Marketplace Agreement 
This Contract (“Agreement”) is between you (“you” or “Customer”) and TCG Informatik AG, Mühlegasse 18, 6340 Baar, Switzerland (“Publisher”) from which you are procuring Offerings (defined below) and governs your use of Offerings purchased through either Microsoft AppSource or Azure Marketplace (collectively, “Marketplace”). 
This Agreement is the parties’ entire agreement on this subject and merges and supersedes all related prior and contemporaneous agreements. By agreeing to these terms, you represent and warrant that you have the authority to accept this Agreement, and you also agree to be bound by its terms. This Agreement applies to all Orders entered into under this Agreement. Capitalized terms have the meanings given under “Definitions.” 
Both parties acknowledge that Microsoft is not a party to this Agreement, nor in anyway responsible for the parties’ actions or obligations under this Agreement. Microsoft’s relationship with Customer and Publisher is solely governed by Microsoft’s respective agreements with those parties; Microsoft otherwise disclaims all liability resulting from this Agreement (including any Orders). 

1. LICENSE TO OFFERINGS 
1.1 License grant. Offerings are licensed and not sold. Upon acceptance of an Order, and subject to Customer’s compliance with this Agreement, Publisher grants Customer a nonexclusive and limited license to use the ordered Offerings. These licenses are solely for Customer’s own use and business purposes and are nontransferable except as expressly permitted under this Agreement or applicable law. 
Only the DLL files located inside the “Shared DLLs” are part of the license of the Software and may be integrated or referenced without restriction by You into your own software products and/or software enhancements. All other DLL files supplied with the Software may only be used but not be integrated or referenced (linked) by You in your own software and/or software extensions. This shall also apply in the event that such software and/or software enhancements are executed as part of the Software (e.g. DocProStar activities).
1.2 Duration of licenses. Licenses granted on a subscription basis expire at the end of the applicable subscription period set forth in the Order, unless renewed. Licenses granted for metered Offerings billed periodically based on usage continue as long as Customer continues to pay for its usage of the Offerings. All other licenses become perpetual upon payment in full. 
1.3 End Users. Customer will control access to and use of the Offerings by End Users and is responsible for any use of the Offerings that does not comply with this Agreement. 
1.4 Affiliates. Customer may order Offerings for use by its Affiliates. If it does, the licenses granted to Customer under this Agreement will apply to such Affiliates, but Customer will have the sole right to enforce this Agreement against Publisher. Customer will remain responsible for all obligations under this Agreement and for its Affiliates’ compliance with this Agreement and any applicable Order(s). 
1.5 Reservation of Rights. Publisher reserves all rights not expressly granted in this Agreement. Offerings are protected by copyright and other intellectual property laws and international treaties. No rights will be granted or implied by waiver or estoppel. Rights to access or use Offerings on a device do not give Customer any right to implement Publisher’s patents or other intellectual property in the device itself or in any other software or devices. 
1.6 Restrictions. 
You may not and You may not allow any third party to 1) decompile, disassemble, or otherwise reverse engineer or attempt to reconstruct or discover any source code or underlying ideas of the Software by any means whatsoever; 2) remove any product identification, copyright legend or other notices; 3) rent, lease, lend, or sublicense the Software to third parties; 4) modify, incorporate into or with other software or create a derivative work of any part of the Software except as specified in the user documentation or as permitted under separate license agreement with TCG; 5) use the licensed Software to provide hosted (cloud) services or to operate a service bureau without explicit contractual agreement with TCG; 6) operate the Software in a public cloud; 7) publish, disclose or otherwise display in writing electronically or otherwise any part of the licensed Software or documentation; or 8) attempt to use the Software, or any portion thereof, in excess of its licensed capacity. Except as may be reasonably required to use the Software in accordance with the License, and except as strictly required for back-up and archival purposes, You may not copy the Software or any part thereof. TCG has the right to inspect the license file of the Software at least once per calendar year. This is in order to check if You adhere to the license terms and conditions according to this Agreement and further agreements regarding the Software.
1.7 License transfers. Customer may only transfer fully-paid, perpetual licenses to (1) an Affiliate or (2) a third party solely in connection with the transfer of hardware to which, or employees to whom, the licenses have been assigned as part of (A) a divestiture of all or part of an Affiliate or (B) a merger involving Customer or an Affiliate. Upon such transfer, Customer must uninstall and discontinue using the licensed Offering and render any copies unusable. Customer must notify Publisher of a License transfer and provide the transferee a copy of this Agreement and any other documents necessary to show the scope, purpose, and limitations of the licenses transferred. Attempted license transfers that do not comply with this section are void. 
1.8 Feedback. Any Feedback is given voluntarily, and the provider grants to the recipient, without charge, a non-exclusive license under provider’s owned or controlled non-patent intellectual property rights to make, use, modify, distribute, and commercialize the Feedback as part of any of recipient’s products and services, in whole or in part and without regard to whether such Feedback is marked or otherwise designated by the provider as confidential. The provider retains all other rights in any Feedback and limits the rights granted under this section to licenses under its owned or controlled non-patent intellectual property rights in the Feedback (which do not extend to any technologies that may be necessary to make or use any product or service that incorporates, but are not expressly part of, the Feedback, such as enabling technologies). 

