Master Service Agreement

Contents

0.1
This Master Service Agreement (“MSA”) consists of the main body of the agreement and all annexes, in case its parties amend it in form of its last amendment. The MSA is being concluded by you, respectively the entity on behalf of which you are ordering, (“You” or “Customer”) and peopleForecast GmbH (“We” or “HRForecast”) (both jointly or severally the “Partner(s)”). This MSA enters into force as soon as the first Order Form which references it enters into force (“Effective Date”). As of then, it applies to all orders for Services unless it is expressly excluded (i.e. even if it is not expressly mentioned).

0.2
This MSA is a framework contract for provision of services in form of software as a service (SaaS) subscriptions and/or professional services by HRForecast to Customer as a commercial or other professional entity (for clarity: we do not provide services to consumers as to § 13 German Civil Code, BGB).

Now therefore, the Partners agree as follows:

Article 1. Definitions | What are the concepts and terms used in this MSA?

1.1
“Affiliate” of an entity is any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, for as long as such control exists. “Control,” for urposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

1.2
“Agreement” means all documents that jointly form the contractual arrangements for the respective services between HRForecast and Customer, as further described in section 20.2.

1.3
“App” means a SaaS offering offered as one product or product group, usually targeted at a specific problem, use case or similar or covering a specific group of tasks. An App can be offered in several Editions with different feature sets.

1.4
“Confidential Information” refers to information protected against disclosure as set out in Article 15 (Confidentiality) and is defined as set out in that article.

1.5
“Content” refers to documents, files, materials and other information provided by HRForecast to Customer or its User(s) under this Agreement, for example in conjunction with the provision of SaaS.

1.6
“Customer Data” means electronic data and information, including content, materials and personal data submitted by of for Customer to the SaaS. For clarity, this does not include Content, information, material or other data created by HRForecast.

1.7
“Documentation” means the technical and functional documentation for the SaaS which HRForecast makes available to the public or to Customer specifically, as updated from time to time.

1.8
“DPA” refers to the data processing addendum which is a part of this MSA, concretely Annex C.

1.9
“Edition” describes a variant of a SaaS App with a specific set of features, as offered by HRForecast.

1.10
“Effective Date” refers to the date on which this MSA enters into force, as set out in the preamble.

1.11
“MSA” refers to this framework agreement, as further set out in the preamble.

1.12
“IP Rights” or “Intellectual Property Rights” means registered (e.g. patents) or unregistered rights of any type or other title to or right in an invention, copyright, right of authorship, mark, design or other industrial right, and includes all rights to exploit or use it.

1.13
“Order Form” refers to a document, in general based on a proposal by HRForecast, or electronic record of purchase, under which the provision of SaaS (as further set out in sec.  2.4 ) or Professional Services is agreed upon under this MSA.

1.14
“Professional Services” are knowledge, technology or experience-based services HRForecast provides to Customer; in general all Services not being SaaS will be considered Professional Services. They can be based on a different fee arrangement, as the case may be, e.g. time and material, specified as a designated amount or differently.

1.15
“SaaS” are on-demand software solutions provided by HRForecast and applications provided in conjunction therewith (e.g. mobile applications) under an individual Order Form document, via an online purchasing portal or via a free-of-charge arrangement such as a test or free beta subscription. SaaS is usually provided via internet technologies (e.g. a web browser).

1.16
“Service” are all services provided by HRForecast to Customer hereunder, namely all SaaS and Professional Services.

1.17
“Subscription” refers to the commercial agreement to subscribe to an Edition of a SaaS App for a certain period under certain commercial conditions, as further set out in Article 2 below.

1.18
“Subscription Term” refers, for each specific Subscription, to the time for which the Subscription is active according to the respective Order Form and Article 12.

1.19
“Tenant” describes the specific instance of a SaaS offering, logically separated from other instances and their data.

1.20
“User” each individual (i) to whom access to the SaaS is granted, e.g. by providing a login, and/or (ii) for whom a profile is created in the SaaS. Where no restrictions are set out in this MSA, the Order Form and Documentation, a User can be internal or external and can include employees, contractors, agency employees, directors and others.

Section A. Subscription

This Section A applies to SaaS ordered hereunder.

Article 2. Subscription mode

How do you subscribe?
How does the free trial work and why should you book it?

2.1 Subscribing for Apps and their Editions
Customer can subscribe for a specific Edition of Apps.

2.2 Subscription metrics are per named user by default and for own use only
Where the Documentation or Order Form specify a metric for fees, that metric applies. Where no other specification is made, the subscription is based on the maximum number of Users allowed to access the App plus all users for whom a profile has been opened (“Named User Subscription”). Named User Subscription can be per single User or purchased in packages or ranges for a certain number of Users, depending on the HRForecast’s offerings.
Subscriptions by agents/agencies for the use to the benefit of an entity that is not an Affiliate requires an express authorization; in general, subscriptions are only for the internal use of Customer and its Affiliates.

2.3 No mixing of Editions
Each Tenant can only have one Edition of a specific App. For the avoidance of doubt, that means that, within one Tenant, for each App, all Users need to be subscribed to the same Edition.

2.4 Process of subscribing; Offer and acceptance
Customer can subscribe based by countersigning a proposal by HRForecast and thereby making it an “Order Form” or, insofar offered for the respective SaaS, by following an online
ubscription procedure offered by HRForecast, e.g. an online purchasing portal, or a free of charge subscription, e.g. test subscription or free beta subscription.

2.5 Upgrade of the Edition
Customer can at any time decide to upgrade the Edition to a higher priced Edition of the same App. In case such upgrade is made at the new subscription term, the higher subscription fee will be charged for the new term. In case of an upgrade during a term, HRForecast will invoice the prorated difference of the subscription fees for the remaining period of the existing term. For the avoidance of doubt, a change into an Edition with a lower subscription fee is generally not possible.

2.6 Free trial
HRForecast encourages Customer to register for a free trial of its SaaS offerings. Customer is permitted one free trial run of each App.
Customer will assure no personal data is processed in trials and to use suitable test data to test the functionality and its suitability for its use case. Customer commits to use test data without any relevance to actual individuals (non-personal data) for the trial; HRForecast expressly excludes any commitments regarding the protection of personal data to trials, the DPA does not apply. Trial subscriptions automatically expire after the limited trial period, which is 14 days long unless specified differently. At expiry, HRForecast can block the access and delete the data contained in the trial SaaS. A trial can be converted to a paid subscription subject to the subscription procedure set out in sec.  2.4 above ; this requires the Customer defining the appropriate number of Users for a Named User Subscription (as described in sec. 2.2. above) and, where an App has several Editions, declare which Edition to subscribe to.

