General Terms and Conditions (“GTC”)


SaaS Agreement

1. Scope
1.1 These GTC apply to all agreements (each an “Agreement”) for software solutions to support business processes for use via the Internet as a web application (“SaaS Solution”) of ZREALITY GmbH, Zollamtstraße 11, 67663 Kaiserslautern, Germany (“ZREALITY”).
1.2 Clients of ZREALITY can only be companies, i.e. natural or legal persons acting in connection with their business or self-employment (each a “Customer”; ZREALITY and Customers are each a “Party” and together the “Parties”).
1.3 ZREALITY does not recognize deviating terms and conditions or other agreement terms of the Customer unless ZREALITY has expressly agreed to their validity in writing in advance. ZREALITY already expressly objects to the validity of the Customer’s terms and conditions.

2. Conclusion of Agreement
2.1 Upon the Customer’s request, ZREALITY shall prepare a non-binding offer (“Offer”) for the use of the SaaS solution requested by the Customer. An Offer shall not be deemed to be agreed in the sense of an agreement conclusion until an authorized representative of the respective contracting party has signed it.
2.2 The commencement of the Agreement shall be determined by the Parties in the Offer (“Commencement Date”). If no specific date is specified as the start of the Agreement, the Agreement shall start on the date of the last signature of an authorized representative within the framework of the conclusion of the Agreement.

3. Subject of the Agreement
3.1 The concrete scope of functions of the SaaS solution as well as the requirements for the hardware and software environment that must be fulfilled on the Customer’s side result from the respective offer and the documentation that ZREALITY provides or makes accessible to Customer together with the SaaS Solution (“User Documentation”). The SaaS solution is not provided for local installation at Customers’s site.
3.2 As part of the SaaS Solution, storage space is provided by ZREALITY on central servers on which the information and data generated and processed with the SaaS solution (e.g. 3D-visualizations) as well as information uploaded by Customer (e.g. participation list) (“Customer Content”) is stored for the Customer for the duration of the contractual relationship.
3.3 The service transfer point is the ZREALITY router output to the Internet. On Customer side, the Customer itself must take care of the connection to the Internet, the provision or maintenance of the network connection to the service transfer point, and the procurement and provision of network access components for the Internet.
3.4 Customer’s access to the SaaS Solution is secured via Internet. After conclusion of the Agreement, ZREALITY will provide Customer with access data for accessing its account (“Customer Account”) in the SaaS Solution and for using the SaaS Solution. Customer is obliged to keep its access data including password secret and to protect it from misuse by third parties. In this context, ZREALITY points out that employees of ZREALITY are not authorized to request passwords or access data by telephone or in writing. Customer will change the password provided by ZREALITY for the initial log-in. When choosing a password, the generally known rules should be observed (length, complexity of the password). Customer must notify ZREALITY immediately in the event of loss of the access data, including the password, or if there is any suspicion of misuse of this data. Furthermore, ZREALITY is entitled to block access to Customer account to the SaaS Solution in the event of misuse. Customer is liable in case of misuse for which he is responsible.

