
Terms of use for basebox

1. Scope of application

1.1. The following General Terms and Conditions (hereinafter "Terms of Use") apply to the free and fee-based use of the product "basebox", provided by basebox GmbH (hereinafter "basebox GmbH", "we"), and govern the legal relationship between basebox GmbH and its customers (hereinafter referred to as the "Customer" for ease of reading).

1.2. General Terms and Conditions of Business of the Customer that deviate from these Terms of Use shall not apply unless their validity has been expressly confirmed by basebox GmbH.

1.3. The use of the basebox product is only permitted for business customers within the European Union (EU).

1.4. In deviation from the following provisions, the following conditions apply to the "Closed Beta" phase:

1.4.1. The contract ends in deviation from 4.1 automatically at the end of the "Closed Beta" phase.

1.4.2. During the beta phase, the services may differ from those described in section 5. In particular, errors or unexpected system behavior may occur.

1.4.3. The language of the contract is German.

2. Definitions

For the purposes of these Terms of Use, the following definitions apply:

2.1. "Administrator": Natural person who creates the organization, invites and manages users, preselects input prompts and can delete the organization. The role of administrator can only be held by a natural person who is authorized to represent the customer in legal transactions.

2.2. "basebox": consisting of a provided AI model and an associated interface for chat-based use of the AI model and user and billing management.

2.3. "Registration": Creation of a user account for an organization at the invitation of the organization's administrator.

2.4. "Chat": A conversation with the AI model. Users can have any number of chats on different topics with the AI model.

2.5. "Chat history": Chronological collection of input prompts and output within a chat.

2.6. "Input prompt": The prompt that the user sends to the AI model using the chat window, including any uploaded files to be analyzed.

2.7. "AI apps": A ready-made prompt that the user selects and that is displayed in the prompt input field. The user can edit this prompt and add their own text before sending it to the model.

2.8. "AI model": a machine learning model, in particular also a large language model, which can be used to generate text and which is made available for use within basebox.

2.9. "Organization": virtual user group in basebox, created and managed by the customer as administrator. The users that the administrator invites are assigned as members of this organization.

2.10. "Output": The AI model's response to the user's request.

2.11. "Prompt": a textual request to an AI model to perform a task.

2.12. "Registration": the creation of a new organization.

2.13. "Software": the basebox system.

2.14. "System Prompt": prompts predefined by basebox GmbH with a maximum of 2000 tokens, which are automatically sent to the AI model together with each input prompt and which cannot be influenced or viewed by the user. These system prompts are used to encourage the AI model to produce a structured and appropriate output.

2.15. "Token": a digital unit used to measure the operating costs of AI models. Token consumption is calculated in millions (per million tokens, "pmt").

2.16. "User": natural persons explicitly invited by the Administrator who register with basebox upon invitation and whose accounts are assigned to the Organization and who may use basebox on behalf of the Customer.

2.17. "Open Source Software": according to the Open Source Definition of the Open Source Initiative, software that is licensed by the respective rights holders to anyone for comprehensive royalty-free use and whose source code is available.

3. Conclusion of contract

3.1. The use of basebox requires customer registration, including the creation of an organization. Registration is free of charge. All other users of an organization do not register independently with basebox, but are explicitly invited by the administrator to register with basebox and choose a password.

3.2. An e-mail address must be provided when registering as a customer. If the registration is made for a company, the person making the registration confirms by registering that they are authorized to represent this company. This person registering the company is initially assigned the role of "Administrator".

3.3. The contract is concluded when the organization registers at signup.basebox.ai by entering the e-mail address and confirming it in accordance with the information in the e-mail sent, setting a password, choosing a name for the organization and accepting the terms of use and data protection provisions by activating the checkbox.

3.4. The text of these Terms of Use is also available for retrieval after conclusion of the contract at basebox.ai/en/terms-of-use.

4. Termination of the contractual relationship

4.1. The contract is concluded for an indefinite period.

4.2. Either party may terminate the contractual relationship with a notice period of 10 days to the end of the next calendar month. The termination can be made by the administrator on the website basebox.ai or by e-mail to support@basebox.ai. Remaining credit will not be paid out unless the termination is made by basebox GmbH.

4.3. The contract can also be terminated by the customer without notice by the authorized administrator deleting the organization in the organization administration. Remaining credit will not be paid out.

5. Service description

5.1. basebox

basebox is an AI management system that makes it possible to use AI models in the most secure environment possible, taking into account data protection aspects and with the aim of safeguarding business secrets and personal rights. Currently, only large language models (LLM) are offered in basebox.

5.2. Hosting in the cloud or on-premise operation

5.2.1. basebox is hosted on servers of basebox GmbH in Europe, preferably in Germany. basebox GmbH relies on OpenID Connect and self-hosted Keycloak for authentication, among other things, in order to be able to offer customers a high level of security. The use of these methods and the implementation of these concepts is at the discretion of basebox GmbH. basebox GmbH may decide to provide only a single language model. Absolute security is neither guaranteed nor warranted by basebox GmbH.

5.3. Use of the AI models

5.3.1. The AI models are selected and operated by basebox GmbH. basebox GmbH reserves the right to change an offered AI model at any time, for example if more powerful AI models become available.

5.3.2. You cannot currently run your own AI models in basebox.

5.3.3. The use of the AI models is billed on a token basis. basebox GmbH provides a graphical overview of token consumption with regular updates.

5.3.4. The output behavior of the AI models is influenced by basebox GmbH by means of system prompts that customers and their users cannot change or prevent.

5.4. Prompts and AI app store

5.4.1. The use of the AI model in basebox is generally possible with prompts written by the customer and its users.

5.4.2. Basebox GmbH also offers an app store in which ready-made prompts are made available in the form of AI apps.

5.4.3. These AI apps map individual use cases and are designed to make it easier to use prompts. The prompts selected by the users are displayed as texts in the chat input window and can be edited by the users before use.

5.5. Output

basebox GmbH has no insight into the input prompts and the outputs generated by the AI models. basebox GmbH does not check the generated output and does not guarantee the correctness or quality of the results or that they are free of third-party rights.

5.6. User administration

basebox GmbH provides rights- and role-based access control for organizational administration, in which administrators can manage their users themselves.

6. Prices, terms of payment

6.1. Prices quoted are net prices plus VAT at the applicable statutory rate.

6.2. Access to basebox and use of the organization and accounting management is generally free of charge.

6.3. The use of the AI models provided in basebox is billed based on token consumption. Consumption is calculated per million tokens ("pmt"). The token price is variable.

6.4. In order to use the AI models provided, the administrator must top up the budget, which is then used for token consumption-based billing and is available to all users in the organization.

Example: the token price could be €19 pmt (i.e. €19 for one million tokens). A budget of €100 is loaded. For a fictitious prompt and the output of the result, 4000 tokens could be incurred. The transaction would therefore cost €0.076 (€19 / 1,000,000 * 4000). After the transaction, the budget is €99.924.

The tokens are used in particular to finance the computing power required to use the model. The price for the computing power purchased by basebox GmbH is variable. Therefore, the Token price is also variable. basebox GmbH expressly points out that the quantity of Tokens that can be used with the fixed budget cannot be precisely determined in advance.

6.5. The current token price (pmt) is visible in the dashboard of the organization administration.

6.6. A series of prompts are executed for an interaction with an AI model: A system prompt (max. 2000 tokens), the selected input prompt including, for example, uploaded documents to be analyzed, as well as the generation of the output. The number of tokens and therefore also the basis for the price calculation for an interaction is made up of these prompts and is calculated accordingly, but not shown separately.

6.7. Payment is made by credit card. The customer defines a budget for tokens, which is debited from the credit card. There is no minimum amount, so the customer can define how much budget is available to the organization. Budget can be purchased at any time.

6.8. If the credit card payment fails due to insufficient funds or due to culpable behavior on the part of the customer, basebox GmbH can demand reimbursement of the chargeback fees charged by the banks and payment service providers involved.

6.9. With the token budget, the AI models provided by basebox GmbH can be used with your own prompts and AI apps can be used.

6.10. The budget can be used indefinitely.

6.11. If the budget is used up, the usage option is reduced to one prompt per hour until the customer has purchased new budget.

7. Data protection and security

7.1. Executed prompts, the contents of uploaded files and the chat history are only stored in the user's browser for a period of 30 days. Prompts and the content of uploaded files are also sent to the AI model to execute the services.

7.2. basebox GmbH has no access to the contents.

7.3. basebox GmbH takes all economically reasonable measures to implement and maintain reasonable security measures, in particular to prevent unauthorized access to the services of basebox GmbH and the Customer's data.

7.4. The models and basebox are hosted on basebox GmbH servers. For this purpose, basebox GmbH rents infrastructure from providers in Europe. basebox GmbH only uses servers that are located in Europe, preferably in Germany.

7.5. In order to fulfill the contract, personal data of the Customer and her Users are processed by basebox GmbH. In addition, basebox GmbH analyzes the use of basebox by the Customer and uses the knowledge gained to identify errors and problems and to improve basebox. Within the scope of the processing carried out for these purposes, basebox GmbH is in principle solely responsible under data protection law. Further information on data protection can be found in our data protection declaration, available at basebox.ai/en/terms#privacy-policy

7.6. In cases in which the Customer or its Users provide basebox GmbH with personal data in order to process them in the context of the use of basebox (e.g. in prompts, in the chat history or through uploaded documents), basebox GmbH processes personal data as a processor on behalf of the Customer. In this respect, the Annex ("Data Processing Agreement") to these Terms of Use shall apply as an integral part of these Terms of Use. The Customer is responsible under data protection law for all content used and data processed by it and its Users.

7.7. basebox GmbH reserves the right to implement filters that prevent inappropriate and illegal content from appearing in the results.

8. Rights of use and intellectual property

8.1. With the registration, basebox GmbH grants the Customer, to the extent necessary, the non-exclusive, non-transferable right, limited in time to the duration of the User Agreement, to use the basebox software and the prompts provided in this context and to make them available for use by its Users invited to basebox.

8.2. The basebox software may only be used by the customer and its invited users within the scope of their own business activities.

8.3. The transfer or public disclosure of basebox to third parties (other natural or legal persons outside the Customer's company) is not permitted.

