according to the state of the art
  • Encryption of systems
  • Encryption of storage media
  • Encryption of data carriers
  • Encryption of communication (e.g. email encryption)

Measures to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services

  • Documentation of authorizations
  • Use of authentication procedures
  • Secured WLAN
  • Individual log-in and password procedures
  • Special protective measures for the server room (Hetzner, Telekom)
  • Use of strong passwords (e.g. at least 10 digits)
  • Prevention of the selection of weak passwords for applications
  • Confidentiality obligations of employees
  • Administration activities on the servers may only be carried out by suitably trained persons
  • Use of appropriate firewalls
  • Use of logging and evaluation systems that ensure the traceability and documentation of data management
  • Use of two- or multi-factor authentication procedures for high-risk processing activities
  • Creation of role profiles/definition of functional responsibilities
  • Use of access rights

Measures to ensure the ability to quickly restore the availability and access to personal data in the event of a physical or technical incident

  • Back-up procedures
  • Appropriate data backup measures: Backups are stored in different locations and kept for different periods of time depending on the application
  • Mirroring of hard disks
  • Substitution rules

Procedures for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of data processing

  • Penetration tests (comprehensive security tests of individual computers or networks)
  • Regular awareness training for employees (at least once a year)
  • Regular tests to ensure that all relevant data is included in the back-up process and that recovery works
  • Review of the effectiveness of technical measures (at least once a year)

Measures for user identification and authorization

  • Instruction of all employees in the use of authentication procedures and mechanisms
  • Regulated process for the central administration of user identities, in particular for the creation (e.g. of new employees), modification (e.g. name change after marriage) and deletion (e.g. departure of employees)
  • Allocation of unique identifiers for each user
  • Avoiding group identifiers

Measures for protecting data during transmission

  • Provision via encrypted connections: e.g. use of HTTPS according to the state of the art
  • SSL certificate from trustworthy certification authorities
  • Data hashing (transformation of personal data into a specific character sequence)
  • Use of cryptographic tools

Measures for protecting data during storage

  • Protection of secret keys with strong passwords
  • Encryption (asymmetric/symmetric) using state-of-the-art technology
  • Encryption of systems
  • Encryption of storage media
  • Encryption of data carriers
  • Encryption of communication (e.g. email encryption)

Measures to ensure the physical security of locations where personal data is processed

  • There is a concept for access regulations and for physical access control (perimeter protection)
  • Clear rules for dealing with visitors (e.g. accompaniment, security zones, visitor badges, logging, employee responsible for visitors) as part of the concept
  • Secure locking systems including documented key management
  • Fire-resistant cabinets/safes for storing essential components (e.g. backup tapes, important original documents)

Measures to ensure the logging of events

  • Logging and blocking of indicators of compromise (IOCs)
  • Logging at firewall level to also detect and analyze unauthorized access between networks
  • Logging of visitors
  • Logging of data input, modification and deletion

Measures to ensure the system configuration, including the standard configuration

  • Automatic installation of security updates for the operating system and installed software
  • Regular data recovery tests and logging of the results
  • Regular evaluation of information on security vulnerabilities of the software used
  • Regular, unprompted evaluation of log files to detect unusual entries

Measures for internal governance and administration of IT and IT security

  • Role profiles for employees, including the entries in the directory of processing activities
  • Regular review (once a year) of whether the assignments of roles meet the requirements and whether the roles still meet the requirements of the business activity
  • No administrator IDs for users who do not perform administrative tasks
  • Superuser accounts (e.g. root under Linux) are not used, as far as possible
  • Determination of contact persons and responsible project managers for the specific order
  • Implementation of data protection training for all employees (including regular refresher training for existing personnel)
  • Implementation of internal company data protection guidelines
  • Consistent involvement of data protection officers (DPO) in security matters
  • Knowledge of the responsible data protection supervisory authority and knowledge of the reporting obligation under Art. 33 and 34 GDPR
  • Relevant guidelines (e.g. for e-mail/internet use, use of encryption techniques) are kept up to date and are easy to find
  • Commitment of employees to data secrecy
  • Existence of a suitable organizational structure for information security

Measures for certification/quality assurance of processes and products

  • Regular awareness-raising among employees (at least annually)
  • Regular testing to ensure that all relevant data is included in the back-up process and that recovery works
  • Review of the effectiveness of technical measures (at least annually)

Measures to ensure data minimization

  • Reduction of attributes
  • Reducing the processing options in processing steps
  • Defining default settings for data subjects that limit the processing of their data to what is necessary for the purpose of the processing
  • Defining and implementing a deletion concept

