Data Processing Agreement

General Terms and Conditions for Data Processing pursuant to Art. 28 (3) GDPR

  1. Scope of application and contractual partners

The following General Terms and Conditions for Data Processing pursuant to Art. 28 para. 3 GDPR (hereinafter referred to as "GTC-DPA") specify the data protection obligations arising from a service agreement concluded between the controller (hereinafter referred to as the "Controller") and Mr. Sebastian Amann, Leopoldstraße 23, 80802, Munich, Germany (hereinafter referred to as the "Processor", together with the Controller also referred to as the "Parties") pursuant to Section 2.1 (hereinafter referred to as the "Main Agreement").

  2. Subject matter and scope of commissioned processing
    1. As part of the provision of services in accordance with the General Terms and Conditions of 14.11.2025 (hereinafter "Main Contract"), it is necessary for the Contractor to handle personal data as a processor for which the Client acts as the controller within the meaning of data protection regulations (hereinafter "Client Data"). This contract specifies the rights and obligations of the parties under data protection law in connection with the Contractor's handling of Client Data for the performance of the main contract.
    2. The Contractor processes the Client Data on behalf of and in accordance with the instructions of the Client within the meaning of Art. 28 GDPR (commissioned processing). The Client remains the controller within the meaning of data protection law.
    3. The processing of Client Data by the Contractor shall take place in the manner, scope and for the purpose specified in Annex 1 ("Object of the commissioned processing") to this Agreement; the processing concerns the types of personal data and categories of data subjects specified therein. The duration of the processing corresponds to the term of the main contract.
    4. The Contractor reserves the right to anonymize or aggregate the Client Data so that it is no longer possible to identify individual data subjects and to use it in this form for the purpose of needs-based design, further development and optimization as well as the provision of the service agreed in accordance with the main contract. The parties agree that anonymized Client Data or Client Data aggregated in accordance with the above shall no longer be considered Client Data within the meaning of this Agreement.
    5. The Contractor may process and use the Client Data for its own purposes on its own responsibility within the scope of what is permitted under data protection law if this is permitted by a statutory authorization provision or a declaration of consent by the data subject. Accordingly, the Contractor is entitled in particular to collect information about the use of the service by the Client and its employees (hereinafter "usage data") and to process this for the purposes of fulfilling the main contract, designing the service to meet requirements, providing usage overviews, IT and data security and fault diagnosis and rectification. This contract does not apply to such data processing.
    6. The processing of the Client Data by the Contractor shall generally take place within the European Union or in another state party to the Agreement on the European Economic Area (EEA). The Contractor is nevertheless permitted to process Client Data outside the EEA in compliance with the provisions of this Agreement if it informs the Client in advance of the place of data processing and the requirements of Art. 44-48 GDPR are met or an exception pursuant to Art. 49 GDPR applies.
  3. Powers of instruction of the Client
    1. The Contractor shall process the Client Data in accordance with the instructions of the Client, unless the Contractor is obliged to do otherwise under the law of the European Union or its Member States to which the Contractor is subject. In the latter case, the Contractor shall notify the Client of these legal requirements prior to processing, unless the law in question prohibits such notification due to an important public interest.
    2. The Client's instructions are in principle conclusively defined and documented in the provisions of this contract. Individual instructions that deviate from the provisions of this contract or impose additional requirements shall require the prior consent of the Contractor and shall be carried out in accordance with the amendment procedure set out in the main contract, in which the instruction shall be documented and the assumption of any additional costs incurred by the Contractor as a result shall be regulated by the Client.
    3. The Contractor warrants that it processes the Client Data in accordance with the Client's instructions. If the Contractor is of the opinion that an instruction of the Client violates this Agreement or the applicable data protection law, it shall be entitled, after notifying the Client accordingly, to suspend the execution of the instruction until the Client confirms the instruction. The parties agree that the sole responsibility for processing the Client Data in accordance with the instructions lies with the Client.
  4. Obligations and legal position of the Client
    1. The Client is solely responsible for the lawfulness of the processing of the Client Data and for safeguarding the rights of the data subjects in the relationship between the parties. Should third parties assert claims against the Contractor due to the processing of Client Data in accordance with this Agreement, the Client shall indemnify the Contractor against all such claims upon first request.
