Briink Intelligence GmbH
Updated May 3, 2023
These terms of service (the “Agreement”) govern the Customer’s acquisition and use of Services offered by Briink Intelligence GmbH, Max-Urich Straße 3, 13355 Berlin, Germany (“Briink”).
The Customer agrees to the terms of this Agreement by: (a) executing an Order Form that references this Agreement; or (b) using the Services as part of a trial evaluation, either for free or at a reduced service fee.
If the individual accepting this Agreement is accepting on behalf of a company or other legal entity, such individual represents that they have the authority to bind such entity and its Affiliates to this Agreement, and the term “Customer” shall refer to such entity and its Affiliates. If the individual accepting this Agreement does not have such authority or does not agree with the terms and conditions of this Agreement, such individual must not accept this Agreement and may not use the Services.
If Customer is provided with access to the Services for free or at a reduced service fee basis as part of a trial evaluation, the section of this Agreement entitled “Trial Services” will govern such access.
The Services may not be accessed for the purposes of monitoring their availability, performance or functionality, or for any other benchmarking or competitive purposes. Briink’s competitors are prohibited from accessing the Services, except with Briink’s prior written consent.This Agreement is effective as of the date the Customer accepts this Agreement.
In addition to capitalized terms defined elsewhere in this Agreement, the following terms shall have the meanings set forth below:
1.1 “Affiliate” means an entity that controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership of control of more than 50% of the voting interests of the subject entity.
1.2. “Customer” means, in the case of an individual accepting this Agreement on his or her own behalf, such individual, or in the case of an individual accepting this Agreement on behalf of a company or other legal entity, the company or other legal entity for which such individual is accepting this Agreement, and Affiliates of that company or entity (while they remain Affiliates) which have entered into Order Forms.
1.3. “Customer Data” means electronic data and information submitted by or for the Customer to the Services.
1.4. “Customer Marks” means Customer’s trademarks, tradenames, service marks, and logos.
1.5. “Documentation” means all specifications, user manuals, and other materials relating to the Services and provided or made available by Briink to the Customer, as may be modified by Briink from time to time.
1.6. “Order Form” means each written order or online order specifying the Services to be provided under this Agreement and applicable Fees, that is entered into between the Customer and Briink. By entering into an Order Form, a Customer Affiliate agrees to be bound by the terms of this Agreement as if it were an original party hereto.
1.7. “Purchased Services” means Services that the Customer or the Customer’s Affiliate purchases under an Order Form, as distinguished from Trial Services.
1.8. “Reports” means analyses and recommendations for the Customer designed to improve its compliance with the applicable standards specified in the Services as may be provided by Briink via the Services from time to time.
1.9. “Services” means the products and services that are ordered by the Customer under an Order Form or provided to the Customer under a free trial or reduced service fee basis, including any associated offline components.
1.10. “Trial Services” means Services that Briink makes available to the Customer as part of a trial evaluation basis, for free or at a reduced service fee, including as part of an evaluation or proof of concept. Trial Services exclude Purchased Services.
1.11. “User” means, in the case of an individual accepting this Agreement on their own behalf, such individual, or, in the case of an individual accepting this Agreement on behalf of a company or other legal entity, an individual who the Customer authorizes to use the Services pursuant to the Customer’s rights under this Agreement, for whom the Customer has purchased a subscription (or, for Trial Services, for whom Services have been provisioned by Briink), and to whom the Customer (or, when applicable, Briink at the Customer’s request) has supplied a username and password. Users may include, for example, employees, consultants, contractors and agents of the Customer.
2. Briink Responsibilities
2.1. Purchased Services. Briink will: (a) make the Purchased Services available to the Customer under the terms of this Agreement, applicable Order Form(s) and the Documentation; (b) provide support for the Purchased Services in accordance with Briink’s standard support policy; and (c ) comply with laws and government regulations applicable to Briink’s provision of the Purchased Services to its customers, subject to the Customer’s and Users’ use of the Purchased Services in accordance with this Agreement, applicable Order Form(s) and the Documentation.
2.2. Security and Protection of Customer Data. Any processing of personal data of the Customer by Briink shall be governed by its Data Processing Addendum in accordance with Art. 28 GDPR, which is attached hereto as Appendix A.
2.3. Reports. As part of the Services, Briink may from time to time provide Reports to the Customer via the Services. The Customer may access and use such Reports for its own internal business purposes in accordance with the terms and conditions of this Agreement.
2.4. Trial Services. If the Customer has agreed with Briink to the provision of Trial Services, Briink will make the applicable Trial Services available to the Customer free of charge or at a reduced service fee basis until the earlier of: (a) the end of the trial period communicated by Briink to Customer; or (b) the start date of any Purchased Services subscriptions ordered by Customer for such Service(s); or (c ) termination by Briink in its sole discretion.