Article 3. Provision of SaaS and duties of HRForecast

How we provide our SaaS?

HRForecast will provide all paid SaaS subscriptions as follows:

3.1 SaaS functionality | Which functionality do we provide?
For the duration of the concluded contract HRForecast provides the customer access to the selected Edition of the App as SaaS, as further set out in this Agreement, the Order Form, the documents referenced therein including Documentation.

3.1.1 Thoffer documents and Documentation describe the functionality. | Where is the functionality set out?
The functional range of the booked software version is defined by the description on the corresponding offer from HRForecast and the Documentation. No commitments to implement any specific functionality or feature are made, except where stated in the Order Form, the Documentation or this MSA. Customer has the option to test the SaaS by a free trial to establish whether the SaaS meets Customer’s requirements and HRForecast encourages Customer to do so.

3.1.2 Maintenance and further development of the SaaS | How will the SaaS change over time?
SaaS is a dynamic offering which will be adapted over time, considering the needs of typical users and questions of software stability including management of complexity; with such adaptations including adding and removing of certain features. SaaS is generally provided with the same features to all of its customers, who can adapt it to their and their Users’ needs within the possibilities of configuration. HRForecast will maintain the operability of the SaaS during the Subscription Term.
It is expressly agreed that the SaaS can change in the functionality details in order to provide a standardized evolving cloud offering, provided that the overall functionality does not decrease significantly. HRForecast will inform about material changes in a reasonable manner. While the details of the products may differ, HRForecast warrants that functionality and security do not significantly decrease, as concretely set out in Article 10 (Defects).
The Parties agree that modifications that are necessary (i) to maintain compliance with applicable laws, (ii) to eliminate security vulnerabilities are not considered significant in this regard.

3.1.3 External interfaces | How will connections to third party applications be upheld?
Where the App provides options to integrate third-party applications, as may be further described in the Documentation, (an “Interface”), HRForecast will maintain the core functionality of such Interface, throughout Subscription Term or replace it by a successor interface providing similar functionality. Where the Interface connects to a specific interface as counterpart, this relates to that specific counterpart only and, for the avoidance of doubt, HRForecast is not responsible for any third party’s interface, API or other means to integrate and the effect thereof on interoperability.

3.1.4 Professional Services are separate and only provided if booked
Other services (e.g. onboarding packages & services, consulting, market intelligence, etc.) are not part of a contract for the Subscription to a SaaS. Such additional services can be provided by HRForecast on the basis of a distinct offer for Professional Services. HRForecast has no obligation to render any specific services unless expressly contractually agreed upon.

3.2 SLA | Which availability do the Services have?
HRForecast will provide the SaaS in accordance with Annex A (SLA).

3.3 Access to and return of Customer Data | How can we receive a copy of our data?
Upon Customer’s request made no later than 30 days after the end of Subscription Term, HRForecast will provide a machine-readable copy of Customer Data.
After that period, HRForecast has no obligation to maintain or provide Customer Data and will delete Customer Data unless HRForecast is required by law to retain it (for clarity, any processing including storage is then still subject to the provisions of this MSA including the confidentiality provision).

Article 4. Privacy and security

How do we ensure security of data processing and privacy?

4.1 Privacy | How are privacy requirements implemented?
The DPA, as attached hereto as Annex C, applies and both Parties agree to be bound to it.

4.2 Security of the SaaS | Which measures do we take to protect the SaaS and Customer Data?
HRForecast will maintain appropriate technical and organizational safeguards for the protection of the security, confidentiality and integrity of Customer Data, as described with validity on Effective Date in the Technical and Organizational Measures (Appendix 2). Customer will evaluate if these measures meet Customer’s needs. HRForecast may adapt the measures and will not materially decrease the security measures during the Subscription Term.

4.3 Information duty | Which actions will the Parties take if issues arise?
HRForecast will inform Customer about security or privacy breaches as set out in the DPA.
Customer will inform HRForecast in case they see or suspect (i) a significant misuse of the SaaS, (ii) privacy or security breaches, (iii) hacking attempts, (iv) loss of authentication credentials, (v) misuse of authentication credentials or (vi) other unauthorized access or use.

Article 5. Customer duties and use of SaaS

What does the Customer need to take care of when using the SaaS? Which limits does Customer need to implement?

5.1 Customer key responsibilities | What do you need to take care of?
Customer will:
(a) make available the SaaS (including Apps and Editions) only to Users (and not to anybody else) and use the SaaS only for its internal business purposes and those of its Affiliates;
(b) set up User accounts and profiles and take care of data migration, initial and ongoing configuration and user management and setup of any interfaces they require;
(c) be responsible for the accuracy, quality and legality of Customer Data, the means by which Customer acquired Customer Data, Customer’s use of Customer Data with the SaaS, and the interoperation of any third-party applications with which Customer uses SaaS or Content;
(d) ensure that Users abide the conditions set out in this MSA (insofar applicable) and that no illegal activities are pursued or fostered by its or its Users’ use of the SaaS;
(e) keep confidential login credentials and ensure they are not known to anybody but the authorized User;
(f) implement all steps required to ensure compliance with the contractual usage restrictions set out in the Agreement for its Subscriptions;
(g) use reasonable efforts to prevent unauthorized access to or use of SaaS and Content,
(h) not conduct or authorize penetration tests of the SaaS without advance approval from HRForecast (such approval not to be unreasonably withheld),
(i) be responsible for the technical means required to access the SaaS (including but not limited to using up-to-date browser software, having suitable connectivity and security features such as multi-factor authentication); Customer acknowledges that failing to meet these requirements might result in poor user experience or functional errors); and
(j) Ensure that all devices and software using to access the SaaS are in line with reasonable security standards.

5.2 Customer further responsibilities | In your own interest, what else should you do?
It is incumbent on Customer without being a full obligation (es obliegt dem Kunden),
(a) to use a free trial to establish suitability of the offering for their use case;
(b) to book an onboarding package to be able to leverage the full potential of the specific SaaS subscribed.

