1. Scope of Applicability

   1. These SaaS Terms set forth the terms and conditions under which The Why Company GmbH, Max-Urich-Straße 3, 13355 Berlin, Germany ("Kausa") will provide the entity executing the agreement with Kausa (the "Customer") with access to certain applications as ordered by the Customer ("Kausa Solution") using the order form that is made available by Kausa on its website (the "Website Order Form").

   2. The provisions of the Website Order Form, as accepted by the Customer, and these SaaS Terms form the agreement governing the use of the Kausa Solution (the "SaaS Agreement"). In case of conflicts, the provisions of the Website Order Form shall prevail over the provisions of these SaaS Terms.

2. License Grant and Right of Use

   1. Kausa makes available the Kausa Solution to the Customer under a Software-as-a-Service (SaaS) model limited to the term of this SaaS Agreement as defined in the Website Order Form (the "Subscription Term").

   2. Subject to all limitations and restrictions contained in this SaaS Agreement, Kausa grants the Customer a non-exclusive, and non-transferable, non-sublicensable right to access the Kausa Solution as hosted by Kausa during the Subscription Term and to use it solely to perform those functions described in the Website Order Form for its internal business purposes (the "SaaS License").

   3. Unless otherwise expressly permitted in the Website Order Form, the Customer shall not permit any subsidiaries, affiliated companies, or third parties to access the Kausa Solution.

   4. Kausa is entitled to update the Kausa Solution on a regular basis as part of its overall lifecycle management and product improvement policy. Any updates to the Kausa Solution are subject to this SaaS Agreement.

3. Customer Account and Authorized Users

   1. Customer may need to register for an account in order to place orders or access or receive the Kausa Solution (the "Customer Account").

   2. Customer agrees to keep its Customer Account information current, accurate and complete so that Kausa may send notices, statements and other information to Customer via email or through its Customer Account, which notifications will be subject to this SaaS Agreement and Kausa‘s privacy notice.

   3. The Customer will be responsible for maintaining the confidentiality of user login information and credentials for accessing Kausa Solution and will notify Kausa promptly of any loss, misuse, or unauthorized disclosure of such login information and/or credentials of which Customer becomes aware. Kausa will not be liable for any damage or loss that may result from Customer's breach of the foregoing obligations.

   4. Unless expressly provided otherwise in the Website Order Form, "Authorized Users" will only consist of: (i) employees of the Customer, and (ii) subject to Section 8 (Confidentiality), third party contractors of the Customer who do not compete with Kausa and who may use the Kausa Solution only at the Customer's place of business or in the presence of Customer personnel. The Customer is fully liable for the acts and omissions of Authorized Users under this SaaS Agreement.

   5. The Customer is responsible for ensuring that access to a User Account is not shared. Only one individual may authenticate to one User Account.

   6. The Customer shall be obliged to inform its Authorized Users before the beginning of use of the Kausa Solution about the rights and obligations set forth in this SaaS Agreement. The Customer will be liable for any violation of obligations by its Authorized Users or by other third parties who violate obligations within the Customer's control.

   7. If the Customer has reason to believe that its Customer Account is no longer secure (for example, in the event of a loss, theft or unauthorised disclosure or use of a Customer ID, password, or any credit, debit or charge card number), the Customer agrees to immediately notify Kausa.

4. Non-Permitted Uses

   1. Except to the extent expressly permitted in this SaaS Agreement or required by law on a non-excludable basis, the SaaS License granted by Kausa to the Customer under this SaaS Agreement is subject to the following prohibitions:

      1. the Customer must not permit any unauthorized person to access or use the Kausa Solution;

      2. the Customer must not use the Kausa Solution to provide services to third parties, unless in the course of provision of consulting services;

      3. the Customer must not republish or redistribute any content or material from the Kausa Solution;

      4. the Customer must not make any alteration to the Software;

      5. the Customer will not, directly or indirectly: (i) reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas, know-how or algorithms relevant to the Kausa Solution; (ii) modify, translate or create derivative works based on the Kausa Solution (except to the extent expressly permitted by Kausa; and