3. Use of Services
3.1. User Access. Each User will use a unique username and password to access the Services. The unique usernames and passwords cannot be shared or used by more than one individual User to access the Services. The Customer agrees to provide to Briink information and other assistance as necessary to enable Briink to establish Users’ access to the Services and will verify all User requests for access to the Services. The Customer is solely responsible for all activities that occur under User accounts.
3.2. Customer Responsibilities. The Customer will: (a) use the Services only in accordance with this Agreement, Order Forms, Documentation and applicable laws and government regulations; (b) be responsible for Users’ compliance with this Agreement, Order Forms and Documentation; (c )be responsible for the accuracy, quality and legality of the Customer Data, including the means by which the Customer acquired Customer Data, and the Customer’s use of Customer Data with the Services; and (d) use commercially reasonable efforts to prevent unauthorized access to or use of the Services, and notify Briink promptly of any such unauthorized access or use. Any use of the Services in breach of the foregoing by the Customer or Users that in Briink’s judgment threatens the security, integrity or availability of Briink’s services, may result in Briink’s immediate suspension of the Services, however Briink will use commercially reasonable efforts to provide notice and an opportunity to remedy such violation or threat prior to any such suspension.
3.3 Use Restrictions. The Customer will not, and will ensure its Users will not: (a) make the Services available to anyone other than the Customer or its Users, or use the Services for the benefit of anyone other than the Customer or its Affiliates, except as expressly allowed in an Order Form; (b) modify, adapt, alter or translate the Services; (c ) sublicense, lease, sell, resell, rent, loan, or distribute the Services, or any part thereof, or include the Services in a service bureau or outsourcing offering; (d) reverse engineer, decompile, disassemble, or otherwise derive or determine or attempt to derive or determine the source code (or the underlying ideas, algorithms, structure or organization) of the Services or any part thereof, except as permitted by law; (e) interfere in any manner with the operation of the the Services or the hardware and network used to operate the same, or attempt to probe, scan or test vulnerability of the Services without prior authorization of Briink; (f) use the Services to store or transmit infringing, libelous, or otherwise unlawful or tortious material, or to store or transmit material in violation of third-party privacy rights; (g) modify, copy, disclose (except as expressly authorized in this Agreement) or make derivative works based on any part of the Services; (h) access or use the Services, or any feature, information or functionality thereof, to build a similar or competitive product or service or otherwise engage in competitive analysis or benchmarking; (i) attempt to access the Services through any unapproved interface; (j) use the Services in connection with any of Customer’s time-critical or mission-critical functions; (k) remove, alter, or obscure any proprietary notices (including copyright and trademark notices) of Briink or its licensors on the Services or any copies thereof; (l) upload to the Services any Customer Data that contains any sensitive personal information (such as financial, medical or other sensitive personal information such as government IDs, passport numbers, protected health information, credit card data, or social security numbers); or (m) otherwise use the Services in any manner that exceeds the scope of use permitted under applicable Order Forms.
3.4. Third-Party Integrations. The Services may integrate with certain third-party websites and applications. Third-Party Services shall be governed solely by the terms and conditions applicable to such Third-Party Services, as agreed to between the Customer and the Third-Party Services providers. Briink does not endorse or support and is not responsible for Third-Party Services, including without limitation, the privacy and data security policies and practices related to Third-Party Services. The Customer may enable integrations between the Services and Third-Party Services, and by doing so: (a) instructs Briink to share Customer Data (including, to the extent necessary, any Personal Data) with the providers of such Third-Party Services in order to facilitate the integration; and (b) grants Briink permission to allow Third-Party Services and its providers to access Customer Data and information about Customer’s usage of the Third-Party Services as appropriate for the interoperation of Third-Party Services with the Services. The Customer is responsible for providing all instructions to the Third-Party Services providers about the use and protection of Customer Data. Briink and Third-Party Services providers are not processors or sub-processors of Personal Data with respect to each other.
4. Fees and Payments
4.1. Fees. Customer will pay to Briink all fees set forth in Order Forms or Pilot Agreements (the “Fees”). Except as otherwise set forth in this Agreement or an Order Form, payment obligations are non-cancelable, and Fees paid are non-refundable. Except as otherwise set forth in an Order Form, Briink may increase the Fees upon renewal of each Order Form subscription term by providing written notice to Customer at least forty-five (45) days prior to the commencement of the applicable renewal subscription term.
4.2. Invoices and Payments. Except as otherwise set forth in the relevant Order Form, Briink will invoice Customer, or, where Customer has provided valid credit card information to Briink, Briink will charge Customer, for all Fees annually in advance. Unless otherwise stated in the Order Form, full payment for invoiced Fees is due within 30 days after the invoice date.
4.3. Late Payments. Customer will be responsible for reasonable costs and expenses incurred by Briink in the collection of any overdue Fees. If any Fees are 15 days or more overdue, Briink may, without limiting its other rights and remedies, immediately suspend Services until such amounts are paid in full, provided that Briink will use commercially reasonable efforts to give Customer at least 5 days’ prior written notice that its account is overdue before suspending Services.