5.3 Excluded uses and prohibited activities | What do you need to refrain from?
Customer shall not:
(a) copy, translate, disassemble, decompile, make derivative works, reverse engineer or modify the SaaS or Content (except as permitted by mandatory law);
(b) use the SaaS in breach of applicable law, in particular Customer will not enter, store or transfer any content or data on or via the SaaS that is unlawful or infringes any IP Rights or remove relevant notices (e.g. copyright/authorship notices); or
(c) circumvent or endanger the operation or security of the SaaS or use the SaaS to store or distribute malicious software or content (e.g. viruses, trojans or ransomware) or to attack any systems;
(d) make any SaaS or Content available to anyone other than Customer or Users, or use any SaaS or Content for the benefit of anyone other than Customer or its Affiliates (for clarity, amongst the excluded uses is loading data of Customer’s clients that are not its Affiliates), unless expressly stated otherwise in an Order Form or the Documentation; for the avoidance of doubt, a use of the SaaS or Content in conjunction with services rendered to parties other than Affiliates of the Customer is considered a use for a third party and therefore not permitted under this MSA;
(e) sell, resell, license, sublicense, distribute, rent or lease any SaaS or Content, or include any SaaS or Content in a service bureau or outsourcing offering;
(f) access the services to create a competing product or replicate parts of the SaaS or Content; and
(g) permit to share login credential amongst several people.

5.4 Contractual usage limitation | How are specifically agreed limitations of use handled?
Where limits are not technically imposed, Customer is required to monitor its Users’ use of the SaaS to ensure it stays in line with the contractual usage limits. Customer exceeds contractual usage limits and HRForecast notifies Customer thereof, Customer has 30 days to remedy the overuse; if Customer breaches the contractual usage after such period has elapsed, HRForecast can require Customer to buy the least expensive subscription covering the actual number of users or the features actually used (e.g. a functionally unrestricted subscription or the next higher named user package) and Customer is required to sign a corresponding Order Form.

Article 6. Subscription fees

When and how are fees to be paid?

6.1 Prices are based on price list or agreed for the specific case
The pricing depends on the App, the Edition and the volume of the Subscription and can be made available upon request.

6.2 Invoicing, due date, payment modalities and late payment
Subscription fees are net prices and are invoiced and are payable in advance within two weeks as of the invoice date unless agreed upon otherwise in the Order Form, without deduction of cash discounts. The billing period is one year, unless the Order Form foresees a deviating period.
If customer fails to pay a due invoice, irrespective of other rights, HRForecast is entitled to the statutory interest for delayed payment, which amounts to 9% points above the legal base interest rate (Basiszinssatz) as of due date.

Article 7. Suspension and further consequences

Under which circumstances can we restrict your access to the service?

7.1 Suspension to safeguard security and rights of involved and third parties
If, in HRForecast’s reasonable judgment, there is a significant risk that the use of Customer’s Tenant may result in material harm to the SaaS, its security, integrity or availability, its Users, other customers of HRForecast, or the rights of third parties, each in such a way that quick action is required to avoid damage (e.g. in cases of Customer, or Users for which Customer is responsible, are in such breach of the Agreement, due to loss of credentials or hacking attempts), HRForecast can temporarily limit or suspend Customer’s use to the SaaS to prevent damages. HRForecast will notify in textual form Customer of the limitation or suspension without undue delay (if circumstances allow, in advance). HRForecast will limit the suspension or limitation in time and scope as reasonably required under the circumstances in its judgment.

7.2 Suspension in case of failure to pay within due time
If a customer does not pay an invoice within the payment period, HRForecast can notify Customer and, if customer fails to pay within 30 days of such notification, suspend access to the SaaS until payment is made. If Customer fails to pay within 45 days of such notification, HRForecast has the right to extraordinarily terminate the Subscription. HRForecast will not exercise this right in case of a good faith objection to the invoice by Customer.

Article 8. Grant of rights, reservation of rights

What are you allowed to do with the SaaS?

8.1
HRForecast grants the Customer and its Affiliates a non-exclusive, simple, non-transferable usage right for the Subscribed SaaS by accessing it via the browser, limited time-wise to the term of the (fee-based) contract and subject to the further conditions and limitations set out in this MSA. Where the SaaS includes software provided to download, the foregoing license includes the right to install and run it in object code subject to the limitations (except for access by browser) of the foregoing sentence.

8.2
Usage is limited to the usage metrics and volumes stated in the Order Form. Customer may only permit Users to use the SaaS within the contractually agreed scope.

8.3
Customer grants to HRForecast and its Affiliates and subcontractors a non-exclusive right to process and use Customer Data as reasonably necessary to provide and support the SaaS and as set out in the Agreement. For clarity, this includes backups and penetration testing.

8.4
Except as set out in this Article 8, the Parties do not grant any rights to use their IP Rights but rather reserve all rights. For clarity, SaaS and Content are proprietary to HRForecast and Customer Data is proprietary to Customer.

Article 9. Customer Service

How can you address issues to us? What is required for us to provide support?

9.1
Where Documentation and Order Form do not provide otherwise, HRForecast will provide customer support as set out in Annex B (Customer Support Level) for SaaS; Customer can make use of that support within reasonable limits (within what is reasonably to be expected by a professional company, so called “fair use”).

9.2
For HRForecast to be able to provide support, it needs relevant information about the question and issue. Customer will therefore provide suitable information to evaluate the matter and provide further information upon request. Customer acknowledges that provision of support requires suitable collaboration.

Article 10. Defects and correction; Third party rights

How does HRForecast warrant the SaaS functionality and correct errors? What does Customer need to do?

10.1 Warranties | What is the standard the SaaS should meet? What does HRForecast warrant?

10.1.1
The Parties agree that the SaaS shall meet the following criteria:
(a) standards and specifications agreed in sec. 3.1 (SaaS functionality) and the Documentation,
(b) Documentation is accurate,
(c) the SaaS shall be provided in accordance with its commitments in Article 4 (Privacy and Security) and
(d) where used in accordance with the contractual provisions, shall not infringe any third party rights.

10.1.2
HRForecast warrants (gewährleistet), for the Subscription Term, that it will not decrease materially during the Subscription Term: (a) the functionality (sec. 10.1.1 (a) and (b)) and (b) the security of the SaaS.

10.2 Notification of defects | What to do when becoming aware of an issue?
In case Customer becomes aware of defects and service disruptions, Customer will notify HRForecast in textual form. To enable a quick resolution, the notification should be without undue delay and as follows:

10.2.1
Where reasonably possible, the notification includes the steps to reproduce the issue, otherwise the symptoms and should be made in a way sufficient to enable HRForecast understand and evaluate the issue.

10.2.2
Where the issue is a defect in quality or an unavailability, Customer should use the customer service process, as referenced in Article 9 and detailed in Annex B to inform HRForecast about the issue and include information Customer has available which might be helpful for rectification of the issue.