4. Service Level
4.1 The following service levels apply to the SaaS solution:
• Hours of Operation: 24 hours per day, all seven (7) days per week (“Hours of Operation”);
• Maintenance times: ZREALITY performs maintenance work that is scheduled in advance and that requires an interruption in the availability of the SaaS Solution, as far as this is technically possible, on working days between 20:00 and 08:30 (“Scheduled Maintenance Work”);
• Availability during Operating Hours: 99% on average over a calendar month (“Availability”), excluding Planned Maintenance and Downtime beyond ZREALITY’s control from the calculation of Availability.
4.2 If, for urgent technical reasons that cannot be postponed, maintenance work is exceptionally required during the operating hours that does not constitute Planned Maintenance Work, with the consequence that the SaaS Solution is not available during this time, ZREALITY will inform the Customer in time by e-mail to the address specified by the Customer, if possible.
4.3 ZREALITY performs the analysis and correction of documented, reproducible errors of the SaaS Solution (hereinafter “Support Services”) in accordance with recognized industry standards. ZREALITY does not guarantee success in the elimination of errors. “Error” within the meaning of these GTC is any failure reported by Customer that results in the condition and functionality of the SaaS Solution deviating from the offer and user documentation and
• this has a more than insignificant effect on their serviceability, or
• Corruption of data or loss of data processed with or generated by the SaaS Solution occurs.
If a malfunction that has occurred, cannot be reproduced, it is not considered a fault. In this case, the parties will jointly agree on the further procedure.
4.4 Customer must report occurring errors immediately with a precise description of the problem. The report can initially be made verbally, but must be repeated in text form (e-mail) no later than the next working day. ZREALITY is available to receive error reports by e-mail Monday – Friday from 09:00 to 17:00 at the following e-mail address: support@zreality.com
4.5 The type and duration of error checking and processing depends on the error class and the corresponding response times:
4.5.1 Error classes
• Error class 1: Productive use of the SaaS Solution is not possible or only possible to a significantly limited extent, or essential performance features are missed.
• Error class 2: The core functionality is ensured, but there is a significant fault in a submodule that prevents or significantly restricts working with this module.
• Error class 3: All other defects
4.5.2 Response times depend on the support services agreed between ZREALITY and the Client:
Standard Support
• Error class 1: Until the next working day
• Error class 2: At the discretion of ZREALITY
• Error class 3: At the discretion of ZREALITY

Enterprise Support
• Error class 1: One (1) hour
• Error class 2: Two (2) business days
• Error class 3: Five (5) working days
Within the response times, ZREALITY presents a proposal for correcting the error. The proposal includes the following:
• Performing an error analysis and presenting the results of the performed analysis;
• Representation of the impact of the error on other functionalities (criticality);
• Suggestion of a procedure to fix the error.
Availability Service credit (% of the monthly fee for the service)
<99,0% 5,0%
<98,0% 7,5%
<97,0% 10%
<96,0% 15%
<95,0% 20%
4.6 ZREALITY is not obligated to provide support services (neither standard nor enterprise support):
• in the event of errors resulting from unauthorized modifications or adaptations of the SaaS solution by Customer or on Customer’s behalf;
• for software other than the SaaS Solution (especially third-party software used on Customer systems);
• in the event of errors resulting from improper or unauthorized use of the SaaS Solution or from operating errors on the part of the Client, unless the operation is carried out in accordance with the user documentation;
• for any hardware error;
• in case of use of the SaaS Solution by Customer on other than the permitted hardware and operating system environments specified in the user documentation; or
• in form of on-site visits by employees of ZREALITY.
4.7 If ZREALITY and Customer agree in individual cases to provide support services in accordance with this Section 4.6 outside of ZREALITY’s general obligations, ZREALITY is entitled to treat corresponding services as a separate order and to invoice the Customer for such services at the usage fees for the SaaS Solution in accordance with the applicable service rates. In the event of Unplanned Downtime, ZREALITY shall make commercially reasonable efforts to remedy the Unplanned Downtime within a reasonable period of time.
In the event that ZREALITY fails to meet the Service Level for the Service set forth in Section 4.1 these GTC (“Unavailability”), Customer shall be entitled to the service credits set forth below (“Service Credits”), provided that the Service Credits shall not exceed 10% of the total fees paid by Customer to ZREALITY for all Services provided in the relevant Service Month.

In order to receive a service credit, Customer must claim such credit with ZREALITY within five (5) business days of receipt of the Service Level Report for the period for which Customer claims the service credit. Such claim by Customer shall include specific details of the days, times and duration of each unavailability claimed by Customer. If, after investigation, ZREALITY accepts the Customer’s written claim for a Service Credit, ZREALITY will notify the Customer that the relevant Service Credit will be offset against the charge for Services paid by Customer in the next monthly invoice for Services. Service credits cannot be credited retroactively. If Customer fails to claim a Service credit in a timely manner, the Customer’s entitlement to a Service credit for that month expires. Service credits payable by Customer shall be offset against any claims for damages of the Contractual Partner due to non-compliance with the Service Level.
4.8 ZREALITY provides continuous monitoring of the service levels. All service level measurements are made on a monthly basis for each calendar month during the term of the Agreement.
Upon a Customer’s request, ZREALITY will provide monthly reports of Unplanned Downtime measurements and system availability calculations for the relevant prior month. If Customer has any complaints regarding any measurement or other information set forth in such report, the Customer shall notify ZREALITY in writing of such complaints within five (5) calendar days of receipt of the report, provided that the accuracy of the report shall be deemed sufficient if no such notice is given by Customer. Any such notice shall specify the measurements complained of and describe in detail the nature of the complaint. ZREALITY and Customer agree to resolve any such disagreement regarding Service Levels and/or related Measurements to the extent possible and in a timely manner by mutual agreement.
4.9 The rights of the Customer in the event of non-availability are governed exclusively by this clause 4 Further rights are excluded. This shall not affect Customer’s right to terminate the Agreement and claim damages in accordance with these GTC.