      6. remove, circumvent, disable, damage or otherwise interfere with security-related features of the Kausa Solution, features that prevent or restrict use or copying of any content accessible through the Kausa Solution, or features that enforce limitations on use of the Kausa Solution

   2. The Customer agrees not to use the Kausa Solution to

      1. process data on behalf of any third party other than Customer's Authorized Users;

      2. send unsolicited communications, junk mail, spam, or other forms of duplicative or unsolicited messages in violation of spamming or other laws;

      3. engage in unlawful conduct, including but not limited to violation of any person's privacy or publicity rights;

      4. store or transmit any content that infringes upon any third party's intellectual property rights;

      5. interfere with or disrupt the integrity or performance of the Kausa Solution and its components;

      6. post, transmit, upload, link to, send or store any content that is unlawful, racist, hateful, abusive, libelous, obscene, or discriminatory;

      7. post, transmit, upload, link to, send or store any viruses, malware, Trojan horses, time bombs, or any other similar harmful software;

      8. track cookies, ad exchanges, ad networks, data brokerages, or to send electronic communications (including e-mail) in violation of applicable law.

   3. Kausa has the right (but not the obligation) to suspend access to the Kausa Solution or remove any data or content transmitted via the Kausa Solution without liability (i) if Kausa reasonably believes that the Kausa Solution is being used in violation of this SaaS Agreement or applicable law, (ii) if requested by a law enforcement or government agency or otherwise to comply with applicable law, provided that Kausa shall use commercially reasonable efforts to notify the Customer prior to suspending the access to the Kausa Solution as permitted under this SaaS Agreement, or (iii) as otherwise specified in this SaaS Agreement.

   4. Information on Kausa's servers may be unavailable to the Customer during a suspension of access to the Kausa Solution. Kausa will use commercially reasonable efforts to give the Customer at least twelve (12) hours' notice of a suspension unless Kausa determines in its commercially reasonable judgment that a suspension on shorter or contemporaneous notice is necessary to protect Kausa or its customers.

5. Service Fees

   1. The Customer shall pay Kausa the fees indicated on the Website Order Form (the "Service Fees").

   2. Unless otherwise provided in the Website Order Form, all fees are to be paid to Kausa via credit card and will be invoiced in accordance with the provisions set forth on the Website Order Form. The Customer shall be responsible for keeping its credit card details and other payment information correct and up-to-date during the entire term of the SaaS Agreement.

   3. Any late payment will be subject to any costs of collection (including reasonable legal fees) and will bear interest at the statutory rate.

   4. If the Customer has set up a direct debit, Kausa will not debit the Customer's designated account before seven (7) days have elapsed from the date of the invoice.

   5. If the Customer is delinquent on a payment of Service Fees for fifteen (15) days or more, Kausa may suspend access to the Kausa Solution.

   6. Complaints concerning invoices must be made in writing within thirty (30) days from the date of the invoice. Invoices will be sent by electronic delivery unless requested otherwise by the Customer, additional fees will apply.

   7. All amounts stated in or in relation to this SaaS Agreement are, unless the context requires otherwise, stated exclusive of any applicable value added taxes or other specific taxes such as withholding tax, which will be added to those amounts and are payable by the Customer to either Kausa or, as applicable, directly to the local tax authorities.

6. Sub-Contracting

   1. The Kausa reserves the right to subcontract any services under this SaaS Agreement .

   2. With respect to the processing of personal data, the provisions of the data processing agreement (Annex A) shall remain unaffected.

7. IP Ownership

   1. The Customer acknowledges that, subject to the SaaS Licenses granted herein, the Customer has no ownership interest in the Kausa Solution or Kausa materials provided to the Customer.

   2. Kausa will own all right, title, and interest in such Software and Kausa materials, subject to any limitations associated with intellectual property rights of third parties. Kausa reserves all rights not specifically granted herein.

   3. Kausa's and the Customer's trademarks, trade names, service marks, and logos, whether or not registered, are the sole and exclusive property of the respective owning Party, which owns all right, title and interest therein. The Kausa may use the Customer's name and/or logo within product literature, press release(s), social media, and other marketing materials and/or make such other use of the Customer's name and/or logo as may be agreed between the Parties.

