Legal Hub
Last updated: 1.1.2025
I. General Terms and Conditions
Hutte GmbH
Elsenheimerstr. 5, 80687 München, Germany
Local Court (Amtsgericht) of München, HRB 276891
VAT ID: DE354977027
- hereafter "Provider" -
and
the Customer
- hereafter "Customer" -
- both together also the "Party(ies)" -
Last updated: January 1, 2025
1. Subject Matter of the Contract
1.1. The Provider offers a web-based platform for the management and administration of Salesforce DevOps. The software ("Software") is used in particular as a DevOps Solution for a Git-based Salesforce Development Lifecycle.
1.2. These General Terms and Conditions ("GTC") govern the transfer of use of the Software as "Software as a Service" (SaaS) via the internet.
1.3. The GTC apply to all, including future, services of the Provider in connection with the provision of the Software, the operation of portals, interfaces and internet services as well as related support services to the Customer (hereinafter "Service"). The Parties acknowledge that the provision of the Software by way of software rental is the purpose and focus of the contract. For this purpose, the Customer shall receive a user name and password-protected access for each user.
1.4. Further details may result from one or more individual contracts to be concluded separately (each an "Individual Contract", collectively the "Individual Contracts").
1.5. The contractual relationship shall be governed by the following documents, whereby the higher-ranking document and, in the case of documents of equal ranking, the more recent document shall prevail:
a) Individual Contract
b) Data Processing Agreement
c) General Terms and Conditions
1.6. Subject to the provisions of this Section 1, conflicting or additional contractual terms and conditions of the Customer shall only apply if the Provider expressly confirms them in writing.
1.7. Subject to the provisions of this Section 1, other contracts concluded in writing or verbally in relation to the subject matter of the contract shall cease to be valid when this contract comes into force. Verbal collateral agreements do not exist.
2. Rights of Use to the Software
2.1. Subject to the provisions of these GTC and the full payment of agreed fees, the Provider grants the Customer the worldwide, non-exclusive, non-transferable and non-sublicensable right to access the Software for the duration of the Service Term in accordance with the scope agreed in the Individual Contract(s) and the GTC and, to the extent required to load, display or run the Software, to create temporary copies of the Software in whole or in part (hereinafter "SaaS License").
2.2. The Provider retains all transferable proprietary rights and all exclusive rights of use to the Software.
2.3. The client is entitled to invite employees and other service providers to their instance of Hutte by e-mail or other individual means of access.
2.3.1. The invitations are sent by the Software to the e-mail addresses stored.
2.3.2. In order to use the Software, the Customer's Contractual Partner must set a password to create a user account after receiving the invitation. This user account is linked to the e-mail address with which it is invited to the Software. In addition, the Contractual Partner must accept the Privacy Policy and Terms of Service of the Software, on its first visit and in the event of changes to these data protection and terms of use, in order to be able to use the platform.
2.4. The Customer is not entitled to make the Software available to third parties for use, either for a fee or free of charge. Subletting the Software is not permitted.
2.5. Beyond that, the Customer is not entitled to make permanent or temporary copies or reproductions of the Software, to make modifications or other alterations to the Software, to distribute it in modified or unmodified form, e.g. as white label software, for commercial or non-commercial purposes or to make it publicly accessible, to decompile or reverse-engineer the Software or to determine the mode of operation of the Software in any other way, unless the Provider has given its consent.
2.6. The Customer is prohibited from removing notices and information relating to copyrights, trademark rights, patent rights and other intellectual property rights of the Software or Services.
2.7. The Customer may not store any illegal content that violates the law, official requirements or the rights of third parties on the storage space provided.
2.8. Software components with an unrestricted scope of use (execution of custom scripts on Hutte’s infrastructure) may be subject to appropriate use, which is defined and communicated by the Provider ("fair use principle"). The fair use principle is applied by the Provider to ensure the availability of the corresponding functionality for all users. Inappropriate or excessive use of the relevant functionality entitles the Provider, after prior notice, to restrict the Customer's use of the relevant functionality.
3. Provision of the Software
3.1. The Provider shall make the Software available to the Customer for access via a browser on an instance assigned to the Customer, subject to the functionality and availability specified below. The Software is handed over at the router exit of the data center where the hosting provider, selected by the Provider, is located. The Customer is responsible for the internet connection between the location and the data center and the hardware and Software required for this (e.g. PC, internet connection).
3.2. The Provider makes the Software available "as is". Permitted conditions of use and scope of use are set out in the Individual Contract(s). The Provider shall maintain the Software in a condition suitable for use in accordance with the contract.
3.3. The Software and its mode of operation shall be continuously analyzed, optimized and further developed and expanded with additional features and modules. The Provider shall provide the Customer with the latest version of the Software where possible and subject to contractual agreements in accordance with Section 1 (hereinafter "Product Updates"). The Provider is free to add functions to the Software and the Service at any time, taking into account the interests of the Customer, or to remove functions that are no longer useful, as well as to make necessary adjustments due to changes in the legal situation, technical developments or for reasons of IT security.