    2. The Client shall be responsible for making the Client Data available to the Contractor in good time for the provision of services in accordance with the main contract and shall be responsible for the quality of the Client Data. The Client must inform the Contractor immediately and in full if it discovers errors or irregularities with regard to data protection regulations or its instructions when checking the Contractor's order results.
    3. Upon request, the Client shall provide the Contractor with the information specified in Art. 30 para. 2 GDPR, unless the Contractor has this information itself.
    4. If the Contractor is obliged to provide information about the processing of Client Data to a government agency or a person or to cooperate with these agencies in any other way, the Client shall be obliged to support the Contractor in providing such information or fulfilling other obligations to cooperate upon first request.
  5. Requirements for personnel
    1. In accordance with Art. 29 GDPR, the Contractor shall ensure that the persons under its authority process the Client Data in accordance with this Agreement and the Client's instructions.
    2. The Contractor shall oblige all persons who process Client Data to maintain confidentiality with regard to the processing of Client Data.
  6. Security of the processing
    1. The Contractor shall take the necessary, appropriate technical and organizational measures in accordance with Art. 32 GDPR, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing of the Client Data as well as the varying likelihood and severity of the risk to the rights and freedoms of the data subjects, in order to ensure a level of protection for the Client Data appropriate to the risk.
    2. The Contractor shall be permitted to change or adapt technical and organizational measures, in particular the measures listed in more detail in Annex 2 ("Technical and Organizational Measures") to this Agreement, during the term of the Agreement as long as they continue to meet the legal requirements.
  7. Use of additional processors
    1. The Client hereby grants the Contractor general authorization to involve additional processors with regard to the processing of Client Data. The additional processors involved at the time of the conclusion of the contract are listed in Annex 3 ("Sub-processors"). In general, contractual relationships with service providers that involve the testing or maintenance of data processing procedures or systems by other bodies or other ancillary services are not subject to approval, even if access to Client Data cannot be ruled out, as long as the Contractor makes appropriate arrangements to protect the confidentiality of the Client Data.
    2. The Contractor shall inform the Client of any intended changes with regard to the involvement or replacement of additional processors. In individual cases, the Client shall have the right to object to the commissioning of a potential additional processor. An objection may only be raised by the Client for good cause to be proven to the Contractor. If the Client does not raise an objection within 14 days of receipt of the notification, its right of objection to the corresponding assignment shall expire. If the Client raises an objection, the Contractor shall be entitled to terminate the main contract and this contract with a notice period of 3 months.
    3. The contract between the Contractor and the additional processor must impose the same obligations on the latter as are incumbent on the Contractor under this contract. The parties agree that this requirement is fulfilled if the contract has a level of protection corresponding to this contract or if the obligations set out in Art. 28 para. 3 GDPR are imposed on the additional processor.
    4. Subject to compliance with the requirements of Section 2.6. of this Agreement, the provisions of this Section 7. shall also apply if an additional processor in a third country is involved. In this case, the parties agree that the requirements of Section 7.3. above are met if the standard contractual clauses for the transfer of personal data to third countries in accordance with the decision of the EU Commission of June 4, 2021 ("Standard Contractual Clauses") are concluded with the additional processor in the third country. The Client agrees to cooperate to the extent necessary to fulfill the requirements of Art. 49 GDPR.
  8. Rights of the data subjects
    1. The Contractor shall support the Client with technical and organizational measures to the extent reasonable in fulfilling its obligation to respond to requests to exercise the rights of data subjects to which they are entitled.
    2. If a data subject asserts a request to exercise their rights directly to the Contractor, the Contractor shall forward this request to the Client in a timely manner.
    3. The Contractor shall provide the Client with information about the stored Client Data, the recipients of Client Data to whom the Contractor passes it on in accordance with the order and the purpose of the storage, unless the Client has this information itself or can obtain it itself.