8.4. Insofar as basebox is used to generate potentially copyrightable texts, basebox GmbH does not claim any copyrights to the generated outputs.

8.5. The customer will instruct its users not to use prompts that are intended to reproduce copyrighted texts for the benefit of third parties, and the customer will also refrain from doing so.

8.6. The customer is responsible for the behavior of its users and ensures that they comply with the provisions of the terms of use by monitoring and instructing them accordingly.

8.7. It is possible that users of different organizations that use similar input prompts will receive similar output. basebox GmbH does not guarantee that the output produced by the AI models is unique or does not infringe the rights of third parties. The use and verification of the Output is the responsibility of the Customer.

8.8. The Customer shall ensure that its Users only use such prompts and only enter such documents as input into the system for the use of which the necessary rights exist and grants basebox GmbH a worldwide, revocable, non-exclusive, non-sublicensable, non-transferable right, limited to the term of this contractual relationship, to use the prompts and documents for the performance of the service. The Customer shall indemnify basebox GmbH against any liability for claims asserted by third parties against basebox GmbH for infringement of their rights, insofar as these result from the prompts used by the Customer or its Users, the output or files uploaded to basebox.

9. Open Source

9.1. basebox contains components under open source licenses. In deviation from these terms of use, the respective open source license conditions apply to these, which can be viewed at basebox.ai/opensource.

9.2. The customer receives a simple right of use to the open source software used from the respective rights holders under the conditions set out in the applicable license terms. These terms of use only apply to those components that are not licensed as open source software.

9.3. These Terms of Use do not restrict the rights of use and user freedoms granted in the Open Source Licenses for use outside of basebox. The Open Source Licenses take precedence over these Terms of Use in this respect.

9.4. The warranty for defects in our products that are based on the processing of open source software is excluded if these defects are based on the processing. The customer shall bear the burden of proof that a defect in our product would also have occurred without the processing of the open source software contained therein.

9.5. The liability and warranty provisions of these terms of use apply to all software in relation to the licensor. The liability and warranty provisions of the open source licenses only apply in relation to the respective rights holders.

10. Technical requirements for use

10.1. A suitable digital device, a standard, sufficiently fast internet connection and an up-to-date browser are required to use our website.

11. Availability and warranty

11.1. basebox GmbH points out that restrictions or impairments of the services offered by way of the cloud offer may arise that are beyond the control of basebox GmbH. This includes, in particular, actions of third parties who are not acting on behalf of basebox GmbH, technical conditions of the Internet that cannot be influenced by basebox GmbH as well as force majeure.

11.2. basebox GmbH endeavors to ensure that the systems are available around the clock (24 hours a day, 7 days a week). However, basebox GmbH reserves the right to carry out maintenance work after giving appropriate notice and not to put the systems out of operation for a disproportionately long period of time.

11.3. The hardware, software and technical infrastructure used by the Customer can also have an influence on the services provided by basebox. Insofar as such circumstances have an influence on the availability or functionality of the services provided by basebox GmbH, this has no effect on the contractual conformity of the services provided.

11.4. The Customer is obligated to notify basebox GmbH immediately and as precisely as possible of any functional failures, malfunctions or impairments of the software. If the Customer fails to cooperate, § 536c BGB shall apply accordingly.

11.5. In principle, the statutory provisions on warranty in rental agreements apply. Sections 536b BGB (knowledge of the tenant of the defect upon conclusion of the contract or acceptance), 536c BGB (defects occurring during the rental period; notification of defects by the tenant) apply. However, the application of Section 536a (2) BGB (tenant's right to rectify defects himself) is excluded. The application of Section 536a (1) BGB (landlord's liability for damages) is also excluded insofar as the standard provides for strict liability.

11.6. However, the warranty period with regard to any damage compensation claims is reduced to one year, unless it concerns damage compensation claims due to defects which are the result of the non-existence of a guaranteed quality of the object of performance, which are the result of culpable injury to health, body or life or for which liability is provided for under the Product Liability Act.

12. Liability

12.1. basebox GmbH shall only be liable for damages incurred by the Customer through the use of basebox if they were caused intentionally or through gross negligence, if they are the result of the non-existence of a guaranteed quality of the service, if they are based on a culpable breach of essential contractual obligations (see section 5), they are the result of culpable injury to health, body or life or for which liability is provided under the Product Liability Act. In the event of a merely negligent breach of a material contractual obligation (see clause 5), the liability of basebox GmbH is, however, limited to such damages, the occurrence of which must be typically and foreseeably expected in the context of the provision of the agreed services. This limitation does not apply if damages are the result of injury to health, body or life.

12.2. Material contractual obligations are those contractual obligations in clause 5 whose fulfillment makes the proper execution of the contract possible in the first place, on whose compliance you may regularly rely and whose breach, on the other hand, jeopardizes the achievement of the purpose of the contract.

12.3. Otherwise, liability - regardless of the legal grounds - is excluded for both basebox GmbH and our vicarious agents and assistants.

12.4. If basebox GmbH is liable for the loss of the Customer's or its Users' data in consideration of the above provisions, the liability shall be limited to the typical recovery costs that would have been incurred even if the Customer or its Users had made regular and risk-appropriate backup copies.

13. Obligations of the customer and her users

The customer is obliged to instruct its users to comply with the following obligations and to monitor compliance. Any breach of the obligations by the users shall be attributed to the customer. The customer shall also comply with the obligations itself.

13.1. Checking the output

The output of the AI models may be incomplete, outdated or incorrect and is often unpredictable. It is therefore the client's responsibility to instruct its users to:

  • guarantee the quality of the prompts used,

  • check the correctness and usability of the generated output before it is used or passed on,

  • insert appropriate specifications in the input prompts to better filter or adjust the result,

  • verify the information contained in the output and in any case not use the output as the sole source of information, not expect it to be harmless and linguistically and ethically appropriate, and not use it as a substitute for professional advice.

13.2. Using the basebox services

13.2.1. The Customer shall instruct its Users not to use the systems of basebox GmbH for unlawful purposes, in particular not to cause damage to third parties or basebox GmbH. The Customer shall also not carry out any such actions itself.

13.2.2. The Customer shall instruct its users not to make the services of basebox GmbH accessible to third parties outside its company or to use them for these third parties. The Customer shall also not carry out any such actions itself.

13.2.3. The Customer shall instruct its Users not to use the services of basebox GmbH in a manner that impairs the security, proper functioning and integrity of the systems of basebox GmbH or circumvents or compromises the security precautions taken. In particular, the Customer shall instruct its users not to use any malicious, harmful prompts or carry out prompt injection attacks in order to manipulate the behavior of the model or to carry out vulnerability or penetration or similar tests. The customer will also not carry out any such actions itself.

13.2.4. When using and creating prompts and uploading files to basebox GmbH, the Customer shall instruct its Users to respect and not violate the rights of third parties, in particular copyrights, trademark rights, personal rights and data protection rights, and to only use prompts and upload files for which the Customer or its Users have all necessary rights. The customer shall also act in accordance with these instructions.

13.3. Use of the output

The client will instruct its users not to pass off output generated using the AI models as having been created by a human and not to use the output if there is reason to believe that the use of the output could infringe the rights of third parties.

13.4. Reference to risks

The Client is responsible for informing its users of the potential risks of using basebox, in particular with regard to the use of the output provided by the AI model and the use of sensitive data for the input prompt.

14. Changes to these terms of use

If basebox GmbH wishes to amend these Terms of Use, basebox GmbH will send the Customer a notification and the amended Terms of Use by e-mail to the address provided for the administration and request the Customer's consent. If the Customer does not agree to the amended Terms of Use, basebox GmbH reserves the right to terminate the contract in compliance with the agreed notice period.

15. Other provisions

15.1. The User Agreement shall be governed by the laws of the Federal Republic of Germany to the exclusion of the UN Convention on Contracts for the International Sale of Goods and the German and European conflict of laws provisions.

15.2. If the Customer is a merchant, a legal entity under public law or a special fund under public law or has no general place of jurisdiction in the Federal Republic of Germany, the exclusive place of jurisdiction for all claims arising from the contractual relationship shall be Landsberg am Lech. basebox GmbH may, however, also assert claims against the Customer at its general place of jurisdiction.

15.3. basebox GmbH is neither obliged nor willing to participate in dispute resolution proceedings before a consumer arbitration board in the event of a dispute with the customer.

15.4. Contractual text and contractual language: The contract between the Customer and basebox GmbH is generally not set out in a separate contractual text, which you could then access later as such. The content of the contract results from these Terms of Use and the subject matter of the concluded contract. The German and English languages are available for the conclusion of the contract.

Landsberg am Lech, 29/04/2024. basebox Terms of Use v.0.1.

Privacy policy

General information

The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to identify you personally. Detailed information on the subject of data protection can be found in our data protection declaration listed below this text.

The privacy policy is the basis of our actions and part of the business relationship with customers, contractual partners, users and/or third parties and applies to our website, mobile applications and all our external online presences (e.g. our social media profiles) as well as in the context of the provision of our services.

Data collection on this website

Who is responsible for data collection on this website?

Data processing on this website is carried out by the website operator, basebox GmbH (basebox for short). Contact details can be found in the imprint.

How do we collect your data?

On the one hand, your data is collected when you provide it to us. This may, for example, be data that you enter in a contact form.

Other data is collected automatically by our IT systems when you visit the website. This is primarily technical data (e.g. internet browser, operating system or time of page view). This data is collected automatically as soon as you enter this website.

Data is also collected when you register for our services, such as your e-mail address and your name, as well as any billing and payment data.

What do we use your data for?

Some of the data is collected to ensure that the website is provided without errors. Other data may be used to analyze your user behavior. We process the data that we collect as part of your registration in order to provide our contractual services.

What rights do you have with regard to your data?

You have the right to receive information about the origin, recipient and purpose of your stored personal data free of charge at any time. You also have the right to request the correction or deletion of this data. You can contact us at any time at the address given in the legal notice if you have any further questions on the subject of data protection. You also have the right to lodge a complaint with the competent supervisory authority.

You also have the right to request the restriction of the processing of your personal data under certain circumstances. For details, please refer to the privacy policy under "Right to restriction of processing".