3.4. The Provider is not responsible for adapting the Software to the Customer's individual needs or IT environment.
4. Customer Obligations
4.1. If the provision of Services by the Provider requires cooperation in the Customer's sphere of operation, the Customer shall support the Provider by taking all necessary technical, organizational and other measures. In particular, the Customer shall submit the necessary information and documents to the Provider in good time and grant the Provider's employees access to the Customer's premises or information technology infrastructure in good time. The Provider shall not be responsible for delays in the provision of Services by the Provider that are due to the Customer's failure to cooperate or delayed cooperation.
4.2. The Customer is obliged to appoint a qualified contact person and a deputy who is authorized to make or immediately bring about all decisions necessary for the contractual provision of Services. The Customer is obliged to inform the Provider immediately of any change of contact person (including deputy).
4.3. The Customer undertakes to keep their contact information up to date, correct and complete so that the Provider can send notifications, invoices and other information.
4.4. Irrespective of the Provider's obligation to back up data, the Customer is responsible for entering and maintaining the data and information required to use the Software. The Customer is obliged to use the Software only in accordance with the contract and within the framework of the applicable statutory provisions and not to infringe any third-party rights when using it. The Customer shall inform the Provider immediately in text form about: (i) misuse or suspected misuse of the Software and Services; (ii) a risk or the suspicion of a risk to data protection or data security that arises in the course of the provision of the contractually agreed Service; (iii) a risk or the suspicion of a risk to the Service provided by the Provider, e.g. through loss of access data or hacker attack.
4.5. The Customer must ensure the following technical requirements for optimum operation, in particular:
4.5.1. The Customer is responsible for ensuring a connection to the internet with sufficient bandwidth and latency.
4.5.2. For optimal use of the offers and functions of the Software, the Customer shall use the latest versions of the following browser types: Google Chrome, Microsoft Edge or Mozilla Firefox or another browser notified by the Provider. Functional cookies are required for the usability of the Software. If these are not permitted by the Customer, the Provider accepts no liability for any resulting restrictions.
4.5.3. The Customer is responsible for taking state-of-the-art IT security measures to ensure that the use of the Software in its own organization is subject to appropriate security standards.
4.5.4. The Customer must take suitable precautions to prevent unauthorized access by third parties to the protected areas of the Software.
4.5.5. The use of joint accounts, so-called shared accounts (e.g. [email protected]), is prohibited and only permitted with the consent of the Provider.
4.5.6. The Customer is obliged to ensure that its users of the Software keep their access data secret and do not pass it on.
4.5.7. The Customer must ensure the security of the internet connection used, in particular for the use of company-owned instead of public Virtual Private Networks (VPN) and for the use of VPN connections in public networks.
4.5.8. The Customer is obliged to check data and information for viruses or other harmful components before entering them and to use state-of-the-art precautions (e.g. virus protection programs) for this purpose.
4.5.9. The Customer is responsible for setting up and administering his instance and the authorized accounts ("account(s)"). This applies regardless of whether the Provider supports the Customer in any way in setting up the account. This includes:
(i) the technical setup of the account, in particular the possible migration of data, configuration of processes and products;
(ii) the technical setup of integrations in the account and in third-party systems;
(iii) checking the correct functioning of any integration using test cases (e.g. with regard to the text length of free text fields) before going live;
(iv) the technical connection of interfaces on the Customer side in accordance with the specification of the incoming and outgoing data, including the entry of API keys and the activation of interfaces in third-party systems;
(v) the administration of the account, in particular the creation of users and roles and the allocation of access.
4.6. The Customer shall inform the Provider immediately of any errors occurring in the Software and undertakes to support the Provider in troubleshooting and rectifying errors within reasonable limits. This includes, in particular, sending the Provider error reports in written or text form upon request and providing other data and logs that are suitable for analyzing the error.
4.7. The Customer shall ensure that all its employees authorized to use the Software exercise the necessary care when using it.
5. Terms of Payment
5.1. The Customer shall pay the Provider the fees agreed in the Individual Contract(s) for the provision of the Services.
5.2. The amount of the fee for the use of the Software depends on the number of seats specified in the Individual Contract(s).
5.3. If the Customer requires further technical services in addition to those described here, their feasibility and remuneration shall be governed by Individual Contracts.