    4. The Contractor shall enable the Client to correct, delete or restrict the further processing of Client Data within the scope of what is reasonable and necessary against reimbursement of the expenses and costs incurred by the Contractor in this respect, or to carry out the correction, blocking or restriction of further processing itself at the request of the Client, if and to the extent that this is impossible for the Client itself.
    5. Insofar as the data subject has a right to data portability vis-à-vis the Client with regard to the Client Data pursuant to Art. 20 GDPR, the Contractor shall support the Client in providing the Client Data in a common and machine-readable format within the scope of what is reasonable and necessary against reimbursement of the expenses and costs to be proven to the Contractor if the Client cannot obtain the data in any other way.
  9. Notification and support obligations of the Contractor
    1. Insofar as the Client is subject to a statutory reporting or notification obligation due to a breach of the protection of Client Data (in particular pursuant to Art. 33, 34 GDPR), the Contractor shall inform the Client promptly of any reportable events in its area of responsibility. The Contractor shall support the Client in the fulfillment of the reporting and notification obligations at the Client's request within the scope of what is reasonable and necessary against reimbursement of the expenses and costs incurred by the Contractor to be proven.
    2. The Contractor shall support the Client, to the extent reasonable and necessary, in any data protection impact assessments to be carried out by the Client and any subsequent consultations with the supervisory authorities pursuant to Art. 35, 36 GDPR against reimbursement of the expenses and costs to be proven to the Contractor as a result.
  10. Deletion of data
    1. The Contractor shall delete the Client Data after completion of the provision of the processing services, unless the Contractor is obliged to continue storing the Client Data under the law of the European Union or its Member States to which the Contractor is subject.
    2. Documentation that serves as proof of the proper processing of Client Data in accordance with the contract may be retained by the Contractor even after the end of the contract.
  11. Evidence and checks
    1. At the Client's request, the Contractor shall provide the Client with all necessary information available to the Contractor to prove compliance with its obligations under this Agreement.
    2. The Client is entitled to review the Contractor with regard to compliance with the provisions of this contract, in particular the implementation of the technical and organizational measures, including through inspections.
    3. In order to carry out inspections in accordance with Section 11.2, the Client shall be entitled to enter the Contractor's business premises where Client Data is processed during normal business hours (Monday to Friday from 08:00 to 16:00, with the exception of public holidays at the Contractor's registered office) at its own expense, without disrupting operations and subject to strict confidentiality of the Contractor's business and trade secrets, after giving due notice in accordance with Section 11.5.
    4. The Contractor is entitled, at its own discretion, taking into account the Client's legal obligations, not to disclose information that is sensitive with regard to the Contractor's business or if the Contractor would violate legal or other contractual regulations by disclosing it. The Client is not entitled to obtain access to data or information about other customers of the Contractor, to information regarding costs, to quality inspection and contract management reports and to any other confidential data of the Contractor that is not directly relevant to the agreed inspection purposes.
    5. The Client shall inform the Contractor in good time (generally at least two weeks in advance) of all circumstances relating to the performance of the review. The Client may carry out one inspection per calendar year. Further inspections shall be carried out against reimbursement of costs and after consultation with the Contractor.
    6. If the Client commissions a third party to carry out the inspection, the Client must obligate the third party in writing in the same way as the Client is obligated to the Contractor under this clause 11. of this contract. In addition, the Client shall oblige the third party to maintain confidentiality and secrecy, unless the third party is subject to a professional obligation of confidentiality. At the request of the Contractor, the Client shall immediately submit to the Contractor the obligation agreements with the third party. The Client may not commission a competitor of the Contractor with the inspection.
    7. At the Contractor's discretion, proof of compliance with the obligations under this contract may also be provided, instead of an inspection, by the submission of a suitable, current certificate or report from an independent body (e.g. auditor, internal audit, data protection officer, IT security department, data protection auditors or quality auditors) or a suitable IT security or data protection certification (e.g. in accordance with BSI IT-Grundschutz) ("audit report"), if the audit report reasonably enables the Client to satisfy itself of compliance with the contractual obligations.
  12. Contract term and termination