Analysis tools and tools from third-party providers

When you visit this website, your surfing behavior may be statistically evaluated. This is mainly done using cookies and so-called analysis programs. The analysis of your surfing behavior is usually anonymous; the surfing behavior cannot be traced back to you.

You can object to this analysis or prevent it by not using certain tools. You can find detailed information on these tools and on your options to object in the following privacy policy.

Hosting

External hosting

This website is hosted by an external service provider (hoster). Personal data collected on this website is stored on the hoster's servers. This may include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses and other data generated via a website.

The hoster is used for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6 para. 1 lit. f GDPR). Our hoster will only process your data to the extent necessary to fulfill its performance obligations and follow our instructions with regard to this data.

Conclusion of a contract for data processing order

In order to guarantee data protection-compliant processing, we have concluded an order processing contract with our hoster.

Services used and service providers

Provider: Telekom Deutschland GmbH, Landgrabenweg 151, 53227 Bonn
Website: https://www.open-telekom-cloud.com
Privacy policy: https://www.open-telekom-cloud.com/de/datenschutz

Provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
Website: https://www.hetzner.com/
Privacy policy: https://www.hetzner.com/de/legal/privacy-policy

General notes and mandatory information

Data protection

The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy. When you use this website, various personal data is collected. Personal data is data that can be used to identify you personally. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this is done.

We would like to point out that data transmission over the Internet (e.g. when communicating by email) may be subject to security vulnerabilities. Complete protection of data against access by third parties is not possible.

Person responsible

The controller responsible for data processing on this website is:

basebox GmbH
Bahnhofplatz 3
D-86919 Utting am Ammersee

Phone: +49 8806 9590600
E-mail: support@basebox.ai

The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data (e.g. names, email addresses, etc.).

We have appointed a data protection officer for our company. The company data protection officer of basebox can be contacted at the above address, for the attention of the data protection officer, or by email at datenschutz@basebox.ai.

Many data processing operations are only possible with your express consent. You can withdraw your consent at any time. All you need to do is send us an informal e-mail. The legality of the data processing carried out until the revocation remains unaffected by the revocation.

Right to object to the collection of data in special cases and to direct marketing (Art. 21 GDPR)

IF THE DATA PROCESSING IS BASED ON ART. 6 ABS. 1 LIT. E OR F GDPR, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA AT ANY TIME ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. THE RESPECTIVE LEGAL BASIS ON WHICH PROCESSING IS BASED CAN BE FOUND IN THIS PRIVACY POLICY. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR PERSONAL DATA CONCERNED UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS OR THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE OR DEFENSE OF LEGAL CLAIMS (OBJECTION PURSUANT TO ART. 21 PARA. 1 GDPR).

IF YOUR PERSONAL DATA ARE PROCESSED FOR THE PURPOSE OF DIRECT MARKETING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH MARKETING; THIS ALSO APPLIES TO PROFILING TO THE EXTENT THAT IT IS RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT, YOUR PERSONAL DATA WILL SUBSEQUENTLY NO LONGER BE USED FOR THE PURPOSE OF DIRECT MARKETING (OBJECTION PURSUANT TO ART. 21 PARA. 2 GDPR).

Right to lodge a complaint with the competent supervisory authority

In the event of breaches of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement. The right to lodge a complaint is without prejudice to other administrative or judicial remedies.

Right to data portability

You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only take place if it is technically feasible.

SSL or TLS encryption

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

Information, deletion and correction

Within the framework of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipient and the purpose of the data processing and, if necessary, a right to correction or deletion of this data. You can contact us at any time at the address given in the legal notice if you have further questions on the subject of personal data.

Right to restriction of processing

You have the right to request the restriction of the processing of your personal data. To do so, you can contact us at any time at the address given in the legal notice. The right to restriction of processing exists in the following cases:

  • If you dispute the accuracy of your personal data stored by us, we generally need time to check this. For the duration of the review, you have the right to request that the processing of your personal data be restricted.
  • If the processing of your personal data was/is carried out unlawfully, you can request the restriction of data processing instead of erasure.
  • If we no longer need your personal data, but you need it for the exercise, defense or assertion of legal claims, you have the right to request the restriction of the processing of your personal data instead of deletion.
  • If you have lodged an objection in accordance with Art. 21 (1) GDPR, your interests and our interests must be weighed up. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.

If you have restricted the processing of your personal data, this data - apart from its storage - may only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

Objection to advertising e-mails

We hereby object to the use of contact data published as part of our obligation to provide a legal notice for the purpose of sending unsolicited advertising and information material. The operators of this website expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, such as spam e-mails.

Data collection on this website

Cookies

Some of the Internet pages use so-called cookies. Cookies do not damage your computer and do not contain viruses. Cookies are used to make our website more user-friendly, effective and secure. Cookies are small text files that are stored on your computer and saved by your browser.

Most of the cookies we use are so-called "session cookies". They are automatically deleted at the end of your visit. Other cookies remain stored on your end device until you delete them. These cookies enable us to recognize your browser on your next visit.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be restricted.

Cookies that are required to carry out the electronic communication process or to provide certain functions that you have requested (e.g. shopping cart function) are stored on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the storage of cookies for the technically error-free and optimized provision of its services. If a corresponding consent has been requested (e.g. consent to the storage of cookies), the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.

Insofar as other cookies (e.g. cookies to analyze your surfing behavior) are stored, these are treated separately in this privacy policy.

Server log files

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:

  • Browser type and browser version
  • Operating system used
  • Referrer URL
  • Host name of the accessing computer
  • Time of the server request
  • IP address

This data is not merged with other data sources.

This data is collected on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of its website - the server log files must be recorded for this purpose.

The log files are deleted after 90 days.

Contact us

If you send us inquiries via the contact form, your details from the inquiry form, including the contact details you provide there, will be stored by us for the purpose of processing the inquiry and in the event of follow-up questions. We will not pass on this data without your consent.

This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested.

We will retain the data you provide on the contact form until you request its deletion, revoke your consent for its storage, or the purpose for its storage no longer pertains (e.g. after fulfilling your request). Mandatory statutory provisions - in particular retention periods - remain unaffected.

Request by e-mail or telephone

If you contact us by e-mail or telephone, we will store and process your inquiry, including all personal data (name, inquiry), for the purpose of processing your request. We will not pass on this data without your consent.

This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on your consent (Art. 6 para. 1 lit. a GDPR) and/or on our legitimate interests (Art. 6 para. 1 lit. f GDPR), as we have a legitimate interest in the effective processing of the inquiries addressed to us.

The data you send to us via contact requests will remain with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions - in particular statutory retention periods - remain unaffected.

Processing of data (customer and contract data)

We collect, process and use personal data only insofar as it is necessary for the establishment, content or modification of the legal relationship (inventory data). This is done on the basis of Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the fulfillment of a contract or pre-contractual measures. We collect, process and use personal data about the use of this website (usage data) only insofar as this is necessary to enable or charge the user for the use of the service.

The customer data collected will be deleted after completion of the order or termination of the business relationship. Statutory retention periods remain unaffected.

Transfer and disclosure of personal data

As part of our processing of personal data, the data may be transferred to other bodies, companies, legally independent organizational units or persons or disclosed to them. The recipients of this data may include, for example, payment institutions in the context of payment transactions, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and in particular conclude corresponding contracts or agreements with the recipients of your data that serve to protect your data.

Data processing in third countries

If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or if the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this will only take place in accordance with the legal requirements.

Subject to express consent or transfer required by contract or law, we only process or have the data processed in third countries with a recognized level of data protection, including US processors certified under the "Data Privacy Framework", or on the basis of special guarantees, such as contractual obligations through so-called standard protection clauses of the EU Commission, the existence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).

Analysis tools and advertising

Umami Analytics

We use the open source program Umami Analytics on our website, which is hosted on our local server, to track general trends in the use of our website. This is open source software that enables us to analyze the use of our website. Your IP address, the website(s) you visit on our website, the website from which you came to our website (referrer URL), the time you spend on our website and the frequency with which you visit one of our websites are processed. All data is collected anonymously so that no conclusions can be drawn about your person. The data is stored on our local server in Germany and is not passed on.

Umami Analytics only collects aggregated information that does not allow us to identify a visitor to our website. Further information can be found in the Umami Analytics documentation at: https://umami.is/.

The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in the analysis and optimization of our website.

Semrush

For analysis and optimization, especially for SEO optimization, we use Semrush from the service provider: Semrush Inc, 800 Boylston Street, Suite 2475, Boston, MA 02199, USA. In particular, the following information is processed: IP address and device ID.

The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in the analysis and optimization of our website.

Website: https://de.semrush.com, privacy policy: https://de.semrush.com/company/legal/privacy-policy/

Google Tag Manager

Google Tag Manager is a solution with which we can manage so-called website tags via an interface (and thus integrate Google Analytics and other Google marketing services into our online offering, for example). The Tag Manager itself (which implements the tags) does not process any personal user data. With regard to the processing of users' personal data, please refer to the following information on Google services. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Privacy Shield (Safeguarding the level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.

Google Analytics

This website uses functions of the web analysis service Google Analytics. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses so-called "cookies". These are text files that are stored on your computer and enable your use of the website to be analyzed. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there.

The storage of Google Analytics cookies and the use of this analysis tool are based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the analysis of user behavior in order to optimize both its website and its advertising. If a corresponding consent has been requested (e.g. consent to the storage of cookies), the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.

The following table describes all cookies that are set by gtag.js. Further information on the data collected in Analytics can be found at https://support.google.com/analytics/answer/6004245.

Cookie Name          Standard Expiry Time   Description
_ga                  2 years                Used to differentiate between individual users.
_ga_<container-id>   2 years                Used to save the session status.

IP anonymization

We have activated the IP anonymization function on this website. This means that your IP address will be truncated by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google will use this information on behalf of the operator of this website for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

Browser plugin

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

Objection to data collection

You can prevent the collection of your data by Google Analytics by clicking on the following link. An opt-out cookie will be set to prevent your data from being collected on future visits to this website: Deactivate Google Analytics.

You can find more information on how Google Analytics handles user data in Google's privacy policy: https://support.google.com/analytics/answer/6004245?hl=de.

Order processing

We have concluded an order processing contract with Google and fully implement the strict requirements of the German data protection authorities when using Google Analytics.