5.4. The amount of the fees may be adjusted in the event of cost changes. In the case of an adjustment, the Provider shall take into account cost changes that have occurred in the meantime, e.g. in the area of wages, salaries, costs of purchasing IT services and other prime costs. An adjustment shall take effect on the date specified by the Provider, but no earlier than one month after the Customer receives notification of the adjustment. The Customer's ordinary right of termination in accordance with Section 6 shall remain unaffected. The Provider is also entitled and, in the event of changes in favor of the Customer, obliged to adjust the fees if and insofar as the statutory value added tax changes or taxes are introduced that relate to the Service and affect the Provider.
6. Term and Termination
6.1. The contract is concluded for an indefinite period.
6.2. Either Party may terminate the contractual relationship with a notice period of at least three months to the end of the month, for the first time after 12 months from the conclusion of the contract.
6.3. This shall not affect the right of either Party to the contract to terminate the contract without notice for good cause.
6.4. The Provider is entitled to terminate without notice in particular if the Customer fails to make payments due despite a reminder and the setting of a grace period or violates the contractual provisions on the use of the Software under this Agreement. In any case, termination without notice requires that the Customer has been warned in text form (e.g. e-mail) and requested to remedy the (alleged) reason for termination without notice within a reasonable period of time. To clarify: The Customer's obligation to pay the agreed fee continues to exist even in the event of extraordinary termination without notice by the Provider.
6.5. These GTC shall also apply to the provision of Services to (also indirectly) affiliated companies and shareholders of the Customer (the "Affiliate(s)"), insofar as these affiliated companies come into contact with the Provider's Services as intended and the Provider has declared its consent.
6.6. Termination of separately concluded Individual Contracts between the parties does not lead to automatic termination of this contract. However, the termination of this contract shall lead to the automatic termination of any Individual Contracts.
7. IT Security, Troubleshooting
7.1. The Provider has taken all reasonable security measures to ensure that no third party will have access to the data in the Customer's protected area.
7.2. The Provider has also taken suitable precautions against data loss and makes daily backups for this purpose. The Provider's system checks the Customer's data for viruses. In addition, a state-of-the-art firewall is installed.
7.3. The Provider shall eliminate any software errors that occur without delay, insofar as this is technically possible. A software error exists if the Software delivers faulty results or does not work properly in any other way, so that the use of the Software is impossible or restricted. The Provider shall be grateful to receive suggestions and proposals regarding the Software at any time and shall take these into account in the further development of the Software.
8. Data Collection and Processing
8.1. The parties agree that personal data of Customers will be processed within the scope of the above cooperation and agree to this:
8.1.1. The Provider acts as the processor for the Customer data stored and processed in the respective Customer instance of the Software. The Customer is the controller of this data. For Customers who have already concluded a separate Data Processing Agreement before January 1st 2025, this Data Processing Agreement shall remain valid unless otherwise agreed. For all other Customers, the Data Processing Agreement on the Provider's website (https://hutte.io/legal-hub) ("Data Processing Agreement") is hereby agreed and incorporated and forms an integral part of the contract. In the event of a conflict, the Data Processing Agreement shall take precedence over these GTC.
8.1.2. The Provider acts as the controller within the meaning of Art. 4 No. 7 GDPR with regard to the processing of the personal data of the Customer's Contractual Partners, insofar as the Customer's Contractual Partners store data in their own accounts, irrespective of its use in the Customer's workflows, and have expressly consented to the data processing.
8.1.3. The Customer and the Provider are otherwise responsible for determining the means and purposes of processing, subject only to the above provisions of this agreement. There is no joint responsibility.
9. Blocking Access
9.1. The Provider is entitled, following a prior fruitless warning to the Customer, to temporarily or permanently block access to the Service if
- there are concrete indications that the Customer or one of its employees is in breach of material obligations under this contract or applicable law;
- there are concrete indications that user IDs or passwords are being misused;
- this is absolutely necessary for technical reasons;
- this is necessary for compelling legal, judicial or official reasons;
- the Customer is more than two weeks in arrears with the payment of fees;
- the Customer has entered incorrect contact or bank details.
9.2. When deciding on blocking, the Provider shall take appropriate account of the Customer's legitimate interests. The Provider shall notify the Customer of the blocking no later than five (5) working days before it comes into effect, provided that the notification does not conflict with the purpose of the blocking.
9.3. The blocking shall continue until the circumstance justifying the blocking has been remedied in an appropriate manner.
10. Warranty
10.1. With regard to the provision of Services, the warranty provisions of tenancy law, Sections 535 et seq. BGB (German Civil Code), apply.
10.2. A defect shall be deemed to exist if the contractual use agreed in accordance with the Service description and Service level is not only insignificantly impaired.
10.3. The Customer must notify the Provider immediately of any defects.
10.4. Strict liability in accordance with Section 536a (1) BGB (German Civil Code) for defects that already existed when the contract was concluded is excluded. Subject to the limitation of liability pursuant to Section 11, the Customer's statutory claims shall remain unaffected.
