General Terms & Conditions
Proximity DMP Master Services Agreement
Square Metrics GmbH, Köpenicker Straße 154, 10997 Berlin (hereinafter “Square Metrics”), has developed a technology registered as “Proximity DMP”, which the Client wishes to use to analyze the behavior of the Client’s customers.
For this purpose, the Parties hereby enter into the following Agreement:
1. General Provisions
1.1. This Master Services Agreement (hereinafter referred to as the “Agreement”) shall apply to all contractual relationships between Square Metrics and Client regarding the Proximity DMP service.
1.2. Any deviating terms and conditions of the Client as well as any deviations and/or amendments to this Agreement shall only become part of the Agreement if they have been expressly acknowledged by Square Metrics in writing (email is sufficient). This Agreement shall also apply exclusively if Square Metrics has not explicitly objected to any contrary terms and conditions.
1.3. Square Metrics reserves the right to modify these General Terms and Conditions with effect forthe future (starting at the date of the renewal of the contract period) at any time. In this case, Square Metrics will notify the Client of these changes (at least 3 weeks before the ending of the period of notice). The changes shall be deemed to be accepted if the Client does not object within three weeks after receipt of the amendment notification. Square Metrics will inform the Client in its amendment notification about the Client’s right to object and the effects of a lack of objection. If the Client rejects the changes, the contract can not automatically be renewed and the agreement will be terminated after the contract period.
2. Formation of contract
2.1. Offers by Square Metrics are subject to change. The subject matter of the Agreement are the Square Metrics products and services as detailed below at the time the contract is concluded. Square Metrics reserves the right to make technical changes and improvements to its products and services within reason.
2.2. The Agreement between Square Metrics and the Client is entered into upon signature of the Square Metrics Purchase Order by the Client. Alternatively, the Client can register on the Square Metrics website, which also constitutes acceptance of this Agreement. The Square Metrics Purchase Order that the Client has signed, this Master Services Agreement and its respective Annexes shall jointly comprise the “Contract”.
2.3. The Client represents and warrants that all personal information as well as other relevant contractual data provided by Client during the conclusion of the Agreement are complete and correct. The Client is obliged to promptly inform Square Metrics about any changes to this data and/or to update altered data in its user account. In the event of a culpable breach of this obligation, Square Metrics is entitled to suspend the contractual services upon giving prior notice.
2.4. The Client is aware that contractual declarations (e.g. confirmation emails, amendments to the General Terms and Conditions as well as other notifications) may be sent via email. They are deemed to have been received when they can be retrieved in the email inbox which was specified by the user during the registration under normal circumstances.
3.1. Square Metrics shall render the service in accordance with the Service Description in Annex 1. Unless expressly specified otherwise in the Service Description and in this Agreement, including the Service Level Agreement in Annex 3, Square Metrics ensures the provision of the service with an availability customary within the industry.
3.2. Square Metrics is entitled to use the assistance of third parties in order to fulfill its contractual obligations.
4. Client rights and obligations
4.1. The Client is entitled to use the service and the software provided by Square Metrics only to the extent described hereafter.
4.2. The Client must follow Square Metrics’ instructions as well as the protocols and specifications as requested by Square Metrics with regard to the telecommunication/data transmission.
4.3. Specifically, Client must implement the Proximity DMP SDK according to Annex 2, and use program code provided by Square Metrics without any modifications for its intended use.
4.4. The Client’s app must offer substantive services that go beyond the mere functionality of the Proximity DMP SDK.
4.5. If Square Metrics has protected its services by technical means (e.g. security codes, firewalls, etc.), the Client is not allowed to circumvent or remove such security measures.
4.6. The Client may upload data regarding infrastructure, buildings, and campaigns, including images. The Client assumes all responsibility for all such uploaded data.
4.7. The Client is obliged to protect its own data by taking appropriate measures and by regularly making backups of its data.
4.8. The Client agrees to keep the passwords and login data provided by Square Metrics for access to the services confidential and to inform Square Metrics immediately as soon as the Client becomes aware of unauthorized third parties gaining access to these passwords. If, due to the Client’s fault, unauthorized third parties use any services provided by Square Metrics by using the passwords, the Client is liable to Square Metrics for usage fees and damages.