2. PRIVACY 
2.1 The parties agree to the attached data protection agreement (“DPA”, Annex 1).
2.2 Personal Data. Customer consents to the processing of Personal Data by Publisher and its Affiliates, and their respective agents and Subcontractors, as provided in this DPA. Before providing Personal Data to Publisher, Customer will obtain all required consents from third parties (including Customer’s contacts, partners, distributors, administrators, and employees) under applicable privacy and Data Protection Laws.
2.3 Processing of Personal Data; GDPR. To the extent Publisher is a processor or subprocessor of Personal Data subject to the GDPR, the Standard Contractual Clauses govern that processing and the parties also agree to the following terms in this subsection (“Processing of Personal Data; GDPR”): 
a. Processor and Controller Roles and Responsibilities. Customer and Publisher agree that Customer is the controller of Personal Data and Publisher is the processor of such data, except when (a) Customer acts as a processor of Personal Data, in which case Publisher is a subprocessor or (b) stated otherwise in any Offering-specific terms. Publisher will process Personal Data only on documented instructions from Customer. In any instance where the GDPR applies and Customer is a processor, Customer warrants to Publisher that Customer’s instructions, including appointment of Processor as a processor or subprocessor, have been authorized by the relevant controller.
b. Processing Details. The parties acknowledge and agree that: 
i. the subject-matter of the processing is limited to Personal Data within the scope of the GDPR; 
ii. the duration of the processing will be for the duration of the Customer’s right to use the Offering and until all Personal Data is deleted or returned in accordance with Customer instructions or the terms of this Agreement; 
iii. the nature and purpose of the processing will be to provide the Offering pursuant to this Agreement; 
iv. the types of Personal Data processed by the Offering include those expressly identified in Article 4 of the GDPR; and 
v. the categories of data subjects are Customer’s representatives and end users, such as employees, contractors, collaborators, and customers, and other data subjects whose Personal Data is contained within any data made available to Publisher by Customer. 
c. Use of Subprocessors. Customer consents to Publisher using the subprocessor as listed in the DPA. Publisher remains responsible for its subprocessors’ compliance with the obligations herein. Publisher may update its list of subprocessors from time to time, by providing Customer at least 14 days notice before providing any new subprocessor with access to Personal Data. If Customer objects to any such changes, Customer may terminate any subscription for the affected Offering prior to expiration of the notice period.
d. Records of Processing Activities. Publisher will maintain all records required by Article 30(2) of the GDPR and, to the extent applicable to the processing of Personal Data on behalf of Customer, make them available to Customer upon request. 
2.4 Security. Publisher will take appropriate security measures that are required by Data Protection Laws and in accordance with good industry practice relating to data security. The technical and organisational measures taken by Publisher are listed within Annex 1. 
2.5 Support Data. Publisher may collect and use Support Data internally to provide technical support for the Offering. Publisher will not use Support Data for any other purpose unless otherwise agreed in writing by the parties.

3. CONFIDENTIALITY
3.1 Non-Disclosure Agreement. The parties will treat all confidential information exchanged between the parties under this Agreement.
3.2 Confidential Information. “Confidential Information” is non-public information that is designated “confidential” or that a reasonable person should understand is confidential, including, but not limited to, Customer Data, Support Data, the terms of this Agreement, and Customer’s account authentication credentials. Confidential Information does not include information that: (1) becomes publicly available without a breach of a confidentiality obligation; 
(2) the receiving party received lawfully from another source without a confidentiality obligation; (3) is independently developed; or (4) is a comment or suggestion volunteered about the other party’s business, products, or services. 
3.3 Protection of Confidential Information. Each party will take reasonable steps to protect the other’s Confidential Information and will use the other party’s Confidential Information only for purposes of the parties’ business relationship. Each party must promptly notify the other party in the event of discovery of any unauthorized use or disclosure.
3.4 Each party acknowledges and agrees that a breach of any of its promises or agreements contained herein will result in irreparable injury to the disclosing Party and the disclosing Party shall be entitled to apply for injunction and specific performance in the event of any breach or threatened breach or intended breach of this Agreement.
3.5 Disclosure required by law. A party may disclose the other’s Confidential Information if required by law, but only after it notifies the other party (if legally permissible) to enable the other party to seek a protective order. 
3.6 Duration of Confidentiality obligation. These obligations apply: (1) for Customer Data, until it is deleted by Publisher; and (2) for all other Confidential Information, for a period of five years after a party receives the Confidential Information. 
4. SERVICE LEVEL AGREEMENTS (SLA)
Publisher offers support and maintenance for the Offering. The service level agreement is made available to the customer upon request. 
5. VERIFYING COMPLIANCE
5.1 Customer must keep records relating to Offerings. At Publisher’s expense, Publisher may verify Customer’s and its Affiliates’ compliance with this Agreement by directing an independent auditor (under nondisclosure obligations) to conduct an audit or ask Customer to complete a self-audit process. Customer must promptly provide any information and documents that Publisher or the auditor reasonably requests related to the verification and access to systems running the Offerings. If verification or self-audit reveals any unlicensed use, Customer must order sufficient licenses to cover the period of its unlicensed use.  All information and reports related to the verification process will be Confidential Information and used solely to verify compliance. 
5.2 Upon request, Publisher will make available to Customer all information necessary to conduct an audit and demonstrate compliance with applicable laws for the processing of Personal Data. 