Measures to ensure data quality

  • Removing or correcting incorrect, duplicate and incomplete data records
  • Use of software tools that check data entries to ensure that they meet certain standards or formats
  • Application of uniform formats and conventions across all data sources to ensure consistency
  • Training and raising awareness among employees regarding the importance of data quality and proper data management

Measures to ensure limited data retention

  • Collect and store only the data that is strictly necessary for the intended purpose
  • Establish a clear expiration time for data storage, after which the data is automatically deleted or anonymized
  • Conduct regular audits to ensure that data is reliably deleted after its retention period has expired
  • Ensure that all data storage measures comply with local data protection laws and regulations

Measures to ensure accountability

  • A record of processing activities is maintained
  • Erasure and retention concepts are maintained
  • Regular review of the effectiveness of technical and organizational measures according to the PDCA cycle (Plan-Do-Check-Act)
  • Implementation of data protection training for all employees (including regular refresher training for existing staff)
  • Implementation of internal company data protection guidelines
  • Consistent involvement of data protection officers (DPO) in security matters
  • Knowledge of the responsible data protection supervisory authority and knowledge of the reporting obligation under Art. 33 and 34 GDPR
  • Relevant guidelines (e.g. for e-mail/Internet use, use of encryption techniques) are kept up to date and are easy to find
  • Obligation of employees to maintain data secrecy

Measures to enable data portability and to ensure deletion

  • Retention and deletion concepts are maintained
  • A clear expiration period for the storage of data is set, after which the data is automatically deleted or anonymized
  • Regular audits are carried out to ensure that data is reliably deleted after its retention period has expired
  • No storage of archive data in productive databases, but transfer of archive data from productive systems to archive systems
  • Archive data must be effectively deleted after the retention period has expired
  • Implementation of data protection training for all employees

TOMs of the employed sub-processors:

The processor uses sub-processors to provide its services (see Appendix IV). All sub-processors implement appropriate technical and organizational measures. Further information can be found at:


ANNEX IV – LIST OF SUBCONTRACTORS

The controller has authorized the use of the following subcontractors:

Subcontractor / Type of processing

Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen
Type of processing: Hosting and provision of the basebox product, including the customer data processed therein.

Google Ireland Ltd., Google Building Gordon House, Barrow St, Grand Canal Dock, Dublin 4, D04 V4X7, Ireland
Type of processing: Hosting of the model and processing of the entered prompts as well as creation and transmission of the answers.

Appendix 2

MODULE VI: Transfer from processors to controllers

STANDARD CONTRACTUAL CLAUSES

SECTION I

Clause 1

Purpose and Scope

a) These Standard Contractual Clauses are intended to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) 1 when personal data are transferred to a third country.

b) The parties:

(i) the natural or legal person(s), agency(ies) or other body(ies) listed in Appendix I.A (hereinafter referred to as the “body(ies)”) that transfers the personal data (hereinafter referred to as the “data exporter”), and

(ii) the entity or entities in a third country listed in Appendix I.A to which the personal data are disclosed, directly or indirectly through another entity that is also a party to these clauses (each, a “data importer”),

have agreed to be bound by these standard contractual clauses (the “Clauses”).

c) These clauses shall apply to the transfer of personal data as specified in Appendix I.B.

d) The Appendix to these clauses, including the Appendices therein, is an integral part of these clauses.

Clause 2

Effect and immutability of the clauses

a) These clauses contain appropriate safeguards, including enforceable data subject rights and effective legal remedies as required by Article 46(1) and point (c) of Article 46(2) of Regulation (EU) 2016/679 and, in relation to transfers from controllers to processors and/or from processors to processors, standard contractual clauses as referred to in Article 28(7) of Regulation (EU) 2016/679, provided that these are not modified, except for the selection of the relevant module or modules or the addition or update of information in the appendix. This shall not preclude the parties from incorporating the Standard Contractual Clauses set out in these clauses into a larger agreement and/or adding other clauses or additional safeguards as long as they do not directly or indirectly conflict with these clauses or impair the fundamental rights or freedoms of the data subjects.