10.2.3
Where the issue is a defect in title and a third party asserts a right to the SaaS,
(a) Customer shall only defend with HRForecast’s agreement or authorize HRForecast to take over defense; and,
(b) if Customer ceases to use the SaaS, Customer will inform the third party that this is not a recognition of the claimed infringement.

10.2.4
Where a third party asserts rights against HRForecast which are due to acts or omissions by Customer, HRForecast shall only defend with Customer’s agreement or authorize Customer to take over defense.

10.3 Remedy of defects | How will HRForecast address the issues?
HRForecast will remedy defects in the SaaS, at its own choice, (1) by providing Customer with SaaS that is free of defects or (2) by eliminating the defects, for example by showing a reasonable way by which Customer can avoid the effects of the defect.

10.4 Further customer rights | What further rights does Customer have in case of defects?

10.4.1
If, after Customer set a rectification period and subsequently, a reasonable rectification period elapsed and the defect persists and consequently, the suitability of the SaaS is reduced more than just insignificantly, Customer can (i) reduce the remuneration appropriately or (ii) terminate the Subscription for the respective SaaS, in case of termination HRForecast will reimburse fees for the remainder of the Subscription Term prepaid for the respective SaaS.

10.4.2
Insofar a Subscription is classified as lease under the German Civil Code, the no-fault liability as to its sec. 536a para. 1 alt. 1 for defects existing at the time of conclusion of contract is excluded except malice is given.

10.4.3
Claims for damages and wasted expenditure are subject to applicable laws, provided, however, that the limitation of liability as to this MSA applies.

10.5 Exclusion of warranty | When are warranty claims by Customer excluded?
Insofar a defect is caused by Customer’s use of SaaS not being in accordance with the terms of this MSA, the Order Form and Documentation, claims are excluded.

Article 11. Free of charge services

Which service level and reliability apply to free of charge offerings? What is HRForecast’s liability in their regard?

11.1
If Customer is provided with a free-of-charge SaaS, HRForecast has no obligation to provide support for this SaaS and has no obligation to provide any particular service level. HRForecast may cease providing access to such free-of-charge Service at any time. This section 11.1 overrules conflicting term in this MSA including its annexes and referenced documents and, unless set out otherwise therein, in the Order Form and its annexes.

11.2
Any liability of HRForecast in conjunction with free of charge services is limited to mandatory liability according to section 17.1.

Article 12. Subscription term

When does the SaaS start? How long does it run?

12.1
The Subscription Term starts with the agreed starting date, which is (i) usually the beginning of onboarding, respectively, (ii) for a renewal Subscription Term, the first logical instance after the earlier Subscription Term ending.

12.2
The Subscription Term will terminate with the last day of the agreed upon period, which is a year, unless specified differently on the Order Form. A termination before the end of the current Subscription Term is generally not possible unless there is a good cause, as set out in the following paragraph.

12.3
Each Partner’s right to terminate the Subscription for good cause (as further detailed in sec. 19.2) remains unaffected. If Customer terminates for good cause, HRForecast will refund the part of prepaid fees that covers the time after the termination becomes effective. The right of the Parties to claim damages (including outstanding fees) or fees for periods before the termination for good cause becoming effective remains intact.

Section B. Professional Services

This Section B applies Professional Services ordered hereunder.

Article 13. Provision of Professional Services

13.1
HRForecast will provide to Customer the Professional Services agreed upon on an Order Form and Customer will support the delivery of such services as reasonably necessary for the provision of the respective Professional Service, e.g. by providing informed contacts entitled to take decisions, by providing relevant information and access to relevant sources within customer’s organization. Such Services may include, for example, (i) onboarding services and (ii) data driven and experienced based services such as labor market and workforce analytics which can include generalized insights explanations, reports and management consulting.

13.2
All Services purchased in Order Forms that are not SaaS are covered by this Professional Services section of the MSA unless agreed otherwise.

13.3
Any deadlines and agreed times shall only begin as when Customer has provided all support as set out in this Article 13 which is reasonably required to provide the respective part of the Professional Service.

13.4
Customer will designate a contact who will coordinate and ensure all decisions relevant on its side for the delivery of the Professional Services by HRForecast will be rendered in a timely manner; Customer will notify any changes in a timely manner.

Section C. General Terms

This Section C applies to the all Services HRForecast provides to Customer; it covers the overall business relation between the Parties in which HRForecast acts as a supplier to Customer.

Article 14. Payment and tax

When and with which modalities will payments be done?

14.1 Net prices (taxes are in addition to them) | What is charged in addition to listed prices?
All Subscription and Professional Service fees noted are displayed net prices and will be invoiced with addition of applicable Indirect Taxes. “Indirect Taxes” means all indirect taxes, being transactional taxes, levies and similar charges (and any related interest and penalties) such as federal, state or local sales tax, value added tax, goods and services tax, use tax, property tax, excise tax, service tax, withholding tax or similar taxes.

14.2 Invoicing of SaaS | When are SaaS charged?
SaaS will be invoiced in advance, where reasonably possible at least two weeks but no more than one month before the start of the respective term (e.g. Subscription Term).

14.3 Invoicing of Professional Services | When are Professional Services charged?
For Professional Services, unless agreed upon otherwise, an advance payment of 40% of the anticipated cost as to the Order Form is required and will be invoiced after conclusion of an Order Form for such services. The remainder of the fee will be invoiced after provision of the Professional Services; legally mandatory fee retention rights remain unaffected.

14.4 Payment term | When are invoices due?
All payments are due 30 days as of the date the invoice has been sent via email, or another path agreed upon by the Partners and to be made by wire transfer.

14.5 Pricing and discounts are only valid for one Subscription Term or Service | Until when is the pricing valid and what will apply thereafter?
Generally, SaaS Subscriptions and Professional Services are sold based on list prices for a specific Subscription Term or Service respectively. Where the Parties agree differing pricing, this is only for the agreed-upon Subscription Term or Service unless agreed upon differently.

Article 15. Confidentiality

How is the Parties’ information protected contractually?

15.1 Definition | What is Confidential Information?
“Confidential Information” means all information disclosed by one Partner (“Disclosing Party”) or one of its Affiliates (the Partner then being considered the “Disclosing Party”) to the other Partner (“Receiving Party”) or one of its Affiliates (the other Partner then being the “Receiving Party”), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure.
Confidential Information of Customer includes Customer Data; Confidential Information of HRForecast includes the SaaS, its details and technical and organizational measures as well as Content, and the terms and conditions of this Agreement and all Order Forms (expressly including pricing) and non-public Documentation (including documents linked from Order Forms but not from public websites). Confidential Information of each Partner includes business and marketing plans, technology and technical information, product plans and designs, and business processes disclosed by such Partner.
However, Confidential Information does not include any information that (i) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party, (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party, (iii) is received from a third party without knowledge of any breach of any obligation owed to the Disclosing Party, or (iv) was independently developed by the Receiving Party.