   4. The Customer may choose to, or Kausa may invite the Customer, to submit comments or ideas about the Kausa Solution, including without limitation about how to improve the Kausa Solution. By submitting any such comments, the Customer agrees that Customer's disclosure is gratuitous, unsolicited and without restriction and will not place Kausa under any fiduciary or other obligation, and that Kausa is free to use any such comments without any additional compensation to the Customer, and/or to disclose the comments on a non-confidential basis or otherwise to anyone. The Customer further acknowledges that, by acceptance of Customer's submission, Kausa does not waive any rights to use similar or related ideas previously known to Kausa, or developed by its employees, or obtained from sources other than the Customer.

8. Confidentiality

   1. "Confidential Information" means any information, documents, items, materials, substances or electronic files disclosed by one Party to the other Party in written, electronic, oral or any other form, which is marked confidential by the disclosing Party or is by its nature to be treated as confidential.

   2. The Parties undertake to treat the Confidential Information of the other Party as confidential and to use them exclusively for the purposes of the performance of this SaaS Agreement.

   3. The disclosure of the Confidential Information of the disclosing Party by the respective recipient to third parties is only permitted to the extent that this is necessary for the performance of this SaaS Agreement, provided that the third party has committed itself to confidentiality vis-à-vis the Party making the Confidential Information available to the third party or is bound to confidentiality for professional reasons. Legal disclosure obligations remain unaffected. The respective Party making the Confidential Information available to the third party shall be responsible for ensuring that the obligations of this SaaS Agreement are also observed by such third parties. The Party making the Confidential Information available to the third party shall be liable for breaches of the confidentiality obligations under this SaaS Agreement by such third parties as if they were its own breach.

   4. Each Party undertakes to protect the Confidential Information of the respective other Party by taking appropriate security measures.

   5. The foregoing obligations shall not apply to information of which the receiving Party can prove that it (i) was or is available to the public in a lawful manner and in a manner not in breach of the provisions of this SaaS Agreement, (ii) was previously known to the receiving Party and was available to it without restriction, (iii) was disclosed to the receiving Party by a third party authorized to do so, or (iv) was developed by the receiving Party independently and without use of the Confidential Information disclosed by the disclosing Party.

   6. The respective receiving Party undertakes to completely and permanently destroy all documents and records containing Confidential Information of the respective other Party or, in the case of electronic data, to permanently delete such data immediately after termination of this SaaS Agreement. This shall not affect any statutory storage and archiving obligations.

   7. After termination of this SaaS Agreement, all rights and obligations of each Party with respect to the Confidential Information of the respective other Party shall continue to apply for a period of ten (10) years.

9. Customer Data and Data Protection

   1. Before entering its data and information to the Kausa Solution for the provisions of the Services hereunder (such data the "Customer Data"), the Customer shall be obliged to check the same for viruses or other harmful components and to use state of the art anti-virus programs for this purpose. For the avoidance of doubt, the term "Customer Data" as used herein shall be limited to any data of the Customer hosted in the Kausa Solution for the provision of the services and contemplated hereunder and shall not comprise any contact or log-in data.

   2. In addition, the Customer itself shall be responsible for the entry and the maintenance of its Customer Data.

   3. The Customer grants to Kausa a non-exclusive, royalty-free license to access, use, reproduce, modify, perform, display and distribute Customer Data as is reasonable or necessary for Kausa to perform or provide the Kausa Solution.

   4. The Customer is solely responsible for all Customer Data, in particular that its transfer and use in accordance with this SaaS Agreement does not violate any applicable laws, including data protection laws, and/or intellectual property rights of third parties.

   5. The Customer acknowledges that Kausa does not exercise any control over Customer Data.

   6. Any processing of personal data of the Customer by Kausa shall be governed by the data processing agreement in accordance with Art. 28 GDPR which is attached hereto as Annex A.