4.4. Payment Disputes. Briink will not exercise its rights under the “Late Payments” section above if Customer is disputing the applicable charges reasonably and in good faith and is cooperating diligently to resolve the dispute.
4.5. Taxes. All amounts stated in or in relation to this Agreement are, unless the context requires otherwise, stated exclusive of any applicable value added taxes or other specific taxes such as withholding tax, which will be added to those amounts and are payable by the Customer to either Briink or, as applicable, directly to the local tax authorities.
5. Term and Termination
5.1. Term. This Agreement will begin on the commencement date of any Trial Services, if applicable, or the effective date of the first Order Form between the Parties, and will continue for as long as any Order Form remains in effect, unless earlier terminated in accordance with this Agreement (the “Term”).
5.2. Term of Order Forms. The initial term of each Order Form will begin on effective date of such Order Form and continue for the subscription term set forth therein. Except as set forth in such Order Form, each Order Form will automatically renew for successive renewal terms equal in length to the initial term of such Order Form, unless either party provides the other party with written notice of non-renewal at least thirty (30) days prior to the end of the then-current subscription term.
5.3. Termination for Cause. Either party may terminate this Agreement immediately upon notice to the other party if: (a) the other party materially breaches this Agreement, and such breach remains uncured more than thirty (30) days after receipt of written notice of such breach; or (b) the other party: (i) becomes insolvent; (ii) files a petition in bankruptcy that is not dismissed within sixty (60) days of commencement; or (c ) makes an assignment for the benefit of its creditors.
5.4. Effect of Termination. Upon the earlier of expiration or termination of this Agreement, the rights and licenses granted to the Customer hereunder will immediately terminate, the Customer will cease use of the Services and Documentation, and the Customer will return or destroy all copies of the Documentation in its possession or control. Termination or expiration will not relieve the Customer of its obligation to pay all Fees that accrued prior to such expiration or termination.
5.5. Return of Customer Data. Upon request by the Customer made within 30 days after the effective date of termination or expiration of this Agreement, Briink will make Customer Data available to the Customer. After such 30-day period, Briink will have no obligation to maintain any Customer Data, and will thereafter delete or destroy all copies of Customer Data in its systems or otherwise in its possession or control, unless legally prohibited.
5.6. Survival. The sections titled “Services Fees and Payments,” “Effect of Termination,” “Survival,” “Proprietary Rights and Licenses,” “Confidentiality,” “Disclaimers,” “Mutual Indemnification,” “Limitation of Liability,” and “Miscellaneous” will survive and termination or expiration of this Agreement, and the section titled “Security and Protection of Customer Data” will survive any termination or expiration of this Agreement for so long as Briink retains possession of Customer Data.
6. Proprietary Rights and Licenses
6.1. The Services. Briink, its Affiliates and licensors reserve all right, title and interest in and to the Services and Documentation, including all of their related intellectual property rights, and any and all related and underlying technology and documentation, and any derivative works, modifications, or improvements of any of the foregoing. No rights are granted to the Customer hereunder other than as expressly set forth herein.
6.2. Customer Data. The Customer Data is owned exclusively by the Customer. The Customer grants to Briink, its Affiliates and applicable contractors a non-exclusive, worldwide, royalty-free license to host, copy, use, display, transmit, analyze, and model Customer Data as appropriate for Briink to provide and ensure proper operation of the Services to the Customer, and for Briink’s internal research, development, and improvement purposes, including but not limited to, analytics and machine learning modeling.
6.3. Feedback. The Customer hereby grants Briink a perpetual, irrevocable, royalty-free and fully paid right to use and otherwise exploit in any manner any suggestions, ideas, enhancement requests, feedback, recommendations or other information provided by the Customer related to the Services or other Briink products or services, including for the purpose of improving and enhancing the Services, provided that Customer is not referenced in such use.
6.4. Aggregated Information. Briink may aggregate, collect and analyze information relating to the provision, use and performance of the Services and may use (during and after the Term) such information to develop and improve the Services and other Briink offerings, including disclosure of such information to third parties in an aggregated and anonymized format such that no Customer nor any individual or household can be identified.
6.5. Customer Marks. The Customer Marks are the exclusive property of the Customer. Briink may use Customer’s name and Customer Marks in its Customer list (including on Briink’s website, social media and in sales and marketing materials) in the same way it uses the names of its other customers. Briink shall use Customer Marks in accordance with Customer’s applicable branding guidelines if provided to Briink and Briink may not use Customer’s name or Customer Marks in any other way without Customer’s prior written consent (with email consent deemed sufficient).
