gridscale's security-center

Here you will find all legally relevant documents, explained by us in a simple and understandable way.

Data protection explained in an understandable way

In gridscale’s data protection centre we provide you with all legally relevant documents. We have written a “translation” of each legal text in our own words. This way you can quickly understand how secure your infrastructure is with gridscale.
These documents have been independently translated and can therefore not be used for legal purposes. In all legal matters, please always refer to the original German documents.


GTC

General Terms and Conditions of gridscale GmbH

§1 Scope of application
1.1 These General Terms and Conditions (GTC) apply to the business relationship of gridscale GmbH (hereinafter referred to as "gridscale") with customers, in particular for services, for orders, information and advice in connection with the products. These GTC only apply if the purchaser is an entrepreneur (§ 14 BGB), a legal entity under public law or a special fund under public law.
1.2 Unless otherwise agreed, the GTC in the version valid at the time of the customer's order, or at least in the version most recently notified to the customer in text form, shall also apply as a framework agreement for similar future contracts without gridscale having to refer to them again in each individual case.
1.3 These GTC apply instead of any general terms and conditions of business of the customer - e.g. purchasing conditions - even if according to these the acceptance of the order is provided as unconditional acceptance of the general terms and conditions. By placing an order, the customer expressly acknowledges that he waives his objection derived from his own general terms and conditions.
1.4 In addition to these GTC, Service Level Agreements (SLA) for individual products or individual product parts only apply if they are agreed separately. Individual agreements made with the customer in individual cases (including other ancillary agreements, supplements and adjustments), in particular conditions stated in the order, shall take precedence over these GTC in all cases. Subject to evidence to the contrary, an agreement in text form or our confirmation in text form shall be authoritative for the content of such agreements.
1.5 Legally relevant declarations and notifications to be made by the customer to gridscale after conclusion of the contract (e.g. setting of deadlines, notifications of defects, declaration of withdrawal or reduction) must be in text form to be effective.
1.6 References to the validity of legal regulations have only clarifying meaning. Even without such clarification, the statutory provisions shall therefore apply, unless they are directly amended or expressly excluded in these GTC.
In other words, these GTC are the framework agreement that applies to our services towards you. We exclude all other contract texts as a whole, unless we have explicitly and individually agreed otherwise with you.
§2 Disclosure, specifications, service determination
2.1 Disclosures and advice as well as other services provided by gridscale are based exclusively on previous experience. The values given here are to be regarded as average values. All information on products and services, in particular the illustrations, contents and performance data and other information available in offers and on the gridscale website are to be regarded as approximate average values.
2.2 A reference to standards, similar technical regulations as well as technical data, descriptions and illustrations in offers, on the website, in advertisements of gridscale only represent a statement of properties if the quality has been expressly declared as a "property"; otherwise it is a non-binding general description of services.
2.3 A guarantee shall only be considered accepted by gridscale if gridscale has designated a property or service as "guaranteed" in writing.
2.4 All services and products of gridscale are constantly updated and adapted to the state of the art. gridscale therefore reserves the right to make changes to services and products at its reasonable discretion (§ 315 BGB) even after the order or assignment.
2.5 Unless otherwise agreed in writing with the customer, gridscale shall not accept liability for the usability of gridscale's services and products for the purpose envisaged by the customer outside the legally binding liability.
2.6 gridscale reserves ownership rights and copyrights to illustrations, performance and other property descriptions as well as other documents concerning gridscale products and services. The customer agrees not to make the information and documents listed in the above sentence available to third parties unless gridscale has given its prior express written permission.
In other words, we would be happy to support you with the projects that you would like to implement with gridscale. We look forward to advising you and sharing our experiences with you. When we advise you, we would like to be your sparring partner at eye level. We brainstorm with you and consider how your project can be optimally implemented. However, we do not want you to hold us liable for our free advice.
Guarantees are therefore only valid if we expressly confirm this guarantee to you.
We maintain a very agile product development and regularly publish new and updated functions for our customers. This can change the properties of a product or service. Usually this means that you can get higher performance and use advanced features. In rare cases, however, it may happen that we remove a property from our product or replace it with a similar one.
§3 Conclusion of contract, start of contract, scope of services
3.1 The offers of gridscale are subject to change and non-binding.
3.2 The order by the customer is considered a binding contractual offer. Unless otherwise stated in the order, gridscale is entitled to accept this contractual offer within 7 days from the date of receipt by gridscale.
3.3 Acceptance by gridscale can either be declared in writing (e.g. by order confirmation) or implied by the provision of the service or the product to the customer.
3.4 A test account (so-called "trial account") will first be set up for the customer. The trial account can be converted into full access (so-called "paid account") by entering a valid payment method (e.g. bank account, credit card) that can be selected in our online customer area. The customer guarantees gridscale the availability of the required fees on the specified means of payment at the time of the contractual offer. The customer is only entitled to order payable services and products from gridscale with full access.
3.4 gridscale provides the customer with flexible virtualized infrastructure (Infrastructure as a Service - IaaS) on servers, storage devices and networks over the Internet that cannot be used exclusively by the customer. These services are provided, managed and billed in real time.
3.5 The customer configures his individual IaaS solution via the website provided by us or alternatively via the provided programming interface (so-called API). When configuring the individual IaaS solution, the customer submits an offer within the meaning of Section 3.2 for the contractual service desired by him. Unless otherwise agreed, the performance data, conditions and prices stated on gridscale's website applicable at the time the contract is concluded shall apply. Further details can optionally be regulated in an SLA.
3.6 The concrete data and prices for the scope of services requested by the customer are stored at gridscale. The performance data can be called up at any time in the online customer area and adapted by the customer. Furthermore, the customer can contact gridscale's customer service via a contact form or by email to support@gridscale.io.
3.7 Unless otherwise agreed, gridscale shall provide the contractual services for the period specified by the customer ("on demand").
In other words, our product is very versatile and can be individually adapted to your requirements. To convince yourself of our services, you start with a test account at gridscale. This access is completely free for you. With this access, some of the functions are restricted to protect us from misuse. After you have convinced yourself that gridscale is the ideal partner, you can change your test access to a full-fledged account at any time. To do this, you simply deposit a payment method.
You can configure, start or stop the services you want to get from gridscale at any time via our user interface or our API interfaces. We provide you with the services in real time - i.e. OnDemand. Once you have configured and started an infrastructure, you will be charged according to the current price list. To give you a better overview, we always display the current prices in many places in the user interface and point out any fees that may arise.
§4 Duties and obligations of the customer
4.1 The customer assures that the data provided by him is correct and complete. He undertakes to reconfirm the correctness and completeness of the data to gridscale upon corresponding request from gridscale within 10 days of receipt.
4.2 The customer shall adequately support gridscale in the provision of services.
4.3 The customer must retrieve the messages received from gridscale in his e-mail inboxes, which he has stored with us as communication addresses, at regular intervals of no more than two weeks.
4.4 The customer undertakes to keep passwords received from gridscale for the purpose of access to its services strictly confidential, to inform gridscale immediately as soon as he becomes aware that unauthorised third parties are aware of the password and to change it immediately or have it changed by gridscale if he has reason to suspect that unauthorised third parties have gained knowledge of it. Should third parties use services of gridscale through misuse of passwords due to the fault of the customer, the customer is liable to gridscale for, among other things, the fees to be paid for the account as well as claims for damages resulting therefrom.
4.5 By way of an independent guarantee to gridscale, the customer is responsible for ensuring that the measures initiated by him in connection with the provision of services by gridscale, in particular with regard to the use and content of the infrastructure, do not violate legal prohibitions, morality and the rights of third parties (e.g. trademark, name, copyright, data protection rights).
4.6 If gridscale is held liable by third parties for any legal infringements which they assert due to the customer, in particular due to the customer's use and content of the infrastructure, the customer shall immediately release gridscale, offer gridscale the necessary support in legal defence and release gridscale from the costs of legal defense. The prerequisite for this is that gridscale informs the customer immediately about asserted claims, does not make any concessions or acknowledgements or similar declarations and enables the customer to conduct all judicial and extrajudicial negotiations on the claims at his own expense.