10. Limitation of Liability

    1. In case of wilful misconduct, Kausa shall be liable according to the statutory provisions of applicable law.

    2. In case of gross negligence, Kausa shall be liable according to the statutory provisions of applicable law.

    3. In case of ordinary negligence, Kausa shall – provided that the standard of liability is not limited according to statutory provisions of applicable law (such as any limitation to the duty of care observed in own affairs) – only be liable for breach of material contractual obligations (material contractual obligations are obligations the breach of which endangers the purpose of the agreement and the fulfilment of which the Customer generally relies and may reasonably rely on); in this case Kausa's liability shall be limited to the typical damages that were reasonably foreseeable. Therefore, indirect and consequential damages resulting from defects of the delivered goods and/or work are only eligible for compensation if such damages are typical and reasonably foreseeable and when the goods and/or work are used in conformity with its intended purpose.

    4. The aforementioned limitations do not apply to

       1. damages resulting from injury to life, body or health;

       2. liability pursuant to the German Product Liability Act;

       3. the assumption of a guarantee for the condition of goods and/or work or fraudulent concealment of defects by Kausa.

    5. The aforementioned limitations of liability shall, subject to the provisions of Section 10.4, apply to (i) any liability claims for whatever legal reason but in particular due to impossibility, default, defective or incorrect delivery, breach of contract, breach of obligations in contractual negotiations and tort, as far as such claims are subject to fault, and (ii) any breach of duty by vicarious agents or any other person for whose conduct Kausa can be held liable according to the statutory provisions of applicable law.

11. Customer Indemnity

    1. Customer will defend Kausa from any third party claim ("Claim"), and will indemnify and hold harmless Kausa from and against any damages and costs awarded against Kausa, or agreed in settlement by Customer (including attorneys' fees) resulting from such Claim, to the extent caused by:

       1. modifications of the Kausa Solution by Customer, its affiliates, users, or third party contractors,

       2. Customer's or its affiliate's unauthorized supply, disclosure, or processing of Customer Data, including personal data therein, and

       3. Customer's or its affiliate's violation of laws applicable to Customer's or its affiliate's business.

    2. Customer will have no liability or obligation with respect to any Claim if such claim is caused in whole or in part by Kausa's breach of this SaaS Agreement or violation of applicable law.

    3. In the event of a potential indemnity obligation under this Section, Kausa will: (i) promptly notify the Customer in writing of the claim, (ii) allow the Customer the right to control the investigation, defense and settlement (if applicable) of such claim at the Customer's sole cost and expense, and (iii) upon request of the Customer, provide all necessary cooperation at the Customer's expense.

    4. Failure by Kausa to notify the Customer of a claim under this Section will not relieve the Customer of its obligations under this Section, however, the Customer will not be liable for any litigation expenses that Kausa incurred prior to the time when notice is given or for any damages and/or costs resulting from any material prejudice caused by the delay or failure to provide notice to the Customer in accordance with this Section.

    5. The Customer may not settle any claim that would bind Kausa to any obligation or require any admission of fault by Kausa, without Kausa's prior written consent.

12. Term and Termination

    1. The Subscription Term shall be defined in the Website Order Form.

    2. If agreed on the Website Order Form, the Subscription Term may commence with a pilot period as specified on the Website Order Form.

    3. If the Website Order Form does not contain any specific provisions on the Subscription Term, the Subscription Term shall commence upon execution of the Purchaser Order and shall run for an initial term of one (1) year. Thereafter, it shall extend automatically by consecutive one (1) year renewal terms, unless terminated by either Party with three (3) months' written notice to the end of the initial term or any renewal term.

    4. Upon termination of this SaaS Agreement, the Customer shall no longer access the Kausa Solution and the Customer shall not circumvent any security mechanisms contained therein.

    5. Termination of this SaaS Agreement will not limit either Party from pursuing other remedies available to it, including injunctive relief, nor will such termination relieve the Customer's obligation to pay all Service Fees that have accrued or are otherwise owed by the Customer under this SaaS Agreement.

    6. Within thirty (30) days following the termination of this SaaS Agreement for any reason and the submission of a request to transfer data ("Data Transfer Request"), whatever is later, Kausa will provide the Customer with an extract of all Customer Data stored on the Software at the moment of termination, in machine-readable format. A Data Transfer Request must be submitted within seven (7) days of termination. Absent a Data Transfer Request, Kausa will delete the Customer Data from its Software.

    7. Anonymized data previously produced from the Customer Data may be retained. Technical copies produced within an IT archiving system may be retained by Kausa.