6. REPRESENTATION AND WARRANTIES 
6.1 Publisher continuously represents and warrants that: 
a. it has full rights and authority to enter into, perform under, and grant the rights in, this Agreement; 
b. its performance will not violate any agreement or obligation between it and any third party; 
c. the Offering will substantially conform to the Documentation; 
d. the Offering will not: 
i. to the best of Publisher’s knowledge, infringe or violate any third party patent, copyright, trademark, trade secret, or other proprietary right; or 
ii. contain viruses or other malicious code that will degrade or infect any products, services, software, or Customer’s network or systems, and 
e. while performing under this Agreement, Publisher will comply with law, including Data Protection Laws and Anti-Corruption Laws, and will provide training to its employees regarding Anti-Corruption Laws. 
6.2 Disclaimer. Except as expressly stated in this Agreement, the Offering is provided as is. To the maximum extent permitted by law, Publisher disclaims any and all other warranties (express, implied or statutory, or otherwise) including of merchantability or fitness for a particular purpose, whether arising by a course of dealing, usage or trade practice, or course of performance.
7. DEFENSE OF THIRD-PARTY CLAIMS 
7.1 By Customer. Customer will defend Publisher and its Affiliates from and against any and all third party claims, actions, suits, proceedings arising from or related to: Customer’s or any authorized user’s violation of this Agreement or user terms (a “Claims Against Publisher”), and will indemnify Publisher and its Affiliates for all reasonable attorney’s fees incurred and damages and other costs finally awarded against Publisher or its Affiliates in connection with or as a result of, and for amounts paid by Publisher or its Affiliates under a settlement Customer approves of in connection with a Claim Against Publisher. Publisher must provide Customer with prompt written notice of any Claims Against Publishers and allow Customer the right to assume the exclusive defence and control of the claim and cooperate with any reasonable requests assisting Customer’s defence and settlement of such matter. 
7.2 By Publisher. Publisher will defend Customer from and against any and all third party claims, actions, suits, proceedings, and demands alleging that: (i) the use of the Offering as permitted under the Contract infringes or misappropriates a third party’s intellectual property rights and (ii) any violation of applicable law including Data Protection Laws (a “Claim Against Customer”), and will indemnify Customer for all reasonable attorney’s fees incurred and damages and other costs finally awarded against Customer in connection with or as a result of, and for amounts paid by Customer under a settlement Publisher approve of in connection with a Claim Against Customer; provided, however, that the Publisher has no liability if a Claim Against Customer arises from: (1) Customer Data or non-Publisher products, including third-party software; and (2) any modification, combination or development of the Offering that is not performed or authorized in writing by Publisher, including in the use of any application programming interface (API). Customer must provide Publisher with prompt written notice of any Claim Against Customer and allow Publisher the right to assume the exclusive defence and control and cooperate with any reasonable requests assisting Publisher’s defence and settlement of such matter. This section states Publisher sole liability with respect to, and Customer’s exclusive remedy against Publisher for, any Claim Against Customer. 
7.3 Notwithstanding anything contained in the above subsections (a) and (b), (1) an indemnified party will always be free to choose its own counsel if it pays for the cost of such counsel; and (2) no settlement may be entered into by an indemnifying party, without the express written consent of the indemnified parties (such consent not to be unreasonably withheld), if: (A) the third party asserting the claim is a government agency; (B) the settlement arguably involves the making of admissions by the indemnified parties; (C) the settlement does not include a full release of liability for the indemnified parties; or (D) the settlement includes terms other than a full release of liability for the indemnified parties and the payment of money. 

8. LIMITATION OF LIABILITY
For each Offering, each party’s maximum, aggregate liability to the other under this Agreement is limited to direct damages finally awarded in an amount not to exceed the amounts Customer was required to pay for the Offerings during the term of the applicable licenses, subject to the following: 
a. Subscriptions. For Offerings ordered on a subscription basis, Publisher’s maximum liability to Customer for any incident giving rise to a claim will not exceed the amount Customer paid for the Offering during the 12 months before the incident or $250,000, whichever is greater. 
For Offerings ordered on a subscription basis, Publisher’s maximum liability to Customer for any unauthorized access, use, or disclosure of Customer Data due to a breach of Publisher’s obligations under Section II(6) (Security), Publisher’s maximum liability to Customer will not exceed two times (2x) the amount Customer paid for the Offering during the 12 month before the incident or $ 250,000, whichever is greater.
b. Free Offerings and distributable code. For Offerings provided free of charge and code that Customer is authorized to redistribute to third parties without separate payment to Publisher, Publisher’s liability is limited to direct damages finally awarded up to US $500.
c. No Indirect Damages. In no event will either party be liable for indirect, incidental, special, punitive, or consequential damages, or loss of use, loss of profits, or interruption of business, however caused or on any theory of liability.
d. Exceptions. No limitation or exclusions will apply to liability arising out of either party’s: (1) confidentiality obligations under Section 3 (except for liability related to Customer Data, which will remain subject to the limitations and exclusions above); (2) defence obligation under Section 7; (3) violation of the other party’s intellectual property rights; or (4) gross negligence, wilful misconduct, or fraud. 