4.7 If claims are made against gridscale by third parties due to the customer, in particular due to the customer's use and content of the infrastructure and/or damages for violation of legal regulations, the customer shall immediately and unconditionally indemnify gridscale from damages (means of order, contractual penalties, costs of extrajudicial settlement of disputes etc.) due to violation of legal regulations, unless the customer proves that the violation is not based on his or his own conduct.
In other words, you assure us that all the information you provide about your company and yourself is correct and complete. We usually communicate with you via e-mail, so it is important that we always have an up-to-date e-mail address and that you regularly check your e-mails.
Passwords that we tell you so you can use gridscale should be kept strictly secret. You can invite other people to your personal gridscale account at any time and thus retain full control over who has which access and when. But never share your personal passwords with a third party.
If we are contacted by third parties for possible violations you may have committed, you undertake to assist us in the investigation and to avert damage to gridscale.
§5 Pricing and Payment
5.1 The fee owed by the customer is determined by gridscale's prices valid at the time the contract is concluded. The prices can be viewed on the gridscale website. In principle, use-dependent prices are calculated in the indicated unit (e.g. time) plus the statutory value-added tax.
5.2 Cashing up and billing takes place monthly in arrears, at the earliest on the first day of the month following the billing month.
5.3 gridscale is also entitled to invoice separately within one month if the current claim exceeds the usual invoice amount of the previous months by 50% or more and/or the threshold amount agreed with the customer or, if nothing has been agreed, an invoice amount of 500.00 €.
5.4 gridscale issues an electronic bill on the customer data provided by the customer in the online customer area. The bills are available in the customer area and can also be sent to the customer's e-mail address on request. Dispatch of the bill by post requires a supplementary agreement.
5.5 Payment of the fees can be made via the means of payment offered at the time (usually credit card and direct debit). The customer authorises gridscale to collect any fees incurred via the declared means of payment. He shall reimburse all costs incurred by non-executable payment transactions (so-called chargebacks), unless the customer has exercised the necessary care or the damage would have been incurred even if such care had been exercised.
5.6 All claims are due and payable upon presentation of the bill, unless gridscale states a payment deadline in the bill. If the customer does not pay within 5 days after receipt of the bill or within the payment period stated in the bill, he shall be in default without further reminder pursuant to § 286 para. 2 no. 1 or 2 BGB, with the consequence that default interest amounting to 9 percentage points above the base interest rate shall be owed pursuant to § 288 para. 2 BGB.
In other words, the billing amount you have to pay to gridscale is individually composed of all items you have used within a billing period (e.g. one month). Our bill is usually issued after one month for the previous period. We always make the bill available to you digitally in your personal area at gridscale. Upon request, we will also send this bill to an e-mail address you have provided.
There are a few cases where we reserve the right to send you a bill before the end of a month. For example, if we are unsure whether you will pay our bills or if your growth at gridscale is unusually high.
If you receive a bill from us, we usually arrange for immediate charges to be made to your means of payment (e.g. your credit card). Please make sure that we can debit the bill from your payment method; otherwise our system could temporarily block your account.
If we first collect a bill from your means of payment but then make a chargeback, we will incur costs. We allow ourselves to pass these costs on to you in such a case.
§6 Contract terms, termination
6.1 A contractual relationship between the parties is generally deemed to have been concluded for an indefinite period.
6.2 There is basically no minimum contract term for the customer. The customer may terminate the contractual relationship as a whole or individually ordered contractual components at any time without notice with effect from the next working day.
6.3 gridscale can properly terminate the contractual relationship as a whole or individually ordered contractual components subject to a period of notice of 4 weeks to the end of the month. If a longer period of notice is required by law for a service provided by gridscale, this longer period of notice shall apply in favour of the customer.
6.4 The right of both parties to terminate without notice for good cause remains unaffected.
6.5 An important reason for termination exists for gridscale in particular if the customer defaults on payment of the owed fees or a not insignificant part thereof (at least 50%) for a further 30 days despite reminder of payment. Furthermore, an important reason exists if an application for the opening of insolvency proceedings has been filed against the customer's assets or such an application has been rejected for lack of assets, enforcement proceedings against the customer have remained unsuccessful, or enforcement measures have been taken and have not been withdrawn within one month.
6.6 Any notice of termination must be in written form in order to be effective.
6.7 The validity of § 545 BGB is excluded.
6.8 If the content of individual provisions extends beyond the term of the contract (e.g. indemnifications, limitations of liability, copyrights, data protection), then these provisions shall also remain effective beyond the term of the contract.
6.9 Upon termination of the contract - for whatever legal reason - any rights of use or licenses granted by gridscale or third parties within the scope of the provision of services shall lapse.
6.10 Notwithstanding any existing right of termination, gridscale is entitled to withhold the performance of contractual performance obligations or several contracts linked in terms of time and content in whole or in part if the customer is in default of payment of the fees owed or a not insignificant part thereof (at least 50%) despite reminder of payment for a further 10 days and/or if there are concrete indications of a deterioration in the customer's financial circumstances. In this case, gridscale can demand payment or partial payment concurrently against performance, even if an advance performance obligation has been or is contractually agreed upon. This shall not affect any further claims for damages.
In other words, we're going to get married indefinitely. However, you don't tie yourself to gridscale all your life. Rather, you can cancel your contract with us at any time the next day.
So that you have a certainty that we will not terminate the marriage with you one day in advance, we have the right of termination with four weeks to the end of the month, unless there are other deadlines provided for by law. An important exception to this rule is if you do not pay your bills from gridscale. Then we can make use of an immediate special right of termination or temporarily stop the services towards you.
§7 Rights of third parties
7.1 If a third party asserts claims against the customer due to the infringement of an industrial property right or copyright through the use of the services owed by gridscale in the Federal Republic of Germany and if their use is affected or prohibited by this, the following provisions shall apply.
7.2 gridscale shall, at its discretion and expense, either modify or replace the agreed services in such a way that the property right is not infringed, but substantially corresponds to the agreed service in a manner that is reasonable for the customer or exempt the customer from license fees towards the property right owner or third parties.
7.3 Prerequisites for gridscale's liability according to section 7.2 are that the customer immediately notifies gridscale of the assertion of claims of third parties, does not acknowledge the alleged infringement of property rights and leaves any dispute including any out-of-court settlements to gridscale or only conducts such dispute in agreement with gridscale. If the customer ceases use for damage mitigation or other important reasons, he is obliged to point out to the third party that the cessation of use is not connected with an acknowledgement of the alleged infringement of property rights.
7.4 If the customer is responsible for the infringement of property rights, the claim of third parties is based on the fact that the service content owed by gridscale was changed without their knowledge, processed in another way and not used with services provided by gridscale, claims against gridscale of the customer in accordance with this item 7. are excluded.
7.5 To the extent applicable, legally binding liability regulations or the regulations in section 8. remain unaffected by this.
In other words, we don't actually need this paragraph and it's for your protection. However, if at any time a third party should hold you liable because you use gridscale itself or a technology provided by gridscale, then we will fight this dispute for you. In such a case, please inform us immediately so that we can jump to your side.
§8 Liability
8.1 gridscale is not liable to the customer for damages or reimbursement of expenses, for whatever legal reason.
8.2 The above exclusion of liability does not apply if liability is mandatory by law, as well as
  • for own intentional or grossly negligent breaches of duty by gridscale or intentional or grossly negligent breaches of duty by legal representatives or vicarious agents of gridscale;
  • for the violation of essential contractual obligations; "essential contractual obligations" are such obligations that protect the customer's legal positions which are essential to the contract and which this contract has to grant him according to its content and purpose; essential contractual obligations are also such contractual obligations, the fulfilment of which is essential for the proper execution of this contract and on whose compliance the customer has regularly relied and may rely;
  • in the event of injury to body, life and health also by legal representatives and vicarious agents of gridscale;
  • in the event of default, if a fixed delivery date had been agreed;
  • insofar as gridscale has assumed a guarantee for the quality of the services and products or for the existence of a performance success, or a procurement risk;
  • in the case of liability in accordance with the Product Liability Act or other legally binding liability circumstances.