4.9. The Client shall not make the software provided by Square Metrics available to any third parties, except for Affiliated Companies according to sec. 14 German Companies Act (Aktiengesetz). In addition, the Client shall not
4.9.1. modify, translate, reverse engineer, decompile, disassemble or otherwise create derivative works from the Square Metrics software or documentation. Information pursuant to Section 69e of the German Copyright Act which is required to achieve interoperability with other programs created independently can be purchased from Square Metrics for a fee upon request;
4.9.2. transfer, lend, rent, lease, distribute the software provided by Square Metrics or the service, or use them for providing services to a third party, or grant any rights in and to the Square Metrics software or documentation to a third party in any form, without Square Metrics’s express prior written and unless all respective fees have been paid and all of Square Metrics’s other conditions have been met; or
4.9.3. remove, modify or make illegible the labels, markers or designations regarding copyrights and other intellectual property rights of the Square Metrics software or documentation.
5. Prices and Payment Conditions
5.1. The fees for the service that the Client makes use of are set out in Square Metrics’s current valid price list. Unless explicitly stated otherwise, all fees are quoted in Euros and are exclusive of the statutory value-added tax (VAT) applicable at the time. Any customs duties and similar public charges shall be borne by the Client.
5.2. Invoices will be sent to the Client via mail or in electronic form, unless expressly agreed otherwise.
5.3. The payment of the invoices shall be due within 30 days of the invoice date. In the event of the Client’s default of payment, Square Metrics is allowed to charge default charges up to €5.00 as well as default interest in accordance with the statutory provisions. Square Metrics reserves the right to prove and assert greater damages due to default. If the Client’s payments are considerably delayed, Square Metrics reserves the right to suspend the provision of any further services, in particular the Client’s access to the service, at the expense of the Client until all due payments have been made. In the event of suspended services, the Client is nevertheless obliged to pay the agreed fees. After having set the Client a reasonable deadline and expiration of that deadline, Square Metrics has the right to terminate the Agreement with immediate effect. In case of returned direct debits or unpaid checks, the Client shall reimburse Square Metrics for the costs incurred to the extent that the Client was responsible for the event given rise to these costs. Further claims and rights to which Square Metrics may be entitled in this respect shall remain unaffected. Even if the Client does not use the provided service, the Client is still obliged to pay the agreed fees.
5.4. Any complaints relating to an invoice must be submitted to Square Metrics in writing or by email to invoice@Square Metrics.com within four weeks upon receipt of the invoice. If no such complaint has been made within four weeks upon receipt of invoice, the invoice is deemed to be accepted. Square Metrics will inform the Client in the invoice about the consequences of failing to submit a timely complaint.
5.5. The Client shall have a right to offset against claims only if its counterclaim has been established by a final and binding decision or is undisputed. The same shall apply to the right of retention, the valid exercise of which shall further require that the counterclaim of the Client must arise under the same contractual relationship.
6. Term and Termination
6.1. The term of the Agreement is determined in the Purchase Order. The termination must be made in writing and be submitted via mail or fax.
6.2. The right to immediate termination for cause shall remain unaffected. In particular, Square Metrics has the right to immediately terminate the Agreement
6.2.1. if the Client breaches its obligations pursuant to sections 4.3, 4.5, 4.8, or 4.9 of this Agreement,
6.2.2. if the Client is in default of payment and does not settle the outstanding payment upon receipt of a warning letter with a deadline for payment and expiration of that deadline to no avail,
6.2.3. if the Client publishes racist, pornographic, immoral or illegal content on its website and/or content which glorifies or trivializes violence,
6.3. Either party has the right to immediately terminate the Agreement
6.3.1. if the other party breaches its obligations pursuant to sections 7.3 or 10 of this Agreement,
6.3.2. if the other party is insolvent, subject to insolvency proceedings, insolvency proceedings have been commenced or the commencement of insolvency proceedings is dismissed due to lack of assets,
6.3.3. if the other party violates the provisions of these Terms and Conditions and fails to remedy this violation upon receipt of a written request with an adequate deadline. No such request is necessary if it has no prospect of success or if the violation is so serious that the terminating party cannot be reasonably expected to adhere to the Agreement. A violation is also be deemed serious if the other party has received notices of warnings several times because of similar violations.
6.4. Upon termination of the Agreement, the Client is obliged to delete all copies of the codes that were provided by Square Metrics.
6.5. The right of termination is excluded prior to the end of the Term. If the Client terminates the Agreement disregarding such exclusion, then the Client shall be subject to a contractual penalty in the amount of the outstanding payments.
7. Intellectual property
7.1. Upon conclusion of the Agreement, Square Metrics grants the Client the non-exclusive, non-transferable and non-sublicensable right to use the service during the term of the Agreement, insofar as this is necessary to use the service according to the respective Purchase Order. The right of use shall expire once the Client defaults with any payments due.