15.2 Confidentiality Obligations | How is Confidential Information protected?

15.2.1
As between the Partners, each Partner retains all ownership rights in and to its Confidential Information and the Receiving Party will:
(a) maintain all Confidential Information in confidence, taking steps to protect the Confidential Information substantially similar to those steps that the Receiving Party takes to protect its own Confidential Information, which shall not be less than a reasonable standard of care;
(b) not use or disclose any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement;
(c) except as otherwise authorized by the Disclosing Party in writing, limit access to Confidential Information of the Disclosing Party to those of its and its Affiliates’ employees and contractors who need that access for purposes consistent with this Agreement and who have signed confidentiality agreements with the Receiving Party containing protections not materially less protective of the Confidential Information than those herein; and
(d) where technically feasible, retain any and all confidential, internal, or proprietary notices or legends which appear on the original and on any reproductions.

15.2.2
The confidentiality obligation applies beyond the duration of the Agreement (i) infinitely insofar the Confidential Information is Personal Data processed under the DPA (ii) for Confidential Information being a trade secret protected by law for as it remains such trade secret and (iii) until twelve months after the effective termination date of the Agreement otherwise.

15.3 Application of confidentiality obligation for evaluation phase.
For the avoidance of doubt, the non-disclosure obligations set forth in this Article 15 (“Confidentiality”) apply to Confidential Information exchanged between the parties in connection with the evaluation of additional HRForecast services.

15.4 Compelled disclosure | How will legally required disclosures be handled?
The Receiving Party may disclose Confidential Information of the Disclosing Party to the extent compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of the compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure. The Receiving Party shall use commercially reasonable efforts to disclose only that portion of the Confidential Information which is legally requested to be disclosed and shall request that all Confidential Information that is so disclosed is accorded confidential treatment.

15.5 Return | When and how will the Parties return Confidential Information?
Upon the Disclosing Party’s request, the Receiving Party shall promptly destroy or return the Disclosing Party’s Confidential Information, including copies and reproductions of it, unless applicable law requires its retention; In this case, the Confidential Information shall continue to be subject to this Article 15.

Article 16. Guarantees

When and how does HRForecast give guarantees?

16.1
Nothing in this MSA or the Documentation shall be construed in a way as to describe a guarantee (Garantie). In case of defects, the customer has the rights described herein, including the warranties as set out Article 10 (Gewährleistungsrechte).

16.2
For clarity, HRForecast employees and agents are not entitled to offer any guarantees.

Article 17. Liability

Which liability do the Parties take? When is liability excluded?

Claim towards either Partner and their Affiliates contracting on the basis of this MSA, its Annexes and Schedules as well as in conjunction with any Order Forms thereunder and corresponding Services, based on whatever legal reason, including infringement of duties arising in connection with this MSA, all contracts that are subject to this MSA, tort and data processing, except for claims for fees to be paid, are limited as follows:

17.1 In which cases do are the parties liable without limitation?
The Parties shall be mutually liable without limitation:
(a) in the event of willful misconduct or gross negligence,
(b) within the scope of a guarantee taken over by the respective Partner,
(c) in the event that a defect is maliciously concealed or of fraudulent intent,
(d) in case of an injury to life, body or health, and
(e) according to the German Product Liability Law.

17.2 What liability is given in connection with duties essential for performance?
When a Cardinal Duty is infringed, except for the foregoing cases, the Partners’ liability is limited to damage which is foreseeable in view of the given contract and duty.
A “Cardinal Duty” is a duty (1) the fulfilment of which the other Partner could legitimately rely upon and (2) (a) which in itself is a essential prerequisite for the contractual performance, or (b) a breach of which would jeopardizes the purpose of the contract.

17.3 What liability applies otherwise?
In other cases, the aggregate liability of the Partner and its Affiliates is limited to the fees paid for the relevant Service by the Customer and its Affiliates within the last 12 full months preceding the first incident out of which the liability arose, and in cases the MSA’s term up to that point is not 12 months yet, the fees that are committed to be paid for the first 12 months for such Service of the MSA’s validity, or, where the commitment is only a minor part of the expected fees, the respective expected fees.
For each calendar year, the overall liability under this section for the Partner and its Affiliates is limited to the overall fees payed or payable by Customer and its Affiliates to HRForecast and its Affiliates for services under this MSA within the calendar year.

17.4 Who bears the burden of proof?
This clause does not change the burden of proof, which is determined as to applicable law.

17.5 To who else does the limitations of liability apply?
The limitations of liability in this Article 17 equally apply in the case of claims for a Partner’s damages against the respective other Partner’s employees, agents, bodies and subcontractors.

Article 18. Publicity clause

How can the Partners communicate about the business relation?

18.1
Customer agrees to be reference customer to HRForecast. HRForecast is therefore allowed to name the customer in public communication and may, within limits reasonable in view of the Customer’s interest, connect third parties to the Customer for an exchange on experiences with HRForecast’s offering.
Any press announcements about the relation require review by both Parties, not to be unreasonably withheld.

Article 19. Term

From when to when are the contracts valid? When can they be terminated exceptionally?

19.1 Regular term

19.1.1
This MSA enters into force on Effective Date as set out in the preamble, provided that at least one Order Form is bindingly concluded no later than two weeks after Effective Date.

19.1.2
The MSA automatically terminates when no further Subscriptions are active thereunder.

19.2 Extraordinary termination
A Partner (“Terminating Party”) can terminate this MSA anytime for good cause (“Extraordinary Termination”, außerordentliche Kündigung aus wichtigem Grund), provided that:
(a) If, taking into account all circumstances of the individual case, in particular breach fault on the part of the contracting parties, and their weighted interests, the Terminating Party cannot reasonably be expected to continue the contractual relation until its regular end;
(b) The Terminating Party declares Extraordinary Termination other Partner in writing (as defined in sec. 20.3) including an explanation of the cause; and
(c) The other Partner is given 30 days to cure the matter (unless activities by the other Party could not reasonably cure the matter).
(d) The Extraordinary Termination implies a termination of all Order Forms under the MSA, unless (i) the matter relates to a specific Order Form and (ii) the Terminating Party stipulates in the termination notice that it terminates the Order Form only.