13. Final Provision

    1. Each Party shall bear its own costs incurred in connection with the execution and performance of this SaaS Agreement, unless expressly agreed otherwise in this SaaS Agreement.

    2. This SaaS Agreement fully reflects the agreement between the Parties regarding the subject matter; no oral or other side agreements exist. Unless expressly agreed otherwise in this SaaS Agreement, all previous agreements between the Parties regarding the subject matter shall be fully replaced by this SaaS Agreement with effect from the effective date of this SaaS Agreement.

    3. Amendments or additions to this SaaS Agreement shall require written form to be effective, unless a stricter form is required under mandatory law. The same applies to the waiver of this written form requirement. Unless expressly agreed otherwise in this SaaS Agreement, e-mails do not comply with this written form requirement. The written form requirement under this SaaS Agreement shall be deemed to have been met when the copy of a declaration is being transmitted by telecommunications (e.g. as an attachment to an e-mail) and that copy contains the signature of the person making that declaration, unless a stricter form is required under mandatory law.

    4. Neither Party is entitled to transfer this SaaS Agreement or to assign rights or obligations under this SaaS Agreement to a third Party without the prior written consent of the other Party.

    5. This SaaS Agreement shall be governed by the laws of the Federal Republic of Germany, excluding the conflict of laws rules of private international law. The applicability of the UN Convention on Contracts for the International Sale of Goods (CISG) is excluded.

    6. Exclusive place of jurisdiction for all disputes arising out of or in connection with this SaaS Agreement shall be Berlin, Germany, unless otherwise required by mandatory law.

    7. Should any provision of this SaaS Agreement be or become invalid or unenforceable in whole or in part, the validity of the remaining provisions of this SaaS Agreement shall not be affected. The same shall apply if and insofar as a gap in this SaaS Agreement becomes apparent. In place of the invalid or unenforceable provision or to fill the gap, an appropriate provision shall apply which, as far as legally possible, comes closest to or corresponds to what the Parties economically intended or would have intended according to the spirit and purpose of this SaaS Agreement, had they considered this point.

---

Annex A

Data Processing Agreement

1. Recitals

   1. This agreement (the "Data Processing Agreement") forms an integral part to the agreement entered into the Parties on the basis of Kausa's SaaS Terms (that agreement hereinafter the "SaaS Agreement").

   2. Within the context of performance of the SaaS Agreement, Kausa will process personal data of Customer.

   3. The Parties have agreed that Kausa shall process certain personal data as further specified in Sec. 2.1. below in accordance with the instructions of Customer in accordance with Art. 28 of the General Data Protection Regulation ("GDPR").

2. Object and Term

   1. This Data Processing Agreement specifies the rights and obligations of the Parties that result from processing of personal data of Customer by Kausa when performing the SaaS Agreement, provided that the scope of application of this Data Processing Agreement shall be limited to such personal data that form part of the Customer Data (as defined in the SaaS Agreement).

   2. For this purpose, Customer hereby retains Kausa as processor within the meaning of Art. 28 GDPR. Any terms used in this Data Processing Agreement shall have the meanings defined in the GDPR.

3. Principle of processing based on a contract (Art. 28(1) GDPR) and processing abroad

   1. Kausa ensures that it will implement suitable technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensures protection of the rights of data subjects. The details result from section 8 of this Data Processing Agreement.

4. Subcontracting (Art. 28 (2), (3) point (d), (4) GDPR)

   1. Kausa shall not engage any further contractor ("Subcontractor") without prior specific or general written authorisation of Customer.

   2. The Customer hereby grants its specific authorisation to engage the following Subcontractors:

      Name and address of the subcontractor	Description of the affected parts of performance
      Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg	Compute Servers & Logging
      Heroku by Salesforce.com, inc. Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, United States	Web Servers & Databases
      Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland	Data Warehouse & Product Analytics
      Snowflake Inc., 450 Concar Drive, San Mateo, California 94402 USA	Data Warehouse
      Databricks Inc., 160 Spear Street, 13th Floor, San Francisco, CA 94105 USA	Data Preprocessing
      GSuite by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland	Project Management
      Slack Technologies, Inc., 500 Howard St, San Francisco, CA 94105, USA	Customer Relationship Management
      1password by AgileBits Inc., a Canadian company located at 4711 Yonge St, 10th Floor, Toronto, Ontario, M2N 6K8, Canada	Credentials Management

   3. The Customer hereby grants its general authorisation to the engagement of Subcontractors.

   4. Kausa informs the Customer in respect of the above general authorisation of any intended changes concerning the addition or replacement of Subcontractors, thereby giving Customer the opportunity to object to such changes.