8.3 In the event that gridscale, its legal representatives or its vicarious agents are only guilty of slight negligence and there is no case of the preceding Clause 8.2, third, fourth, fifth and sixth indent, gridscale shall only be liable for contract-typical and foreseeable damage, even in the event of a breach of essential contractual obligations.
8.4 Insofar as gridscale is liable in accordance with this Clause 8, its liability is limited to a maximum liability amount of EUR 100,000.00 for each individual case of damage. gridscale shall not be liable in the event of malice, intent or gross negligence, for claims due to injury to life, limb or health, or in the event of a claim based on an act of tort or an express, additional guarantee or the assumption of a procurement risk by gridscale or in the event of legally mandatory, deviating, higher liability amounts. Any further liability of gridscale is excluded.
8.5 Liability of gridscale for indirect damages (in particular in the form of lost profit) is excluded. The above Clause 8.4, sentence 2, applies accordingly.
8.6 Notwithstanding the cases mentioned in 8.1 to 8.5, gridscale is only liable for the loss of data or programs up to the amount of damage that would have occurred even with regular data backups. The above limitation of liability therefore applies in particular when the damage is based on the fact that the customer has failed to carry out regular data backups himself, which may not be stored in the gridscale data centre itself, and thereby ensure that lost data can be restored with justifiable effort. This does not apply if gridscale has taken over the data backup for the customer by contract.
8.7 gridscale uses TLS/SSL encryption for certain security-relevant data transmissions and connections. Despite this, data communication via the Internet cannot be guaranteed to be error-free and/or available at any time according to the current state of the art. Liability for permanent and uninterrupted availability is therefore excluded, notwithstanding the cases mentioned in 8.1 to 8.5, unless a separate contractual agreement exists with the customer.
8.8 The above provisions do not imply a reversal of the burden of proof.
In other words, we will not be liable to you for damages unless the law clearly provides otherwise. Regardless of this, we agree to limit the amount of any liability for anything.
Please note that we are especially not liable for the loss of your data at gridscale if you fail to perform a suitable data backup yourself. We offer you numerous tools and functions that can protect (even fully automated) your data from unusual dangers. Use these functions!
§9 Confidentiality, data protection
9.1 The customer and gridscale mutually undertake to treat all confidential information and trade secrets of the respective other contractual partner, which the other contractual partner makes accessible on the basis of the initiation and fulfilment of the contract, as confidential for an unlimited period of time and to use them only within the scope of the agreed purpose and to observe the applicable provisions of data protection and data security.
9.2 All personal data provided (such as salutation, name, address, date of birth, e-mail address, telephone number, fax number, bank details) are collected, processed or used exclusively in accordance with the applicable data protection conditions.
9.3 As far as personal data are necessary for the establishment, content arrangement or change of the contractual relationship (inventory data), these are used exclusively for the completion of the concluded contracts. Any other contractually required use of inventory data for advertising or market research purposes requires the express consent of the customer. It is possible to give your consent before declaring registration or claiming benefits. The declaration of consent is voluntary and can be revoked at any time.
9.4 Personal data, which are necessary to enable the use of the offers and billing (traffic/usage data), are used to process the concluded contracts. Such traffic data are in particular the characteristics for identifying the customer as a user, information on the beginning and end as well as the extent of the respective use of the service.
9.5 Furthermore, subscriber-related traffic data can be used for the purposes of advertising, market research, for the demand-oriented design of gridscale's services and for the creation of user profiles using pseudonyms, provided that the customer has consented to this use. The customer is entitled to object to this use of the data at any time.
9.6 gridscale expressly points out to the customer that data protection for data transfers in open networks, such as the Internet, cannot be fully guaranteed according to the current state of the art.
9.7 The customer is aware that the provision of services may involve order data processing in accordance with §§ 11, 9 BDSG. In this case, the customer is responsible for compliance with the provisions of the BDSG and other data protection regulations and is considered a "responsible party" within the meaning of § 3 paragraph 7 BDSG. gridscale also declares that the technical and organisational measures in accordance with § 9 in connection with the Annex to § 9 BDSG are complied with in principle.
9.8 If the customer collects, processes or uses personal data, he shall be liable to gridscale by way of an independent guarantee that this is done in accordance with the data protection regulations and shall indemnify gridscale in full in the event of a violation of third-party claims. Sections 4.6 and 4.7 apply accordingly.
9.9 gridscale will forward complaints as well as claims for information, correction, deletion and blocking to the customer (in particular § 6 BDSG). § 42a BDSG applies accordingly to the customer and leads to an obligation to notify gridscale.
In other words, we trust each other and protect all the secrets we learn from each other from the curious eyes of others. Data that we collect from you and your company in order to provide our services will be used exclusively for this purpose and will never be passed on to third parties.
If you use our services yourself to process or store personal data, we can conclude a so-called agreement on order data processing. This ensures that you behave in accordance with the law and fulfil your control obligations.
§10 Statute of Limitation, Place of Performance, Other
10.1 The limitation period for all contractual and legal claims against gridscale is one year.
10.2 The shortening of the limitation period pursuant to Section 10.1 shall not apply if a longer limitation period is prescribed by law. In this case the longer limitation period applies.