7.1. Definition of Confidential Information. “Confidential Information” shall mean any information disclosed by either party (the “Disclosing Party”) to the other party (the “Receiving Party”), either directly or indirectly in writing, orally, or by inspection of tangible objects (a) that the disclosing party identifies as confidential or proprietary; or (b) that reasonably appears to be confidential or proprietary because of legends or other markings, the circumstances of disclosure, or the nature of the information itself. Confidential Information of the Customer includes Customer Data; Confidential Information of Briink includes the Services, all technical information relating thereto, and the terms and conditions of this Agreement and all Order Forms (including pricing). Confidential Information does not include information that the Receiving Party can document: (i) is or becomes generally available to the public other than through a wrongful act of the Receiving Party; or (ii) was lawfully in its possession or known by it prior to receipt from the Disclosing Party; or (iii) was rightfully disclosed to it without restriction by a third party who is not bound by any confidentiality obligations with respect thereto; or (iv) is independently developed by the Receiving Party, its employees or third-party contractors without use of or reference to the Confidential Information. For clarity, the non-disclosure obligations set forth in this “Confidentiality” section apply to Confidential Information exchanged between the parties in connection with the evaluation of additional Briink services and offerings.
7.2. Protection of Confidential Information. All Confidential Information disclosed by Disclosing Party shall remain the property of the Disclosing Party. The Disclosing Party reserves all rights in its Confidential Information. The Receiving Party will use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but not less than reasonable care) to: (a) not use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement; and (b) except as otherwise authorized by the Disclosing Party in writing, limit access to Confidential Information of the Disclosing Party to those of its and its Affiliates’ employees and contractors who need that access for purposes consistent with this Agreement and who have signed confidentiality agreements with the Receiving Party containing protections not materially less protective of the Confidential Information than those herein. Neither party will disclose the terms of this Agreement or any Order Form to any third party other than its Affiliates, legal counsel and accountants without the other party’s prior written consent, provided that a party that makes any such disclosure to its Affiliate, legal counsel or accountants will remain responsible for such Affiliate’s, legal counsel’s or accountant’s compliance with this “Confidentiality” section. Notwithstanding the foregoing, Briink may disclose the terms of this Agreement and any applicable Order Form to a contractor to the extent necessary to perform Briink’s obligations under this Agreement, under terms of confidentiality materially as protective as set forth herein.
7.3. Compelled Disclosure. Either party may disclose Confidential Information to the extent required by law, provided that the Receiving Party gives the Disclosing Party reasonable advance notice of such required disclosure and cooperates with the Disclosing Party so that the Disclosing Party may obtain appropriate confidential treatment for such Confidential Information.
8. Representations, Warranties and Disclaimers
8.1. Representations. Each party represents that it has validly entered into this Agreement and has the legal power to do so.
8.2. Briink Warranties. Briink warrants that during the applicable subscription term Briink will not: (a) materially decrease the overall functionality of the Services; or (b) materially decrease the overall security of the Services.
8.3. Warranty Remedies. The Customer will notify Briink of any non-conformance of the Services under a warranty above within 30 days. Provided that the Customer notifies Briink within such time, Briink will use commercially reasonable efforts to correct the non-conformance at no additional charge. If Briink is unable to correct such non-conforming Services as warranted within a reasonable time, the Customer will be entitled to terminate the applicable Order Form and receive a prorated refund of any prepaid, unused Fees covering the remainder of the subscription term. The foregoing remedy is the Customer’s sole remedy in case of a breach of the limited warranties above.
9. Mutual Indemnification
9.1. Indemnification by Briink. Briink will defend the Customer against any claim, demand, suit or proceeding made or brought against the Customer by a third party alleging that the Purchased Services infringe or misappropriate such third party’s intellectual property rights in Germany (each, a “Claim Against Customer”), and will indemnify the Customer from any damages, attorney fees and costs finally awarded against the Customer as a result of, or for amounts paid by the Customer under a settlement approved by Briink in writing of, a Claim Against Customer, provided Customer: (a) promptly gives Briink written notice of the Claim Against Customer; (b) gives Briink sole control of the defense and settlement of the Claim against the Customer; and (c ) gives Briink all reasonable assistance, at Briink’s expense. If Briink receives information about an infringement or misappropriation claim related to the Services, Briink may in its discretion and at no cost to the Customer: (i) modify the Services so that they are no longer claimed to infringe or misappropriate; (ii) obtain a license for the Customer’s continued use of the Services in accordance with this Agreement; or (iii) terminate the Customer’s subscriptions for the Services upon 30 days’ written notice and refund the Customer any prepaid fees covering the remainder of the subscription term of the terminated Services. The above defense and indemnification obligations do not apply if a Claim Against Customer arises from: (I) the use or combination of the Services or any part thereof with software, hardware, data, or processes not provided by Briink, if the Services or use thereof would not infringe without such combination; (II) modifications to the Services not made by Briink; or (III) the Customer’s breach of this Agreement, applicable Order Forms or the Documentation.