   5. Where Kausa engages another Subcontractor for carrying out specific processing activities on behalf of Customer, the same data protection obligations as set out in this data processing agreement shall be imposed on the Subcontractor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient safeguards to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. The parties clarify that in order to impose the same data protection obligations it is sufficient if the level of protection under the subcontract corresponds to the level of protection under this Data Processing Agreement.

   6. Subcontracting within the meaning of this provision shall not include such services that Kausa utilises from third parties as ancillary services for support when performing its services. This applies to e.g. telecommunication services, maintenance and user services, cleaning personnel, auditors or disposal of data carriers. However, also in case such services are outsourced, Kausa is obliged to provide for appropriate and legally compliant contractual agreements and to take control measures in order to ensure the protection and security of the data of the Customer.

5. Categories of data subjects, type of personal data as well as scale and purpose of processing (Art. 28(3) GDPR)

   Schedule 1 of this Data Processing Agreement lists the following information that must be observed as a proviso for processing by Kausa:

   1. the categories of data subjects,

   2. the types of personal data,

   3. as well as the scale and purpose of processing.

6. Instruction rights of Customer (point (a) of Art. 28(3) GDPR)

   1. The personal data are only processed on documented instructions from Customer, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which Kausa is subject; in such a case, Kausa shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

   2. The instruction right of the Customer concerning the type, scale and procedure of processing of its personal data is limited to the scope of the order provided for in this Data Processing Agreements. As far as Kausa agrees to follow instruction exceeding the scope of the order as provided for in this Data Processing Agreement, the Customer will have to reimburse Kausa for the corresponding expenditure.

   3. The Customer shall issue its instructions in writing or by email (in text form).

   4. Kausa shall use the personal data covered by this Data Processing Agreement for no other purposes than to perform the SaaS Agreement. This shall not include backup copies as far as these are required to ensure proper processing activities, as well as data that are required for compliance with statutory archiving obligations.

7. Control rights of Customer

   1. Upon written request and within a reasonable period of time, Kausa commits to providing Customer with all information required for the verification of compliance with the contractual agreements under this Data Processing Agreement, if and to the extent required under Art. 28 GDPR.

   2. For this, Kausa may also submit current certificates, reports or excerpts from reports from independent instances (e.g. public accountants, auditors, data protection officer, IT security department, data protection auditors, quality auditors) or suitable certification by an IT security or data protection audit.

   3. The Customer shall reimburse Kausa for the expenses incurred in providing the information.

8. Obligation to confidentiality and data secrecy (point (b) of Art. 28(3) GDPR)

   Kausa shall ensure that persons authorised to process the personal data under this contract have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

9. Technical and organisational measures (point (c) Art. 28(3), and Art. 32 GDPR)

   1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Kausa and Customer shall – each in their sphere of responsibility – implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

   2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

   3. The technical and organisational measures to be taken by Kausa result from Schedule 2 of this Data Processing Agreement. The Customer acknowledges that the adherence to the measures described in Schedule 2 will suffice to meet the requirements of this section 8.

   4. The Kausa shall be entitled at any time to replace the technical and organizational measures specified in Schedule 2 to this Data Processing Agreement with other measures, provided that Kausa meets the requirements set out in section. 8 para. 1.

   5. Kausa shall ensure that any natural person acting under its authority who has access to personal data does not process them except on instructions from Customer, unless he or she is required to do so by Union or Member State law.

10. Kausa's notification obligations (Art. 33 GDPR)

    1. The Kausa shall inform the Customer without undue delay pursuant to Art. 33 (2) GDPR if he becomes aware of a breach of the protection of the Customer's personal data which fall within the scope of this Data Protection Agreement.