10.3 In accordance with the statutory provisions, claims based on intentional or grossly negligent acts of gridscale, a legal representative or vicarious agent of gridscale as well as claims for damages resulting from injury to life, body or health based on intentional or negligent breach of duty by gridscale, a legal representative or vicarious agent shall become statute-barred.
10.4 gridscale can transfer its rights and/or obligations from the contractual relationship to one or more third parties (e.g. assumption of contract and/or debt, assignment). In this case and the simultaneous impairment of his interests, the customer has the right to terminate the contract extraordinarily.
10.5 Waiver declarations by gridscale (such as for the assertion of contractual penalties) must be in writing. If gridscale does not insist on full and/or partial compliance or fulfilment of one of the conditions or provisions of these GTC and the supplementary provisions, this is not to be understood as an acknowledgement of the act of infringement or a waiver of a future application of the relevant condition, provision, option, law or legal remedy.
10.6 The customer may only offset claims for remuneration of gridscale against claims which have become res judicata or are recognised by gridscale.
10.7 The assignment or pledging of claims or rights to which the customer is entitled towards gridscale is excluded without the consent of gridscale.
10.8 The transfer of use (in whole or in part) to third parties is only permitted with the prior consent of gridscale.
10.9 The law of the Federal Republic of Germany shall apply exclusively, to the exclusion of the provisions of the EGBGB concerning private international law. The contractual languages are German and English.
10.10 The place of performance and place of jurisdiction for all disputes arising from or in connection with this contract is gridscale's registered office. gridscale is also entitled to sue the customer at its general place of jurisdiction. Any exclusive place of jurisdiction shall remain unaffected.
10.11 gridscale and the customer are entitled, in the event of a dispute arising from the contractual relationship, to carry out a conciliation in accordance with the conciliation rules of the competent IHK arbitration body for IT disputes in the version valid at the time a conciliation procedure is initiated (if there is no such version on the basis of the conciliation rules of the Hamburg arbitration body for IT disputes) before carrying out legal proceedings. The purpose of the conciliation procedure is to settle the dispute in whole or in part, provisionally or definitively.
In other words, we agree on a limitation period of one year, unless the law explicitly stipulates otherwise.
We live in Cologne. Therefore we agree on Cologne as place of jurisdiction, should there ever be a dispute between us. So that we both don't put an endless amount of money into costly legal proceedings, we can both insist on calling in a mediator to try to settle amicably before a court is called.
    §11 Subject to change without notice 11.1 We are entitled to change these GTC and the other contractual conditions with a period of 6 weeks in advance. We will notify the customer of the respective change by e-mail or in any other text form. At the same time, the customer is expressly informed that the respective amendment will become the subject matter of the existing contract between the contracting parties if the customer does not object to this amendment in text form within a period of 4 weeks from notification of the amendment. If the customer objects, each party has the right to terminate the contract with the period applicable to the ordinary termination.
    11.2 Insofar as the amendment pursuant to Section 11.1 above relates to the promised services of the contractual relationship, a change to the GTC is permissible if the agreement of the change is reasonable for the customer taking into account the interests of gridscale. The same applies if gridscale reserves the right to unilaterally change a service at any time in these GTC.
    11.3 By continuing to use a service or product after it has been announced and changed without notice from the customer, the customer declares his agreement with the contractual conditions and general terms and conditions valid at that time, currently available at https://gridscale.io/en/agb/.
    In other words, we can change these terms and conditions. We will then notify you of this change in good time so that you can inform yourself about the changed content. If you continue to use gridscale after changing the terms and conditions, you automatically accept the new terms and conditions.
    §12 Final clauses 12.1 Should a provision of this contract be or become wholly or partly ineffective/non-executable or unfeasible for reasons of the law of the General Terms and Conditions according to §§ 305 to 310 BGB, the statutory provisions shall apply.
    12.2 Should a current or future provision of the contract be or become wholly or partially invalid/non-executable for reasons other than the provisions concerning the law of the General Terms and Conditions in accordance with §§ 305 to 310 BGB, this shall not affect the validity of the remaining provisions of this contract, unless the execution of the contract - also taking into account the following provisions - would constitute an unreasonable hardship for one party. The same applies if there is a gap that needs to be filled in after conclusion of the contract.
    12.3 Contrary to the case law of the Federal Court of Justice, according to which a Salvatorian Preservation Clause is only intended to reverse the burden of proof in the absence of express declarations to the contrary by the parties, the validity of the remaining contractual provisions is to be maintained under all circumstances and thus § 139 BGB is to be waived in its entirety.
    12.4 The parties shall replace the invalid (void) or unenforceable provision or any gap that needs to be filled for reasons other than the provisions concerning the law of the General Terms and Conditions according to §§ 305 to 310 BGB with an effective provision that corresponds in its legal and economic content to the invalid (void) or unenforceable provision and to the overall purpose of the contract. § 139 BGB (Partial Invalidity) is expressly excluded. If the invalidity of a provision is based on a measure of performance or time (period or date) specified therein, the provision shall be agreed with a legally permissible measure closest to the original measure.
    In other words, this is only a general conclusion clause. In the event that we have forgotten to regulate something or individual components of our terms and conditions are or become ineffective, this clause shall apply. We commit ourselves to finding an arrangement with which we can both live well.