(b) These Clauses are without prejudice to the data exporter’s obligations under Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a) Data subjects may rely upon and enforce these Clauses as third-party beneficiaries against the data exporter and/or the data importer, with the exception of the following:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7

(ii) Clause 8 – Module one: Clause 8.5 e and Clause 8.9 b Module two: Clause 8.1 b, Clause 8.9 a, c, d, e Module three: Clause 8.1 a, c, d, and Clause 8.9 a, c, d, e, f, g Module four: clause 8.1(b) and clause 8.3(b)

(iii) Clause 9 – module two: clause 9(a), (c), (d) and (e) module three: clause 9(a), (c), (d) and (e)

(iv) Clause 12 – module one: clause 12(a) and (d) modules two and three: clause 12(a), (d) and (f)

(v) Clause 13

(vi) Clause 15.1(c), (d) and (e)

(vii) Clause 16(e)

(viii) Clause 18 – modules one, two and three Clause 18(a) and (b) Module four: Clause 18

(b) The rights of data subjects under Regulation (EU) 2016/679 shall not be affected by point (a).

Clause 4

Interpretation

(a) Where terms defined in Regulation (EU) 2016/679 are used in these Clauses, those terms shall have the same meaning as in that Regulation.

b) These Clauses shall be interpreted in light of the provisions of Regulation (EU) 2016/679.

c) These Clauses shall not be interpreted in a manner that is inconsistent with the rights and obligations set forth in Regulation (EU) 2016/679.

Clause 5

Supersession

In case of conflict between these clauses and the provisions of related agreements between the parties in place at the time these clauses are agreed or entered into, these clauses shall prevail.

Clause 6

Description of the data transfer(s)

The details of the data transfers, in particular the categories of personal data transferred and the purpose(s) for which they are transferred, are specified in Appendix I.B.

Clause 7 – Optional

Coupling Clause

(a) At any time, an organization that is not a party to these clauses may, with the consent of the parties, join these clauses, either as a data exporter or a data importer, by completing the Appendix and signing Appendix I.A.

b) Upon completing the Appendix and signing Addendum I.A, the Adhering Entity shall become a party to these Clauses and shall have the rights and obligations of a data exporter or a data importer, as applicable, as designated in Addendum I.A.

c) The Adhering Entity shall have no rights or obligations under these Clauses for the period prior to its adherence as a party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer — through implementation of appropriate technical and organizational measures — is able to satisfy its obligations under these clauses.

8.1 Instructions

a) The data exporter shall process the personal data only on documented instructions from the data importer, who shall act as its data controller.

b) The data exporter shall promptly inform the data importer if it cannot comply with such instructions, including where such instruction would violate Regulation (EU) 2016/679 or other Union or Member State data protection provisions.

(c) The data importer shall refrain from any action that would impede the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in relation to subprocessing or cooperation with the competent supervisory authorities.

d) At the choice of the data importer, the data exporter shall, after the end of the data processing services, delete all personal data processed on behalf of the data importer and certify to the data importer that this has been done, or return all personal data processed on behalf of the data importer to the data importer and delete existing copies.

8.2 Security of processing

a) The parties shall take appropriate technical and organizational measures to ensure the security of the personal data, including during transmission, as well as protection against a breach of security that, whether unintentional or unlawful, results in the destruction, loss, alteration, or unauthorized disclosure of, or access to, the personal data (hereinafter “personal data breach”). When assessing the appropriate level of protection, they shall take into account the state of the art, the costs of implementation, the nature of the personal data 2, the nature, scope, context and purposes of the processing as well as the risks posed to data subjects by the processing, and shall consider in particular encryption or pseudonymization, including during transmission, if this can fulfill the purpose of the processing.

b) The data exporter shall assist the data importer in ensuring adequate security of the data in accordance with point a. In the case of a personal data breach relating to personal data processed by the data exporter under these clauses, the data exporter shall notify the data importer of the breach without undue delay after having become aware of it and shall assist the data importer in addressing the breach.

c) The data exporter warrants that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

8.3 Documentation and compliance with the clauses

a) The parties must be able to demonstrate compliance with these clauses.

b) The data exporter shall make available to the data importer all information necessary for demonstrating compliance with its obligations under these clauses and shall allow for and contribute to audits.

Clause 9 [deleted]

Clause 10

Rights of data subjects

The parties shall provide each other with mutual assistance in responding to requests and demands made by data subjects in accordance with local laws applicable to the data importer or, with respect to data processing by the data exporter in the Union, in accordance with Regulation (EU) 2016/679.

Clause 11

Redress

a) The data importer shall inform data subjects in a transparent and easily accessible manner, by means of individual notifications or a website with a contact point, of a contact point authorized to handle complaints. It shall promptly handle any complaints received from a data subject.