    2. The Customer shall reimburse Kausa for the expenses incurred in providing the information, unless the breach of the protection of the Customer's personal data which fall within the scope of this Data Protection Agreement is due to Kausa's fault.

11. Obligations to support the controller (points (e), (f), (h) of Art. 28(3) GDPR

    1. Kausa is obligated to assist Customer by appropriate technical and organisational measures, insofar as this is possible, taking into account the nature of the processing, for the fulfilment of Customer's obligation to respond to requests for exercising the data subject's rights ("Data Subject's Rights") laid down in Chapter III of the GDPR.

    2. Kausa shall be obligated to assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of processing and the information available to it.

    3. Kausa shall be obligated to make all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR available to Customer and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.

    4. Kausa shall immediately inform Customer if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

    5. The Customer shall reimburse Kausa for the expenses incurred in providing the support pursuant to this section 10.

12. Confidentiality

    1. The confidentiality rules of the SaaS Agreement shall remain unaffected.

13. Term

    1. This Data Processing Agreement shall enter into effect upon execution of the Sass Agreement by both Parties and shall apply for the term of the SaaS Agreement.

    2. The termination of the SaaS Agreement, no matter the reason, shall lead to corresponding premature termination of this Data Processing Agreement.

14. Erasure obligation and return obligation after termination (point (g) Art. 28(3) GDPR)

    1. After completion of rendering of the processing services Kausa shall be obligated to, at the choice of Customer, either delete all personal data or return them, unless Union or Member State law requires storage of the personal data.

    2. The Customer shall reimburse Kausa for the expenses incurred in providing the services pursuant to this section 10.

15. Data protection officer

    1. Kausa shall designate a data protection officer in writing, under observation of Art. 37 to 39 GDPR, except if designation is not required according to the provisions of the GDPR or the BDSG.

    2. The respective current contact details of the data protection officer shall be filed easily accessible on the homepage of the website of Kausa in accordance with Art. 37(7) GDPR and must be disclosed to Customer separately, except if designation is not required according to the provisions of the GDPR or the BDSG.

    3. Kausa shall not have any claim to any further remuneration and/or reimbursement for any expenses under this Data Processing Agreement, unless otherwise expressly stipulated.

    4. Insofar as services of Kausa under this Data Processing Agreement are marked as subject to remuneration, the corresponding services of Kausa shall be remunerated per expense on the basis of the remuneration rates agreed in the SaaS Agreement. If no remuneration rates have been agreed for certain services, the general remuneration rates of the Customer in the version valid at the time the service are provided shall apply.

16. Liability

    The liability provisions of Sec. 10 of the SaaS Terms shall apply accordingly to this Data Processing Agreement.

17. Final provisions

    1. This Data Processing Agreement shall be an integral part of the SaaS Agreement.

    2. In case of deviations between the provisions of the SaaS Agreement and this Data Processing Agreement, the provisions of this Data Processing Agreement shall take precedence.

---

Schedule 1

Categories of data subjects, types of personal data, scale and purpose of processing

1. Categories of data subjects

   Data of the Customer's end-customers and their employees, if applicable.

2. Types of personal data

   The types of personal data will be player-level game data, order data, marketing data, sales data, session data, and payment data always provided such data constitutes personal data.

3. Scale of processing

   The scale of processing is determined by the SaaS Agreement.

4. Purpose of processing

   The purpose of processing is the performance of the SaaS Agreement.

---

Schedule 2

Technical and Organisational Measures

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, the Contractor shall, in its capacity as processor, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including but not limited to the following:

1. Confidentiality (Art. 32 para. 1 lit. b DS-GVO)

   1. Physical Access Control

      The Contractor shall prevent unauthorised persons from gaining access to data processing systems with which the Client's personal data are processed and used. To this end, the Contractor shall take the following precautions:

      1. Alarm system

      2. Automatic access control system

      3. Locking system with code lock

      4. Video surveillance of the entrances

      5. Security locks

      6. Key regulation (key issue etc.)

      7. Personal check at the gatekeeper / reception

      8. Logging of visitors

      9. Careful selection of cleaning personnel

      10. Careful selection of security guards

      11. Obligation to carry credentials

   2. Authentication Control

      The Contractor shall ensure that data processing systems cannot be used by unauthorised persons. To this end, the Contractor shall take the following precautions, in particular by using state-of-the-art encryption procedures:

      1. Assignment of user rights

      2. Create user profiles

      3. Password assignment

      4. Authentication with username / password and a second factor

      5. Use of VPN technology

      6. Encryption of mobile data carriers

      7. Encryption of data carriers in laptops / notebooks

      8. Deployment of a hardware/software firewall

      9. SSH key rotation

   3. Authorization Control

      The Contractor shall ensure that the persons authorised to use the data processing systems can only access the personal data subject to their access authorisation and that personal data of the Client cannot be read, copied, changed or removed without authorisation during processing, use and after storage. To this end, the Contractor shall take the following precautions, in particular by using state-of-the-art encryption procedures:

      1. Creation of an authorization concept

      2. Administration of rights by system administrator

      3. Reduction in the number of administrators

      4. Password policy incl. password length, password change

      5. Logging of accesses to applications

      6. Encryption of data carriers

   4. Separation Control

      The Contractor shall ensure that personal data of the Client collected for different purposes can be processed separately. To this end, the Contractor shall take the following precautions:

      1. Software-based client separation

      2. Creation of an authorization concept

      3. Encryption of data sets processed for the same purpose

      4. Setting database rights

2. Integrity (Art. 32 para. 1 lit. b DS-GVO)

   1. Disclosure Control

      The Contractor shall ensure that personal data of the Client cannot be read, copied, changed or removed by unauthorised persons during electronic transmission or during their transport or storage on data carriers, and that it is possible to check and establish to which bodies a transmission of personal data is intended by data transmission facilities. To this end, the Contractor shall take the following precautions, in particular by using state-of-the-art encryption procedures:

      1. Establishment of dedicated lines or VPN tunnels

      2. Disclosure of personal data in anonymised or pseudonymised form

      3. Email encryption

      4. Creation of an overview of regular call-off and transmission processes

      5. Virtual Private Cloud

      6. Public data transfer is encrypted using TLS using AES 256

      7. Documentation of the recipients of data and the time periods of the planned transfer or agreed deletion periods

   2. Input control

      The Contractor shall ensure that it is possible to check and establish retrospectively whether and by whom personal data of the Client have been entered into data processing systems, changed or removed. For this purpose, the Contractor shall take the following precautions:

      1. Logging of the entry, modification and deletion of personal data

      2. Create an overview of which applications can be used to enter, change and delete which personal data.

      3. Traceability of input, modification and deletion of personal data through individual user names

      4. Retention of forms from which personal data have been transferred to automated processing operations

      5. Assignment of rights to enter, change and delete personal data on the basis of an authorization concept

      6. Software dependency auditing

3. Availability and resilience (Art. 32(1)(b) DS-GVO)

   1. Availability control

      The Contractor shall ensure that personal data of the Client is protected against accidental destruction or loss. To this end, the Contractor shall take the following precautions:

      1. Uninterruptible power supply (UPS)

      2. Air conditioning in server rooms

      3. Protective socket strips in server rooms

      4. Fire and smoke detection systems

      5. Alarm message in case of unauthorized access to server rooms

      6. Creation of a backup concept

      7. Keeping backups in a secure, off-site location

   2. Rapid recoverability (Art. 32(1)(c) DS-GVO);

      The Contractor shall ensure that personal data of the Client and access to them are quickly restored in the event of a physical or technical incident. To this end, the Contractor shall take the aforementioned measures.

4. Procedures for periodic review, assessment and evaluation (Article 32(1)(d) of the GDPR; Article 25(1) of the GDPR)

   The Contractor shall implement procedures to regularly review, assess and evaluate the effectiveness of the technical and organisational measures to ensure the security of the processing. For this purpose, the contractor shall take the following measures

   1. Privacy Management;

   2. Incident Response Management;

   3. Data protection-friendly default settings (Art. 25(2) DS-GVO);

   4. Order control, i.e. no commissioned data processing within the meaning of Art. 28 DS-GVO without corresponding instructions from the client, e.g.: Clear contract design, formalised order management, strict selection of the service provider, obligation to convince in advance, follow-up checks.