5. Backups and Data Storage
The Customer is obligated to sufficiently back up Customer Content. ZREALITY also performs daily backups of the Service and Customer’s data. Backups are stored for up to twelve (12) months. After termination (ordinary or extraordinary) of the Agreement by either party, Customer’s data processed via the SaaS Solution will be stored for a further three (3) months before being finally deleted by ZREALITY, subject to any statutory retention periods of ZREALITY.

6. Rights of use – SaaS Solution and Customer Content
6.1 Subject to the provisions of this Agreement, ZREALITY grants Customer the non-exclusive, worldwide, royalty-bearing right, which may be sublicensed exclusively to the number of users of Customer’s account agreed upon in the Offer, to use the SaaS Solution for internal contractual purposes during the term of the Agreement. Customer may use the SaaS Solution only within the scope of the capacity agreed in the offer.
6.2 Subject to the rights granted under these GTC, ZREALITY reserves all rights and legal title to the SaaS Solution, developments and programming based on this, and the related intellectual property and know-how. Customer acknowledges that it does not receive or acquire any rights other than those expressly granted under these GTC.
6.3 Customer hereby grants to ZREALITY the non-exclusive right to (a) copy, use, modify, distribute, display and disclose Customer Content to the extent necessary to provide the Services to Customer pursuant to this Agreement, (b) copy, modify and use Customer Content in connection with internal operations and functions, including, but not limited to, for purposes of operational analysis and reporting, internal financial reporting and analysis, audit functions and archiving, and (c) use aggregated and anonymized Customer Content for marketing purposes, provided that the aggregated data does not contain any information that identifies or makes identifiable the Customer, Brands or users as the source of such data.

7. Trial Version
If ZREALITY and Customer have agreed to make available a version of the SaaS Solution for testing purposes (“Test Version”), these GTC shall apply accordingly to the extent applicable to the Test Version. The specific scope of services for the test version is set out in the corresponding offer.

8. Duty to cooperate
Customer’s cooperation services required for the performance of the contractual services by ZREALITY shall be provided in full and in a timely manner. Subject to further specifications in the offer to Customer and the user documentation, Customer’s duties to cooperate shall in particular include the following:
• when using the SaaS Solution, all applicable laws and other legal provisions must be observed. Customer may not transfer any data or content to servers of ours that violate legal provisions or infringe third-party property rights or copyrights or other rights of third parties;
• in the event of an error message, all documentation, logs and other information relevant for troubleshooting must be made available to ZREALITY by Customer without delay;
• Customer is obligated to regularly participate in the product training offered by ZREALITY or otherwise acquire the necessary knowledge to use the SaaS solution;
• Customer may only transmit data via the SaaS Solution that is free of computer viruses or other harmful code/technology;
• Customer shall not use any software or other techniques or procedures in connection with the use of the SaaS Solution that are likely to impair the operation, security and availability of the SaaS Solution.

9. Adjustment of Remuneration
ZREALITY is entitled to adjust the remuneration payable by Customer for the use of the SaaS Solution during the term of the Agreement. However, such a price change is only permitted once a year. Price increases must be announced by ZREALITY by e-mail to the e-mail address specified by Customer no later than six (6) weeks before they take effect (“Price Increase Announcement”). In the event that the price increase amounts to more than 10% of the previous remuneration, the Customer has a special right of termination, which it may exercise in writing with a notice period of one (1) month to the end of the calendar month following receipt of the Price Increase Notice.