9. PRICING AND PAYMENT
Microsoft will invoice and charge Customer under the terms of the Microsoft Commercial Marketplace Terms of Use and applicable Order. 

10. TERM AND TERMINATION
10.1 Term. This Agreement is effective until terminated by a party, as described below. The term for each Order will be set forth therein. 
10.2 Termination without cause. Unless otherwise set forth in an Order, either party may terminate this Agreement or any Order without cause on 60 days’ notice. Termination without cause will not affect Customer’s perpetual licenses, and licenses granted on a subscription basis will continue for the duration of the subscription period(s), subject to the terms of this Agreement. Publisher will not provide refunds or credits for any partial subscription period(s) if the Agreement or an Order is terminated without cause. 
10.3 Termination for cause. Without limiting other remedies, it may have, either party may terminate this Agreement or any Order immediately on notice if (i) the other party materially breaches the Agreement or an Order, and fails to cure the breach within 30 days after receipt of notice of the breach; or (ii) the other party becomes Insolvent. Upon such termination, the following will apply: 
a. All licenses granted under this Agreement will terminate immediately except for fully paid, perpetual licenses. 
b. All amounts due under any unpaid invoices will become due and payable immediately. For metered Offerings billed periodically based on usage, Customer must immediately pay for unpaid usage as of the termination date. 
c. If Publisher is in breach, Customer will receive a credit for any subscription fees, including amounts paid in advance for unused consumption for any usage period after the termination date. 
10.4 Suspension. Publisher may suspend use of the Offering without terminating this Agreement during any period of material breach. Publisher will give Customer reasonable notice before suspending the Offering. Suspension will only be to the extent reasonably necessary. 
10.5  Survival. The terms of this Agreement, including the applicable Order, or have application to events that may occur, after the termination or expiration of this Agreement or any Order, 
will survive termination or expiration, including all indemnity obligations and procedures. 
11. MISCELLANEOUS
11.1 Entire Agreement. This Agreement supersedes all prior and contemporaneous communications, whether written or oral, regarding the subject matter covered in this Agreement. If there is a conflict between any parts of this Agreement, the following order of precedence will apply: 
a. Order; 
b. this Agreement; 
c. Service Level Agreement (SLA); and 
d. Documentation. 
11.2 Independent contractors. The parties are independent contractors. Customer and Publisher each may develop products independently without using the other’s Confidential Information. 
11.3 Agreement not exclusive. Customer is free to enter into agreements to license, use, and promote the services of others. 
11.4 Amendments. Unless otherwise agreed in a writing signed by both parties, Publisher will not change the terms of this Agreement during the term of this Agreement. 
11.5 Assignment. Either party may assign this Agreement to an Affiliate, but it must notify the other party in writing of the assignment. Customer consents to the assignment to an Affiliate or third party, without prior notice, of any rights Publisher may have under this Agreement to receive payment and enforce Customer's payment obligations, and all assignees may further assign such rights without further consent. Furthermore, either party may assign this Agreement without the consent of the other party in connection with a merger, reorganization, acquisition, or other transfer of all or substantially all of such party’s assets. Any other proposed assignment of this Agreement must be approved by the non-assigning party in writing. Assignment will not relieve the assigning party of its obligations under the assigned Agreement. Any attempted assignment without required approval will be void. 
11.6 Severability. If any part of this Agreement is held to be unenforceable, the rest of the Agreement will remain in full force and effect. 
11.7 Waiver. Failure to enforce any provision of this Agreement will not constitute a waiver. Any waiver must be in writing and signed by the waiving party. 
11.8 No third-party beneficiaries. This Agreement does not create any third-party beneficiary rights except as expressly provided by its terms. 
11.9 Notices. Notices must be in writing and will be treated as delivered on the date received at the address, date shown on the return receipt, email transmission date, or date on the courier or fax confirmation of delivery. Notices to Publisher must be sent to the address stated in the Order. Notices to Customer will be sent to the individual at the address Customer identifies on its account as its contact for notices. Publisher may send notices and other information to Customer by email or other electronic form. 
11.10 Applicable law. 
This Agreement will be construed and governed in accordance with the laws of Switzerland, without regard to any rules of conflicts or choice of law provisions that would require the application of the laws of any other jurisdiction. The parties undertake to conduct mediation proceedings before recourse is made to the arbitral tribunal. The mediator shall be appointed by mutual agreement of both parties within three weeks after one party has notified the other party of this request in writing (request for mediation). If the parties have not reached agreement on the mediator within this period, the Zurich Chamber of Commerce shall be called upon to appoint a mediator. If the dispute is not settled within 180 days of the appointment of the mediator, it shall then be settled by arbitration in accordance with the International Rules of Arbitration of the Swiss Chambers of Commerce. The arbitral tribunal shall consist of one arbitrator. The seat of the arbitration shall be Zurich, Switzerland.
11.11 Order of precedence. The body of this Agreement will take precedence over any conflicting terms in other documents that are part of this Agreement that are not expressly resolved in those documents. Terms in an amendment control over the amended document and any prior amendments concerning the same subject matter. 
11.12 Government procurement rules. By accepting this Agreement, Customer represents and warrants that: (1) it has complied and will comply with all applicable government procurement laws and regulations; (2) it is authorized to enter into this Agreement; and (3) this Agreement satisfies all applicable procurement requirements. 
11.13 Compliance with laws. Publisher will comply with all laws and regulations applicable to its provision of the Offerings. Publisher will obtain and maintain any approvals, licenses, filings, or registrations necessary to its performance, and will comply with all law (including law related to export, corruption, money laundering, or any combination of these). Customer must also comply with laws applicable to their use of the Offerings. 
11.14 Construction. Neither party has entered this Agreement in reliance on anything not contained or incorporated in it. This Agreement is in English only. Any translation of this Agreement into another language is for reference only and without legal effect. If a court of competent jurisdiction finds any term of the Agreement unenforceable, the Agreement will be deemed modified as necessary to make it enforceable, and the rest of the Agreement will be fully enforced to affect the parties’ intent. Lists of examples following “including”, “e.g.”, “for example”, or the like are interpreted to include “without limitation,” unless qualified by words such as “only” or “solely.” This Agreement will be interpreted according to its plain meaning without presuming that it should favor either party. Unless stated or context requires otherwise: 
a. all internal references are to this Agreement and its parties; 
b. all monetary amounts are expressed and, if applicable, payable, in U.S. dollars;
c. URLs are understood to also refer to successors, localizations, and information or 
resources linked from within websites at those URLs; 
d. a party’s choices under this Agreement are in its sole discretion, subject to any implied 
duty of good faith; 
e. “written” or “in writing” means a paper document only, except where email is expressly 
authorized; 
f. “days” means calendar days; 
g. “may” means that the applicable party has a right, but not a concomitant duty, 
h. “partner,” if used in this Agreement or related documents, is used in its common, 
marketing sense and does not imply a partnership; 
i. “current” or “currently” means “as of the Effective Date” but “then-current” means the 
present time when the applicable right is exercised or performance rendered or 
measured; 
j. “notify” means to give notice under subsection (i) above; and 
k. a writing is “signed” when it has been hand-signed (i.e., with a pen) or signed via an 
electronic signature service by a duly authorized representative of the signing party.