11. Liability
11.1. The Provider is liable without limitation for damages caused intentionally or through gross negligence.
11.2. In the event of a negligent breach of a contractual obligation, the breach of which jeopardizes the achievement of the purpose of the contract or the fulfilment of which makes the proper execution of the contract possible in the first place and on the observance of which the Customer may therefore rely (so-called cardinal obligation), the liability of the Provider is limited to the damage foreseeable at the time of conclusion of the contract and typical for the contract. The parties agree that the foreseeable damage typical for the contract in the event of a breach of a cardinal obligation (i) shall not exceed the amount of 1/4 of the annually agreed fees per claim and (ii) shall not exceed the amount of the total amount of the annually agreed fees for the total number of claims to be expected within one year. The Provider is not liable for negligent breach of a contractual obligation that is not a cardinal obligation.
11.3. The Provider is not responsible for damages resulting from technical malfunctions or unauthorized access by third parties, unless these were caused intentionally or through gross negligence by the Provider, its legal representatives or employees.
11.4. The Provider is not liable for the loss of data insofar as the damage is due to the fact that the Customer has not carried out the necessary data backups and thus has not ensured that lost data can be restored with reasonable effort.
11.5. The above exclusions of liability in this Section 11 do not affect the liability of the Provider for a guarantee of quality, for fraudulent intent, for damages resulting from injury to life, body and health, for product defects in accordance with the Act on Liability for Defective Products ("Produkthaftungsgesetz") and for liability under the GDPR. This does not imply a change in the burden of proof to the detriment of the Customer.
11.6. Insofar as liability is excluded or limited in accordance with this Section 11, this also applies to the personal liability of the Provider's employees, staff, corporate bodies, representatives and vicarious agents.
11.7. In particular in the event of disruptions to the technical infrastructure or the internet connection, the Provider is released from its obligation to perform. This also applies if the Provider is prevented from providing the Service due to force majeure or other circumstances which the Provider is unable or cannot reasonably be expected to rectify.
12. Confidentiality
12.1. "Confidential Information" for the purposes of this Agreement means any information shared by the Disclosing Party with the Receiving Party in the course of preparing and performing this Agreement that (i) is clearly marked as confidential Information, designated as such or otherwise made recognizable as such, (ii) is obviously or reasonably considered confidential because of its content, or (iii) is derived from confidential Information provided by the Disclosing Party.
12.2. Confidential information of the Provider is also in particular:
- access data, user IDs and passwords for the Software;
- the design of the Software in terms of UI/UX, user guidance, look & feel and other elements;
- pricing and price calculations, including the respective calculation bases;
12.3. Confidential information is not information that is demonstrably
- already or becomes publicly accessible to the receiving party without violating this agreement;
- in the lawful possession of the Receiving Party or comes into its possession from a source other than the Disclosing Party, provided that such source lawfully acquired the information and is not prohibited by law or contract from disclosing such information; or
- developed or will be developed by the Receiving Party independently of and without reference to confidential information of the Disclosing Party.
12.4. All confidential information exchanged between the Parties during the term of the contract, unless contractually permitted,
12.4.1. shall be treated in strict confidence and the Receiving Party shall take all reasonable technical and organizational measures to protect the other Party's confidential information from unauthorized disclosure, including, but not limited to, at least such measures as the Receiving Party takes to protect its own confidential or proprietary information;
12.4.2. may only be used in connection with the provision of the Services and the Receiving Party will not commercially exploit the confidential information in its own interests or those of a third party;
12.4.3. shall not be transferred, disclosed or divulged by the Receiving Party in any manner or form to any person other than those who reasonably need to know such confidential information in connection with the performance of this Agreement;
12.4.4. shall remain the property of the Disclosing Party; in particular, nothing in this Agreement shall be deemed to transfer or grant to the Receiving Party any rights or licenses to the Confidential Information or to any Intellectual Property Rights of the Disclosing Party; and shall, notwithstanding the use of the Confidential Information by the Receiving Party in connection with the provision of the Services, not be used by the Receiving Party for its own purposes or for the purposes of any third party, and the Receiving Party shall not apply for or claim any intellectual property rights or other rights in the Confidential Information or any part thereof.
12.5. The Receiving Party shall refrain from obtaining confidential information through reverse engineering of goods, products or Services containing confidential information. In particular, the Customer shall refrain from using reverse engineering to determine the functionality and mode of operation of the Software.
12.6. The Provider is entitled to draw attention to the fact of the contractual relationship between the Parties, the essential subject matter of the contract and the role of the Provider in public form (e.g. for the purpose of pitches etc.), provided that these facts are not recognizably confidential. All public communication and marketing must be agreed in writing in advance.
12.7. Upon request, but at the latest upon termination of the business relationship, all confidential information obtained by the Receiving Party in this context must be returned to the Disclosing Party or irretrievably destroyed at the latter's instruction. Electronic data must be completely deleted. No rights of retention may be asserted in this respect. The destruction shall be confirmed in writing to the Disclosing Party upon request. Retention periods due to statutory retention obligations shall remain unaffected by the obligations pursuant to this Section 12.7.