9.2. Indemnification by the Customer. The Customer will defend Briink and its Affiliates against any claim, demand, suit or proceeding made or brought against Briink by a third party arising from: (a) the Customer’s use of the Services in an unlawful manner or in violation of this Agreement, an Order Form or the Documentation; or (b) any Customer Data or the Customer’s use of Customer Data with the Services (each, a “Claim Against Briink”), and will indemnify Briink from any damages, attorney fees and costs finally awarded against Briink as a result of, or for any amounts paid by Briink under a settlement approved by the Customer in writing of, a Claim Against Briink, provided Briink: (i) promptly gives the Customer written notice of the Claim Against Briink; (ii) gives the Customer sole control of the defense and settlement of the Claim Against Briink; and (iii) gives the Customer all reasonable assistance, at the Customer’s expense. The above defense and indemnification obligations do not apply if a Claim Against Briink arises from Briink’s breach of this Agreement, applicable Order Forms or the Documentation.
9.3. Sole and Exclusive Remedy. This Section 9 sets forth the indemnifying party’s sole liability to, and the indemnified party’s exclusive remedy against, the other party for the third-party claims described herein.
10. Limitation of Liability
10.1. Wilful Misconduct. In case of wilful misconduct, Briink shall be liable according to the statutory provisions of applicable law.
10.2. Gross Negligence. In case of gross negligence, Briink shall be liable according to the statutory provisions of applicable law.
10.3 Ordinary Negligence. In case of ordinary negligence, Briink shall – provided that the standard of liability is not limited according to statutory provisions of applicable law (such as any limitation to the duty of care observed in own affairs) – only be liable for breach of material contractual obligations (material contractual obligations are obligations the breach of which endangers the purpose of the agreement and the fulfilment of which the Customer generally relies and may reasonably rely on); in this case Briink’s liability shall be limited to the typical damages that were reasonably foreseeable. Therefore, indirect and consequential damages resulting from defects of the delivered goods and/or work are only eligible for compensation if such damages are typical and reasonably foreseeable and when the goods and/or work are used in conformity with its intended purpose.
10.4 Exceptions to Ordinary Negligence. The aforementioned limitations do not apply to: (i) damages resulting from injury to life, body or health; (ii) liability pursuant to the German Product Liability Act; (iii) the assumption of a guarantee for the condition of goods and/or work or fraudulent concealment of defects by Briink
10.5. The aforementioned limitations of liability shall, subject to the provisions of Section 10.4, apply to (i) any liability claims for whatever legal reason but in particular due to impossibility, default, defective or incorrect delivery, breach of contract, breach of obligations in contractual negotiations and tort, as far as such claims are subject to fault, and (ii) any breach of duty by vicarious agents or any other person for whose conduct Briink can be held liable according to the statutory provisions of applicable law.
11.1. Relationship Between the Parties. Briink is an independent contractor; nothing in this Agreement will be construed to create a partnership, joint venture, or agency relationship between the parties.
11.2. Anti-Bribery. Neither party has received or been offered any illegal or improper bribe, rebate, payoff, influence payment, kickback, or other thing of value from an employee or agent of the other party in connection with this Agreement.
11.3. Assignment. Neither party may assign or transfer its rights or obligations under this Agreement without the prior written consent of the other party, and any assignment or transfer in derogation of the foregoing shall be null and void, provided, however that either party shall have the right to assign the Agreement, without the prior written consent of the other party, to the successor entity in the event of merger, corporate reorganization or a sale of all or substantially all of such party’s assets. This Agreement shall be binding upon the parties and their respective successors and permitted assigns.
11.4. Notices. All notices required or permitted under this Agreement must be delivered in writing, if to Briink, by emailing firstname.lastname@example.org and if to the Customer by emailing the Customer Point of Contact email address listed on the Order Form, provided, however, that with respect to any notices relating to breaches of this Agreement or termination, a copy of such notice will also be sent in writing to the other party at the party’s address as listed on the Order Form by courier, by certified or registered mail (postage prepaid and return receipt requested), or by a nationally-recognized express mail service. Each party may change its email address and/or address for receipt of notice by giving notice of such change to the other party.
11.5. Governing Law and Jurisdiction. This Agreement shall be governed by the laws of the Federal Republic of Germany, excluding the conflict of laws rules of private international law. The applicability of the UN Convention on Contracts for the International Sale of Goods (CISG) is excluded.
11.6. Waivers; Severability. Any waivers shall be effective only if made by a writing signed by representatives authorized to bind the parties. Any waiver or failure to enforce any provision of this Agreement on one occasion will not be deemed a waiver of any other provision or of such provision on any other occasion. If any provision of this Agreement is unenforceable, such provision will be changed and interpreted to accomplish the objectives of such provision to the greatest extent possible under applicable law and the remaining provisions will continue in full force and effect.
11.7. Construction. The headings of Sections of this Agreement are for convenience and are not to be used in interpreting this Agreement. As used in this Agreement, the word “including” means “including but not limited to.”