The term and termination of this contract shall be governed by the provisions on the term and termination of the main contract. Termination of the main contract shall automatically result in termination of this contract. Isolated termination of this contract is excluded.

  13. Liability
    1. The Contractor's liability under this contract shall be subject to the exclusions and limitations of liability set out in the main contract. Insofar as third parties assert claims against the Contractor which have their cause in a culpable breach of this contract by the Client or against one of its obligations as a data controller under data protection law, the Client shall indemnify the Contractor against these claims upon first request.
    2. The Client also undertakes to indemnify the Contractor against any fines imposed on the Contractor on first demand to the extent that the Client bears a share of the responsibility for the breach sanctioned by the fine.
  14. Final provisions
    1. The applicable law shall be determined by the main contract.
    2. The place of jurisdiction shall be determined by the main contract.
    3. In the event of contradictions between this contract and other agreements between the parties, in particular the main contract, the provisions of this contract shall take precedence.
    4. Should individual provisions of this contract be or become invalid or contain a loophole, the remaining provisions shall remain unaffected. The parties undertake to replace the invalid provision with a legally permissible provision that comes closest to the purpose of the invalid provision and meets the requirements of Art. 28 GDPR.
    5. This order processing contract is part of the main contract and becomes effective upon its conclusion.

Annex 1: Object of the commissioned processing

Purposes of the commissioned processing

Personal data of the client will be processed on the basis of this data processing agreement for the following purposes:

The subject matter of the contract is the provision of the AI-supported Software-as-a-Service solution "AiAuditBuddy" (hereinafter "Software") in digital form for use by the Client via the Internet and the provision of storage space on the Contractor's servers for a fee and for a limited period of time during the term of the contract.

Types and categories of data

The types and categories of personal data processed on the basis of this data processing agreement include

  • Inventory data.
  • Contact data.
  • Contract data.
  • Payment and billing data.
  • Usage data.
  • Log data.
  • Meta and connection data.
  • Telemetry data.

Categories of data subjects

The categories of data subjects affected by the processing of personal data on the basis of this data processing agreement include

  • Website visitors.
  • Users of the Software.
  • Recipients of marketing measures.
  • Subscribers.
  • Interested parties.
  • Business customers.
  • Business partners.

Sources of the processed data

The data processed on the basis of this data processing agreement is collected or otherwise received from the sources listed below or as part of the procedures mentioned:

  • Collection from data subjects.
  • Inputs or information from the client.
  • Collection in the context of the use of software, applications, websites and other online services.
  • Collection via interfaces to services of other providers.
  • Receipt by way of transmission or other communication by or on behalf of the client.

Annex 2: Technical and organizational measures

For the specific commissioned processing and the personal data processed therein, a level of protection is guaranteed that is appropriate to the risk to the rights and freedoms of the natural persons concerned. The focus here is particularly on the protection goals of confidentiality, integrity and availability of the systems and services. Resilience is taken into account in line with the nature, scope, circumstances and purpose of the processing, and the risk is reduced over the long term through suitable technical and organizational measures.

Organizational measures

We take the following organizational measures to secure personal data and to maintain and ensure an appropriate level of data protection.

  • Evaluation of log files - Regular review of log files, also without a specific cause, to detect unusual entries.
  • Appropriate organizational structure - A suitable organizational structure for information security and data protection is in place and integrated into company-wide processes and procedures.
  • Hardware and software updates - The software and hardware used is kept up to date; software updates are applied without undue delay and within a reasonable period of time, taking into account the level of risk and any testing required.
  • Concept for safeguarding data subject rights - Creation of a concept and guarantee of the safeguarding of data subject rights by the contractor (in particular with regard to information, correction, deletion or restriction of processing, data transfer, revocations & objections).
  • Paperless office - running a paperless office, i.e. documents are generally only stored digitally and only kept in paper form in exceptional cases.
  • Vulnerability analyses - Carrying out regular IT vulnerability analyses (e.g. penetration tests).
  • Security reporting - Consistent documentation of security incidents (even in the event of no external reporting, e.g. to the supervisory authority, affected persons).
  • Security concept according to the state of the art - Further development of the security concept according to the state of the art. The state of the art as well as developments, threats and security measures are continuously monitored and derived in an appropriate manner for the company's own security concept.
  • Software default settings - Use of software with data protection-friendly default settings (Art. 25 para. 2 GDPR).
  • Careful selection of service providers - Careful selection of service providers to fulfill ancillary business tasks (e.g. maintenance, security, transport and cleaning services, freelancers, etc.) and ensuring compliance with the protection of personal data and, if necessary, a commitment to secrecy and confidentiality.
  • Trusted sources - standard software and corresponding updates are only obtained from trusted sources.