12.8. Both Parties undertake to inform the other Party immediately in the event of a breach of the obligations set out herein or if there are indications of such a breach and to cooperate in limiting any damage. Notwithstanding the foregoing, in the event of a breach of the provisions of this section, the Provider shall have the right to demand from the Customer that the employee acting in breach of duty no longer be employed in the performance of the contract.
12.9. The duty of confidentiality ends five (5) years after termination of the contract.
13. Reservation of a Right to Make Amendments
13.1. The Provider has the right to amend these GTC at any time or to amend regulations for the use of newly introduced additional Services or functions of the Software or Services. Amendments and supplements to these GTC shall be notified to the Customer by e-mail to the e-mail address provided at least four weeks before the planned entry into force of the amendments. The Customer shall be deemed to have consented to the amendment of the GTC if the Customer does not object to the amendment in text form within a period of two weeks, beginning on the day following the announcement of the amendment. The announcement must refer to the amendment, the possibility of objection, the objection period, the text form requirement and the result of the objection.
13.2. The Provider reserves the right to change the Software and/or Services in order to offer different functionalities, unless the changes or deviations are unreasonable for the Customer. If the provision of a modified version of the Software or a change in the functionality of the Software is accompanied by significant changes to the Customer's work processes supported by the Software and/or restrictions in the usability of the data generated to date, the Provider shall notify the Customer of this in text form no later than four weeks before the date on which such a change comes into effect. If the Customer does not object to the change in text form within a period of two weeks after receipt of the notification of change, the change shall become part of the contract. The notification of change shall refer to the change, the possibility of objection, the objection period, the text form requirement and the result of the objection.
13.3. Furthermore, the Provider reserves the right to change the Software and/or the Services in order to offer different functionalities (i) insofar as this is necessary to bring the Services offered by the Provider into compliance with the (case) law applicable to these Services, in particular if the legal situation changes; (ii) insofar as the Provider complies with a court or official decision addressed to the Provider; (iii) insofar as this is necessary to eliminate security gaps in the Software; (iv) due to significant changes to the Services or contractual conditions of third-party providers or subcontractors or (v) insofar as this is predominantly advantageous for the Customer. In particular, the Provider reserves the right to restrict or discontinue the provision of additional functionalities or integrations if the technical partners for these additional functionalities or the providers of the partner integrations significantly change or restrict their Services or contractual terms and conditions and the Provider can therefore no longer be reasonably expected to continue providing them, e.g. because the additional expense incurred by the Provider is disproportionately high. In the case of an annual contract period, the Customer shall receive an appropriate pro rata refund of the fees paid in advance, provided that the additional functionality or integration was invoiced separately.
13.4. If the Customer objects to a change within the meaning of this Section 13 in accordance with the respective notification obligations, the proposed change shall not take effect and the contract shall continue under the previous conditions. In this case, the Provider reserves the right to terminate the contract extraordinarily with one month's notice.
13.5. With the exception of the amendments specified in Clauses 16.1 to 16.4, the Parties must agree any amendment to the contract in text form.
14. Final Provisions
14.1. No verbal collateral agreements have been made. Amendments, supplements and additions to this contract must be made at least in text form in order to be valid. This also applies to the amendment of this contractual provision.
14.2. The Provider may use other Service Providers for the purpose of fulfilling the contract.
14.3. Should a provision of this contract be or become invalid, this shall not affect the validity of the remainder of the contract. The invalid provision shall be deemed to be replaced by a valid provision that comes closest to the economic purpose of the invalid provision. The same shall apply in the event of a gap in the contract.
14.4. Annexes referred to in this contract are an integral part of the contract.
14.5. The authoritative text for this contract and its annexes is the German text. In the event of discrepancies between the German and English texts, the German text shall take precedence.
14.6. The exclusive place of jurisdiction for all disputes arising from or in connection with the contract is Berlin, Germany. The Provider is also entitled to sue at the Customer's place of business or any other competent court.
14.7. The law applicable to this contract and its annexes as well as to the implementation and interpretation of the contractual provisions is the law of the Federal Republic of Germany to the exclusion of private international law.
II. Data Protection Information
Last updated: January 1st, 2025
1. Name/Contact Details of the Controller and the Data Protection Officer
This data protection information applies to data processing by the following controller ("Controller"):
Hutte GmbH, Elsenheimerstr. 5, 80687 München; E-Mail: [email protected]
2. Collection and Storage of Personal Data and the Nature and Purpose of Their Use
We collect the following customer data when an order is placed:
- title(s), first name(s), surname(s);
- e-mail address(es);
- address(es);
- telephone number(s) (landline, mobile).