7.2. Square Metrics shall retain all intellectual property rights as well as any other property rights in and to the Square Metrics software, the service as well as other services that are provided under this contract, including source codes, databases, hardware and/or any other material (e.g. documentations, developments, functions, report templates, preparatory material, etc.).
7.3. The Client undertakes to not violate any applicable laws regarding IP-rights, in particular third party rights (e.g. copyrights, personality rights, intellectual property rights) or the terms of this Agreement while using the service. If applicable, this also includes the provisions of the US Children’s Online Privacy Protection Act (“COPPA”). Insofar, the Client shall, subject to analogous application of the rules laid out in secs. 7.4.1. et seqq., indemnify and hold Square Metrics harmless from any and all third party claims (including but not limited to all costs and expenses, incl. reasonable attorney’s fees) that are being asserted against Square Metrics upon first request.
7.4. Unless agreed otherwise, Square Metrics shall perform its contractual services free from third-party intellectual property rights and copyright (hereinafter referred to as: IP Rights) regarding the country of performance. If a third party asserts justified claims against the Client based on an infringement of IP Rights with respect to services that were performed by Square Metrics and were used in accordance with the contract, Square Metrics shall be liable to the Client as follows within the time period set forth above:
7.4.1. Square Metrics shall, at its own selection and expense, either acquire a license to use the supplies in question, to modify them such that they no longer infringe the IP Right, or replace them. If it would be unreasonable for Square Metrics to do this, the Client may rescind the contract or reduce the fee in accordance with statutory rules.
7.4.2. Square Metrics’s liability to pay damages shall be governed by the according section of this Agreement.
7.4.3. The above obligations of Square Metrics shall only apply if the Client informs Square Metrics of claims asserted by the third party without delay and in writing, does not acknowledge any infringement and leaves any defense measures and settlement negotiations to the discretion of Square Metrics. If the Client ceases to use the supplies for damage limitation purposes or for any other significant reasons, it shall be obliged to point out to the third party that no acknowledgement of infringement may be inferred from the fact that use has been discontinued.
7.5. Claims of the Client shall be excluded if the Client is itself responsible for the infringement of an IP Right.
7.6. Claims of the Client shall also be excluded if the infringement of the IP Right is caused by specifications stipulated by the Client, by a type of use not foreseeable by Square Metrics or by the delivery being modified by the Client or being used together with products not supplied by Square Metrics.
7.7. Square Metrics hereby fully reserves any proprietary rights and/or copyrights with regard to the use of cost estimates, drawings, manuals and other documents (hereinafter referred to as: “Documents”). The Documents shall not be made accessible to third parties, except for Affiliated Companies, without the Square Metrics’s prior consent and shall, upon request, be returned without delay to Square Metrics if the contract is not awarded to Square Metrics.
8.1. Square Metrics shall be responsible that the Square Metrics Proximity DMP correspond to the use permitted by Square Metrics. Square Metrics does not assume any liability for any damages resulting from a usage other than the intended use. The same applies to any damages resulting from a use that is not in accordance with Square Metrics’s instructions and recommendations or any other unauthorized usage.
8.2. Square Metrics does not assume any liability for any disturbances, limitations, interruptions or disruptions of the service which are caused by circumstances beyond Square Metrics’s area of responsibility.
8.3. In particular, Square Metrics’s liability for faulty SDK implementation or bad data input is excluded.
8.4. Notwithstanding the foregoing, either party shall only be liable for any damages which can be attributed to a willful or gross negligent violation of a duty by the violating party, its legal representatives or employees, as a result of grave organizational neglect or which are based on defects of a warranted quality of the Square Metrics Products, pursuant to the statutory provisions. This limitation shall not apply to any damages resulting from injury of life, body or health.
8.5. Irrespective of the legal grounds, either party shall only be liable for damages that have been caused by the culpable breach of a cardinal contractual obligation by its legal representatives or vicarious agents. Liability in this regard shall be limited to the typical damages that were reasonably foreseeable at the time the contract was concluded. Liability pursuant to the German Product Liability Act shall remain unaffected. Either party’s liability for indirect damages, in particular loss of profit, is hereby excluded.
8.6. The aforementioned liability provisions shall apply accordingly to either party’s employees and agents.
8.7. Any claims for damages arising from a simple negligence by either party shall become time-barred within one year upon occurrence of the damage. This limitation shall not apply to any damages resulting from injury of life, body or health. All other claims for damages shall become time-barred within the statutory period.