Demographic characteristics in Google Analytics

This website uses the "demographic characteristics" function of Google Analytics. This allows reports to be created that contain statements about the age, gender and interests of site visitors. This data comes from interest-based advertising from Google and from visitor data from third-party providers. This data cannot be assigned to a specific person. You can deactivate this function at any time via the ad settings in your Google account or generally prohibit the collection of your data by Google Analytics as described in the section "Objection to data collection".

Storage duration

Data stored by Google at user and event level that is linked to cookies, user IDs or advertising IDs (e.g. DoubleClick cookies, Android advertising ID) is anonymized or deleted after 14 months. Details can be found at the following link: https://support.google.com/analytics/answer/7667196?hl=de; https://support.google.com/analytics/answer/6004245/ and https://support.google.com/analytics/answer/11397207

Name                 Runtime    Domain       Description
_ga                  2 years    basebox.ai   Used to differentiate between individual users.
_ga_<container-id>   2 years    basebox.ai   Used to save the session status.

If you have given your consent to the use of cookies for marketing purposes, Google Ads is used on this website. Google Ads enables us to display advertisements in the Google search engine or on third-party websites when the user enters certain search terms on Google (keyword targeting). Furthermore, targeted advertisements can be displayed based on the user data available at Google (e.g. location data and interests) (target group targeting). We can evaluate this data quantitatively, for example by analyzing which search terms have led to the display of our advertisements and how many advertisements have led to corresponding clicks. Insofar as data is processed outside the EU/EEA, we have also concluded the applicable standard contractual clauses of the European Union with Google as part of our order processing agreement in order to establish an adequate level of data protection.

Google Ads is provided by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Google may use sub-processors who process data outside the EU/EEA, where the level of data protection may not meet European standards.

The legal basis is your consent in accordance with § 25 para. 1 sentence 1, 2 TTDSG, Art. 6 para. 1 sentence 1 lit. a) GDPR.

You can withdraw your consent at any time with effect for the future by accessing the cookie settings and changing your selection there. This does not affect the lawfulness of the processing carried out on the basis of the consent until revocation.

We have not stored any personal data in this context.

Posthog

We use the services of PostHog Inc, 2261 Market Street #4008, San Francisco, CA 94114, USA (hereinafter referred to as "PostHog"). Posthog collects certain data to analyze the behavior of users on our website and to provide us with information on how we can improve our website. The data collected by Posthog includes the user's IP address, date and time of access, browser type and version, the user's operating system, referrer URL, host name of the accessing computer and event data that we define ourselves (e.g. clicks, visits).

PostHog transfers and stores the data exclusively on servers in the EU, but is a US company. We have therefore concluded standard contractual clauses of the European Commission with Posthog as suitable guarantees, so that an appropriate level of protection is ensured when processing your data. You can access the standard contractual clauses at https://docs.google.com/document/d/1xfpP1SCFoI1qSKM6rEt9VqRLRUEXiKj9_0Tvv2mP928/edit and at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_de.

The processing of the data is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke this consent at any time. The data collected by Posthog will be stored for as long as necessary to fulfill the purpose for which it was collected. The data will not be passed on to third parties unless this is required by law or necessary for the performance of a contract.

You have the right to information about the data stored by us, the correction of incorrect data and the deletion of your data, provided that there are no statutory retention requirements. You also have the right to request the restriction of the processing of your data and to object to the processing of your data. If you wish to exercise your rights, please contact us.

Tawk (live support chat system)

We utilize tawk.to, Inc., located at 187 E Warm Springs Rd, SB298, Las Vegas, Nevada 89119, USA (hereinafter referred to as "tawk.to") to manage user inquiries through our support channels or live chat systems. Messages you send to us may be stored in the tawk.to ticket system or addressed in the live chat by our team. Additionally, with the assistance of tawk.to, we can determine the region from which the inquirer originates, how long they have been communicating with us, and how satisfied they are with the communication process, among other things. The messages sent to us are retained by us until you request us to delete them or the purpose for storing the data no longer applies (e.g., after your query has been resolved). Mandatory legal requirements, such as retention periods, remain unaffected. The use of tawk.to is based on Article 6(1)(f) of the GDPR. We have a legitimate interest in processing your requests as quickly, reliably, and efficiently as possible. In cases where corresponding consent has been requested, the processing is carried out exclusively on the basis of Article 6(1)(a) of the GDPR; consent may be revoked at any time. Data transfer to the USA is based on the standard contractual clauses of the EU Commission. More information can be found here: https://www.tawk.to/privacy-policy/ and https://www.tawk.to/data-protection/gdpr/. For further details, please refer to the privacy policy of tawk.to: https://www.tawk.to/privacy-policy/ and https://www.tawk.to/data-protection/.

Agreement on commissioned data processing

We have entered into a commissioned data processing agreement with tawk.to. This is a required agreement under data protection law that ensures tawk.to only processes the personal data of our website visitors according to our instructions and in compliance with the GDPR.

Newsletter

Newsletter data

If you subscribe to our company's newsletter, the data in the respective input mask will be transmitted to the controller. Subscription to our newsletter takes place in a so-called double opt-in procedure. This means that after registering, you will receive an email asking you to confirm your registration. This confirmation is necessary so that no-one can register with other people's email addresses. When registering for the newsletter, the user's IP address and the date and time of registration are stored. This serves to prevent misuse of the services or the e-mail address of the person concerned. The data is not passed on to third parties. An exception is made if there is a legal obligation to pass on the data. The data is used exclusively for sending the newsletter. Subscription to the newsletter can be terminated by the data subject at any time. Consent to the storage of personal data can also be revoked at any time. There is a corresponding link for this purpose in every newsletter. The legal basis for the processing of data after registration for the newsletter by the user is Art. 6 para. 1 lit. a) GDPR if the user has given consent. The legal basis for sending the newsletter as a result of the sale of goods or services is Section 7 (3) UWG.

Use of rapidmail

Description and purpose: We use rapidmail to send newsletters. The provider is rapidmail GmbH, Wentzingerstraße 21, 79106 Freiburg, Germany. Among other things, rapidmail is used to organize and analyze the sending of newsletters. The data you enter for the purpose of subscribing to the newsletter is stored on rapidmail's servers in Germany. If you do not wish to be analyzed by rapidmail, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter message. For the purpose of analysis, the emails sent with rapidmail contain a so-called tracking pixel, which connects to the rapidmail servers when the email is opened. In this way, it can be determined whether a newsletter message has been opened. We can also use rapidmail to determine whether and which links in the newsletter message have been clicked on. Optionally, links in the email can be set as tracking links, with which your clicks can be counted.

Legal basis: The legal basis for data processing is Art. 6 para. 1 lit. a) GDPR.

Recipient: The recipient of the data is rapidmail GmbH.

Transfer to third countries: Data is not transferred to third countries.

Duration: The data stored by us as part of your consent for the purpose of the newsletter will be stored by us until you unsubscribe from the newsletter and deleted from both our servers and the servers of rapidmail after you unsubscribe from the newsletter. Data stored by us for other purposes (e.g. e-mail addresses for the member area) remain unaffected by this.

Revocation option: You have the option to revoke your consent to data processing at any time with effect for the future. The legality of the data processing operations that have already taken place remains unaffected by the revocation.

Use of social media

We have profiles on social networks. Our social media accounts complement our website and offer you the opportunity to interact with us. As soon as you access our social media profiles in the social networks, the terms and conditions and data processing guidelines of the respective operators apply. The data collected about you when you use the services is processed by the networks and may also be transferred to countries outside the European Union where there is no adequate level of protection for the processing of personal data. In principle, we have no influence on data processing in the social networks, as we, like you, are users of the network. Information on this and on what data is processed by the social networks and for what purposes the data is used can be found in the privacy policy of the respective network listed below. We use the following social networks:

Facebook

Our website is available at: https://www.facebook.com/profile.php?id=61555336381194

The operator of the network is: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.

Privacy policy of the network (Facebook): https://www.facebook.com/about/privacy

Privacy policy of the network (Instagram): https://privacycenter.instagram.com/

LinkedIn

Our website is available at: https://www.linkedin.com/company/basebox/

The operator of the network is: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.

Privacy policy of the network: www.linkedin.com/legal/privacy-policy

Reddit

Our website is available at: https://www.reddit.com/user/baseboxio/

The operator of the network is: Reddit, Inc., 1455 Market Street, Suite 1600, San Francisco, CA 94103, United States

Privacy policy of the network: https://www.reddit.com/policies/privacy-policy

X

Our website is available at: https://twitter.com/basebox_io

The operator of the network is: Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2

Privacy policy of the network: https://twitter.com/de/privacy

Shared responsibility

Purposes:

We process personal data as our own controller when you send us inquiries via the social media profiles. We process this data in order to respond to your inquiries. In addition, we are joint controllers with the following networks and jointly responsible for the following processing operations (Art. 26 GDPR). As part of visiting our profile on the LinkedIn network as well as Facebook and Instagram, the network collects aggregated statistics ("Insights data") created from certain events logged by their servers when you interact with our profiles and related content. We receive these aggregated and anonymous statistics from the network about the use of our profile. We are generally not in a position to assign the data to specific users. To a certain extent, we can define the criteria according to which the network compiles these statistics for us. We use these statistics to make our profiles more interesting and informative for you.

Further information on this data processing at LinkedIn can be found in the Joint Controller Agreement at https://legal.linkedin.com/pages-joint-controller-addendum. Otherwise, the network is solely responsible for the processing of your data.

Further information on this data processing by Facebook and Instagram can be found in the joint controller agreement at: https://www.facebook.com/legal/terms/information_about_page_insights_data

The processing is carried out on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR). The interest lies in the respective purpose.

Storage period:

We do not store any personal data ourselves within the scope of joint responsibility. With regard to contact requests outside the network, the above information on contacting us applies accordingly.

Plugins and tools

YouTube with enhanced data protection

This website integrates videos from YouTube. The operator of the pages is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

We use YouTube in extended data protection mode. According to YouTube, this mode means that YouTube does not store any information about visitors to this website before they watch the video. However, the transfer of data to YouTube partners is not necessarily excluded by the extended data protection mode. For example, YouTube establishes a connection to the Google DoubleClick network regardless of whether you watch a video.