This data is collected:
- to be able to identify you as our customer;
- in order to be able to offer you our services appropriately;
- for the purpose of correspondence with you;
- for the purpose of invoicing;
- for the purpose of asserting any claims against you.
The data processing takes place at your request and is required in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR for the stated purposes for the appropriate processing of the order and for the mutual fulfillment of obligations arising from the contract. The personal data collected by us for the assignment will be stored until the expiry of the statutory retention obligation and then deleted, unless we are obliged to store it for a longer period in accordance with Art. 6 para. 1 sentence 1 lit. c GDPR or you have consented to further storage in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.
3. Disclosure of Data to Third Parties
Your personal data will not be transferred to third parties for purposes other than those listed below. This also includes any necessary disclosure to courts and other public authorities for the purpose of correspondence. The data passed on may be used by the third party exclusively for the stated purposes.
4. Rights of Data Subjects
You have the right:
- in accordance with Art. 7 para. 3 GDPR, to withdraw your consent once given to us at any time. As a result, we may no longer continue the data processing that was based on this consent in the future;
- to request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected by us, and the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
- in accordance with Art. 16 GDPR, to immediately request the correction of incorrect or incomplete personal data stored by us;
- in accordance with Art. 17 GDPR, to demand the deletion of your personal data stored by us, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims;
- in accordance with Art. 18 GDPR, to demand the restriction of the processing of your personal data if the accuracy of the data is disputed by you, the processing is unlawful, but you refuse to delete it and we no longer need the data, but you need it to assert, exercise or defend legal claims or you have lodged an objection to the processing in accordance with Art. 21 GDPR;
- in accordance with Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transmitted to another controller; and
- to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR. As a rule, you can contact the supervisory authority at your usual place of residence or workplace or at the registered office of the Controller.
5. Right of Objection
If your personal data is processed on the basis of legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR, you have the right to object to the processing of your personal data in accordance with Art. 21 GDPR, provided that there are reasons for this arising from your particular situation. If you wish to exercise your right to object, simply send an email to [email protected].
III. Data Processing Agreement
Last updated: January 1st, 2025
1. Preamble
This addendum regulates the rights and obligations of the customer ("Controller" or "Customer") and the provider ("Processor" or "Provider") in the context of the processing of personal data on behalf of the Customer ("DPA"). This Data Processing Agreement ("DPA") is part of the General Terms and Conditions and specifies legal rights and obligations arising for the parties from the GDPR if and to the extent that the Provider processes personal data on behalf of the Customer pursuant to Art. 28 GDPR or a service provider acting on behalf of the Provider may have contact with the Customer's personal data. Unless otherwise defined in this DPA, the definitions of the contract or the GDPR shall apply. In the event of a conflict between the provisions of this DPA and the contract, the provisions of this DPA shall prevail.
2. Object of the Contract and Term
2.1 The subject matter of the contract includes the electronic processing of personal data to provide the services rendered by the Provider in accordance with the General Terms and Conditions and its annexes.
2.2 The Provider processes personal data on behalf of the Customer on the basis of this DPA and in accordance with Art. 4 para. 1, para. 2 and Art. 28 GDPR.
2.3 This DPA is concluded for an indefinite period. However, if the General Terms and Conditions end, this DPA shall also end.
3. Purpose, Scope and Types of Processing, Type of Personal Data and Categories of Data Subjects
3.1 Personal data may only be processed within the scope of this DPA for the stated purpose.
3.2 The purpose, scope and type of data processing are:
3.2.1 electronic processing of the contract signature (if applicable).
3.3 Categories of Data Types concerned:
3.3.1 Potential user data
3.3.2 Contract master data
3.4 Types of personal data:
3.4.1 The Provider collects all personal data contained in the registration form. The scope of the data collected by the Provider does not generally exceed the scope described here.
3.5 The provision of the contractually agreed data processing takes place exclusively in a member state of the European Union, another state party to the Agreement on the European Economic Area or a state with an adequate level of data protection in accordance with Art. 45 GDPR, which is determined by the European Commission.
3.6 The Provider may only carry out an international transfer of personal data to a country outside the European Economic Area in accordance with the GDPR and must take appropriate protective measures to the extent required by the GDPR.
4. Rights, Obligations and Authority of the Customer to Issue Instructions
4.1 The Customer bears sole responsibility for assessing the lawfulness of the processing pursuant to Art. 6 para. 1 GDPR and for compliance with the rights of the data subject pursuant to Art. 12-22 GDPR.
4.2 The Customer shall issue all orders, partial orders and instructions in text form or documented electronic form. Verbal instructions must be confirmed immediately in text form or documented electronic form.
4.3 The Customer is entitled to regularly and appropriately check how the Provider is fulfilling the technical and organizational measures (TOM) and the obligations set out in this Agreement.