9. Data protection
9.1. The Client is obliged to comply with the applicable data protection law when using the service and Square Metrics Software. If applicable, the Client is also obliged to comply with the US Children’s Online Privacy Protection Act (“COPPA”) when using the service and Square Metrics Software.
9.2. The Client is obliged to ensure that its websites and apps clearly provide appropriate and sufficiently prominent notice to users regarding the collection and use of location and other personal data by Square Metrics, and gather the according consent (opt-in) of the affected users. The Client will also ensure that the websites and apps provide facilities for users to opt out of tracking. Until a user opts in and as soon as a user opts out, the tracking mechanisms provided by Square Metrics must be fully disabled.
9.3. The processing of personal data by Square Metrics on behalf of the Client requires a data processing agreement, which the parties agree to as laid out in Annex 4.
9.4. For the purposes of this Agreement, Client owns the data collected on his behalf. Square Metrics shall process Client data only in aggregated and anonymized form to maintain and improve Square Metrics’s products and services.
9.5. Square Metrics may save and process any data relating to the Client to the extent necessary for the purpose of the execution and implementation of the ontract and as long as Square Metrics is required to keep such data in accordance with applicable law.
9.6. Square Metrics shall have the right to submit personal data relating to the Client to credit agencies, to the extent necessary for a credit check. Square Metrics shall not make available any personal data relating to the Client to other third parties without the express consent of the Client, except to the extent that a disclosure is required under applicable law.
10.1. The parties shall keep all documents, information and data which have been disclosed during the course of the cooperation strictly confidential during the term of the Agreement and for two years thereafter. The parties undertake to use the same degree of care in safeguarding the documents, information and data of the other party that is used for its own confidential information, but a least with the due care of a prudent business man. All such documents, information and data shall be used exclusively to perform the contractual services.
10.2. These confidentiality obligations also apply to documents, information and data that relate to companies affiliated with the parties, other cooperation partners or contractors and to documents, information and data about clients and sales representatives of the parties.
10.3. These confidentiality obligations do not apply to documents, information and data that are in the public domain or later become part of the public domain through no breach of contract by a party, is required to be disclosed by operation of law, court or administrative order or that has been subsequently exempted from this confidentiality obligation by an Agreement in writing, per fax or via email.
11.1. Any modifications to and or amendments of this Agreement must be made in writing (email is sufficient). This also applies in case of a nullification of the written form requirement.
11.2. If any provision of this Agreement or part thereof is invalid or becomes invalid at a later time, the validity of the remaining provisions shall remain unaffected. The relevant provision shall be replaced by a provision that as closely as possible reflects the economic purpose of the invalid provision. The foregoing shall apply analogously if any provision has inadvertently been omitted.
12. Venue and applicable law
12.1. The legal relationship between Square Metrics and the Client shall be governed by German law.
12.2. The exclusive venue for all disputes arising directly or indirectly out of or in connection with the contract shall be Berlin. However, Square Metrics may also bring an action at the Client’s registered seat.
Annex 1: Service Description
Annex 2: SDK Implementation
Annex 3: Service Level Agreement
Annex 4: Data Processing Agreement
Annex 5: Hardware Sales and Liability for Defects and Warranty
Annex 1 – Service Description
Under the Agreement, Square Metrics shall deliver the following services:
The use of the Proximity DMP is subject to successful implementation of the SDK in the Client’s mobile app
The Square Metrics SDK for Android (version 4.3 and higher) and iOS (version 9 and higher) apps recognizes beacons from different hardware manufacturers using signal strengths (iBeacon, Eddystone and proprietary formats), user location (using GPS, Wi-Fi location, cellular networks, device sensors), and user context:
Data collection is subject to the users’ consent to the app accessing the Bluetooth interface and location services (user opt-in).
The DMP offers analytics like a dashboard for visitor statistics and campaign evaluation.
Data security using market standards, https encryption.
4. Partner network
APIs and interfaces for third parties are developed upon request. Data control and security are Client’s responsibility. Third-party fees may apply. Square Metrics does not guarantee continuous service availability.
Annex 2 – SDK Implementation
The SDK must be implemented as follows:
The SDK binary file and sample integration source code may be downloaded from Github at github.com/Square Metrics/sdks
The SDK must be tested in a Sandbox environment before deploying to a production audience. The SDK requires testing in real-world situations not just using device simulators.
The SDK must be tested with respect to energy consumption and resource usage (e.g. bandwidth, memory).