    ADV

    Agreement on order data processing


    Preamble The contractor offers its customers various data center services (so-called cloud IT services), in particular the operation of virtual server, network and data storage infrastructures (IaaS). These Cloud IT services are provided by the contractor on the basis of the terms of use and service descriptions agreed with the client.
    Insofar as the parties establish an order data processing relationship pursuant to Section 11 of the German Federal Data Protection Act (BDSG) or - from the date of application of the new version of the BDSG (hereinafter "BDSG new") in accordance with the provisions of the General Data Protection Regulation (EU Regulation 2016/679, hereinafter "DSGVO") - pursuant to Art. 28 DSGVO, this agreement on order data processing specifies the data protection obligations of the contracting parties resulting from the individual services booked by the principal with the contractor (hereinafter summarised as "main contract"). It applies to all activities in connection with the main contract in which employees of the contractor or third parties commissioned by the contractor may come into contact with personal data of the client. The term of this agreement depends on the term of the main contract. Termination of the main contract automatically results in termination of this ADV agreement. Isolated termination of this ADV agreement is excluded. Termination for good cause remains unaffected.
    In other words, we offer you different services from the cloud. For this purpose, you have entered into a contractual relationship with us. Should you now collect, process and store personal data yourself with our services, we would like to offer you this "agreement for order data processing". This agreement governs important rights and obligations between us so that you can prove that you are acting in accordance with the law.
    1. Scope and responsibility 1.1. The agreement applies to all activities which are the subject of the service agreement and during the performance of which employees of the contractor or third parties commissioned by the contractor in accordance with this agreement come into contact with personal data for which the client is the body responsible in accordance with § 3 paragraph 7 BDSG or the person responsible in the sense of Art. 4 No. 7 DSGVO.
    1.2. In the event of any conflict between the Service Agreement and the Agreement on order data processing, the provisions of the Agreement on order data processing shall prevail.
    In other words, this agreement shall apply in addition to our concluded contractual relationship whenever we perform any activity for you or have it performed by a contractor and it is possible that we or someone else may come into contact with personal data.
    2. Definition of terms 2.1. This agreement relates only to the performance of the technical collection, processing and use of personal data within the meaning of § 3 Paragraph 1 BDSG or processing in accordance with Art. 4 No. 2 DSGVO (hereinafter referred to as "data") by the contractor on behalf of the client within the scope of the performance agreement (order data processing or order processing). This agreement does not include any further assignment of tasks in terms of content.
    In other words, this agreement only covers certain transactions in connection with personal data for which you explicitly instruct us.
    3. Specification of the content of the order, the type, scope and purpose of the order data processing.
    3.1. The subject matter and duration of the processing of order data as well as the extent, type and purpose of the intended collection, processing or use of data are regulated in the main contract.
    3.2. The subject matter of the collection, processing and/or use by the contractor are individual details of personal or material circumstances of a specific or identifiable natural person.
    3.3. The following data types or categories are the subject of the collection, processing and/or use by the contractor:
  • Person master data, e.g.: Name, address, date of birth, employer, position
  • Customer master data, e.g.: Name, address, date of birth
  • Communication data, e.g.: Phone numbers, e-mail addresses
  • Company data, e.g.: Employees, addresses, bank details, business areas
  • Vendor master data, e.g.: Employees, addresses, bank details, ratings
  • Contract master data, e.g.: Contact person, contractual relationships
  • Contract-related documents, e.g.: GTC, contracts, purchase orders, invoices
  • Log data, e.g.: Change history, order history, logon history, credentials
  • Communication data, e.g.: Chats, notes on conversations and phone calls, e-mail, other correspondence
    In other words, the duration of the validity of this Agreement depends on the term of our contractual relationship. Our contractual relationship and the cloud services you have booked determine in detail for what purpose and for what use personal data is stored.
    In addition to personal data that you store or process with the help of our services, we collect personal data about yourself and about any person you instruct to work with us.
    4. Responsibility and instructions of the client 4.1. The customer is responsible for compliance with data protection regulations, in particular for the legality of data transfer to the contractor and for the legality of data processing. He may at any time demand the surrender, correction, deletion and blocking of the data. If a data subject contacts the contractor directly for the purpose of deleting or reporting his data, the contractor will forward this request to the customer as quickly as possible.
    4.2. The contractor may only collect, process or use data in accordance with the instructions of the client. An instruction is the written order of the client in accordance with the law directed to a certain handling of personal data by the contractor. The instructions are first defined in the main contract and can then be amended, supplemented or replaced by the client in writing by a single instruction (individual instruction). Instructions that go beyond the contractually agreed performance are treated as a request for a change in performance.
    4.3. The contractor must inform the client immediately if he is of the opinion that an instruction violates data protection regulations. The contractor is entitled to suspend the execution of the corresponding instruction until it is confirmed or changed in writing by the person responsible at the client.
    4.4. Changes to the object of processing with procedural changes must be agreed and documented jointly. The contractor may only provide information to third parties or the parties concerned with the prior written consent of the customer. The contractor does not use the data for any other purposes and is not entitled to pass them on to third parties. Copies will not be made without the knowledge of the client.
    4.5. The client shall keep a list of procedures in accordance with § 4g Paragraph 2 Sentence 2 BDSG or Art. 30 DSGVO. The contractor shall, at the request of the contracting authority, provide the necessary information for inclusion in the register of procedures.
    4.6. The persons of the client who are entitled to issue instructions in accordance with this regulation shall be determined by the client. If one of the aforementioned persons is prevented for a longer period of time, leaves the company or is no longer available for other reasons, a replacement person must be appointed in good time and notified to the other contractual party immediately in text form.
    4.7. Instructions in accordance with this regulation are reported to compliance@gridscale.io.
    In other words, you are responsible for what you do in detail with our offers, which personal data you collect, process or store. We provide you with APIs and tools that give you full control over all the data you have stored on our services.
    We will never collect, process or change data for you without your explicit order.
    We will never use your data (whether confidential, personal or not) for purposes for which you did not instruct us or hand them over to any third party.