10. Data Blocking
If a third party asserts against ZREALITY an infringement of rights by data or content transmitted by Customer to the data storage provided by ZREALITY (“Reported Content”), ZREALITY shall be entitled to temporarily block the corresponding Reported Content if the third party has conclusively demonstrated the infringement. In this case, ZREALITY shall request Customer to cease the infringement within a reasonable time period or to prove the legality of the Reported Content. If this request is not or not sufficiently complied with, ZREALITY shall be entitled to terminate the Agreement for good cause without notice, without prejudice to further rights and claims. Insofar as the Customer is responsible for the infringement, he shall also be obliged to compensate ZREALITY for any resulting damage and shall indemnify ZREALITY against any claims by third parties upon first request. Further rights are reserved.

11. Performance Changes
ZREALITY is entitled at any time to further develop, change or supplement the SaaS solution in part or in total. ZREALITY will announce contractually relevant, significant changes at least six (6) weeks before they take effect by e-mail to the e-mail address specified by the Client (“Service Change Notice”). Customer may object to the changes in writing or by e-mail with a notice period of one (1) month from receipt of the Service Change Notice. If not objected to, the changes will become part of the Agreement between ZREALITY and the Customer. The notification of the change in service shall indicate the consequences of the objection. In the event of a timely objection, ZREALITY is entitled to terminate the Agreement in writing with a notice period of one (1) month to the end of the calendar month.

12. Third Party Property Rights
12.1 If the contractual use of the SaaS Solution by ZREALITY infringes the industrial property rights and copyrights of third parties, and if third parties assert claims against Customer due to such infringement, ZREALITY shall, at option from ZREALITY and at the expense of ZREALITY, either
• procure the rights of use required for the SaaS Solution; or
• rework the SaaS Solution in such a way that it no longer infringes third-party rights and has at least the features contractually agreed with the customer.
12.2 ZREALITY shall defend Customer against or indemnify Customer, at its own discretion and within the limits of the liability limitations set forth in Section 13 any damages directly resulting from an assertion of corresponding claims arising from infringements of the rights of third parties and asserted against Customer in court, to the extent that such claims of the third party are not based on the following:
• Changes to the SaaS Solution by Customer not approved by ZREALITY under this Agreement or otherwise; or
• Use of the SaaS Solution in any manner other than as agreed in accordance with the purpose of this Agreement; or
• Use of the SaaS Solution on hardware or operating system environments not approved by us.
The obligation to pay compensation is excluded if ZREALITY can prove that the Customer himself is responsible for the infringement of third party rights.
12.3 Customer is obligated to notify ZREALITY immediately if third parties assert property right infringements against him in connection with the SaaS Solution. Customer shall only be entitled to take measures, in particular to defend itself against the claims in court or to satisfy legal claims of the third party with reservation, if ZREALITY has previously notified the Customer that ZREALITY will not defend the Customer against the claim.

13. Liability
ZREALITY shall be liable for all damages arising in connection with this Agreement, regardless of the actual or legal reason, only in accordance with the following provisions:
13.1 In the event of intent and gross negligence, claims under the German Product Liability Act and injury to life, limb or health, ZREALITY shall be liable without limitation in accordance with the statutory provisions.
13.2 In all other respects, the liability per calendar year shall be limited to the damage foreseeable at the time of the conclusion of the Agreement up to a total amount for all cases of damage per calendar year corresponding to 50% of the remuneration paid by Customer in that calendar year. This limitation of liability also applies to the case of data loss and data deterioration as well as data protection violations by ZREALITY as defined in the order processing agreement between the Parties.

14. Data Protection
In the course of providing the SaaS Solution, ZREALITY may have access to personal data that ZREALITY processes as a processor for Customer based on the data processing agreement (“DPA”) entered into with Customer with respect to this Agreement.