As soon as you start a YouTube video on this website, a connection to the YouTube servers is established. This tells the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.

Furthermore, YouTube can store various cookies on your end device after starting a video. With the help of these cookies, YouTube can obtain information about visitors to this website. This information is used, among other things, to record video statistics, improve user-friendliness and prevent fraud attempts. The cookies remain on your device until you delete them.

After the start of a YouTube video, further data processing operations may be triggered over which we have no influence.

The use of YouTube is in the interest of an appealing presentation of our online offers. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If a corresponding consent has been requested (e.g. consent to the storage of cookies), the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.

You can find more information about data protection at YouTube in their privacy policy at: https://policies.google.com/privacy?hl=de.

Own services

Handling applicant data

We offer you the opportunity to apply to us (e.g. by e-mail, post or via the online application form). In the following, we inform you about the scope, purpose and use of your personal data collected as part of the application process. We assure you that your data will be collected, processed and used in accordance with applicable data protection law and all other statutory provisions and that your data will be treated in strict confidence.

Scope and purpose of data collection

If you send us an application, we process your associated personal data (e.g. contact and communication data, application documents, notes taken during job interviews, etc.) insofar as this is necessary to decide on the establishment of an employment relationship. The legal basis for this is § 26 BDSG under German law (initiation of an employment relationship), Art. 6 para. 1 lit. b GDPR (general contract initiation) and - if you have given your consent - Art. 6 para. 1 lit. a GDPR. Consent can be revoked at any time. Your personal data will only be passed on within our company to persons who are involved in processing your application.

If the application is successful, the data submitted by you will be stored in our data processing systems on the basis of § 26 BDSG-new and Art. 6 para. 1 lit. b GDPR for the purpose of implementing the employment relationship.

Data retention period

If we are unable to make you a job offer, you reject a job offer or withdraw your application, we reserve the right to retain the data you have submitted on the basis of our legitimate interests (Art. 6 para. 1 lit. f GDPR) for up to 6 months from the end of the application process (rejection or withdrawal of the application). The data will then be deleted and the physical application documents destroyed. The retention serves in particular as evidence in the event of a legal dispute. If it is apparent that the data will be required after the 6-month period has expired (e.g. due to an impending or pending legal dispute), the data will only be deleted when the purpose for further storage no longer applies.

Data may also be stored for longer if you have given your consent (Art. 6 para. 1 lit. a GDPR) or if statutory retention obligations prevent deletion.

Data processing agreement

The customer - as defined in the terms of use - hereinafter referred to as the "Client" - and basebox GmbH, Bahnhofplatz 3, 86919 Utting am Ammersee - hereinafter referred to as "basebox" - each of them hereinafter referred to as "the Party"; both together hereinafter referred to as "the Parties" - have concluded the following data processing agreement (DPA) in order to fulfill their obligations under Art. 28 para. 3 GDPR.

Preamble

The parties have agreed on the provision of services in connection with the provision and use of AI models and have concluded a contractual agreement in the form of terms of use (the "Agreement"). In order to provide the services in accordance with the Agreement, it is necessary for basebox to process personal data on behalf of and on the instructions of the Customer. The purpose of this Data Processing Agreement (the "Agreement") is to define the obligations of the parties in connection with the processing of personal data by basebox as processor on behalf of the Customer as controller.

1. Standard contractual clauses

1.1 The parties agree on the standard contractual clauses attached in Annex 1 in accordance with the implementing decision of the European Commission of June 4, 2021 [C(2021) 3701 final].

1.2 Insofar as the transfer of personal data by basebox to the Customer constitutes a transfer of personal data to a third country outside the EU, e.g. because the Customer is based outside the EU, the parties agree to the Standard Contractual Clauses for the transfer of personal data to third countries in accordance with Regulation (EU) 2016/679, as agreed by the European Commission in its Implementing Decision (EU) 2021/914 of June 4, 2021 and attached to this Agreement as Annex 2 (the "International Standard Contractual Clauses"). Annexes I (I.A "SCC International"), II (I.B. "SCC International"), III (II. "SCC International") and IV (III. "SCC International") of Annex 1 shall apply accordingly.

1.3 The standard contractual clauses and the international standard contractual clauses are supplemented by the provisions of this data processing agreement.

1.4 Insofar as a provision in this data processing agreement or other terms and conditions between the parties contradicts the provisions in the standard contractual clauses or the international standard contractual clauses, the provisions of the standard contractual clauses or the international standard contractual clauses shall take precedence over the other provisions. Insofar as a provision of the standard contractual clauses from section 1.1 contradicts the international standard contractual clauses from section 1.2, the international standard contractual clauses shall take precedence.

2. Supplementary regulations

2.1 Instructions and obligations of the client

2.1.1 The instructions are initially determined by the Contract and this Agreement (including annexes and appendices) and can be amended, supplemented or replaced by the Customer by means of individual instructions issued to basebox in writing or in an electronic format (text form, e.g. via e-mail). Instructions that are not provided for in the underlying contract shall be treated as a request for a change in performance. Verbal instructions must be confirmed immediately in writing or in text form.

2.1.2 basebox has the right to supplement or amend the technical and organizational measures set out in the Data Processing Agreement and its appendices and annexes at any time, although the level of security may not fall below the level originally agreed.

2.1.3 The Customer must inform basebox immediately and completely if it discovers errors or irregularities in the processing of personal data with regard to data protection regulations.

2.1.4 The person who is registered as Admin for the Customer assumes the role of contact person for basebox for data protection issues arising within the scope of the Contract and the Agreement.

2.2 Transfers of data to a third country

An instruction within the meaning of section 7.8 also includes, in particular, the authorization to appoint a subprocessor.

2.3 Inspections

2.3.1 Should inspections by the client or an inspector commissioned by the client be necessary in individual cases, these will be carried out during normal business hours without disrupting operations after notification and taking into account a reasonable lead time.

2.3.2 Should basebox decide to engage a competent, independent external inspector or auditor, the client agrees to this engagement on the condition that it receives a copy of the report.

2.4 Liability and indemnification

2.4.1 The liability provisions of the contract shall apply unless expressly agreed otherwise.

2.4.2 In the event of a claim against the Customer by a data subject with regard to any claims under Art. 82 GDPR, the Customer shall indemnify basebox insofar as basebox is not responsible for the underlying breach of data protection regulations.

2.5 Miscellaneous

2.5.1 Amendments and supplements to this DPA and all its components - including any assurances made by the Contractor - require a written agreement, which may also be made in an electronic format (text form), and an express reference to the fact that it is an amendment or supplement to these terms and conditions. This also applies to the waiver of this formal requirement.

2.5.2 The law chosen in the underlying contract shall apply.


Appendix 1

STANDARD CONTRACTUAL CLAUSES

SECTION I

Clause 1

Purpose and scope of application

a) These standard contractual clauses (hereinafter referred to as "clauses") are intended to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

b) The controllers and processors listed in Annex I have agreed to these clauses to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 and/or Article 29(3) and (4) of Regulation (EU) 2018/1725.

c) These clauses apply to the processing of personal data in accordance with Annex II.

d) Annexes I to IV are an integral part of the clauses.

e) These clauses are without prejudice to the obligations to which the controller is subject under Regulation (EU) 2016/679.

f) These clauses do not in themselves ensure that the obligations relating to international data transfers under Chapter V of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725 are fulfilled.


Clause 2

Unalterability of the clauses

a) The parties undertake not to amend the clauses except to supplement or update the information provided in the annexes.

(b) This shall not prevent the parties from incorporating the standard contractual clauses set out in these clauses into a wider contract and adding further clauses or additional safeguards, provided that these do not directly or indirectly conflict with the clauses or infringe the fundamental rights or freedoms of data subjects.


Clause 3

Interpretation

a) Where terms defined in Regulation (EU) 2016/679 are used in these clauses, those terms shall have the same meaning as in that Regulation.

b) These clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

c) These clauses shall not be interpreted in a manner contrary to the rights and obligations provided for in Regulation (EU) 2016/679 or in a manner that restricts the fundamental rights or freedoms of data subjects.


Clause 4

Priority

In the event of any conflict between these clauses and the provisions of any related agreements existing or subsequently entered into or concluded between the parties, these clauses shall prevail.


Clause 5 (discontinued)

SECTION II - OBLIGATIONS OF THE PARTIES

Clause 6

Description of the processing

The details of the processing operations, in particular the categories of personal data and the purposes for which the personal data are processed on behalf of the controller, are set out in Annex II.


Clause 7

Obligations of the parties

7.1 Instructions

a) The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In such a case, the processor shall inform the controller of these legal requirements prior to processing, unless the law in question prohibits this due to an important public interest. The controller may issue further instructions for the entire duration of the processing of personal data. These instructions must always be documented.

b) The processor shall inform the controller immediately if it believes that instructions issued by the controller violate Regulation (EU) 2016/679 or applicable Union or Member State data protection provisions.

7.2 Purpose limitation

The processor shall process the personal data only for the specific purposes set out in Annex II, unless it receives further instructions from the controller.

7.3 Duration of the processing of personal data

The data shall only be processed by the processor for the duration specified in Annex II.

7.4 Security of processing

a) The Processor shall implement at least the technical and organizational measures listed in Annex III to ensure the security of the Personal Data. This shall include the protection of data against a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of or access to the data, whether accidental or unlawful (hereinafter "Personal Data Breach"). In assessing the appropriate level of protection, the parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing and the risks presented to the data subjects.

b) The Processor shall grant its personnel access to the personal data subject to processing only to the extent strictly necessary for the performance, management and monitoring of the Contract. The Processor shall ensure that the persons authorized to process the personal data received have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.

7.5 Sensitive data

If the processing concerns personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or containing genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning an individual's health, sex life or sexual orientation, or data relating to criminal convictions and offenses (hereinafter "sensitive data"), the Processor shall apply specific restrictions and/or additional safeguards.