3. User permissions
The SDK requires app-level user permissions for location services to work properly. Requesting these permissions is outside of the scope of the SDK.
Annex 3 – Service Level Agreement
Square Metrics agrees the following level of service:
- Square Metrics does not guarantee a general availability of its servers and APIs.
- Square Metrics points out that the services may be interrupted or disrupted by circumstances beyond Square Metrics’s area of responsibility, including but not limited to acts of third parties that do not act on Square Metrics’s behalf, technical conditions of the internet that Square Metrics cannot influence or force majeure. If such circumstances interfere with the availability or functionality of the services provided by Square Metrics, this has no effect on the contractual conformity of the services provided by Square Metrics.
- In case of unforeseen events, Square Metrics is entitled to suspend the service for maintenance or repair purposes if this is necessary to ensure the proper operation of the service.
- Scheduled interruptions of service will be announced at least three days in advance.
Annex 4 – Data Processing Agreement pursuant to art. 28 General Data Protection Regulation (GDPR)
between the Client (Controller) and Square Metrics (the Processor)
1. Subject matter and duration of this Data Processing Agreement
1.1. Subject matter
The Subject matter of this Data Processing Agreement results from the Master Services Agreement.
The duration of this Data Processing Agreement corresponds to the duration of the Master Services Agreement.
2. Specification of the data processing
2.1. Nature and Purpose of the intended Processing of Data
Nature and Purpose of Processing of personal data by the Square Metrics for the Client are precisely defined in the Master Services Agreement.
The undertaking of the contractually agreed Processing of Data shall be carried out exclusively within a Member State of the European Union (EU) or within a Member State of the European Economic Area (EEA). Each and every Transfer of Data to a State which is not a Member State of either the EU or the EEA requires the prior agreement of the Client and shall only occur if the specific Conditions of arts. 44 et seq. GDPR have been fulfilled.
2.3. Type of Data
The type of personal data used will be precisely defined during the services performed under this Agreement. The processing of personal data comprises in general the following data types/categories (List/Description of the Data Categories)
- mobile identifiers, including the IDFA, Android Advertising ID, IDFV, and/or Google Advertising ID
- pseudonymous identifiers
- IP address and log files
2.4. Categories of Data Subjects
The Data Subjects comprise of users of the Client’s mobile apps.
3. Technical and Organizational Measures
3.1. Before the commencement of processing, the Square Metrics shall document the execution of the necessary Technical and Organizational Measures, set out in advance of the awarding of this Data Processing Agreement, specifically with regard to the detailed execution of the Data Processing Agreement, and shall present these documented measures to the Client for inspection. Upon acceptance by the Client, the documented measures become the foundation of this Data Processing Agreement. Insofar as the inspection/audit by the Client shows the need for amendments, such amendments shall be implemented by mutual agreement.
3.2. Square Metrics shall establish the security in accordance with art. 28(3)(c) and art. 32 GDPR in particular in conjunction with art. 5(1) and (2) GDPR. The measures to be taken are measures of data security and measures that guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of art. 32(1) GDPR must be taken into account.
3.3. The Technical and Organizational Measures are subject to technical progress and further development. In this respect, it is permissible for Square Metrics to implement alternative adequate measures. In so doing, the security level of the defined measures must not be reduced. Substantial changes must be documented.
4. Rectification, restriction and erasure of data
4.1. Square Metrics may not on its own authority rectify, erase or restrict the processing of data that is being processed on behalf of the Client, but only on documented instructions from the Client.
4.2. Insofar as a Data Subject contacts Square Metrics directly concerning a rectification, erasure, or restriction of processing, Square Metrics will immediately forward the Data Subject’s request to the Client.
4.3. Insofar as it is included in the scope of services, the erasure policy, ‘right to be forgotten’, rectification, data portability and access shall be ensured by Square Metrics in accordance with documented instructions from the Client without undue delay.
5. Quality assurance and other duties of Square Metrics
In addition to complying with the rules set out in this Data Processing Agreement, Square Metrics shall comply with the statutory requirements referred to in arts. 28–33 GDPR; accordingly, Square Metrics ensures, in particular, compliance with the following requirements:
5.1. Appointed Data Protection Officer, who performs his/her duties in compliance with arts. 38 and 39 GDPR. His/Her current contact details are always available and easily accessible on the website of Square Metrics.