15. Confidentiality
The provisions of the confidentiality agreement agreed between the parties shall apply with priority.
Unless expressly agreed, the following shall apply:
15.1 The Parties are aware that during the term of the Agreement they will have access to certain Confidential Information of the other Party or Confidential Information of third parties that the disclosing Party is obligated to keep confidential. Confidential Information means any written, electronic or oral information that (i) has been disclosed by one Party to the other Party, (ii) is not generally known or publicly available, either in its entirety or in the precise arrangement and composition of its component parts, (iii) relates to the activities of a Party or a Third Party, (iv) is subject to the disclosing Party’s reasonable technical and organizational safeguards, and (v) has either been designated as confidential or, because of the nature of the circumstances under which the disclosure is made, should reasonably be treated as confidential (“Confidential Information”). Both Parties acknowledge that the disclosing party or third party, as the case may be, shall remain the owner of all rights to Confidential Information.
15.2 Each Party undertakes (i) to use the Confidential Information disclosed by the other Party only to the extent permitted and intended in this Agreement, (ii) to keep the Confidential Information obtained from the other Party strictly confidential and to protect it from disclosure and use by third parties by implementing appropriate technical and organizational measures, (iii) to limit access to the Confidential Information disclosed by the other Party to those of its employees, agents and/or consultants, if any, who have a need to know such information and who have been obligated in writing to keep such information confidential in accordance with this Agreement, and (iv) surrender or destroy any Confidential Information disclosed by the other Party that is in its possession upon termination or expiration of this Agreement. Notwithstanding the foregoing, Customer acknowledges that ZREALITY may use anonymized statistical data about Customer’s use of ZREALITY and may share such statistical data with third parties. The agreedl confidentiality obligations shall continue to apply for two (2) years after termination of the Agreement.
15.3 Notwithstanding the foregoing, the provisions of Sections 15.1 and 15.2 of the General Terms and Conditions shall not apply to Confidential Information that (i) is freely accessible or generally known at the time of its disclosure, (ii) becomes freely accessible or generally becomes generally known, (iii) was lawfully communicated to recipient by persons who were not bound by confidentiality obligations in this regard, (iv) is already in recipient’s possession at the time of disclosure without any confidentiality obligations attached thereto, (v) was independently developed by recipient, or (vi) is authorized for release or disclosure by disclosing Party without restriction. Notwithstanding the foregoing, either Party may disclose Confidential Information to the extent necessary (i) to comply with a court or governmental order or otherwise to satisfy the requirements of mandatory law, provided that the Party disclosing the Confidential Information pursuant to the order shall give prior written notice to the other Party and use reasonable efforts to obtain a protective order, or (ii) to have a court determine a Party’s rights under this Agreement, including any motions necessary to do so.

16. Agreement Term and Termination
16.1 The Agreement shall enter into force on the Commencement Date and, unless otherwise agreed based on the Offer, shall continue for twelve (12) months (“Minimum Term”) unless terminated in accordance with this Section 16. The Agreement shall automatically renew for successive one-year periods unless terminated by either Party upon three (3) months written notice prior to the expiration of the current renewal period (the Minimum Term and any renewal periods are collectively referred to as the “Term”).
16.2 In the event of termination of an agreement with a notice period or Minimum Term agreed in accordance with the offer, Customer shall continue to be entitled to the contractually agreed services until the end of the agreed term.
16.3 If the Service Level specified in Section 4 of the General Terms and Conditions is not met for a period of three (3) consecutive calendar months or for three (3) calendar months within a period of six (6) calendar months (availability during operating hours below 95%) and if ZREALITY is responsible for the shortfall,Customer shall be entitled to terminate the Agreement without notice and to claim damages in lieu of performance.
16.4 Any termination must be made in text form (letter, fax, e-mail). Non-use of the SaaS Solution shall not be deemed as termination. If no notice of termination is received in due time and form, the term of the Agreement shall be automatically extended.

17. Termination, Consequences of Termination
17.1 The right of both Parties to terminate for cause remains unaffected. In particular, ZREALITY shall be entitled to terminate this Agreementt extraordinarily without notice if
• Customer is in default of payment of an amount for a period exceeding two (2) months, which is at least equal to the agreed fee for the use for the period of two (2) months;
• insolvency proceedings or other judicial or extrajudicial proceedings for the settlement of debts have been or will be instituted against the Customer’s assets;
• the user account of the third party was transferred or the access data to the SaaS Solution was made accessible to third parties without prior consent from ZREALITY in each case;
• Customer has violated its obligations under this Agreement in other respects and, despite being given a deadline, does not cease the breach of Agreement or provide evidence of measures suitable to prevent the repetition of the breach of Agreement in the future.
17.2 In the event of termination of the Agreement, for whatever legal reason, the Parties are obliged to wind up the contractual relationship in an orderly manner. For this purpose, ZREALITY shall, in accordance with the DPA
• hand over the data stored by ZREALITY within the scope of the Agreement at the latest four (4) weeks after the termination of the Agreement at Customer’s option either by way of remote data transmission or on data carriers to Customer or a third party designated by Customer;
• delete the data immediately after confirmation of successful data transfer by Customer or a designated third party and destroy all copies made.
17.3 ZREALITY may provide support services for the migration of the data that go beyond Section 17.2 based on a separate order. Such additional support services is remunerated in accordance with the applicable price list of ZREALITY.