7.6 Documentation and compliance with the clauses

a) The parties must be able to prove compliance with these clauses.

b) The Processor shall deal promptly and appropriately with requests from the Controller regarding the processing of data under these Clauses.

c) The processor shall provide the controller with all information necessary to demonstrate compliance with the obligations set out in these Clauses and arising directly from Regulation (EU) 2016/679. At the request of the controller, the processor shall also allow and contribute to an audit of the processing activities covered by these clauses at appropriate intervals or where there are indications of non-compliance. When deciding on an inspection or audit, the controller may take into account relevant certifications of the processor.

d) The controller may carry out the audit itself or commission an independent auditor. The audits may include inspections of the processor's premises or physical facilities and shall be carried out with reasonable prior notice where appropriate.

e) The parties shall make the information referred to in this clause, including the results of audits, available to the competent supervisory authority upon request.

7.7 Use of sub-processors

a) The Processor has the Controller's general authorization to engage sub-processors included in an agreed list. The Processor shall expressly inform the Controller in writing at least 3 weeks in advance of any intended changes to this list by adding or replacing sub-processors, thereby giving the Controller sufficient time to object to these changes before engaging the sub processor(s) concerned. The Processor shall provide the Controller with the necessary information to enable the Controller to exercise its right to object.

b) Where the Processor engages a sub-processor to carry out certain processing activities (on behalf of the Controller), such engagement shall be by way of a contract which imposes on the sub-processor substantially the same data protection obligations as those applicable to the Processor under these Clauses. The Processor shall ensure that the Sub-Processor complies with the obligations to which the Processor is subject under these Clauses and under Regulation (EU) 2016/679.

c) The Processor shall provide the Controller with a copy of any such subcontracting agreement and any subsequent amendments at the Controller's request. To the extent necessary to protect trade secrets or other confidential information, including personal data, the Processor may redact the wording of the agreement before providing a copy.

d) The Processor shall be fully liable to the Controller for ensuring that the Sub-Processor fulfills its obligations under the contract concluded with the Processor. The Processor shall notify the Controller if the Sub-Processor fails to fulfill its contractual obligations.

e) The processor agrees a third-party beneficiary clause with the sub processor, according to which the controller - in the event that the processor factually or legally ceases to exist or is insolvent - has the right to terminate the subcontracting agreement and instruct the sub-processor to delete or return the personal data.

7.8 International data transfers

a) Any transfer of data by the processor to a third country or an international organization shall take place exclusively on the basis of documented instructions from the controller or to comply with a specific provision under Union law or the law of a Member State to which the processor is subject and shall comply with Chapter V of Regulation (EU) 2016/679.

b) The controller agrees that in cases where the processor uses a sub processor pursuant to clause 7.7 for the performance of certain processing activities (on behalf of the controller) and that these processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor may ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission pursuant to Article 46(2) of Regulation (EU) 2016/679, provided that the conditions for the application of these standard contractual clauses are met.


Clause 8

Assistance to the controller

a) The processor shall inform the controller without undue delay of any request received from the data subject. It shall not respond to the request itself unless it has been authorized to do so by the controller.

b) Taking into account the nature of the processing, the processor shall assist the controller in fulfilling the controller's obligation to respond to requests from data subjects to exercise their rights. In fulfilling its obligations under points (a) and (b), the processor shall follow the instructions of the controller.

c) In addition to the Processor's obligation to assist the Controller pursuant to Clause 8(b), the Processor shall also assist the Controller in complying with the following obligations, taking into account the nature of the data processing and the information available to the Processor:

1) Obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (hereinafter "data protection impact assessment") if a form of processing is likely to result in a high risk to the rights and freedoms of natural persons;

2) Obligation to consult the competent supervisory authority(ies) prior to processing if a data protection impact assessment indicates that the processing would result in a high risk, unless the controller takes measures to mitigate the risk;

3) Obligation to ensure that the personal data is accurate and up to date by the processor informing the controller without undue delay if it becomes aware that the personal data it is processing is inaccurate or out of date;

4) Obligations under Article 32 of Regulation (EU) 2016/679.

d) The Parties shall set out in Annex III the appropriate technical and organizational measures to assist the Controller by the Processor in the application of this Clause, as well as the scope and extent of the assistance required.


Clause 9

Notification of personal data breaches

In the event of a personal data breach, the Processor shall cooperate with and assist the Controller to enable the Controller to comply with its obligations under Articles 33 and 34 of Regulation (EU) 2016/679, taking into account the nature of the processing and the information available to the Processor.

9.1 Violation of the protection of data processed by the controller

In the event of a personal data breach in connection with the data processed by the controller, the processor shall assist the controller as follows:

(a) in notifying the personal data breach to the competent supervisory authority without undue delay after the controller has become aware of it, where relevant (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);

(b) in obtaining the following information which, pursuant to Article 33(3) of Regulation (EU) 2016/679, shall be stated in the controller's notification and must include at least:

1) the nature of the personal data, where possible, indicating the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

2) the likely consequences of the personal data breach;

3) the measures taken or proposed to be taken by the controller to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.

If and to the extent that not all such information can be provided at the same time, the initial notification will contain the information available at that time and further information will be provided as soon as it becomes available without undue delay thereafter;

(c) in complying with the obligation pursuant to Article 34 of Regulation (EU) 2016/679 to notify without undue delay the data subject of a personal data breach where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

9.2 Violation of the protection of data processed by the processor

In the event of a personal data breach in connection with the data processed by the processor, the processor shall notify the controller without undue delay after becoming aware of the breach. This notification must contain at least the following information:

(a) a description of the nature of the breach (where possible, specifying the categories and approximate number of data subjects concerned and the approximate number of data records concerned);

(b) contact details of a contact point where further information on the personal data breach can be obtained;

(c) the likely consequences and the measures taken or proposed to address the personal data breach, including measures to mitigate its possible adverse effects.

If and to the extent that not all such information can be provided at the same time, the initial notification will contain the information available at that time and further information will be provided as soon as it becomes available without undue delay thereafter.

The Parties shall specify in Annex III any other information to be provided by the Processor to assist the Controller in fulfilling its obligations under Articles 33 and 34 of Regulation (EU) 2016/679.

SECTION III - FINAL PROVISIONS

Clause 10

Breaches of the clauses and termination of the contract

a) Without prejudice to the provisions of Regulation (EU) 2016/679, if the Processor fails to comply with its obligations under these Clauses, the Controller may instruct the Processor to suspend the processing of personal data until it complies with these Clauses or the contract is terminated. The processor shall inform the controller immediately if, for whatever reason, it is unable to comply with these clauses.

b) The controller is entitled to terminate the contract insofar as it concerns the processing of personal data in accordance with these clauses if

1) the controller has suspended the processing of personal data by the processor in accordance with point (a) and compliance with these clauses has not been restored within a reasonable period and in any event within one month of the suspension;

2) the processor materially or persistently breaches these clauses or fails to comply with its obligations under Regulation (EU) 2016/679;

3) the Processor fails to comply with a binding decision of a competent court or the competent supervisory authority relating to its obligations under these Clauses or Regulation (EU) 2016/679.

c) The Processor shall be entitled to terminate the Contract insofar as it relates to the Processing of Personal Data under these Clauses if the Controller insists on the fulfillment of its instructions after being informed by the Processor that its instructions violate applicable legal requirements under Clause 7.1(b).

d) Upon termination of the contract, the processor shall, at the choice of the controller, erase all personal data processed on behalf of the controller and certify to the controller that this has been done, or return all personal data to the controller and erase existing copies, unless there is an obligation to retain the personal data under Union or Member State law. Until the deletion or return of the data, the processor shall continue to ensure compliance with these clauses.


ANNEX I - LIST OF PARTIES

Controller: [Identity and contact details of the controller(s) and, where applicable, of the controller's data protection officer].

The client is the controller:

The customer, as defined in the terms of use

Processor: [Identity and contact details of the processor and, if applicable, the processor's data protection officer].

basebox GmbH

Contact details of the data protection officer of the processor:

Bahnhofsplatz 3
86919 Utting am Ammersee
Germany
Phone: +49 8806 9590600
E-Mail: contact@basebox.ai


ANNEX II - DESCRIPTION OF THE PROCESSING


Categories of data subjects whose personal data are processed

  • The customer
  • Users invited by the customer
  • People whose data is contained in the input prompts that the customer or their users have processed by the AI model.

Categories of personal data that are processed

The processing of relevant personal data extends to:

  • Names,
  • Business addresses,
  • E-mail addresses,
  • Telephone numbers,
  • Bank details,
  • Other data contained in the prompts.

Sensitive data processed (if applicable) and restrictions or safeguards applied that take full account of the nature of the data and the risks involved, such as strict purpose limitation, access restrictions (including access only for employees who have undergone specific training), recording of access to the data, restrictions on disclosure or additional security measures.

Sensitive data is not processed in connection with the provision of the agreed services.

Type of processing

The processor provides the controller with the agreed services. The type of processing of personal data includes any processing that is necessary to enable the processor to provide these services to the controller. It includes in particular the collection, organization, structuring, storage and provision of personal data, but may also include any other operation such as the adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure or destruction of personal data.

Purpose for which the personal data are processed on behalf of the controller

The processor processes personal data to provide its services as agreed with the controller. This includes in particular the provision of basebox for the use of the AI models offered and contract management.

Duration of processing

Processing continues for as long as the processor provides its services to the controller and ends with the termination of the contract.