    5. Duties of the contractor 5.1 In addition to the contractual provisions of this agreement and the main contract, the contractor shall comply with all relevant statutory obligations within the framework of order data processing and order processing.
    5.2 The contractor is obliged to maintain data secrecy. Furthermore, he shall ensure that his employees involved in the processing of the Client's data are obliged to maintain confidentiality, in particular data secrecy and compliance with the rights and obligations of this ADV, or are subject to an appropriate statutory duty of confidentiality and have been instructed in the protective provisions of the BDSG or BDSG new. This also includes the instruction on the instruction and purpose binding existing in this order data processing relationship. At the request of the client, the contractor shall submit an explicit declaration in accordance with § 5 BDSG or Art. 28 para. 3 sentence 2 lit. b) DSGVO (e.g. by explicit confirmation that employment contract regulations have been concluded).
    5.3 The contractor must appoint a data protection officer in accordance with § 4f BDSG or Art. 37 DSGVO, who performs his duties in accordance with §§ 4f and 4g BDSG or Art. 39 DSGVO, provided a legal obligation exists. If the contractor has not appointed a data protection officer, he shall appoint an employee responsible for data protection. The contact details of an appointed data protection officer or the employee responsible for data protection will be provided to the client upon request.
    5.4 The contractor shall immediately inform the principal about inspections, investigations and measures by the supervisory authorities. The contractor is obliged to forward inquiries from the data protection supervisory authorities immediately to the data protection officer of the principal or to the principal. The contractor shall support the client in preparing the necessary data protection documentation and in responding to enquiries from data protection supervisory authorities in accordance with his possibilities for a fee after prior offer and commissioning by the client.
    5.5 Subject to a legal or official obligation, the contractor is not authorised to disclose information about the processed data to third parties or to the data subject without corresponding instructions from the client. The Contractor shall immediately forward requests for information to the Customer. The client is responsible for the protection of the rights of the persons concerned. However, in view of the type of processing, the contractor shall, if possible, support the contracting entity with appropriate technical and organisational measures to meet its obligation to respond to requests for the exercise of the rights of data subjects in Chapter III of the DSGVO.
    5.6 After the date of application of the DSGVO or the BDSG, the contractor shall support the principal, taking into account the type of processing and the information available to him, in complying with the obligations for the security of personal data specified in Articles 32 to 36 DSGVO in accordance with his possibilities for a fee after prior offer and commissioning by the principal.
    In other words, we obey the law. We are committed to maintaining data secrecy and ensure that all our employees are trained and particularly sensitized. If required by law, we will appoint a data protection officer. Otherwise, we will appoint an employee responsible for data protection. Should we ever get into an investigation by the responsible supervisory authorities, we will inform you immediately. We will help you if you have to provide information yourself (e.g. to an authority). Should we incur expenses as a result, we will discuss the costs with you beforehand.
    You are responsible for the so-called rights of those affected. This refers to the rights of the person whose data you store or process. If a person concerned contacts us, we cannot provide information or accept instructions. Instead, we will forward the request to you immediately.
    6. Technical-organizational measures and their control 6.1. The Contracting Parties shall agree on the specific technical and organisational security measures set out in the Annex "Technical-organisational measures" for such processing.
    6.2 The contractor shall provide the security pursuant to Art. 28 para. 3 lit. c, 32 DSGVO, in particular in connection with Art. 5 para. 1, para. 2 DSGVO. Overall, the measures to be taken are measures of data security and to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of technology, the implementation costs and the type, scope and purposes of processing as well as the different probability of occurrence and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 para. 1 DSGVO must be taken into account. Details can be found in the appendix "Technical-organizational measures".
    6.3 Technical and organisational measures are subject to technical progress. In this respect, the contractor is permitted to implement alternative adequate measures. The safety level of the measures specified in the appendix "Technical-organizational measures" must not be undershot. Significant changes must be documented.
    6.4 Upon request, the contractor shall provide the customer with the information necessary to fulfil his obligation to check the order and confirm the implementation of the agreed technical and organisational measures.
    6.5 The customer has the right to carry out inspections in consultation with the contractor or to have them carried out by inspectors to be appointed in individual cases. He has the right to check the contractor's compliance with this agreement in his business operations by means of spot checks which must be registered in good time (usually with at least 20 working days' notice). An inspection must be carried out during normal business hours without disrupting operations. This also applies to the inspection of subcontractors who have been commissioned (in whole or in part) to provide the services owed by the contractor. In doing so, the customer must take appropriate account of the operating procedures and maintain secrecy regarding the contractor's trade and business secrets. The Contractor shall adequately support the Customer in checking the order and shall provide the information required for this purpose upon request. An inspection by third parties for the customer requires the prior written consent of the contractor. If the client commissions a third party to carry out the inspection with the contractor's consent, the client must oblige the third party in writing to maintain confidentiality, unless the third party is subject to a professional confidentiality obligation. At the request of the contractor, the contracting authority shall submit the commitment agreements with the third party to the contractor without delay, prior to the commencement of the inspection. The contracting authority may not appoint a competitor of the contractor to carry out the inspection.
    In other words, we agree with you on so-called technical-organizational measures, which specify our precautions for the protection of your data. Our technical-organizational measures are oriented towards the current state of technology and guarantee a very high level of protection of your data stored with us. To ensure that our measures remain effective, we adapt them from time to time and continue to develop them. You have the right to inspect the measures we have put in place. For this, we ask you to give us some advance notice so that we can plan your review.
    7. Notification of violations by the contractor 7.1. In case of data protection relevant disturbances or suspicion of data protection violations during the processing of personal data, the contractor is obliged to inform the customer or the data protection officer of the customer without delay. The customer shall issue the necessary instructions in writing upon notification to this effect by the contractor.
    7.2 In consultation with the principal, the contractor shall take appropriate measures to secure the data and to reduce possible adverse consequences for those affected. If, in connection with the data to be processed in this Agreement, the Client is subject to information or notification obligations pursuant to § 42a BDSG or Art. 33, 34 DSGVO, the Contractor shall support the Client to the extent possible for a fee after separate assignment.