18. Terms of Payment
18.1 Customer is obligated to pay ZREALITY the fees agreed in the Offer in euros or, if applicable, a different currency listed in the Offer in advance at the intervals agreed in the Offer (if nothing has been agreed: annually) in accordance with Section 18.2.
18.2 The fees due under this Agreement shall be invoiced during the term of the Agreement at the intervals agreed in the Order (unless agreed otherwise: annually), in each case in advance for the following year, for the first time with the invoice date of the first day of the term of the Agreement. Customer accepts an electronic invoice.
18.3 Each invoice amount is due fifteen (15) days after receipt of the invoice by Customer.
18.4 All charges are exclusive of statutory value added tax and any other applicable tax, the payment of which is the sole responsibility of Customer.
18.5 Customer shall be in default of payment if it fails to pay the invoice amount within thirty (30) days of the invoice date. The default interest shall be 9% points above the prime rate per year from the due date.
18.6 If Customer disputes any invoice or other amount due under this Agreement, the Customer shall so notify ZREALITY in writing within thirty (30) days after receipt of the invoice or after the due date, setting forth in detail the reasons for the dispute (“Disputed Invoice”). Except for Disputed Invoices, all invoices or amounts due shall be deemed accepted and payable without deduction. ZREALITY will not assert the rights under Section 18.4 with respect to charges that are the subject of a justified complaint by Customer.

19. Transfer of Agreement
ZREALITY is entitled to transfer rights and obligations from this contractual relationship in whole or in part to a third party with a notice period of four (4) weeks. In this case, Customer shall be entitled to terminate the Agreement within two (2) weeks after announcement of the transfer of the Agreement.

20. Other
20.1 Amendments to these GTC. Subject to the following provisions, ZREALITY reserves the right to amend these GTC, provided that such amendment is reasonable for the Customer, taking into account the interests of ZREALITY; this shall be the case, in particular, if the amendment is without material legal or economic disadvantages for the Customer, e.g. in the case of changes to contact information. In all other respects, ZREALITY shall inform the Customer of any changes to these Terms and Conditions with reasonable advance notice, but at least one (1) month before the intended entry into force of the changes, to the e-mail address specified by Customer (“GTC Change Notice”).
If the Customer does not agree with a change intended by ZREALITY, he has the right to object to the change within one (1) month from receipt of the GTC Change Notice. In the event of a timely objection, ZREALITY shall be entitled to terminate the Agreement with a notice period of one (1) month to the end of the calendar month.
20.2 Entire Agreement. This Agreement, including the Offer, attachments, and appendices hereto, conclusively governs all agreements between the Parties with respect to the subject matter hereof and, except as otherwise expressly provided in this Agreement, supersedes all prior oral and written agreements and understandings between the Parties with respect to its subject matter. Neither Party shall be bound by any terms, conditions or representations other than those expressly provided for in this Agreement, including the Proposal and attachments and appendices hereto.
20.3 Amendments and Supplements. Unless otherwise agreed based on these GTC, amendments and supplements to this agreement must be made in writing within the meaning of Section 126 (2) of the German Civil Code and must be signed by authorized representatives of both Parties. This shall also apply to the waiver of the written form and an amendment of this written form requirement.
20.4 Assignment. Customer shall not be entitled to assign its rights or delegate its obligations under this Agreement without the prior express written consent of ZREALITY; in the absence of such consent, any attempted assignment or delegation shall be void and of no effect.
20.5 Set-off and retention. Customer shall have a right of set-off or retention vis-à-vis ZREALITY only in the case of counterclaims that have become res judicata or are undisputed.
20.6 No Agreement for the Benefit of Third Parties. The Parties acknowledge that, except as otherwise expressly provided in this Agreement, the provisions of the Agreement are for the exclusive benefit of the Parties. Nothing in this Agreement expressly or impliedly confers any right on any third party, whether an individual or a legal entity, to enforce any provision of the Agreement.
20.7 Severability Clause. To the extent that any provision of this Agreement is invalid or unenforceable for any reason in any jurisdiction, such provision shall be modified to the extent necessary to make it valid or enforceable. The invalidity or unenforceability of any provision shall not render such provision invalid or unenforceable in any other case, circumstance or jurisdiction and shall not affect the validity of the remaining provisions of the Agreement.
20.8 Waiver. No waiver with respect to the Agreement shall be effective and binding unless in writing and duly signed by the waiving party. Any waiver shall constitute a waiver only with respect to the specific matter governed thereby and shall in no way affect the rights of the waiving party in any other respect or at any other time. No delay or omission by a Party in exercising any right under this Agreement shall be deemed a waiver of such right.
20.9 Jurisdiction. The place of performance and jurisdiction for all disputes arising from or in connection with this Agreement, including any tort claims for merchants, legal entities under public law or special funds under public law, is Kaiserslautern, Germany.
20.10 Prevailing Language. The German language version of this Agreement shall be controlling and legally binding in all respects and shall prevail in case of any inconsistencies.
20.11 Governing law. The law of the Federal Republic of Germany shall apply exclusively to the exclusion of its conflict of laws rules and the UN Convention on Contracts for the International Sale of Goods (CISG).
20.12 Contact details of ZREALITY
Please send complaints and notices to the following address:
Zollamtstr. 11
67663 Kaiserslautern