11.8. Force Majeure. Any delay in the performance of any duties or obligations of either Party (except for the obligation to pay Fees owed) will not be considered a breach of this Agreement if such delay is caused by a labor dispute, shortage of materials, war, fire, earthquake, typhoon, flood, natural disasters, governmental action, pandemic/epidemic, cloud-service provider outages any other event beyond the control of such Party, provided that such Party uses reasonable efforts, under the circumstances, to notify the other Party of the circumstances causing the delay and to resume performance as soon as possible.
11.9. Entire Agreement; Amendment. This Agreement and any applicable Order Form constitutes the complete agreement between the Parties and supersedes all previous and contemporaneous agreements, proposals, or representations, written or oral, concerning the subject matter of this Agreement. To the extent that a conflict arises between the terms and conditions of an Order Form or SOW and the terms of this Agreement, the terms and conditions of the Order Form or SOW will govern. It is expressly agreed that the terms and conditions of this Agreement and any Order Form supersede the terms any of Customer’s purchase order.
Briink Intelligence GmbH
Data Processing Addendum
1.1 This addendum (the “Data Processing Addendum“) forms part of the subscription agreement between the Customer and Briink relating to the services offered to the Customer by Briink pursuant to its terms of service (the “Terms of Service”).
2. Object and Term
2.1 This Data Processing Addendum specifies the rights and obligations of the Parties that result from processing by Briink of Customer Data (as defined in the Terms of Service).
2.2. For this purpose, the Customer hereby retains Briink as processor within the meaning of Art. 28 GDPR. Any terms used in this Data Processing Addendum shall have the meanings defined in the GDPR.
3. Principle of Processing Based on a Contract (Art. 28(1) GDPR) and Processing Abroad
3.1 Briink ensures that it will implement suitable technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensures protection of the rights of data subjects. The details result from section 8 of this Data Processing Addendum.
4. Subcontracting (Art. 28 (2), (3) Point (d), (4) GDPR)
4.1 Briink shall not engage any further contractor ("Subcontractor") without the prior specific or general written authorization of the Customer.
4.2. The Customer hereby grants its specific authorisation to engage the following Subcontractors:
- Compute Servers & Logging: Google Cloud Platform, 1600 Amphitheatre Pkwy, Mountain View, California, United States
- Web Servers & Databases: HubSpot, Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141, United States
- Data Warehouse & Product Analytics: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland
- Project Management: GSuite by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
- Customer Relationship Management: Slack Technologies, Inc., 500 Howard St, San Francisco, CA 94105, USA
- Credentials Management: 1password by AgileBits Inc., a Canadian company located at 4711 Yonge St, 10th Floor, Toronto, Ontario, M2N 6K8, Canada
- Data Warehouse: Neo4j Legal111 East 5th AvenueSan Mateo, CA. 99401
- Product analytics: June Inc. 5 Villa Terrace, San Francisco, CA, 9411, United States
4.3 The Customer hereby grants its general authorisation to the engagement of Subcontractors.
4.4 Briink informs the Customer in respect of the above general authorisation of any intended changes concerning the addition or replacement of Subcontractors, thereby giving the Customer the opportunity to object to such changes.
4.5 Where Briink engages another Subcontractor for carrying out specific processing activities on behalf of the Customer, the same data protection obligations as set out in this Data Processing Addendum shall be imposed on the Subcontractor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient safeguards to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. The parties clarify that in order to impose the same data protection obligations it is sufficient if the level of protection under the subcontract corresponds to the level of protection under this Data Processing Addendum.
4.6 Subcontracting within the meaning of this provision shall not include such services that Briink utilizes from third parties as ancillary services for support when performing its services. This applies to e.g. telecommunication services, maintenance and user services, cleaning personnel, auditors or disposal of data carriers. However, also in case such services are outsourced, Briink is obliged to provide for appropriate and legally compliant contractual agreements and to take control measures in order to ensure the protection and security of the data of the Customer.
5. Categories of Data Subjects, Type of Personal Data as well as Scale and Purpose of Processing (Art. 28(3) GDPR)
Schedule 1 of this Data Processing Addendum lists the following information that must be observed as a proviso for processing by Briink:
1. the categories of data subjects;
2. the types of personal data; and
3. the scale and purpose of processing.
6. Instruction Rights of the Customer (Point (a) of Art. 28(3) GDPR)
6.1 The personal data are only processed on documented instructions from the Customer, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which Briink is subject. In such a case, Briink shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
6.2 The instruction right of the Customer concerning the type, scale and procedure of processing of its personal data is limited to the scope of the order provided for in this Data Processing Addendum. As far as Briink agrees to follow instructions exceeding the scope of the order as provided for in this Data Processing Addendum, the Customer will have to reimburse Briink for the corresponding expenditure.
6.3 The Customer shall issue its instructions in writing or by email (in text form).
6.4 Briink shall use the personal data covered by this Data Processing Addendum for no other purposes than to perform the Terms of Service. This shall not include backup copies as far as these are required to ensure proper processing activities, as well as data that are required for compliance with statutory archiving obligations.