Physical access control

Physical access control measures have been implemented to prevent unauthorized persons from physically accessing the systems, data processing equipment or procedures used to process personal data.

  • Alarm system - Use of an alarm system.
  • Visitor escort - Visitors only accompanied by employees.
  • Visitor control - Visitor control at reception.
  • Electronic locking system - Electronic locking system with security locks.
  • Locking system with PIN - Use of a locking system with PIN code blocking.
  • Key and access card management - Key control with documentation.
  • Server systems - Data processing of the client only stored with external server providers in compliance with the specifications for order processing (only workstation computers and mobile devices on the client's own business premises).
  • Locking devices and securing the work environment - obligation for employees to lock devices or secure them when they leave their work environment or devices.
  • Video surveillance - video surveillance of access points.

System access control

Electronic access control measures have been taken to ensure that unauthorized persons are denied access to data processing equipment used for processing or procedures. This includes traditional physical security measures that prevent unauthorized, direct physical access to processing equipment. We have taken the following measures to protect access to our data processing systems.

  • Anti-virus software - use of anti-virus software.
  • Authentication with user + password - Data processing systems are password-protected.
  • User authorizations - Manage user authorizations (e.g. when employees join, change or leave).
  • Encrypted passwords - Passwords are never stored in plain text, only in hashed form, and are transmitted only in encrypted form.
  • Password concept - Passwords in accordance with the state of the art and security requirements through appropriate minimum length and complexity.
  • Blocking of external interfaces - Blocking of external interfaces against unauthorized hardware access (e.g. blocking of USB ports).
  • Blocking of login credentials - The number of failed login attempts to internal systems is limited to a reasonable number.
  • Software firewall - Use of software firewall(s).
  • Encryption of backups - Backups are stored in encrypted form.
  • Encryption of data carriers - Encryption of data carriers using state-of-the-art procedures.
  • Two-factor authentication - Use of two-factor authentication for access to data processing systems.

Internal access control and input control (authorizations for user rights to access and change data)

Access control measures have been taken to ensure that those authorized to use a data processing system can only access the data subject to their access authorization and that personal data cannot be read, copied, modified or removed without authorization during processing. Furthermore, input control measures have been taken to ensure that it is subsequently possible to check and determine whether and by whom personal data has been entered, modified, removed or otherwise processed in data processing systems.

  • Administrators - The activities of administrators are appropriately monitored and logged to the extent permitted by law and technically reasonable.
  • Storage of documents - Files, documents, etc. are stored securely, e.g. in filing cabinets or other appropriately secured containers, and adequately protected against access by unauthorized persons.
  • Authorization concept control - Regular review of the rights and roles concept and updating if necessary (e.g. violations of access restrictions).
  • Authorization concept assignment - Creation and use of a rights and roles concept (access to personal data is only possible to the extent required and by a selected group of people).
  • Data deletion - Secure deletion of data carriers before they are reused (e.g. by multiple overwriting).
  • Use of service providers - Use of service providers for file and data destruction (if possible with DIN 66399 certificate).
  • Password guidelines - Password guidelines including length, complexity and frequency of change.
  • Personalized user names - Traceability of entry, modification and deletion of data through individual user names (not user groups).
  • Logging of logins to data processing systems - Logins to data processing systems or processing systems are logged.
  • Logging access by employees or authorized persons - Traceability of which employees or authorized persons had access to which data and when (e.g. by logging software usage or drawing conclusions from access times and the authorization concept).
  • Logging access to files - Access to individual files of the client is logged.
  • Logging access input, modification and deletion - Input, modification and deletion of individual client data is logged.
  • Protection of log files against access - The log files are protected against modification, loss and unauthorized access.
  • Secure storage - Secure storage of data carriers.
  • Separation of contact data - Separation of contact data and other data.
  • Separation of master data - separation of customer master data and order data.
  • Encryption of data carriers - Encryption of data carriers using state-of-the-art technology.
  • Encryption of smartphones - Encryption of smartphones using state-of-the-art procedures.
  • Access rights - Personal access rights for traceability of access.