Clause 12

Liability

a) Each party shall be liable to the other party(ies) for damages it causes the other party(ies) by any breach of these clauses.

b) Each party shall be liable to the data subject, and the data subject shall be entitled to recover damages from that party, for any actual or consequential damages that party causes the data subject, in breach of that party’s third-party beneficiary rights under these clauses. This is without prejudice to the data exporter’s liability under Regulation (EU) 2016/679.

c) If more than one party is responsible for damages incurred by the data subject as a result of a breach of these clauses, all responsible parties shall be jointly and severally liable, and the data subject shall be entitled to take legal action against any of the parties.

d) The parties agree that a party held liable under paragraph c shall be entitled to seek contribution from the other party(ies) for that portion of the damages corresponding to such party’s responsibility for the damage.

e) The data importer shall not be able to rely on a behavior of a processor or sub-processor in order to avoid its own liability.

Clause 13 (deleted)

SECTION III – LOCAL LAWS AND OBLIGATIONS REGARDING GOVERNMENT ACCESS TO DATA

Clause 14

Local laws and practices affecting compliance

a) The parties warrant that they have no reason to believe that the laws and practices governing the processing of personal data by the data importer in the third country of destination, including requirements to disclose personal data or measures allowing public authorities to access such data, will prevent the data importer from fulfilling its obligations under these clauses. It is understood that these Clauses do not preclude legislation or practices that respect the essence of the fundamental rights and freedoms and that do not go beyond what is necessary and proportionate in a democratic society to ensure one of the objectives mentioned in Article 23(1) of Regulation (EU) 2016/679.

(b) the parties declare that, in particular, they have taken due account of the following aspects in providing the assurance in point (a):

(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and of transmission channels used, intended data onward transfers, the nature of the recipient, the purpose of the processing, the categories and format of personal data transferred, the industry sector in which the transfer takes place, the location of transferred data;

(ii) the relevant laws and practices of the third country of destination (including those requiring or permitting disclosure or access to data) relevant to the special circumstances surrounding the transfer, as well as the applicable restrictions and safeguards; 3

(iii) any relevant contractual, technical or organizational safeguards implemented to supplement the safeguards under these Clauses, including measures applied during transfers and to processing of Personal Data in the country of destination.

c) The data importer warrants that it has used its best efforts, as part of its assessment under paragraph b, to provide relevant information to the data exporter and agrees that it will continue to cooperate with the data exporter to ensure compliance with these clauses.

d) The parties agree to keep the assessment referred to in point (b) documented and make it available to the competent supervisory authority on request.

e) The data importer agrees to notify promptly during the duration of the contract the data exporter if it has reason to believe, after having given its consent to these clauses, that it is subject to legislation or practices that do not comply with the requirements referred to in point (a), including a change in the third country’s legislation or an action, such as a request for disclosure, that relates to an application of that legislation that does not comply with the requirements referred to in point (a). Upon notice under paragraph (e), or if the data exporter otherwise becomes aware that the data importer is likely to be unable to comply with its obligations under these clauses, the data exporter shall promptly determine appropriate measures, such as technical and organizational measures to ensure security and confidentiality, to be taken by the data exporter and/or the data importer to remedy the situation. The data exporter shall suspend the data transfer if it believes that no appropriate safeguards can be provided for such transfer or if instructed to do so by the relevant supervisory authority. In such an event, the data exporter is entitled to terminate the contract insofar as it relates to the processing of personal data pursuant to these clauses. If there are more than two parties to the contract, the data exporter may exercise this right of termination only with respect to the responsible party, unless the parties have agreed otherwise. If the contract is terminated pursuant to this clause, Clause 16(d) and (e) shall apply.

Clause 15

Data importer’s obligations in the event of access to the data by public authorities

15.1 Notification

a) The data importer agrees to notify the data exporter and, where possible, the data subject (with the data exporter’s assistance, as appropriate) without undue delay where (i) it receives a legally binding request for disclosure of Personal Data transferred pursuant to these Clauses from an authority, including a judicial authority, in accordance with the laws of the country of destination (such notification shall include information as to the Personal Data requested, the requesting authority, the legal basis for the request and the response provided); or

(ii) it becomes aware that an authority under the laws of the country of destination has direct access to personal data transferred under these clauses; such notification shall include all information available to the data importer.

b) If the law of the country of destination prohibits the data importer from notifying the data exporter and/or the data subject, the data importer agrees to use its best efforts to seek to have the prohibition lifted, so that as much information as possible is provided as quickly as possible. The data importer undertakes to document its efforts in order to be able to prove these at the request of the data exporter.

c) To the extent permitted by the laws of the country of destination, the data importer agrees to provide as much relevant information as possible about the requests received (including, but not limited to, the number of requests, the nature of the data requested, the requesting authority or authorities, whether any request has been challenged and the outcome of any such challenge) to the data exporter periodically during the term of the contract.

d) The data importer agrees to keep the information referred to in letters a) to c) during the term of the contract and to make it available to the competent supervisory authority upon request.

e) Paragraphs a) to c) are without prejudice to the data importer’s obligation under Clause 14 e) and Clause 16 to promptly inform the data exporter if it is unable to comply with these Clauses.