ANNEX III - TECHNICAL AND ORGANIZATIONAL MEASURES, INCLUDING MEASURES TO ENSURE THE SECURITY OF DATA


Measures for pseudonymization and encryption of personal data

  • Protection of secret keys with strong passwords
  • State-of-the-art encryption (asymmetric/symmetric)
  • Encryption of systems
  • Encryption of storage media
  • Encryption of data carriers
  • Encryption of communication (e.g. e-mail encryption)

Measures to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services in connection with the processing

  • Documentation of authorizations
  • Use of authentication procedures
  • Secure WLAN
  • Individual log-in and password procedures
  • Special protective measures for the server room (Hetzner, Telekom)
  • Use of strong passwords (e.g. at least 10 characters)
  • Preventing the selection of weak passwords for applications
  • Confidentiality obligations of employees
  • Administration activities on the servers are only carried out by competently trained persons
  • Use of suitable firewalls
  • Use of logging and evaluation systems that ensure the traceability and documentation of data management
  • Use of two-factor or multi-factor authentication procedures for high-risk processing activities
  • Creation of role profiles/definition of functional responsibilities
  • Use of access rights

Measures to ensure the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident

  • Back-up procedure
  • Suitable measures for data backup: Backups are stored in different locations and kept for different lengths of time depending on the application
  • Mirroring hard disks
  • Substitution rules

Procedures for regularly reviewing, assessing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing

  • Penetration tests (comprehensive security test of individual computers or networks)
  • Regular sensitization of employees (at least annually)
  • Regular test to ensure that all relevant data is included in the backup process and that the restore works
  • Checking the effectiveness of the technical measures (at least annually)

Measures to identify and authorize users

  • Instruction of all employees in the use of authentication procedures and mechanisms
  • Regulated process for centralized management of user identities, in particular for creation (e.g. new employee), change (e.g. change of name after marriage) and deletion (e.g. employee leaves)
  • Assignment of unique identifiers for each user
  • Avoidance of group identifiers

Measures to protect data during transmission

  • Provision via encrypted connections, e.g. use of HTTPS according to the state of the art
  • SSL certificate from trusted certification authorities
  • Data hashing (transformation of personal data into a specific character string)
  • Use of cryptographic tools

Measures to protect data during storage

  • Protection of secret keys with strong passwords
  • State-of-the-art encryption (asymmetric/symmetric)
  • Encryption of systems
  • Encryption of storage media
  • Encryption of data carriers
  • Encryption of communication (e.g. e-mail encryption)

Measures to ensure the physical security of places where personal data is processed

  • There is a concept for access regulations and physical access control (perimeter protection)
  • Clear rules for dealing with visitors (e.g. escort, security zones, visitor passes, logging, employee responsible for visitors) as part of the concept
  • Secure locking systems including documented key management
  • Fire-retardant cabinets/safes for storing essential components (e.g. backup tapes, important original documents)

Measures to ensure the logging of events

  • Logging and blocking of IOCs (Indicators of Compromise)
  • Logging at firewall level to detect and analyze unauthorized access between the networks
  • Logging of visitors
  • Logging the entry, modification and deletion of data

Measures to ensure the system configuration, including the default configuration

  • Automatic installation of security updates for the operating system and installed software
  • Carrying out regular data recovery tests and logging the results
  • Regular evaluation of information on security gaps in the software used
  • Regular evaluation of log files without cause to detect unusual entries

Measures for the internal governance and management of IT and IT security

  • Role profiles for employees, including the entries in the record of processing activities
  • Regular review (once a year) of whether the role assignments comply with the specifications and whether the roles still meet the requirements of the business activity
  • No administrator IDs for users who do not perform administrative tasks
  • Superuser accounts (e.g. root under Linux) are avoided as far as possible
  • Determination of contact persons and responsible project managers for the specific order
  • Conducting data protection training for all employees (including regular refresher training for existing staff)
  • Implementation of internal company data protection guidelines
  • Consistent involvement of the data protection officer (DPO) in security issues
  • Knowledge of the competent data protection supervisory authority and knowledge of the reporting obligation pursuant to Art. 33 and 34 GDPR
  • Relevant guidelines (e.g. on e-mail/Internet use, use of encryption technologies) are kept up to date and are easy to find
  • Obligation of employees to maintain data secrecy
  • Existence of a suitable organizational structure for information security

Measures for certification/quality assurance of processes and products

  • Regular sensitization of employees (at least annually)
  • Regular tests to ensure that all relevant data is included in the backup process and that the recovery works
  • Checking the effectiveness of the technical measures (at least annually)

Measures to ensure data minimization

  • Reduction of attributes
  • Reduction of processing options in processing steps
  • Definition of default settings for data subjects that limit the processing of their data to what is necessary for the processing purpose (privacy-friendly default settings)
  • Definition and implementation of a deletion concept

Measures to ensure data quality

  • Removing or correcting incorrect, duplicate and incomplete data records
  • Use of software tools that check data entries to ensure that they comply with certain standards or formats
  • Application of standardized formats and conventions across all data sources to ensure consistency
  • Training and awareness of employees regarding the importance of data quality and correct data management

Measures to ensure limited data retention

  • Collecting and storing only the data that is absolutely necessary for the intended purpose
  • Definition of a clear expiry time for the storage of data, after which the data is automatically deleted or anonymized
  • Conducting regular audits to ensure that data is reliably deleted after its retention period has expired
  • Ensuring that all data storage measures comply with local data protection laws and regulations

Measures to ensure accountability

  • A record of processing activities is maintained.
  • Deletion and storage concepts are maintained.
  • Regular review of the effectiveness of technical and organizational measures according to the PDCA cycle (Plan-Do-Check-Act).
  • Conducting data protection training for all employees (including regular refresher training for existing staff)
  • Implementation of internal company data protection guidelines.
  • Consistent involvement of the data protection officer (DPO) in security issues.
  • Knowledge of the competent data protection supervisory authority and knowledge of the reporting obligation pursuant to Art. 33 and 34 GDPR.
  • Relevant guidelines (e.g. on e-mail/Internet use, use of encryption technologies) are kept up to date and are easy to find.
  • Obligation of employees to maintain data confidentiality.

Measures to enable data portability and to ensure erasure

  • Deletion and storage concepts are maintained.
  • Definition of a clear expiry time for the storage of data, after which the data is automatically deleted or anonymized
  • Conducting regular audits to ensure that data is reliably deleted after its retention period has expired.
  • No storage of archive data in production databases, but transfer of archive data from production systems to the archive systems
  • Archive data must be effectively deleted after the retention period has expired.
  • Implementation of data protection training for all employees

TOM of the sub-processors used:

The Processor uses sub-processors to provide its services (see Annex IV). All sub-processors implement appropriate technical and organizational measures. Further information can be found at:


ANNEX IV - LIST OF SUB-PROCESSORS

The controller has authorized the use of the following sub-processors:

Subcontractor: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen
Type of processing: Hosting and provision of the basebox product, including the customer data processed therein.

Subcontractor: Telekom Deutschland GmbH, Landgrabenweg 151, 53227 Bonn
Type of processing: Hosting of the model and processing of the prompts entered as well as creation and transmission of the responses.

Appendix 2

MODULE FOUR: Transfer from processor to controller

STANDARD CONTRACTUAL CLAUSES

SECTION I

Clause 1

Purpose and scope of application

a) These standard contractual clauses are intended to ensure that the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)[1] are complied with when transferring personal data to a third country.

b) The parties:

i) the natural or legal person(s), public authority(ies), agency(ies) or other body(ies) listed in Annex I.A (hereinafter "entity(ies)") that transfers the personal data (hereinafter "data exporter"), and

ii) the entity or entities in a third country listed in Annex I.A that receive the personal data directly or indirectly through another entity that is also a party to these Clauses (each a "data importer"), have agreed to these standard contractual clauses (hereinafter referred to as "clauses").

c) These clauses apply to the transfer of personal data in accordance with Annex I.B.

d) The appendix to these clauses and the annexes contained therein form an integral part of these clauses.


Clause 2

Effect and unalterability of the clauses

a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies in accordance with Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, in relation to data transfers from controllers to processors and/or from processors to processors, standard contractual clauses in accordance with Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate module(s) or to add or update information in the Appendix. This does not prevent the parties from including the standard contractual clauses set out in these clauses in a more comprehensive contract and/or adding further clauses or additional safeguards, provided that they do not directly or indirectly conflict with these clauses or restrict the fundamental rights or freedoms of the data subjects.

b) These clauses are without prejudice to the obligations to which the data exporter is subject under Regulation (EU) 2016/679.


Clause 3

Third party beneficiaries

a) Data subjects may invoke and enforce these clauses as third-party beneficiaries against the data exporter and/or the data importer, with the following exceptions:

i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7

ii) Clause 8 - Module One: Clause 8.5(e) and Clause 8.9(b); Module Two: Clause 8.1(b), Clause 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1(b) and Clause 8.3(b)

iii) Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e)

iv) Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f)

v) Clause 13

vi) Clause 15.1(c), (d) and (e)

vii) Clause 16(e)

viii) Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18

b) The rights of data subjects under Regulation (EU) 2016/679 remain unaffected by point (a).


Clause 4

Interpretation

a) Where terms defined in Regulation (EU) 2016/679 are used in these clauses, these terms shall have the same meaning as in this Regulation.

b) These clauses must be interpreted in light of the provisions of Regulation (EU) 2016/679.

c) These clauses may not be interpreted in a way that conflicts with the rights and obligations provided for in Regulation (EU) 2016/679.


Clause 5

Priority

In the event of any conflict between these clauses and the terms of any related agreements between the parties existing at the time these clauses are agreed or entered into, these clauses shall prevail.


Clause 6

Description of the data transfer(s)

The details of the data transfer(s), in particular the categories of personal data transferred and the purpose(s) for which they are transferred, are set out in Annex I.B.


Clause 7 - optional

Tying clause

a) An entity that is not a party to these Clauses may accede to these Clauses as either a data exporter or a data importer at any time with the consent of the Parties by completing the Appendix and signing Annex I.A.

b) After completing the Appendix and signing Annex I.A, the acceding entity becomes a party to these Clauses and has the rights and obligations of a data exporter or a data importer according to its designation in Annex I.A.

c) No rights or obligations shall accrue to the acceding entity under these clauses for the period prior to its accession as a party.

SECTION II - OBLIGATIONS OF THE PARTIES

Clause 8

Data protection guarantees

The data exporter represents that it has satisfied itself, to the extent reasonably practicable, that the data importer is able to comply with its obligations under these clauses by implementing appropriate technical and organizational measures.

8.1 Instructions

a) The data exporter processes the personal data only on the documented instructions of the data importer, who acts as its controller.

b) The data exporter shall inform the data importer without undue delay if it is unable to comply with such instructions, including where such instructions are contrary to Regulation (EU) 2016/679 or other Union or Member State data protection law.

c) The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in relation to subprocessing or cooperation with the competent supervisory authorities.

d) At the choice of the data importer, the data exporter shall, upon completion of the data processing services, either erase all personal data processed on behalf of the data importer and certify to the data importer that this has been done, or return to the data importer all personal data processed on its behalf and erase existing copies.