Data Processing Agreement

Agreement between (“Customer”) and ZREALITY GmbH, Zollamtstrasse 11, 67663 Kaiserslautern (“ZREALITY”; together the “Parties” or each a “Party”) on the Processing of Personal Data on behalf of Company (“DPA”). The terms “Personal Data”, “Process”, “Data subject”, “Controller” and “Processor” are defined in Art. 4 of the EU General Data Protection Regulation (Regulation (EU) 2016/679 (“GDPR”).

1. Subject matter and duration of the Processing
1.1. Subject matter
The subject matter of the DPA is the Processing of Personal Data as set forth in the software or SaaS contract between the Parties (“Main Agreement”). ZREALITY Processes Personal Data on behalf of Company. Company as Controller is responsible for the Processing of Personal Data, for assessing the legal admissibility of the Processing of Personal Data and for protecting the rights of Data Subjects.
1.2. Duration of the Processing
This DPA is agreed between the Parties for the period during which ZREALITY Processes Personal Data for Company on the basis of the Main Agreement.

2. Details of the Processing
2.1. Scope, nature and purpose
Scope, nature and purpose of the Processing
by ZREALITY for Company are specified in the Main Agreement.
2.2. Types of data
The subject of the Processing are the following types / categories of data (“Company Data”)
• Name,
• Contact details (e-mail / phone),
• Internet usage data that is generated when using ZREALITY’s Saas solution,
• Data that is generated when using the chat or video chat function.
2.3. Affected Data Subjects
The Data Subjects affected by the Processing of Personal Data within the scope of this DPA include
• Employees of Company (this includes the management, interns, temporary employees and similar persons)
• Employees of business partners of Company,
• Company’s customers.

3. Company’s authority to issue instructions / location of Processing
3.1. The Processing of Company Data is exclusively carried out according to documented instructions of Company. Oral instructions will be immediately confirmed by Company in writing or by e-mail (in text form). Changes to the object of Processing and procedural changes must be agreed and documented jointly. Any additional expenses incurred shall be remunerated by Company on a time and material basis.
3.2. ZREALITY Processes Company Data only outside the instructions of Company, insofar as ZREALITY is obliged to do so by applicable law. In such a case, ZREALITY hall inform Company of this circumstance in advance, unless the respective law prohibits this.
3.3. ZREALITY shall inform Company if it believes that an instruction violates applicable data protection regulations. ZREALITY is entitled to suspend the execution of the relevant instruction until it is confirmed or amended by the person responsible at Company.
3.4. The Processing of Company Data by ZREALITY takes place within the EU / EEA. A relocation of the Processing to countries outside the EU / EEA by ZREALITY takes place only after consultation with Company.