5.2. Confidentiality in accordance with art. 28(3)(2)(b, arts. 29 and 32(4) GDPR. Square Metrics entrusts only such employees with the data processing outlined in this Data Processing Agreement who have been bound to confidentiality and have previously been familiarized with the data protection provisions relevant to their work. Square Metrics and any person acting under its authority who has access to personal data, shall not process that data unless on instructions from the Client, which includes the powers granted in this Data Processing Agreement, unless required to do so by law.
5.3. Implementation of and compliance with all Technical and Organizational Measures necessary for this Data Processing Agreement in accordance with art. 28(3)(2)(c), art. 32 GDPR.
5.4. The Client and Square Metrics shall cooperate, on request, with the supervisory authority in performance of its tasks.
5.5. The Client shall be informed immediately of any inspections and measures conducted by the supervisory authority, insofar as they relate to this Data Processing Agreement. This also applies insofar as Square Metrics is under investigation or is party to an investigation by a competent authority in connection with infringements to any civil or criminal law, or administrative rule or regulation regarding the processing of personal data in connection with the processing of this Data Processing Agreement.
5.6. Insofar as the Client is subject to an inspection by the supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim in connection with this Data Processing Agreement data processing by Square Metrics, Square Metrics shall make every effort to support the Client.
5.7. Square Metrics shall periodically monitor the internal processes and the Technical and Organizational Measures to ensure that processing within his area of responsibility is in accordance with the requirements of applicable data protection law and the protection of the rights of the data subject.
5.8. Verifiability of the Technical and Organizational Measures conducted by the Client as part of the Client’s supervisory powers referred to in section 7 of this Data Processing Agreement.
6.1. Subcontracting for the purpose of this Agreement is to be understood as meaning services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal/transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. Square Metrics shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the Client’s data, even in the case of outsourced ancillary services.
6.2. Square Metrics may commission subcontractors (additional contract processors) only after prior explicit written or documented consent from the Client. Outsourcing to subcontractors or changing an existing subcontract are permissible when the subcontracting is based on a contractual agreement in accordance with art. 28(2)–(4) GDPR.
6.3. The transfer of personal data from the Client to the subcontractor and the subcontractor’s commencement of the data processing shall only be undertaken after compliance with all requirements has been achieved.
6.4. If the subcontractor provides the agreed service outside the EU/EEA, Square Metrics shall ensure compliance with EU Data Protection Regulations by appropriate measures. The same applies if service providers are to be used within the meaning of para. 6.1(2).
6.5. Further outsourcing by the subcontractor is permitted under the same requirements. All contractual provisions in the contract chain shall be communicated to and agreed with each and every additional subcontractor.
7. Supervisory powers of the Client
7.1. The Client has the right, after consultation with Square Metrics, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. It has the right to convince itself of the compliance with this agreement by Square Metrics in his business operations by means of random checks, which are ordinarily to be announced in good time.
7.2. Square Metrics shall ensure that the Client is able to verify compliance with the obligations of Square Metrics in accordance with art. 28 GDPR. Square Metrics undertakes to give the Client the necessary information on request and, in particular, to demonstrate the execution of the Technical and Organizational Measures.
7.3. Evidence of such measures, which concern not only the specific Data Processing Agreement, may be provided by compliance with approved Codes of Conduct pursuant to art. 40 GDPR, certification according to an approved certification procedure in accordance with art. 42 GDPR, current auditor’s certificates, reports or excerpts from reports provided by independent bodies (e.g. auditor, Data Protection Officer, IT security department, data privacy auditor, quality auditor), or a suitable certification by IT security or data protection auditing (e.g. according to BSI-Grundschutz (IT Baseline Protection certification developed by the German Federal Office for Security in Information Technology (BSI)) or ISO/IEC 27001).
7.4. Square Metrics may claim remuneration for enabling Client inspections.
8. Communication in the case of infringements by Square Metrics
8.1. Square Metrics shall assist the Client in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations, referred to in arts. 32 to 36 GDPR. These include:
8.1.1 Ensuring an appropriate level of protection through Technical and Organizational Measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events.
8.1.2. The obligation to report a personal data breach immediately to the Client.
8.1.3. The duty to assist the Client with regard to the Client’s obligation to provide information to the Data Subject concerned and to immediately provide the Client with all relevant information in this regard.
8.1.4. Supporting the Client with its data protection impact assessment.
8.1.5. Supporting the Client with regard to prior consultation of the supervisory authority.
8.2. Square Metrics may claim compensation for support services which are not included in the description of the services and which are not attributable to failures on the part of Square Metrics.