8.2 Security of processing

a) The parties shall implement appropriate technical and organizational measures to ensure the security of the personal data, including during transmission, and to protect against any breach of security which, whether accidental or unlawful, results in the destruction, loss, alteration, unauthorized disclosure of, or access to, the personal data (hereinafter "Personal Data Breach"). In assessing the appropriate level of protection, they shall take due account of the state of the art, the cost of implementation, the nature of the personal data[2], the nature, scope, context and purpose(s) of the processing and the risks to the data subjects posed by the processing, and in particular consider encryption or pseudonymization, including during transmission, where this enables the purposes of the processing to be fulfilled.

b) The data exporter shall assist the data importer in ensuring appropriate security of the data in accordance with point (a). In the event of a personal data breach involving personal data processed by the data exporter pursuant to these Clauses, the data exporter shall notify the data importer of the breach without undue delay after becoming aware of it and assist the data importer in remedying the breach.

c) The data exporter warrants that the persons authorized to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.

8.3 Documentation and compliance with the clauses

a) The parties must be able to prove compliance with these clauses.

b) The data exporter shall provide the data importer with all information necessary to demonstrate compliance with its obligations under these Clauses and shall facilitate and contribute to audits.


Clause 9 [deleted]


Clause 10

Rights of data subjects

The Parties shall assist each other in responding to requests and inquiries made by data subjects in accordance with the local law applicable to the data importer or, in the case of data processing by the data exporter in the Union, in accordance with Regulation (EU) 2016/679.


Clause 11

Redress

a) The data importer shall inform the data subjects in a transparent and easily accessible manner, by means of individual notification or on its website, of a contact point authorized to handle complaints. It shall deal promptly with any complaints it receives from a data subject.


Clause 12

Liability

a) Each party shall be liable to the other party(ies) for any damage caused to the other party(ies) by a breach of these clauses.

b) Each party shall be liable to the data subject and the data subject shall be entitled to compensation for any material or non-material damage caused by the party to the data subject by infringing its rights as a third party beneficiary under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.

c) If more than one party is responsible for damage caused to the data subject as a result of a breach of these clauses, all responsible parties shall be jointly and severally liable and the data subject shall be entitled to take legal action against any of the parties.

d) The parties agree that a party that is held liable pursuant to subparagraph c) shall be entitled to recover from the other party/parties that part of the compensation that corresponds to their responsibility for the damage.

e) The data importer cannot rely on the conduct of a processor or sub-processor to avoid its own liability.


Clause 13 [deleted]

SECTION III - LOCAL LEGISLATION AND OBLIGATIONS IN THE CASE OF ACCESS TO DATA BY PUBLIC AUTHORITIES

Clause 14

Local laws and customs that affect compliance with the clauses

a) The parties warrant that they have no reason to believe that the laws and practices applicable to the processing of personal data by the data importer in the third country of destination, including requirements to disclose personal data or measures allowing public authorities access to such data, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of fundamental rights and freedoms and do not go beyond measures that are necessary and proportionate in a democratic society to ensure one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679 are not in conflict with these clauses.

b) The parties declare that they have duly considered the following aspects in particular with regard to the warranty in point (a):

i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used, intended data onward transfers, the nature of the recipient, the purpose of the processing, the categories and format of the personal data transferred, the economic sector in which the transfer takes place, the location of the transferred data,

ii) the relevant laws and practices of the third country of destination in view of the specific circumstances of the transfer (including those requiring disclosure of data to public authorities or permitting access by public authorities to such data) and the applicable restrictions and safeguards,[3]

iii) any relevant contractual, technical or organizational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during the transfer and processing of personal data in the country of destination.

c) The data importer represents that it has used its best efforts to provide the data exporter with relevant information in the context of the assessment referred to in point (b) and agrees that it will continue to cooperate with the data exporter to ensure compliance with these Clauses.

d) The parties agree to document the assessment in accordance with point (b) and to make it available to the competent supervisory authority on request.

e) The data importer agrees to notify the data exporter without undue delay during the term of the contract if, after agreeing to these clauses, it has reason to believe that it is or has become subject to laws or practices that are inconsistent with the requirements in point (a), including following a change in the laws of the third country or a measure (e.g. a disclosure request) indicating an application of those laws in practice that is inconsistent with the requirements in point (a).

f) Following a notification under point (e), or if the data exporter otherwise has reason to believe that the data importer can no longer comply with its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organizational measures to ensure security and confidentiality) to be taken by the data exporter and/or the data importer to remedy the situation. The data exporter shall suspend the data transfer if it considers that appropriate safeguards for such a transfer cannot be ensured or if it is instructed to do so by the competent supervisory authority. In this case, the data exporter is entitled to terminate the contract insofar as it concerns the processing of personal data under these clauses. If more than two parties are involved in the contract, the data exporter may exercise this right of termination only against the responsible party, unless the parties have agreed otherwise. If the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.


Clause 15

Obligations of the data importer in the event of access to the data by authorities

15.1 Notification

a) The data importer agrees to notify the data exporter and, where possible, the data subject (where appropriate with the assistance of the data exporter) without undue delay,

i) when it receives a legally binding request from a public authority, including judicial authorities, under the law of the country of destination for disclosure of personal data transmitted pursuant to these clauses (such notification shall include information about the personal data requested, the requesting authority, the legal basis of the request and the response provided), or

ii) if it becomes aware that an authority under the law of the country of destination has direct access to personal data transferred pursuant to these Clauses; such notification shall include all information available to the data importer.

b) Where the law of the country of destination prohibits the data importer from notifying the data exporter and/or the data subject, the data importer agrees to use its best efforts to lift the prohibition so that as much information as possible can be communicated as soon as possible. The data importer undertakes to document its efforts in order to be able to demonstrate them at the request of the data exporter.

c) To the extent permitted by the laws of the country of destination, the data importer agrees to provide the data exporter at regular intervals during the term of the contract with as much relevant information as possible about the requests received (in particular, number of requests, type of data requested, requesting authority or authorities, whether requests have been challenged and the outcome of such challenges, etc.).

d) The data importer agrees to retain the information referred to in points (a) to (c) for the duration of the contract and to make it available to the competent supervisory authority upon request.

e) Points (a) to (c) are without prejudice to the data importer's obligation under Clause 14(e) and Clause 16 to inform the data exporter without undue delay if it is unable to comply with these clauses.

15.2 Verification of legality and data minimization

a) The data importer agrees to review the legality of the disclosure request, in particular whether the request is within the scope of the powers conferred on the requesting authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to believe that the request is unlawful under the laws of the country of destination, under applicable obligations under international law and under the principles of international comity. Subject to the above conditions, the data importer may seek legal remedies. When challenging a request, the data importer shall seek interim measures to suspend the effect of the request until the competent judicial authority has decided on its merits. It shall only disclose the personal data requested if this is required by the applicable procedural rules. These requirements are without prejudice to the data importer's obligations under Clause 14(e).

b) The data importer agrees to document its legal assessment and any challenge to the disclosure request and to make these documents available to the data exporter to the extent permitted by the laws of the country of destination. Upon request, it shall also make these documents available to the competent supervisory authority.

c) The data importer agrees to provide the minimum amount of information permitted based on a reasonable interpretation of the request when responding to a disclosure request.

SECTION IV - FINAL PROVISIONS

Clause 16

Breaches of the clauses and termination of the contract

a) The data importer shall inform the data exporter immediately if it is unable to comply with these clauses for any reason whatsoever.

b) If the data importer breaches or is unable to comply with these clauses, the data exporter shall suspend the transfer of personal data to the data importer until the breach is remedied or the contract is terminated. This is without prejudice to Clause 14(f).

c) The data exporter shall be entitled to terminate the contract insofar as it relates to the processing of personal data under these Clauses if

i) the data exporter has suspended the transfer of personal data to the data importer pursuant to point (b) and compliance with these clauses has not been restored within a reasonable period of time and in any event within one month of the suspension,

ii) the data importer materially or persistently breaches these clauses, or

iii) the data importer fails to comply with a binding decision of a competent court or competent supervisory authority relating to its obligations under these Clauses.

In such cases, the data exporter shall notify the competent supervisory authority of such breaches. If more than two parties are involved in the contract, the data exporter may only exercise this right of termination against the responsible party, unless the parties have agreed otherwise.

d) Personal data collected by the data exporter established in the EU and transferred before the termination of the contract referred to in point (c) shall be erased immediately and completely, including any copies thereof. The data importer shall certify the erasure to the data exporter. Until the deletion or return of the data, the data importer shall continue to ensure compliance with these Clauses. Where the data importer is subject to local law prohibiting it from returning or deleting the personal data transferred, the data importer warrants that it will continue to ensure compliance with these Clauses and process such data only to the extent and for as long as is necessary under such local law.

e) Either party may withdraw its consent to be bound by these Clauses if (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 relating to the transfer of personal data to which these Clauses apply, or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data are transferred. This is without prejudice to other obligations applicable to the processing in question under Regulation (EU) 2016/679.


Clause 17

Applicable law

These clauses shall be governed by the law of a country that allows rights as a third party beneficiary. The parties agree that this is the law of the Federal Republic of Germany.


Clause 18

Jurisdiction and competence

Disputes arising from these clauses shall be settled by the courts of the Federal Republic of Germany.

[1] Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), insofar as these clauses and the data protection obligations laid down in the contract or other legal instrument between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This is particularly the case where the controller and the processor rely on the standard contractual clauses contained in Decision [...].

[2] This includes whether the transfer and further processing includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health, sex life or sexual orientation, or data relating to criminal convictions or offenses.

[3] Various elements may be included in the overall assessment to determine the impact of such legislation and practice on compliance with these clauses. These elements may include relevant and documented practical experience as to whether there have been previous requests for disclosure from authorities covering a sufficiently representative timeframe or whether there have been no such requests. This includes, in particular, internal records or other evidence that has been compiled with due diligence on an ongoing basis and confirmed by senior management, provided that this information can be lawfully disclosed to third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these clauses, this must be supported by other relevant objective elements; it is for the parties to carefully consider whether all these elements are sufficiently reliable and representative to support the conclusion reached. In particular, the parties must consider whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible reliable information on the existence or non-existence of requests within the same industry and/or on the application of the legislation in practice, such as case law and reports of independent supervisory bodies.