    7.3 The persons of the principal who are to be informed in the event of such a violation shall be notified separately to the contractor. If one of the persons named therein is prevented for a longer period of time, leaves the company or is no longer available for other reasons, a replacement person must be appointed in good time and the contractor must be notified immediately by e-mail to compliance@gridscale.io.
    In other words, if an incident occurs in which we violate our agreement on order data processing, we undertake to inform you immediately.
    Should such an incident occur, we will do everything in our power to minimize the consequences for those affected and to protect your data.
    8. Deletion and return of data 8.1. Copies or duplicates of data carriers or data records provided under the contract will not be made without the knowledge of the client. Excluded from this are backup copies, insofar as they are necessary to guarantee proper data processing, as well as data which are necessary with regard to compliance with legal storage obligations.
    8.2 After completion of the contractually agreed services or earlier upon request by the principal - at the latest upon termination of the main contract - the contractor must hand over to the principal all documents in his possession, processing and usage results created and data stocks in connection with the contractual relationship or, with the prior consent of the principal, destroy them in accordance with data protection law. The same applies to test and scrap material. Destruction in accordance with data protection regulations must be confirmed to the customer on request. The Contractor shall provide the Customer with a record of the deletion upon request and for a fee after a separate order has been placed prior to the start of the deletion process.
    8.3 Documentation that serves as proof of orderly and proper data processing must be kept by the contractor after the end of the contract in accordance with the respective retention periods. He can hand them over to the client at the end of the contract.
    In other words, data that you store on cloud services of gridscale will never be duplicated without your knowledge and will be irrevocably deleted at the latest after termination of our contract or if you request us to do so.
    9. Subcontracting relationships 9.1. Sub-contractual relationships within the meaning of this provision shall be understood to mean those services which relate directly to the provision of the main contract. This does not include ancillary services which the contractor uses e.g. as telecommunication services, postal/transport services, maintenance and user services or the disposal of data carriers as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, in order to ensure data protection and data security of the client's data, the contractor is obliged to take appropriate and legally compliant contractual agreements and control measures, even in the case of outsourced ancillary services.
    9.2 The contractor is only entitled to commission third parties with the (complete or partial) performance of the services owed by him (sub-contractual relationships) with the prior written consent of the principal. The client will not refuse the consent for unreasonable reasons. Consent shall be deemed to have been given unless the contracting authority, within a period of three working days following notification by the contractor of the intended subcontracting, declares its reasoned rejection of the consent, at least in writing.
    9.3 If subcontractors are engaged by the contractor, the contractor shall ensure that his contractual agreements with the subcontractor are such that the level of data protection at least corresponds to the agreement between the principal and the contractor and that all legal and contractual obligations are observed. From the date of application of the DSGVO, the contractor shall comply with the conditions described in Art. 28 para. 2 and 4 DSGVO for the use of the services of another contract processor. If the subcontractor does not comply with his data protection obligations, the contractor shall be liable to the customer for compliance with the obligations of that subcontractor as for his own actions.
    9.4 If the subcontractor performs the agreed service outside the EU/EEA, the contractor shall take appropriate measures to ensure the admissibility under data protection law. The same applies if service providers within the meaning of para. 1 sentence 2 are to be used.
    In other words, in everyday life we use various service providers whom we commission with so-called ancillary services, for example the cleaning of our office or postal services. We carefully select ancillary service providers and commit them to data protection and confidentiality. In addition to ancillary service providers, it may be appropriate in individual cases to commission service providers to perform part of the services that you order from us; these are so-called subcontracting relationships. In this case we will inform you about the assignment of such a service provider, so that you can agree to the assignment.
    In any case, we shall ensure that a subcontractor guarantees at least a level of security that complies with this agreement. We ensure through control and contractual agreement that the subcontractor complies with legal regulations and protects your interests. If a subcontractor wishes to provide the services ordered outside Europe, we ensure compliance with data protection law.
    10. Inspection obligations 10.1. The client shall check the technical and organisational measures of the contractor and document the result regularly before starting data processing. For this purpose, he may obtain information from the contractor himself, have expert reports or test certificates obtained from the contractor submitted or have an examination carried out at his own expense by an expert bound to professional secrecy. Such an inspection must be carried out during normal business hours without disrupting the course of operations and requires an appropriate advance notice.
    10.2 Upon request, the contractor undertakes to provide the customer with all information required to carry out an inspection in text form (§ 126b BGB) within a reasonable period of time.
    In other words, before starting data processing on gridscale, you should conscientiously check us for suitability for your project. For example, start by going through our technical-organisational measures and contact us if you have any questions. Check our data center certificates and make sure we are the best provider for your project. We will be happy to support you in all this at any time.
    11. Written form clause, choice of law, final provisions 11.1 The place of jurisdiction for all disputes arising from this Agreement on order data processing is Cologne.
    11.2 This Agreement shall be governed by German law to the exclusion of private international law.
    11.3. Amendments and supplements to this appendix and all its components - including any warranties of the Contractor - require a written agreement and an express indication that these terms and conditions are to be changed or supplemented. This also applies to the waiver of this formal requirement.
    11.4 The customer as well as every user agrees that the contractor may send information relevant to the system or product by e-mail. This consent can be revoked at any time.
    11.5 Should individual provisions of this Agreement be or become invalid in whole or in part, this shall not affect the validity of the remaining provisions. In this case, the contracting parties undertake to replace the invalid provision with an effective provision that comes as close as possible to the economic purpose of the invalid provision. The same applies to any gaps in the agreement on order data processing.
    11.6 The appendix "Technical-organizational measures" is an integral part of this agreement.
    In other words, we live in Cologne. This agreement shall be governed by German law. Any changes to this agreement must be agreed with us in writing. The appendix "Technical-organizational measures" is an important part of this agreement.