12. DEFINITIONS
“Affiliate” means any legal entity that controls, is controlled by, or is under common control with a party. 
“Anti-Corruption Laws” means all laws against fraud, bribery, corruption, inaccurate books and records, inadequate internal controls, money-laundering, and illegal software, including the U.S. Foreign Corrupt Practices Act. 
“Control” means ownership of more than a 50% interest of voting securities in an entity or the power to direct the management and policies of an entity. 
“Confidential Information” is defined in the “Confidentiality” section. 
“Customer Data” means all data, including all text, sound, software, image or video files that are provided to Publisher or its Affiliates by, or on behalf of, Customer and its Affiliates through use of the Offering. Customer Data does not include Support Data. 
“Data Protection Law” means any law applicable to Publisher or Customer, relating to data security, data protection and/or privacy, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to processing of personal data and the free movement of that data (“GDPR”), and any implementing, derivative or related legislation, rule, regulation, and regulatory guidance, as amended, extended, repealed and replaced, or re-enacted. 
“Documentation” means all user manuals, handbooks, training material, requirements, and other written or electronic materials Publisher makes available for, or that result from use of, the Offering. 
“End User” means any person Customer permits to use an Offering or access Customer Data. 
“Feedback” means ideas, suggestions, comments, input, or know-how, in any form, that one party provides to the other in relation to recipient’s Confidential Information, products, or services. Feedback does not include sales forecasts, future release schedules, marketing plans, financial results, and high-level plans (e.g., feature lists) for future products. 
“Insolvent” means admitting in writing the inability to pay debts as they mature; making a general assignment for the benefit of creditors; suffering or permitting the appointment of a trustee or receiver for all or any of its (i.e., the non-terminating party’s) assets, unless such appointment is vacated or dismissed within 60 days from the date of appointment; filing (or having filed) any petition as a debtor under any provision of law relating to insolvency, unless such petition and all related proceedings are dismissed within 60 days of such filing; being adjudicated insolvent or bankrupt; having wound up or liquidated; or ceasing to carry on business. 
“Offering” means all services, websites (including hosting), solutions, platforms, and products identified in an Order and that Publisher makes available under or in relation to this Agreement, including the software, equipment, technology, and services necessary for Publisher to provide the foregoing. Offering availability may vary by region. 
“Order” means an ordering document used to transact the Offering via the Marketplace. 
“Personal Data” means any information relating to an identified or identifiable natural person. 
“Representatives” means a party’s employees, Affiliates, contractors, advisors and consultants. 
“Standard Contractual Clauses” means the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR. 
“Subcontractor” means any third party: (1) to whom Publisher delegates its obligations under this Agreement, including a Publisher Affiliate not contracting directly with Customer through an Order; or (2) who, in performing under a contract between it and Publisher or a Publisher Affiliate, stores, collects, transfers or otherwise processes Personal Data (obtained or accessed in connection with performing under this Agreement) or other Customer Confidential Information. 
“Support Data” means all data, including all text, sound, video, image files, or software, that are provided to Publisher by or on behalf of Customer (or that Customer authorizes Publisher to obtain from an Offering) through an engagement with Publisher to obtain technical support for the Offering covered under this Agreement.
“Use” means to copy, download, install, run, access, display, use or otherwise interact with the Software.
 