9. Authority of the Client to issue instructions
9.1. The Client shall immediately confirm oral instructions (at the minimum in text form).
9.2. Square Metrics shall inform the Client immediately if Square Metrics considers that an instruction violates Data Protection Regulations. Square Metrics shall then be entitled to suspend the execution of the relevant instructions until the Client confirms or changes them.
10. Deletion and return of personal data
10.1. Copies or duplicates of the data shall never be created without the knowledge of the Client, with the exception of back-up copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory requirements to retain data.
10.2. After conclusion of the contracted work, or earlier upon request by the Client, at the latest upon termination of the Master Services Agreement, Square Metrics shall hand over to the Client or – subject to prior consent – destroy all documents, processing and utilization results, and data sets related to this Data Processing Agreement that have come into its possession, in a data-protection compliant manner. The same applies to any and all connected test, waste, redundant and discarded material. The log of the destruction or deletion shall be provided on request.
10.3. Documentation which is used to demonstrate orderly data processing in accordance with this Data Processing Agreement shall be stored beyond the contract duration by Square Metrics in accordance with the respective retention periods. It may hand such documentation over to the Client at the end of the contract duration to relieve Square Metrics of this contractual obligation.
11. Technical and Organizational Measures
11.1. Confidentiality (art. 32(1)(b) GDPR)
11.1.1. Physical Access Control
All servers are operated in locked rooms protected by access control systems. Only authorized employees have access to the premises.
Square Metrics ensures access to the premises via mandatory access authentication for all individuals. There is a logged role and group-based determination of persons with the right of access.
At Square Metrics, each employee has access to IT systems and services via their own employee access. The access rights are limited to the responsibilities of the respective employee or team.
Access to your own systems is regulated by Square Metrics via password procedures and the use of SSH keys with at least 2048 bits. The SSH keys defend the productive systems against attacks that target weak passwords because the password-based access to the corresponding systems is disabled.
Authentication secrets are only transmitted encrypted over the web.
In addition, Square Metrics has a requirement for the creation of passwords. This ensures high security even in systems that provide password-based access. The passwords must meet the following characteristics:
- at least 8 characters long
- at least 1 letter in capital letters
- at least 1 letter in small notes
- at least 1 number
- at least 1 non-alphanumeric character
Workstations are protected against unauthorized use by manual and automatic activation of a password-protected screen protector.
The systems of Square Metrics are protected by firewalls, which discard all incoming connections as standard. Exclusively defined exceptions are accepted.
11.1.2. Electronic Access Control
All servers and services of Square Metrics are subject to continuous monitoring. This includes the logging of personal access in the user interface.
The work stations of Square Metrics are also secured with the usual measures. For example, virus scanners are installed, and laptops are encrypted.
11.1.3. Internal Access Control (permissions for user rights of access to and amendment of data)
Access rights holders can only access data that is set up in the individual authorization profile. The scope of the authorizations is limited to the logical and temporal minimum necessary for the respective task or function fulfillment. Logging out of the workplace is required in writing and is practiced.
11.1.4. Isolation Control
There is a secure and encrypted storage of data carriers.
11.1.5. Pseudonymisation (art. 32(1)(a) GDPR; art. 25(1) GDPR)
11.2. Integrity (art. 32(1)(b) GDPR)
11.2.1. Data Transfer Control
All data is encrypted during data transmission over the internet. The transfer of data between backend systems is protected. Data with high protection requirements is encrypted.
Square Metrics requires the logging of each transmission of received or transmitted data with high protection requirements.
The handling of local data carriers such as USB sticks is regulated.
The complete, safe and permanent deletion of data or data carriers with customer data of the customer is recorded. The logs are archived for at least 24 months with revision security.
11.2.2. Data Entry Control
The granting of rights to enter, modify and delete data with a high level of required protection is based on an authorization concept with a logging obligation.
The employees of Square Metrics do not work directly on the database level, but use applications to access the data.
The entry, modification and deletion of data by individual user names is traceable.
There is documentation of the administrative activities, e.g. create, modify, delete users.
11.3. Availability and Resilience (art. 32(1)(b) GDPR)
11.3.1. Availability Control
Square Metrics ensures availability of the data in several respects. The use of ISO 27001, ISO 27017 and ISO 27018-certified data centers from Google Inc. is the result of the highest availability and the use of redundant data centers.
11.3.2. Rapid Recovery (art. 32(1)(c) GDPR)
There is a daily backup of the entire system. This can be used in when the other availability measures should fail.