Article 20. Miscellaneous

20.1 Interpretation | What is the role of headings and questions?
The headings and questions in this MSA are only for ease of reading and shall not be used for its interpretation.

20.2 Entire agreement and order of precedence | Which documents apply to the services and in which order?
In case of conflicts, the parts of the Agreement will govern in the following order of precedence unless expressly agreed upon otherwise:
(1) the Order Form, (2) annexes to the Order Form, (3) annexes to this MSA, (4) the main body of this MSA, (5) (as referenced documents which are not part of the main agreement) Documentation and other referenced documents.
The foregoing documents constitute the entire agreement between the parties and shall substitute all earlier arrangements on the same subject matter.
The Partners expressly exclude applicability of any other general terms and conditions by either of them which are not referenced herein, but they acknowledge that they might retain references to them for practicality reasons (these references would not apply).

20.3 Amendments; Form requirements; Written form | In which form can this agreement be updated?
Changes to this MSA, its annexes and amendments, Order Forms, their annexes and amendments require an agreement in writing; this equally applies to a waiver of the form requirement. An agreement in writing is given, in these cases where the parties sign and exchange orginals, or facsimilie copies thereof, sign digitally using a generally accepted tool (for the avoidance of doubt, any provider being certified for qualified electronic signature as to eIDAS shall be regarded generally accepted) or, for Order Forms and its annexes, where HRForecast provides an electronically generated document which does not include any reference to being a draft or similar and customer signs this in accordance with the foregoing or where HRForecast offers to accept and Customer accepts in a documented way a corresponding electronic statement it can download or receive in a form suitable for long term reference in an electronic system by HRForecast. Where this Agreement requires a written or textual notification, that requires written text with a clear identification of the declaring person communicated in a form that the recipient can reasonably store (as further detailed in the definition of the textual form as to sec. 126b German Civil Code).

20.4 Choice of law and legal venue | Where and how would disputes be resolved?
This Agreement is governed by German law excluding the CISG (UN Convention on Contracts for the International Sale of Goods).
All disputes out of this agreement, orders thereunder or in connection with it will be exclusively resolved at the courts of Munich (insofar permissible as to sec. 38 German Code of Civil Procedure, Zivilprozessordnung).

20.5 Compliance, export laws
Both parties are committed to compliance with applicable laws, including the export laws. No provision of this MSA shall entail an obligation to act contrary to laws.

20.6 Restriction of assignment
The Partners are only allowed to assign their respective rights and obligations under this MSA and Order Forms thereunder to another entity (“Assignee”) (a) where such right cannot be excluded as a matter of law, (b) with consent of the other Partner (not to be unreasonably withheld) or (c) to an Affiliate of the Partner provided that the Agreement including all single contracts thereunder are transferred and the Assignee agreeing to being comprehensively bound by all terms of this MSA.

20.7 Annexes
The following Annexes are part of Agreement:
Annex A. Software as a Service (SaaS) availability
Annex B. Customer support SLA
Annex C. Data Processing Addendum
Appendix 1. Scope of processing, categories of subjects and data
Appendix 2. Technical and Organizational Measures (TOMs) as valid on Effective Date

Annex A. Software as a Service (SaaS) availability

Where HRForecast provides SaaS, the following SLA applies:

1. General rule for availability

HRForecast warrants (gewährleistet) 98% availability of the SaaS based on an annual average. The SaaS is deemed “Unavailable” when User log-in into the SaaS is not possible, subject to section below.

2. Times not counting as unavailable

The following times shall not be counted as Unavailable:

2.1 Maintenance windows:
any times HRforecast classifies in its reasonable discretion, for the specific case, as timeframe for maintenance (e. g. for updates to the software or underlying infrastructure) provided such “Maintenance Downtime” is (1) outside of the “Standard Business Hours” at our Munich, Germany site, Monday to Friday between 9:00 am and 6:00 pm, excluding public holidays, (2) within a downtime period of no longer than 30 minutes or (3) were announced with a Downtime Notice as described subsequently.
A “Downtime Notice“ is a notice sent to Customer to notify of a planned unavailability of the service. It will be sent at least 24 hours in advance unless urgent action is necessary to safeguard availability and security of the systems (e.g. in case of critical vulnerabilities updates might exceptionally require shorter notice periods).
HRForecast strives to carry out maintenance outside of the Standard Business Hours.

2.2 Force majeure events:
any unavailability caused by circumstances beyond HRForecast’s reasonable control (“Force Majeure Events”), including, for example, act or terror, act of government, flood, fire, earthquake, civil unrest, strike or other labor problem (other than one involving HRForecast’s employees), internet service provider failure or delay, third-party applications, or denial of service attack, all provided HRForecast took reasonable steps to protect availability of the systems as further set out in this MSA.

3. Duty to notify unavailability as key to resolve the matter

To assure quick resolution, Customer commits to report any disruption of the system availability to HRForecast without undue delay (unverzüglich) after it has become known.
HRForecast will enter such case high priority customer incident case initially and can reclassify based on consequent findings about the case.

Annex B. Customer support SLA

1. Hotline

The hotline is an offering by which Customer can contact HRForecast concerning any questions regarding the SaaS or to raise a support case.

2. Support times

The support is available during “Standard Business Hours” at our Munich, Germany site, which are Monday to Friday between 9:00 am and 6:00 pm, excluding public holidays.

3. Case handling

3.1
Customer can raise cases using communication channels HRForecast has opened (“Case Notice”). The Parties strive to streamline communication by using suitable communication means. HRForecast can for example offer a ticketing system on HRForecast’s customer support website.

3.2
When HRForecast receives such a Case Notice from customer, it will acknowledge its receipt and thereby create a “Case” within the Response Time (as defined below in sec. 5 as Service Level for the respective case type).

4. Case prioritization

Cases will be classified into the following priority levels (“Priority Levels”) and will be Resolved accordingly. Customer can note a priority when notifying the case. HRForecast has the final authority to determine the Priority Level within its reasonable discretion.

  • Critical – severe business impact; e.g., SaaS is unusable resulting in total disruption of work, affects a large regional or global group of Users, or one or more business critical applications or business processes are disabled;
  • High – high business impact; e.g., major feature/function failure in SaaS, operations are severely restricted, affects a large group of Users, and/or a business critical application or business process;
  • Medium – Low or medium business impact affecting only non-business critical applications or business processes; e.g., minor feature/function failure in SaaS, or affects only a single user, who cannot work at all, and/or a small group of Users, who cannot work with a specific application or business process;
  • Low – Very limited business impact affecting only non-business critical applications or business processes; e.g., minor problem with SaaS, or affects only a single User, who cannot use a single application or business process;

4.1 Case resolution
HRForecast will Resolve Cases within Target Resolution Time (as defined below in sec. 5 as Service Level for the respective case type). A Case is “Resolved” when the matter at hand is investigated and a content response is provided which should include the solution approach.