Annex 1: Data Processing Agreement
I.	Definitions
Within the following data processing Agreement (thereinafter “DPA”), the following terms are used:
-	Controller of personal data is the Customer  
-	Processor of personal data is the Publisher.
-	 The Processing Purpose is the fulfilment of the contractual obligations as defined within the Agreement between You and the Publisher.
-	The Subprocessor is Microsoft Azure. 

II.	Purpose and scope
The purpose of this Data Processing Agreement (the "DPA") is to ensure compliance with the EU General Data Protection Regulation ("GDPR") and the Swiss Federal Act on Data Protection ("FADP"), with respect to each law only if and to the extent applicable to the respective processing activity. 
This DPA applies with respect to the processing of personal data as required to perform the Agreement between the Parties.
Where this DPA uses the terms defined in the GDPR or the FADP, as applicable, those terms shall have the same meaning as in that law.
This DPA shall be read and interpreted in the light of the provisions of the GDPR and the FADP, as applicable.
These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in the GDPR or the FADP, as applicable, or prejudices the fundamental rights or freedoms of the data subjects.
III.	Hierarchy
In the event of a conflict between this DPA and the provisions of any other agreement between the Parties existing at the time when this DPA are agreed or entered into thereafter, this DPA shall prevail, except where explicitly agreed otherwise in text form.
IV.	Description of processing(s)
The Controller has access to the data in the documents that you process, store, or manage through our services. This access is necessary to provide and improve our services, ensure security, perform backups, and comply with legal obligations. We implement stringent security measures to protect your data and ensure confidentiality as outlined below. The Controller will not use your data for any purpose other than providing the services you have subscribed to, unless we have your explicit consent or are required by law. Additionally, we may collect aggregate data about product usage (e.g., statistics) for billing, analytical, and fraud prevention purposes. Only a selected number of trusted employees have access to your data and such access is granted only to the extent necessary to perform the contractual services, adhering to the principle of least permissions. This means that employees have the minimum level of access required to accomplish their tasks, ensuring your data is handled with the utmost security and privacy.