11.3.3. Procedures for regular testing, assessment and evaluation (art. 32(1)(d) GDPR; art. 25 (1) GDPR)
11.3.4. Data Protection Management;
Square Metrics has process documentation and a functional separation, which is ensured by a documented two-eyes principle. Test system and live system are separate instances.
Employees have guidelines and work instructions, which clearly define which systems are used for which purpose.
11.3.5. Incident Response Management
11.3.6. Data Protection by Design and Default (Article 25 Paragraph 2 GDPR)
11.3.7. Order or Contract Control
Square Metrics examines and documents the safety measures taken by contractors.
In addition, contractors and their activity are monitored continuously.
Square Metrics obliges the employees of the contractor to confidentiality.
Annex 5 – Proximity DMP
Hardware Sales and Liability for Defects and Warranty
1. Additional separate conditions for the sale of hardware
(1) Depending on the individual Purchase Order, the Service Agreement may include the transfer of hardware to the Client for the use of Bluetooth technology and beacon devices (“Beacons”) against a one-off payment.
(2) Delivery. If Square Metrics sells hardware to the Client, the goods shall be delivered to the address specified on the Purchase Order by the Client unless otherwise specified.
(3) Retention of title. The delivered hardware shall remain property of Square Metrics until it has been paid in full. Before the transfer of ownership of such goods, they may not be pledged or transferred as security.
2. Liability for hardware defects
Unless expressly agreed otherwise, the Client’s claims for defects when purchasing hardware shall comply with the statutory provisions, with the following modifications:
(1) The Client undertakes to have a knowledgeable person inspect the goods according to commercial regulations immediately after delivery or from the moment it has been made accessible to him, and to immediately notify Square Metrics of any defects identified, providing a detailed description of the identified defects. The purchaser shall thoroughly test each module for usability in the specific situation before they begin using it productively. This shall also apply for hidden defects identified later, from the time they are discovered. In the event of a violation of the obligation to inspect and give notice of defects, the assertion of warranty claims shall be excluded.
(2) If defects are discovered, Square Metrics shall guarantee at its discretion warranty through rectification or replacement (supplementary performance). In the case of rectification, Square Metrics is not obliged to bear the increased costs which result from bringing the goods to a place other than the place of performance, unless the act of bringing the goods to such other place corresponds to the proper use of the goods.
(3) As Square Metrics is not a producer of hardware itself, the defect is always caused by the defective products of a supplier. Generally, our Suppliers require that the hardware is returned in perfect condition and the product has not been used, within 15 calendar days from receipt of the product to return it. Square Metrics shall also not be responsible for defects, which are caused by improper use or improper operation or the use of unsuitable means of operation by the Client. Shipment coordination and costs for the return of defective goods will be undertaken by the Client in direct consultation with the Supplier.
(4) This shall not apply, when the defect is caused by improper handling of the supplier’s product for which Square Metrics is responsible. If the Client is unable to assert his warranty claims against the supplier out of court, the subsidiary warranty by Square Metrics shall remain unaffected.
(5) The warranty period for hardware products (“Beacons”) – excluding batteries – shall be typically 12 months commencing on the date of order by the Client to Square Metrics, as provided by the Supplier.
(6) Square Metrics may refuse to remedy defects or deliver replacements, if and while the Client is in default of payment with an amount not less than two (2) monthly installments.
3. Provision of hardware free of cost
(1) In this case, Square Metrics will be merely passing on a third party product to the Client, then Square Metrics’s warranty shall be limited to the assignment of its own warranty claims against the Supplier.
4. Liability, Damages
(1) Square Metrics shall be liable for damages under the terms of this Agreement only in accordance with the provisions set out under section 8 “Liability” of its Master Services Agreement.
(2) Square Metrics shall be liable for losses arising from the lack of any warranted characteristics up to the amount which is covered by the purpose of the warranty and which was foreseeable for Square Metrics at the time the warranty was given.
(3) Any more extensive liability of Square Metrics is excluded on the merits.
5. Statute of limitations
The right to claim for defects shall expire within 12 months. This shall not apply in the event of claims for damages and compensation for which Square Metrics is liable by law.
6. Legal regulation
Apart from that, the applicable statutory rules for liability for defects shall apply. Any other liability on Square Metrics’s part shall be excluded regardless of its alleged legal basis, except where Square Metrics is legally liable for damages, including, but not limited to cases of injuries caused to the life, limb or health of a person, the undertaking of a warranty, the fraudulent concealment of a defect, or as provided by the applicable Product Liability law.