Transfer control

Transfer control measures have been taken to ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or during its transport or storage on data carriers, and that it is possible to check and determine to which bodies personal data is intended to be transmitted by data transmission devices.

  • Mobile data carriers - Mobile data carriers are encrypted.
  • Storage - Files are encrypted before being transferred to cloud storage services.
  • SSL / TLS encryption - Use of SSL / TLS encryption for data transmission on the internet.
  • Transmission - Encrypted data transmission (e.g. email encryption using PGP or S/MIME, VPN, encrypted internet connections using TLS/SSL, use of the FTAPI data transfer tool).
  • VPN tunnels - VPN tunnels are used for remote access to the network from outside.

Annex 3: Sub-processors

The Contractor uses the following sub-processors to process data for the Client:

  • Amazon Web Services EMEA SARL (AWS)
    Address: 38 Avenue John F. Kennedy, L-1855 Luxembourg, Luxembourg
    Commissioned service: Hosting of the platform (application server, database, S3 storage, backup, Bedrock AI models)
    Server location: Frankfurt, Germany (eu-central-1)
    Link to DPA: https://aws.amazon.com/de/compliance/gdpr-center/
  • Stripe Payments Europe Ltd.
    Address: The One Building, 1 Lower Grand Canal Street, Dublin D02 HD59, Ireland
    Commissioned service: Payment processing, billing, subscription management
    Server location: Dublin, Ireland
    Link to DPA: https://stripe.com/de/legal/dpa
  • Anthropic / AWS Bedrock
    Address: Anthropic PBC, 548 Market St PMB 99461, San Francisco CA 94104-5401, USA
    Commissioned service: AI-supported document analysis (Claude 3.5 Sonnet)
    Server location: Frankfurt, Germany (eu-central-1)
    Link to DPA: https://www.anthropic.com/legal/privacy, https://aws.amazon.com/de/bedrock/terms/
  • Azure OpenAI (Microsoft Ireland Operations Ltd.)
    Address: One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland D18 P521
    Commissioned service: Fallback LLM for text analysis / embeddings
    Server location: Ireland / EU Region
    Link to DPA: https://learn.microsoft.com/en-us/compliance/regulatory/gdpr-dpa
  • Langfuse Inc.
    Address: 2261 Market Street #4227, San Francisco, CA 94114, USA
    Commissioned service: LLM tracing / AI usage analysis
    Server location: USA
    Link to DPA: https://langfuse.com/privacy
  • Resend Inc.
    Address: 2261 Market Street #4848, San Francisco, CA 94114, USA
    Commissioned service: Sending of system and notification emails
    Server location: USA
    Link to DPA: https://resend.com/legal/dpa
  • Sentry (GmbH / Inc.)
    Address: Functional Software Inc. (d/b/a Sentry), 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA
    Commissioned service: Error and performance monitoring
    Server location: USA
    Link to DPA: https://sentry.io/legal/dpa/
  • Flowise AI (self-hosted)
    Address: - (own AWS infrastructure)
    Commissioned service: Chatbot framework for audit support
    Server location: Frankfurt, Germany
    Link to DPA: Self-hosted, no third-party DPA required
  • SimpleLocalize Sp. z o.o.
    Address: ul. Władysława Łokietka 5/1, 85-010 Bydgoszcz, Poland
    Commissioned service: Translation management (DE/EN)
    Server location: Poland
    Link to DPA: https://simplelocalize.io/legal/data-processing-addendum/

Last updated: 11/25/2025