V.	Obligations of the Parties
I.	General
The data processor shall process personal data only for the defined purpose of providing the agreed service, unless processing is required by appliable law to which the processor is subject. If subsequent instructions are be given by the data controller throughout the duration of the processing of personal data, such instructions shall always be documented.
The data processor shall immediately inform the data controller if, in the opinion of the data processor, the data controller infringes applicable data protection provisions.
II.	Purpose limitation
The data processor shall process the personal data only for the specific purpose(s) of the processing, as required to perform the contractual obligations defined in the Agreement.
III.	Erasure or return of data
Processing by the data processor shall only take place for the duration as required to perform the contractual obligations.
Upon termination of the provision of personal data processing services or termination, the data processor shall return all the personal data to the data controller delete all personal data processed on behalf of the data controller and certify to the data controller that it has done so and delete existing copies unless applicable law requires storage of the personal data.
IV.	Security of processing
The data processor shall implement the technical and organizational measures specified in below to ensure the security of the personal data, including protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to that data (personal data breach). In assessing the appropriate level of security, they shall in particular take due account of the risks involved in the processing, the nature of the personal data and the nature, scope, context and purposes of processing.
In the event of a personal data breach concerning data processed by the data processor, it shall notify the data controller without undue delay and at the latest within 72 hours after having become aware of the breach. Such notification shall contain the details of a contact point where more information concerning the personal data breach can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and data records concerned), its likely consequences and the measures taken or proposed to be taken to mitigate its possible adverse effects. Where, and insofar as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall be provided as it becomes available without undue delay.
The data processor shall grant access to the data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. The data processor shall ensure that persons authorized to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
V.	Documentation and compliance
The Parties shall be able to demonstrate compliance with this DPA.
The data processor shall deal promptly and properly with all reasonable inquiries from the data controller that relate to the processing under this DPA.
The data controller may choose to conduct the audit by itself, to mandate, at its own cost, an independent auditor or to rely on an independent audit mandated by the data processor. Any audit and request for information shall be limited to information necessary for the purposes of this DAP and shall give due regard to the data processor's confidentiality obligations and legitimate interest to protect business secrets.
The data processor and data controller shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority on request if and to the extent required by the GDPR or the FADP, as applicable.
VI.	Use of sub-processors
The data processor has the data controller’s general authorization for the engagement of sub-processors. The data processor shall inform in text form the data controller of any intended changes of that list through the addition or replacement of sub-processors at least 7 days in advance, thereby giving the data controller the opportunity to object to such changes prior to the engagement of the concerned sub-processor(s). Such objection shall not be unreasonable raised. The Parties shall keep the list up to date.
Where the data processor engages a sub-processor for carrying out specific processing activities (on behalf of the data controller), it shall do so by way of a contract which imposes on the sub-processor the same obligations as the ones imposed on the data processor under this DPA. The data processor shall ensure that the sub-processor complies with the obligations to which the data processor is subject pursuant to this DPA, the GDPR and the FADP.
VII.	International transfers
Any transfer of data to a "Third Country" (any country outside of the EU/EEA and Switzerland) or an international organization by the data processor shall take place in compliance with the GDPR and the FADP, as applicable.
The data controller agrees that where the data processor engages a sub-processor in accordance for carrying out specific processing activities (on behalf of the data controller) in a Third Country and those processing activities involve transfer of personal data within the meaning of the GDPR or the FADP, as applicable, the processor and the sub-processor may use standard contractual clauses adopted by the European Commission on the basis of Article 46(2) of the GDPR in order to comply with the requirements of Chapter V of the GDPR, provided the conditions for the use of those clauses are met and provided that an internal assessment concluded that such transfer meets the level of data protection of the GDPR and the FDPA.
VIII.	Data Subject Rights
The data processor shall promptly notify the data controller about any request received directly from the data subject. It shall not respond to that request itself, unless and until it has been authorized to do so by the data controller.
The data processor shall assist the data controller in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights, namely:
-	the right to be informed when personal data are collected from the data subject,
-	the right to be informed when personal data have not been obtained from the data subject,
-	the right of access by the data subject,
-	the right to rectification,
-	the right to erasure (‘the right to be forgotten’),
-	the right to restriction of processing,
-	the notification obligation rectification or erasure of personal data or restriction of processing,
-	the right to data portability,
-	the right to object,
-	the right not to be subject to a decision based solely on automated processing, including profiling.
The data processor shall assist the data controller in case a data subject has lodged a complaint to the competent supervisory authority that concerns data processed on the basis of this DPA.
In addition to the data processor’s obligation to assist the data controller pursuant to Clause 6(b), the data processor shall furthermore assist the data controller in ensuring compliance with the following obligations, taking into account the nature of the processing and the information available to the data processor:
The obligation to notify a personal data breach to the competent supervisory authority without undue delay after having become aware of it, (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
the obligation to consult the competent supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.
The Parties shall set out the appropriate technical and organizational measures as listed below by which the data processor is required to assist the data controller in the application of this clause as well as the scope and the extent of the assistance required.
IX.	Notification of personal data breaches
In the event of a personal data breach, the data processor shall cooperate in good faith with and assist the data controller in any way necessary for the data controller to comply with its obligations under Articles 33 and 34 of the GDPR and Article 22 of the FADP, as applicable, taking into account the nature of processing and the information available to the processor.
The data processor shall assist the data controller in notifying the personal data breach to the competent supervisory authority, where relevant. The data processor shall be required to assist in obtaining in particular the following information which, pursuant to Article 33(3) of the GDPR or Article 22(2) of the FADP, as applicable, shall be stated in the data controller’s notification:
The nature of the personal data including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
the likely consequences of the personal data breach;
the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
X.	Termination
Without prejudice to any provisions of the GDPR or the FADP, as applicable, in the event that the data processor is in breach of its obligations under this DPA, the data controller may instruct the data processor to temporarily suspend the processing of personal data until the latter complies with this DPA or the contract is terminated. The data processor shall promptly inform the data controller in case it is unable to comply with this DPA, for whatever reason.
The data controller shall be entitled to terminate this DPA where:
the processing of personal data by the data processor has been temporarily suspended by the data controller pursuant to point (a), data processor's breach is material, and compliance with this DPA is not restored within a reasonable time and in any event within one month;
the data processor is in substantial or persistent breach of this DPA or its obligations under the GDPR or the FADP, as applicable, and such breach cannot be reasonably expected to be remedied;
the data processor fails to comply with a binding decision of a competent court or the competent supervisory authority regarding its obligations under this DPA or under the GDPR, as applicable.
This Agreement shall remain in full force and effect so long as the Base Agreement remains in effect. Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Base Agreement in order to protect Personal Data shall remain in full force and effect.
XI.	Liability and indemnity
To the extent permitted by law, either party's liability arising out of or in connection with this Agreement shall be limited to direct damages and to the remuneration due in connection with this Agreement for the last 12 months. 
Liability is in any case unlimited for 
-	Gross negligence and intent; and
-	Material damage and personal injury.