4.4 If the Customer discovers errors or irregularities when checking the work results, he must inform the Provider immediately.
4.5 The Customer is obliged to treat as confidential all business secrets of which it becomes aware in the context of the contractual relationship and to comply with the Provider's data security measures. This obligation shall remain in force even after termination of this contract.
5. Persons Authorized to Issue Instructions in the Customer's Company and Persons Who Receive Instructions in the Provider's Company
5.1 The persons who receive instructions from the Provider are:
5.1.1 Organizational unit: Hutte GmbH
5.1.2 Communication channels used for issuing instructions: [email protected]
5.2 In the event of a change or prolonged absence of the contact point, the parties shall immediately appoint a representative or successor and inform the other party of any changes in text form or documented electronic form. The instructions shall be retained for their duration and subsequently for at least three calendar years.
6. Obligations of the Provider
6.1 The Provider shall appoint a data protection officer. The contact details (updated from time to time) of the data protection officer(s) shall be published on the Provider's website.
6.2 The Provider shall process personal data exclusively within the framework of the agreements made and in accordance with the Customer's instructions, unless it is obliged to process data separately on the basis of a law of the Union or the Member States applicable to the Provider (e.g. investigations by national security authorities or law enforcement authorities); in such a case, the Provider shall inform the Customer of these legal requirements prior to the commissioned processing, unless the applicable law prohibits such disclosure for reasons of public interest and public security (Art. 28 para. 3, sentence 2, lit. a) GDPR).
6.3 The Provider shall cooperate with the Customer to the extent necessary and support the Customer, as far as possible, in fulfilling the Customer's obligation to respond to requests to exercise data subject rights within the meaning of Art. 12-22 GDPR and in drawing up records of processing activities and necessary data protection impact assessments (Art. 28 para. 3 sentence 2 lit. e) and f) GDPR).
6.4 If, in the opinion of the Provider, an instruction issued by the Customer violates legal regulations, the Provider shall inform the Customer immediately (Art. 28 para. 3 sentence 3 GDPR). The Provider is entitled to cease compliance with the respective instruction until the Customer confirms or changes this instruction.
6.5 If the Customer requests the correction or deletion of personal data or the restriction of their processing by means of a special instruction and if this does not conflict with any legitimate interests of the Provider (e.g. fraud prevention), the Provider shall carry out this instruction.
6.6 The Provider agrees that the Customer (after commissioning) is authorized to check compliance with the regulations on data protection and data security as well as the contractual agreements to an appropriate and necessary extent himself or through third parties commissioned by him (Art. 28 para. 3 sentence 2 lit. h) GDPR).
6.7 The Provider confirms that it is familiar with the data protection provisions of the GDPR that apply to data processing and that it complies with the following confidentiality rules incumbent on the Customer:
6.7.1 Secrecy of telecommunications
6.8 The Provider is obliged to maintain the confidentiality of all personal data of the Customer that is processed within the scope of this contract. This confidentiality obligation shall remain in force even after termination of the contract.
6.9 The Provider shall ensure that the employees authorized to process the personal data are instructed prior to data processing on compliance with all relevant data protection provisions and are bound to secrecy in an appropriate manner both for the duration of the activity and after termination of the employment relationship (Art. 28 para. 3 sentence 2 lit. b) and Art. 29 GDPR). The Provider monitors compliance with data protection regulations.
7. Rights of the Data Subject
7.1 The Provider cooperates with the Customer to the extent necessary and supports the Customer, as far as possible, in fulfilling its obligation to respond to requests to exercise the rights of data subjects within the meaning of Art. 12-22 GDPR (Art. 28 para. 3 sentence 2 lit. e) and f) GDPR). Corresponding requests should be sent to: [email protected].
7.2 If a data subject contacts the Provider directly regarding their data subject rights such as information or deletion, the Provider shall forward these requests to the Customer without delay, provided that they are addressed exclusively to the Customer. Such requests shall be addressed to the data protection officer in accordance with Section 7 above.
7.3 The Provider may only provide information about personal data from the contractual relationship to third parties or to the data subject with the prior instruction or consent of the Customer.
8. Reporting Obligation in the Event of Disruptions in the Processing or Breach of the Protection of Personal Data
The Provider shall inform the Customer immediately in the event of disruptions or violations of data protection regulations or contractual obligations by the Customer or its employees, as well as in the event of suspected data protection violations or irregularities in the processing of personal data. This applies in particular to any reporting obligations of the Customer pursuant to Art. 33 and Art. 34 GDPR. The Provider assures that it will support the Customer in fulfilling its obligations to the extent necessary within the meaning of Art. 33 and Art. 34 GDPR (Art. 28 para. 3 sentence 2 lit. f) GDPR). Notifications for the Customer within the meaning of Art. 33 or 34 GDPR can only be sent by the Provider after prior instruction in accordance with Section 5 of this Agreement.