5. Service Levels and timing depending on priority

HRForecast shall resolve all Incidents prioritized according to the schedule below (“Service Levels”):

PriorityFirst “Response Time*Target Resolution Time*
Critical2 h8 h
High8 h72 h
Medium8 h5 days
Low3 days5 days
(not formally prioritized)
New/Change requests
4 daysSchedule follow up meetings to determine project scope and timeline.

* The time periods start:
a) at the time of reporting when a report is received within Standard Business Hours, and
b) at the start of the next period of Standard Business Hours otherwise.
Any delays in the responsibility of the customer (e.g. unavailability of the customer side contact person, late notification of a disruption) (“Customer Delays”) are at customer’s risk and the periods are considered not to run during that such delays.
The end of the respective time period is the start plus the time mentioned in the table plus Customer Delays.

Annex C. Data Processing Addendum

This Data Processing Addendum (“DPA”) concluded by and between you, Customer, and us, HRForecast, with the signature of the MSA, an integral part of which it constitutes. This DPA sets out the obligations of the contracting parties in regards to data protection, associated with the Processing of Personal Data by HRForecast on behalf of the Customer in the SaaS within the delivery of services covered by the Master Service Agreement to which it is attached (“MSA”), as detailed in the respective Order Form. This DPA is valid throughout the term of the MSA unless replaced by a newer DPA.

1. Definitions

1.1
Terms not defined in this DPA, but in the MSA have the meaning stipulated in the MSA.

1.2
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

1.3
“Data Subject” means the identified or identifiable person to whom Personal Data relates.

1.4
“Data Protection Law” encompasses laws and regulations, including, applicable to the Processing of Personal Data under the MSA, including—for the European Economic Area (“EEA”) and their member states—GDPR, similar laws and binding regulations of the Switzerland and the United Kingdom and the laws regulating Processing of Personal Data in other countries insofar they apply to Processing under this DPA.

1.5
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), including as implemented or adopted under the laws of the United Kingdom and the countries of the European Economic Area.

1.6
“Personal Data” means any Customer Data that relates to an identified or identifiable natural person, to the extent that such information is protected as personal data under applicable Data Protection Laws.

1.7
“Personal Data Breach” means a confirmed:
a) accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or unauthorized third-party access to Personal Data; or
b) similar incident involving Personal Data, in each case for which a Controller is required under Data Protection Law to provide notice to competent data protection authorities or Data Subjects.

1.8
“Processor” means any a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

1.9
“Sub-processor” means any Processor engaged by HRForecast in the processing of Personal Data on behalf of Controller under this DPA and

1.10
“Sub-processing” refers to all activities done by such Sub-processor under this DPA, both as further described in sec. 4 (Sub-Processing).

2. Commissioned data processing

In the context of Service delivery, HRForecast may process Personal Data as a Processor for Customer, and, as set out herein, for Customer’s Affiliates. Where that is the case, the processing is subject to this DPA, except for non-production systems to which this DPA will not apply and into which no Personal Data may be entered.

2.1 Roles of the Parties
HRForecast acts as a Processor under this DPA.
Customer is the Controller. As an exception to that, where an Affiliate of Customer is the Controller, Customer acts on behalf of such Controller and confirms that it is authorized to do so, to exercise rights, to act as recipient in case of duties by HRForecast and Customer commits to fulfill any duties by such Affiliate being a Controller. For such case, Customer agrees to bundle requests by different Controllers under this contract as much as reasonably possible to reduce the additional burden.

2.2 Details of processing and purpose limitation
HRForecast shall process and the personal only for the specific purpose(s) of the processing, as set out in Appendix 1 (Scope and details of data processing), unless it receives further instructions from the Customer. HRForecast will require its staff to abide this processing restriction.

2.3 Instructions
a) HRForecast shall process Personal Data, including with regard to transfers of personal data to a third country or an international organisation, only on documented instructions from Customer, unless required to do so by law to which HRForecast is subject. In this case, HRForecast shall inform the controller of that legal requirement before processing, unless the law prohibits this.
b) The MSA, Order Forms, DPA and Documentation constitute the full and comprehensive instructions given by Customer to HRForecast.
c) Subsequent instructions shall always be documented. Regarding the use of SaaS, the use constitutes instructions are in general given by using the Services. Customer can give further instructions during the Subscription Term, provided that these are in line with the contractual agreements and scope of services delivered. Instructions not foreseen in or covered by the contractual agreements or which are out of scope of the Services delivered shall be treated as requests for changes to the Order Form. Customer shall, without undue delay, confirm in writing or in text form any instruction issued orally.
d) Customer will use the Services and issue instructions in line with the legal requirements only and is responsible for ensuring this.

2.4 Sensitive data
If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“Sensitive Data”), the Parties will assure that restrictions and safeguards suitable for processing of such data apply. Customer has reviewed the Personal Data they intend to process and confirms the measures taken are appropriate to protect the rights and freedoms of the respective data subjects.

3. Confidentiality and security of processing

3.1
HRForecast and its Sub-Processors shall grant access to Personal Data undergoing processing to members of its personnel only to the extent necessary for implementing, managing and monitoring of the Agreement. They shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Such confidentiality obligations shall be binding infinitely.

3.2
HRForecast shall implement, and procure for its Sub-Processors to implement, technical and organizational measures to ensure the adequate protection of Customer Data, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects. This includes measures required for ongoing confidentiality, integrity, availability and resilience of processing systems and services. The measures applying to SaaS taken by HRForecast on Effective Date are set out in Appendix 2 (“TOM”).

3.3
Customer has reviewed the TOM and agrees that, as to the SaaS selected by Customer in the Order Form, the measures are appropriate taking into account the state of the art, the costs of implementation, nature, scope, context and purposes of the processing of Personal Data.

3.4
HRForecast will regularly review the TOM and has the right to modify the measures and safeguards implemented, provided, however, that the overall level of security shall not be less protective than initially agreed and that HRForecast will publish an updated summary of the TOM in its customer portal and provide it to Customer upon request.