15.2 Legality and data minimization checks

a) The data importer agrees to check the legality of the request for disclosure, in particular, whether the request is within the powers delegated to the requesting authority, and to challenge the request if, after careful assessment, it concludes that there are substantial grounds to believe that the request is unlawful under the laws of the country of destination, applicable international law obligations and the principles of international comity. In such circumstances, the data importer shall seek any available remedies. If contesting a request, the data importer shall seek interim measures to suspend the effect of the request pending an outcome on the merits by the competent judicial authority. It shall not disclose the personal data requested until required to do so by applicable procedural requirements. These requirements are without prejudice to the data importer’s obligations under Clause 14(e).

b) The data importer agrees that it will document its legal assessment and any challenge to the disclosure request and make these documents available to the data exporter to the extent permitted by the laws of the country of destination. Upon request, it will also make these documents available to the competent supervisory authority.

c) The data importer agrees that it will provide the minimum amount of information reasonably necessary to respond to a disclosure request.

SECTION IV — FINAL PROVISIONS

Clause 16

Breach of the Clauses and Termination of the Contract

a) The data importer shall promptly inform the data exporter if it is unable for any reason to comply with these clauses.

b) If the data importer is in breach or is unable to comply with these clauses, the data exporter shall suspend the transfer of personal data to the data importer until the breach is remedied or the contract is terminated. This is without prejudice to Clause 14(f).

(c) The data exporter shall have a right to terminate the contract as it relates to the processing of personal data under these clauses if

(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to point (b) and compliance with these clauses has not been re-established within a reasonable period, and in any event within a one-month suspension;

(ii) the data importer is in substantial or persistent breach of these clauses; or

(iii) the data importer fails to comply with a binding decision of a competent court or a competent supervisory authority concerning its obligations under these clauses.

In such cases, the data exporter shall inform the competent supervisory authority of such violations. If more than two parties are involved in the contract, the data exporter may only exercise this right of termination against the responsible party, unless the parties have agreed otherwise.

d) Personal data collected by the data exporter established in the EU and transferred prior to the termination of the contract in accordance with clause c) must be completely deleted without delay, including all copies. The data importer shall certify the deletion to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these clauses. In the event that the data importer is subject to local legislation prohibiting the return or deletion of the personal data transferred, the data importer warrants that it will continue to ensure compliance with these clauses and will only process such data to the extent and for so long as required by such local legislation.

(e) Either party may withdraw its consent to be bound by these clauses if (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 which covers the transfer of personal data subject to these Clauses; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data are transferred. This is without prejudice to any other obligations applicable to the processing in question under Regulation (EU) 2016/679.

Clause 17

Applicable law

These Clauses shall be governed by the law of a country that allows third-party beneficiary rights. The parties agree that this is the law of the Federal Republic of Germany.

Clause 18

Jurisdiction and Venue

Any dispute arising under these Clauses shall be resolved by the courts of the Federal Republic of Germany.

1: Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting as a controller on behalf of a Union institution or body, recourse to these clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), insofar as these clauses and the data protection obligations laid down in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This is particularly the case if the controller and the processor rely on the standard contractual clauses set out in Commission Decision […]

2: This includes whether the transfer and further processing will involve personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a person’s sex life or sexual orientation or data concerning criminal convictions or offenses.

3: In assessing the impact of such laws and practices on compliance with these Clauses, various elements may be considered in the overall evaluation. These elements may include relevant and documented practical experience as to whether there have been prior requests for disclosure by public authorities covering a sufficiently representative time frame or whether there have been no such requests. This concerns in particular internal records or other evidence, established and maintained with due care and endorsed by senior management, provided that such information can be legitimately disclosed to third parties. Insofar as this practical experience leads to the conclusion that it is not impossible for the data importer to comply with these clauses, this must be supported by other relevant objective elements; the parties must carefully consider whether all these elements are sufficiently reliable and representative to support the conclusion reached. In particular, parties must consider whether their practical experience is corroborated, rather than contradicted, by publicly available or otherwise accessible reliable information on the existence or non-existence of requests within the same industry sector and/or on the application of the legislation in practice, such as jurisprudence and reports by independent oversight bodies.