9. Subcontracting Relationships with Service Providers for Core Services (Art. 28 para. 3 sentence 2 lit. d) GDPR)
9.1 The Provider may commission service providers to process the Customer's data. The Provider shall inform the Customer about the commissioning of a service provider. In addition, the Provider shall ensure that, when selecting service providers, it pays particular attention to their suitability for the technical and organizational measures described in Art. 32 GDPR.
9.2 The Provider shall contractually ensure that the provisions agreed between the Customer and the Provider also apply to service providers. The provisions in the contracts with the service providers shall be defined so precisely and specifically that the responsibilities of the Provider and the service provider can be clearly delineated. If several service providers are commissioned, this also applies to the responsibilities between these service providers.
9.3 The contract with the service providers must be concluded in writing; it may also be concluded in electronic form (Art. 28 (4) and (9) GDPR).
9.4 The Provider shall inform the Customer of any intended changes regarding the addition or replacement of service providers and give the Customer the opportunity to object to such changes (Art. 28 para. 2 GDPR).
10. Technical and Organizational Measures pursuant to Art. 32 GDPR (Art. 28 para. 3 sentence 2 lit. c) GDPR)
10.1 A level of protection appropriate to the risk to the rights and freedoms of individuals (data subjects) must be ensured for the specific processing. For this purpose, the purposes of protection referred to in Art. 32 para. 1 GDPR, such as confidentiality, integrity and availability of systems and services and their resilience with regard to the nature, scope, circumstances and purpose of data processing, shall be taken into account in such a way that the risk is kept low in the long term by means of appropriate technical and organizational measures. For the proper processing of personal data, an appropriate and comprehensible risk assessment methodology is applied that takes into account the likelihood and severity of the risks to the rights and freedoms of data subjects.
10.2 The described data protection concept specifies the minimum requirements for the technical and organizational measures (TOM) that correspond to the assessed risk. The protection objectives are considered in detail and according to the state of the art - in particular with regard to the Provider's IT systems and processes. The concept also describes procedures for the regular review, assessment and evaluation of the effectiveness of the TOM in order to ensure data processing in compliance with data protection regulations.
10.3 The Provider shall regularly review, assess and evaluate the effectiveness of the TOM in order to ensure the security of the processing (Art. 32 para. 1 lit. d) GDPR).
11. Obligations of the Provider after Completion of the Order (Art. 28 para. 3 sentence 2 lit. g) GDPR)
After termination of the contract, the Provider shall delete or return to the Customer all order-related data, documents and reports that have been created in the course of data processing and are in the possession of the Provider or its service providers, unless Union law or the law of a Member State requires the storage of personal data.
12. Liability
12.1 Both parties shall be liable pursuant to Art. 82 GDPR for damages caused by a breach of this DPA or the GDPR.
12.2 If both parties are responsible for claims by data subjects or third parties pursuant to Art. 82 (4) GDPR, the Customer shall be solely liable for the damage, unless part of the total damage is attributable to the Provider. The Customer shall bear the burden of proof that the damage is not attributable to circumstances for which the Customer is responsible.
12.3 Any limitations of liability in this DPA shall not apply in the event of intent or gross negligence or in the event of injury to life or limb.
12.4 In all other respects, liability shall be governed by the General Terms and Conditions.
13. Miscellaneous
13.1 All ancillary agreements must be made in writing or in a documented electronic format.
13.2 If the Customer's property or the personal data to be processed is jeopardized by actions of third parties (e.g. by seizure or confiscation), by composition or insolvency proceedings or by other events, the Provider must inform the Customer immediately.
13.3 With regard to the data processed for the Customer and the respective data carrier, the defense of the right of retention within the meaning of Section 273 BGB (German Civil Code) is excluded.
13.4 Amendments and additions to this Addendum and all its components - including any assurances given by the Processor - shall be made in text form (including e-mail) in accordance with the GDPR, which may also be in electronic form, and require an express reference to the fact that these terms and conditions have been amended or supplemented. This also applies to the waiver of this formal requirement. The parties agree that amendments to this addendum may be made in an electronic format in accordance with Art. 28 para. 9 GDPR.
13.5 Should the Controller's data be jeopardized by seizure or confiscation, by insolvency or composition proceedings or by other events or measures of third parties, the Processor shall inform the Controller immediately. The Processor shall immediately inform all parties involved in this context that ownership of the data lies exclusively with the Controller.
13.6 The law of the Federal Republic of Germany shall apply. The UN Convention on Contracts for the International Sale of Goods (CISG) shall not apply. The exclusive place of jurisdiction for all disputes in connection with this addendum is, as far as permissible, Berlin.
13.7 Should any provision of this contract be invalid, this shall not affect the validity of the remaining provisions of the contract.