3.5
Article 15 of the MSA applies to Personal Data and provides for its confidential treatment.

4. Sub-processing

4.1 Authorisation to use Sub-processors
Customer hereby generally authoritzes HRForecast to use Sub-processors. HRForecast remains responsible for the compliance with this DPA and is responsible for ensuring that its obligations on data protection resulting from the MSA (including this DPA) are valid and binding upon Sub-Processors; The Parties agree that this requirement is fulfilled if the contract has a level of protection corresponding to this agreement, respectively if the obligations laid down in art. 28 para. 3 GDPR are imposed on the Sub-Processor.

4.2
The current Sub-Processors for SaaS are set out in Appendix 3.

4.3 Objection to new Sub-processors
When HRForecast intends to retain a new Sub-Processor, it will notify Customer at least 30 days in advance (“New Sub-processor Notice”).
If Customer has legitimate reason under Data Protection Law to object to the use of such Sub-Processor, Customer may object the use of a new Sub-Processor within 30 days of the notice; the notice is required to state the legitimate reasons; in such case HRForecast will take commercially reasonable effort to provide the Services to Customer without using such Sub-Processor, in case HRForecast fails to do so within 30 days, Customer has the right to terminate with a notice period of no more than 30 days solely the respective Service by providing notice without undue delay and HRForecast will reimburse prepaid fees for the part Service terminated in line with this provision; in case such termination is not notified within 60 days of the New Sub-processor Notice, Controller is deemed not to have objected the Sub-Processor and the general autorisation applies.

4.4 Emergency replacement of Sub-Processors
If there are urgent reasons to replace a Sub-Processor (e.g. security), HRForecast may do so. In such case, it will notify Customer without undue delay (“New Sub-processor Notice”) and 4.3 applies accordingly, except for the fact that the New Sub-processor Notice is replaced by the notice under this paragraph.

4.5 Ancillary services
In general, no authorization is required for contractual relationships with service providers that are concerned with the examination or maintenance of data processing procedures or systems by third parties or that involve other additional services, even if access to Personal Data cannot be excluded, as long as the Supplier takes reasonable steps to protect the confidentiality of the Personal Data.

5. Locations of processing

5.1
HRForecast may to process Personal Data, including by using Sub-Processors, in accordance with this DPA outside the country in which the Customer is located as permitted under GDPR.

5.2
HRForecast shall not transfer Personal Data from European Union to a country or recipient that is not recognized as providing an adequate level of data protection (within the meaning of applicable European Data Protection Laws) unless it takes measures necessary to ensure that the transfer is in compliance with applicable European Data Protection Laws. The Parties, for example, consider a transfer mechanisms such as the Standard Contractual Clauses (as published by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914, including potential amendments and updates) or binding corporate rules (as defined by art. 47 GDPR) as such suitable measures.

6. Supporting obligations

6.1
In view of the legal duties, especially Customer’s obligations enumerated in articles 33 through 36 of GDPR, HRForecast shall provide reasonable commercial efforts to assist to the Customer as follows:

6.2 Data Subject requests
HRForecast will promptly notify via e-mail Customer of requests by Data Subjects it receives in conjunction with data processing hereunder. HRForecast shall not respond to the request itself, unless authorised to do so by the controller; it is Customer’s responsibility to handle the data subject request timely and adequately and HRForecast is not responsible in case Customer fails to respond to such request in total, correctly or in a timely manner.
Both parties will keep each other appropriately informed and will cooperate reasonably with the aim to resolve the matter with the Data Subject. HRForecast shall assist to a commercially reasonable extent Customer in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), the processor shall comply with Customer’s instructions.

6.3 Data Protection Impact Assessment
Upon Customer’s request, HRForecast will provide access to generally available Documentation for assessing the privacy impact of the Services within the scope of this DPA. Where no such generally available Documentation exists for a given Service, HRForecast will provide assistance at a remuneration to be agreed between the Parties. Any additional assistance shall be mutually agreed between the Parties.

6.4 Data breaches
HRForecast will notify Customer, without undue delay after becoming aware of Personal Data Breach. It will reasonably assist Customer in meeting Customer’s obligations to report a Personal Data Breach as required under Data Protection Laws, such assistance shall be reasonable in view of the kind of Service provided and will in general consist in providing the relevant information available to HRForecast and, as reasonably required, cooperation with requests from Data Subjects and authorities regarding the processing hereunder. The duties under this clause and their implementation shall not be interpreted or construed as an admission of fault or liability by the HRForecast.

7. Return of Customer Data including Personal Data

7.1 Retrieval by Customer
Customer may access and export in a standard format its Personal Data during the Subscription Term of the respective Service and subject to the Agreement. In case there are technical limitations to exports, the Partners will collaborate to create a reasonable path for Customer to suitably access Personal Data.

7.2 Deletion after Subscription Term has ended
Upon the termination of the Agreement, Customer hereby instructs HRForecast to delete Customer Data within a reasonable time period (not to exceed 6 months) in line with Data Protection Law unless applicable law requires retention.

8. Documentation and audits

8.1
HRForecast shall document appropriately its compliance with the obligations agreed upon in this DPA. At Customer’s request, HRForecast will provide Customer with the information required and available to HRForecast to prove such compliance.

8.2
The Parties agree that the favorable way to prove such compliance is provision of suitable third-party certification, e.g. ISO27001.

8.3
Where on-site audits and inspections by Customer or a suitably qualified and reasonably independent auditor appointed by Customer are necessary, such audits and inspections will be limited to HRForecast’s own premises and conducted during regular business hours, and without interfering with HRForecast’s operations, upon prior notice, and observing an appropriate notice period. HRForecast is entitled to a remuneration for such audit unless the audit reveals material breach of this DPA by HRForecast. Customer will provide the audit results to HRForecast.
HRForecast is entitled, at his own discretion and taking into account the legal obligations of Customer, not to disclose information which is sensitive with regard to HRForecast’s business or if HRForecast would be in breach of statutory or other contractual provisions as a result of its disclosure. Customer is not entitled to get access to data or information about HRForecast’s other customers, cost information, quality control and contract management reports, or any other confidential data of HRForecast that is not directly relevant for the agreed audit purposes. Customer will treat all information found in the audit as Confidential Information.
HRForecast is entitled to reject auditors which are competitors to HRForecast.

8.4
Where a data protection supervisory authority or another supervisory authority with statutory competence for Controller conducts an inspection, sec. 8.3 above shall apply mutatis mutandis. The execution of a confidentiality undertaking shall not be required if such supervisory authority is subject to professional or statutory confidentiality obligations whose breach is sanctionable under the applicable criminal code.