    TOM

    Technical-organizational measures


    Appendix "Technical-organizational measures"
    according to § 9 BDSG or Art. 32 DSGVO

    § 1. Technical and organisational security measures According to § 11 Paragraph 2 Sentence 2 No. 3 BDSG in conjunction with § 9 BDSG and Art. 32 DSGVO, the contracting parties are obliged to define the technical and organisational security measures.
    In other words, as a cloud and hosting provider, we are obliged to guarantee the highest level of security for the protection of sensitive, especially personal data.
    § 2. Internal organization of the contractor The contractor shall design his internal organisation in such a way that it meets the special requirements of data protection. Measures shall be taken which are appropriate depending on the type of personal data or categories of data to be protected.
    In other words, we will at all times take all measures to ensure the protection of confidential and personal data.
    § 3. Specification of individual measures In detail, the following measures will be determined:
    Confidentiality (Art. 32 para. 1 lit. b. DSGVO)
  • admission control No unauthorized access to data processing systems. Rooms are secured by access control (only individual persons are granted access after prior registration), personal RFID cards plus a personal biometric feature (fingerprint), electric door openers, separation systems, 24/7 plant security, alarm systems and video systems at all entrances and exits and in the rooms themselves;
  • entry control No unauthorized system use. Every user has personal access data. Only secure passwords are used. Accesses are automatically blocked if there is suspicion of manipulation. Two-factor authentication is mandatory and all volumes are encrypted;
  • access control No unauthorized reading, copying, modification or removal within the system. In addition, authorization concepts are used. Access rights are granted according to the Deny Allow principle and limited to the most necessary. Every access is logged.
  • separation control Separate processing of data collected for different purposes, e.g.: Multi-client capability, sandboxing, separation of test and product environments;
  • Pseudonymisation (Art. 32 para. 1 lit. a DSGVO; Art. 25 para. 1 DSGVO): The processing of personal data takes place in such a way that the data cannot be assigned to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to corresponding technical and organisational measures.
    In other words: to ensure confidentiality, we protect all our servers and data stores from unauthorized physical access by all available means. Our systems and services cannot be used without personal access data. No one - not even our employees - has direct access to your data. In principle, we only grant user rights (temporary rights, if necessary) that are absolutely necessary for the work of our employees, and we log every process. Information that we need for our development processes, for example, never contains personal data. We guarantee that data export of confidential data is never possible. Should we ever process personal data, we will use algorithmic measures to make this data so anonymous that no natural person can be identified from the data.
    Integrity (Art. 32 para. 1 lit. b DSGVO)
  • Forwarding control: No unauthorized reading, copying, modification or removal during electronic transmission or transport. According to current scientific knowledge, this is achieved by encrypting data and transferring data via Virtual Private Networks (VPN). Checksums are added to data before transmission to validate the unchanged transmission;
  • Input control: Determining whether and by whom personal data has been entered, modified or removed from data processing systems. For this purpose, changes and entries of data are logged. Documents are managed in a document management system.
    In other words: we ensure data integrity by always working with strong encryption and immediately identifying any unwanted changes to data through the use of checksums. We log the creation of new data and the modification of existing data for better traceability. We can therefore recognize "who" has done "what" "at which time".
    Availability and resilience (Art. 32 para. 1 lit. b DSGVO)
  • Availability control: Protection against accidental or deliberate destruction or loss through an online backup strategy (off-site), uninterruptible power supply (UPS), redundant hardware, network disconnections and the use of firewalls, as well as ensuring rapid recovery of services in the event of an error;
  • Fast recoverability (Art. 32 para. 1 lit. c DSGVO).
    In other words: we monitor all our services and do everything in our power to ensure the highest possible availability and security. We back up our own data, but not your data. We regularly rehearse various scenarios to prepare for a major disruption, so that we immediately know what we need to do.
    Procedures for regular review, analysis and evaluation (Art. 32 para. 1 lit. d DSGVO; Art. 25 para. 1 DSGVO)
  • Privacy Management;
  • Incident response management;
  • Data protection-friendly presettings (Art. 25 Par. 2 DSGVO);
  • Order control: No processing of order data within the meaning of Art. 28 DSGVO without corresponding instructions from the principal. For this purpose, a clear contract design and formalized order management are in place, and possible service providers are selected according to strict criteria. Appropriate controls and follow-up checks are carried out.
    In other words: we ensure very good data protection at all times and ensure data protection-friendly operation. We will never process your confidential or personal data without your order. We also ensure that experienced engineers keep operations running 24/7.

    ISO 27.001 – interxion

    information security management

    ISO 27.001 – e-shelter

    Information security management

    ISO 27.018

    Information technology - Security techniques - Cloud

    ISO 9.001

    Quality management