 
Technical and Organizational Security Measurements
The Processor, TCG Informatik AG (“TCG”) is dedicated to complying with applicable data protection regulations and maintaining a high standard of data security, both as a data controller and a data processor. In alignment with Article 7 of the FDPA and Article 32(1) of the GDPR, we have implemented various measures aimed at safeguarding the following objectives: data access control, storage control, user control, data transport control, data input control, data disclosure control, data recovery, data breach detection, and system availability. The measurements are set forth in the following.
I.	Organisational and Security Measurements
The TCG development environment is based on technologies and tools that are provided by Microsoft Corporation, USA. Software development is based on DevOps from Microsoft and takes place on MS Azure via cloud-based services. TCG closely adheres to the development and security standards developed by Microsoft for DevOps. Development and security standards developed by Microsoft. The DPS software has been designed so that it can also be used by appropriately third parties completely independent of TCG (end-users, resellers, etc.). Likewise, the software must always remain release-ready.
II.	Security Management

1.	Security policy and procedures: documented security policy with regard to the processing of personal data.
2.	Roles and Responsibilities: Roles and responsibilities related to the processing of personal data are clearly defined and allocated in accordance with the security policy. During internal re-organizations or terminations and change of employment, revocation of rights and responsibilities with respective hand-over procedures is clearly defined.
3.	Access Control Policy: Specific access control rights are allocated to each role involved in the processing of personal data, following the need-to-know principle.
4.	Resource / asset management: register of the IT resources used for the processing of personal data (hardware, software, and network). The information security officer (dataprotection@tcgprocess.com) is assigned the task of maintaining and updating the register.

III.	Incident Response and Business Continuity
1.	An incident response plan with procedures and defined roles is implemented to ensure effective and orderly response to incidents pertaining personal data.
2.	Business continuity: In the event of a security incident or personal data breach, an established procedure to secure level of continuity and availability of the IT system.

IV.	Human Resources
Confidentiality of personnel: TCG ensures that all employees understand their responsibilities and obligations related to the processing of personal data. Roles and responsibilities are clearly communicated during the pre-employment and/or introduction process.  The personnel is instructed on the confidentiality level of personal date by the data protection officer, in the event that they process personal data of any of our clients.  
Back-up check personnel: Hired personnel have undergone a back-up check as we thrive to provide a trusted service to all our customers.

V.	Technical Security Measurements
Access Control and Authentication
1.	An access control system applicable to all users accessing the IT system is implemented. The system allows creating, approving, reviewing, and deleting user accounts. 
2.	The use of common user accounts is avoided. In cases where this is necessary, it is ensured that all users of the common account have the same roles and responsibilities. 
3.	An access control system applicable to all users accessing the IT system is implemented. The system allows creating, approving, reviewing, and deleting user accounts. 
4.	The use of common user accounts is avoided. In cases where this is necessary, it is ensured that all users of the common account have the same roles and responsibilities. 
5.	When granting access or assigning user roles, the “need-to-know principle” shall be observed in order to limit the number of users having access to personal data. 
6.	The authentication credentials (such as user ID and password) shall never be transmitted unprotected over the network.
7.	A guideline for passwords and regular change of passwords has been set into place.

VI.	Logging and Monitoring
Log files are activated for each system / application used for the processing of personal data. They include all types of access to data (view, modification, deletion).
VII.	Security of Data at Rest: Workstation Security
1.	Users are not able to deactivate or bypass security settings.
2.	Anti-virus applications and detection signatures are configured on a regular basis. 
3.	Users don't have privileges to install or deactivate unauthorized software applications.
4.	Critical security updates released by the operating system developer are installed regularly.

VIII.	Network / Communication Security
1.	Whenever access is performed through the Internet, communication is encrypted through cryptographic protocols. 
2.	Traffic to and from the IT system is monitored and controlled through firewalls and intrusion detection systems.

IX.	Backups
1.	Backups are given an appropriate level of physical and environmental protection consistent with the standards applied on the originating data.
2.	Execution of backups is monitored to ensure completeness.

X.	Mobile / Portable Devices
Mobile and portable device management procedures are defined and documented establishing clear rules for their proper use. 
XI.	Data Deletion / Disposal of Data
1.	Software-based overwriting will be performed on media prior to their disposal. In cases where this is not possible, physical destruction will be performed by an external service provider.
2.	Shredding of paper and portable media used to store personal data is carried out.

XII.	Physical Security
The physical perimeter of the IT system infrastructure is not accessible by non-authorized personnel. Appropriate technical measures (e.g. intrusion detection system, chip-card operated turnstile, single-person security entry system, locking system) are set in place to protect security areas and their access points against entry by unauthorized persons.
XIII.	Data Protection Awareness Training and Cybersecurity Awareness 
The data protection officer conducts a yearly data protection awareness training. In the aftermath of the training possible improvements of the implemented organizational and technical measures are being discussed and implemented accordingly. All employees of TCG receive weekly emails regarding cybersecurity from a designated security provider. This platform conducts routine security assessments with our team to help raise awareness about data protection. Our data protection officer can be reached via e-mail under dataprotection@tcgprocess.com.