7. Control Rights of Customer
7.1 Upon written request and within a reasonable period of time, Briink commits to providing the Customer with all information required for the verification of compliance with the contractual agreements under this Data Processing Addendum, if and to the extent required under Art. 28 GDPR.
7.2 For this, Briink may also submit current certificates, reports or excerpts from reports from independent instances (e.g. public accountants, auditors, data protection officer, IT security department, data protection auditors, quality auditors) or suitable certification by an IT security or data protection audit.
7.3 The Customer shall reimburse Briink for the expenses incurred in providing the information.
8. Obligation to Confidentiality and Data Secrecy (Point (b) of Art. 28(3) GDPR)8.1 Briink shall ensure that persons authorized to process the personal data under this contract have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
9. Technical and Organizational Measures (Point (c) Art. 28(3), and Art. 32 GDPR)
9.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Briink and the Customer shall – each in their sphere of responsibility – implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
9.2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
9.3 The technical and organizational measures to be taken by Briink result from Schedule 2 of this Data Processing Addendum. The Customer acknowledges that the adherence to the measures described in Schedule 2 will suffice to meet the requirements of this section 8.
9.4 Briink shall be entitled at any time to replace the technical and organizational measures specified in Schedule 2 to this Data Processing Addendum with other measures, provided that Briink meets the requirements set out in section. 8 para. 1.
9.5 Briink shall ensure that any natural person acting under its authority who has access to personal data does not process them except on instructions from the Customer, unless he or she is required to do so by Union or Member State law.
10. Briink’s Notification Obligations (Art. 33 GDPR)10.1 Briink shall inform the Customer without undue delay pursuant to Art. 33 (2) GDPR if he or she becomes aware of a breach of the protection of Customer Data (as defined in the Terms of Service). 10.2 The Customer shall reimburse Briink for the expenses incurred in providing the information, unless the breach of the protection of Customer Data is due to Briink’s fault.
11. Obligations to Support the Controller (Points (e), (f), (h) of Art. 28(3) GDPR
11.1 Briink is obligated to assist the Customer with appropriate technical and organizational measures, insofar as this is possible, taking into account the nature of the processing, for the fulfillment of the Customer's obligation to respond to requests for exercising the data subject's rights ("Data Subject's Rights") laid down in Chapter III of the GDPR.
11.2 Briink shall be obligated to assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of processing and the information available to it.
11.3 Briink shall be obligated to make all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR available to the Customer and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
11.4 Briink shall immediately inform the Customer if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.
11.5 The Customer shall reimburse Briink for the expenses incurred in providing the support pursuant to this section 11
12.1 The confidentiality rules of the Terms of Service shall remain unaffected.
13.1 This Data Processing Addendum shall enter into effect upon the Customer agreeing to the Terms of Service and shall apply for the duration of the Term, as set out in the Terms of Service.
13.2 The termination of the Terms of Service, no matter the reason, shall lead to the corresponding premature termination of this Data Processing Addendum.
14. Erasure Obligation and Return Obligation after Termination (Point (g) Art. 28(3) GDPR)
14.1 After completion of rendering of processing services, Briink shall be obligated to, at the choice of the Customer, either delete all Customer Data or return them, unless Union or Member State law requires storage of the personal data.
14.2 The Customer shall reimburse Briink for the expenses incurred in providing the services pursuant to this section 14.
15. Data Protection Officer
15.1 Briink shall designate a data protection officer in writing, under observation of Art. 37 to 39 GDPR, except if designation is not required according to the provisions of the GDPR or the BDSG.
15.2 The respective current contact details of the data protection officer shall be filed and made easily accessible on the homepage of the website of Briink in accordance with Art. 37(7) GDPR and must be disclosed to the Customer separately, except if designation is not required according to the provisions of the GDPR or the BDSG.
15.3 Briink shall not have any claim to any further remuneration and/or reimbursement for any expenses under this Data Processing Addendum, unless otherwise expressly stipulated.
15.4 Insofar as services of Briink under this Data Processing Addendum are marked as subject to remuneration, the corresponding services of Briink shall be remunerated per expense on the basis of the remuneration rates agreed in the Terms of Service. If no remuneration rates have been agreed for certain services, the general remuneration rates of the Customer in the version valid at the time the services are provided shall apply.
16.1 The liability provisions of Sec. 10 of the Terms of Service shall apply accordingly to this Data Processing Addendum.
17. Final Provisions
17.1 This Data Processing Addendum shall be an integral part of the Terms of Service.
17.2 In case of deviations between the provisions of the Terms of Service and this Data Processing Addendum, the provisions of this Data Processing Addendum shall take precedence.
Categories of data subjects, types of personal data, scale and purpose of processing
1. Categories of Data Subjects
Data of the Customer's investees, investors, end-customers and their employees, if applicable.
2. Types of Personal Data
The types of personal data will be environmental, social, and governance data, purchase order data, marketing data, sales data, session data, and financial reporting data, always provided such data constitutes personal data.
3. Scale of Processing
The scale of processing is determined by the Terms of Service.
4. Purpose of Processing
The purpose of processing is the performance of the Terms of Service.
Technical and Organizational Measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, Briink shall, in its capacity as processor, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to the following:
1. Confidentiality (Art. 32 para. 1 lit. b DS-GVO)
1.1. Physical Access Control. Briink shall prevent unauthorized persons from gaining access to data processing systems in which the Customer’s personal data are processed and used. To this end, Brink shall take the following precautions:
1. Alarm system
2. Automatic access control system
3. Locking system with code lock
4. Video surveillance of the entrances
5. Security locks
6. Key regulation (key issue etc.)
7. Personal check at the gatekeeper / reception
8. Logging of visitors
9. Careful selection of cleaning personnel
10. Careful selection of security guards
11. Obligation to carry credentials
2. Authentication Control
Briink shall ensure that data processing systems cannot be used by unauthorized persons. To this end, Briink shall take the following precautions, in particular by using state-of-the-art encryption procedures:
1. Assignment of user rights
2. Create user profiles
3. Password assignment
4. Authentication with username / password and a second factor
5. Use of VPN technology
6. Encryption of mobile data carriers
7. Encryption of data carriers in laptops / notebooks
8. Deployment of a hardware/software firewall
9. SSH key rotation
3. Authorization Control
Briink shall ensure that the persons authorized to use the data processing systems can only access the personal data subject to their access authorisation and that Customer Data cannot be read, copied, changed or removed without authorisation during processing, use and after storage. To this end, Briink shall take the following precautions, in particular by using state-of-the-art encryption procedures:
1. Creation of an authorization concept
2. Administration of rights by system administrator
3. Reduction in the number of administrators
4. Password policy incl. password length, password change
5. Logging of accesses to applications
6. Encryption of data carriers
4. Separation Control
Briink shall ensure that personal data of the Customer collected for different purposes can be processed separately. To this end, Briink shall take the following precautions:
1. Software-based client separation
2. Creation of an authorization concept
3.Encryption of data sets processed for the same purpose
4. Setting database rights
5. Integrity (Art. 32 para. 1 lit. b DS-GVO)
5.1 Disclosure Control: Briink shall ensure that personal data of the Customer cannot be read, copied, changed or removed by unauthorized persons during electronic transmission or during their transport or storage on data carriers, and that it is possible to check and establish to which bodies a transmission of personal data is intended by data transmission facilities. To this end, Brink shall take the following precautions, in particular by using state-of-the-art encryption procedures:
1. Establishment of dedicated lines or VPN tunnels
2. Disclosure of personal data in anonymised or pseudonymised form
3. Email encryption
4. Creation of an overview of regular call-off and transmission processes
5. Virtual Private Cloud
6.Documentation of the recipients of data and the time periods of the planned transfer or agreed deletion periods
5.2 Input Control: Briink shall ensure that it is possible to check and establish retrospectively whether and by whom personal data of the Customer have been entered into data processing systems, changed or removed. For this purpose, Briink shall take the following precautions:
1. Logging of the entry, modification and deletion of personal data
2. Create an overview of which applications can be used to enter, change and delete which personal data.
3.Traceability of input, modification and deletion of personal data through individual user names
4. Retention of forms from which personal data have been transferred to automated processing operations
5. Assignment of rights to enter, change and delete personal data on the basis of an authorization concept
6.Software dependency auditing
6. Availability and Resilience (Art. 32(1)(b) DS-GVO)
6.1 Availability Control: Briink shall ensure that personal data of the Customer is protected against accidental destruction or loss. To this end, Briink shall take the following precautions:
1. Uninterruptible power supply (UPS)
2. Fire and smoke detection systems
3. Creation of a backup concept
4. Keeping backups in a secure, off-site location
7. Rapid Recoverability (Art. 32(1)(c) DS-GVO);
Briink shall ensure that personal data of the Client and access to them are quickly restored in the event of a physical or technical incident. To this end, Briink shall take the aforementioned measures.
8. Procedures for Periodic Review, Assessment and Evaluation (Article 32(1)(d) of the GDPR; Article 25(1) of the GDPR)
Briink shall implement procedures to regularly review, assess and evaluate the effectiveness of the technical and organizational measures to ensure the security of the processing. For this purpose, Briink shall take the following measures:
2.Incident Response Management;
3. Data protection-friendly default settings (Art. 25(2) DS-GVO);
4. Order control, i.e. no commissioned data processing within the meaning of Art. 28 DS-GVO without corresponding instructions from the client, e.g.: clear contract design, formalized order management, strict selection of the service provider, obligation to convince in advance, follow-up checks.