4. Confidentiality
The persons authorized to Process Company Data have committed themselves to confidentiality or are subject to a legal obligation to secrecy.

5. Technical-organizational measures
5.1. ZREALITY shall take technical and organizational measures to protect Company Data which meet the requirements of Art. 32 GDPR. These technical and organizational measures are described in Appendix 1 of this DPA. Company is aware of these technical and organizational measures and is responsible for ensuring that they provide an appropriate level of protection for the risks of the data to be Processed.
5.2. The technical and organizational measures are subject to technical progress and further development. In this respect, ZREALITY is permitted to implement alternative adequate measures. In doing so, the safety level of the specified measures may not be undercut. Significant changes must be documented.

6. Subcontracting relationships
6.1. Company agrees to the use of subcontractors by ZREALITY:
6.1.1. Company agrees to the use of the subcontractors listed in Appendix 2 of this DPA upon conclusion of this DPA.
6.1.2. Company agrees to the use of further subcontractors or the modification of existing subcontractors if ZREALITY notifies
Company of the use or modification in writing (e-mail sufficient) fourteen (14) days before the start of Processing. Company may object to the use of a new subcontractor or the change for important data protection reasons within ten (10) days. If no objection is received within this period, the consent to the use or modification shall be deemed to have been given. Company acknowledges that in certain cases the service can no longer be provided without the use of a specific subcontractor. If there is an important data protection reason for the objection and if an amicable solution cannot be found between the Parties, the Parties shall each have a right to termination for cause with regard to the service of ZREALITY concerning the rejected subcontractor.
6.2. ZREALITY shall enter into written (this includes electronic form) data processing agreements with the subcontractor(s), taking into account the nature and scope of Processing within the scope of the subcontract, equivalent to the obligations in this DPA.

7. Rights of Data Subjects
ZREALITY supports Company within the scope of his possibilities in fulfilling the requests and claims of Data Subjects according to Chapter III of the GDPR.

8. ZREALITY’s assistance obligations
ZREALITY shall support Company in complying with the obligations regarding the security of Personal Data, notification obligations in the event of data breaches, data protection impact assessments and prior consultations as set out in Articles 32 to 36 GDPR.

9. Company’s right to information and audits
9.1. Company has the right to request the necessary information to prove that ZREALITY has complied with the agreed obligations and to carry out audits in agreement with ZREALITY or to have them carried out by third-party auditors to be appointed in individual cases.
9.2. The Parties agree that ZREALITY is entitled to submit meaningful documentation to Company in order to prove that it has complied with its obligations and implemented the technical and organizational measures. Meaningful documentation can be provided by presenting a current audit certificate, reports or report extracts from independent bodies (e.g. auditors, data protection officers), suitable certification by IT security or data protection audit (e.g. according to ISO 27001) or certification approved by the responsible supervisory authorities.
9.3. Company’s right to carry out on-site checks shall not be affected by this. Company shall, however, consider whether an on-site inspection is still necessary after presentation of meaningful documentation, in particular taking into account the maintenance of ZREALITY’s proper operation. Company will only carry out on-site inspections in consultation with ZREALITY.

10. Deletion of data and return of data media
At the choice and request of Company – at the latest upon completion of the Processing – ZREALITY shall, at Company’s discretion, either hand over to Company all documents that have come into its possession, the results of Processing and instructed use of Company Data that have been produced, as well as data stocks that are connected with the contractual relationship, or destroy them in accordance with data protection laws after prior consent of Company.
Documentation which serves as proof of the orderly and proper Processing or which ZREALITY is legally obliged to keep may be kept by ZREALITY beyond the end of the DPA in accordance with the respective retention periods.
11. Liability
The liability of ZREALITY in connection with this DPA is subject to the limitations of liability agreed in the Main Agreement.

Appendix 1 to the DPA:

Technical and Organisational Security Measures in accordance with Art. 32 GDPR
Description of the Technical and Organisational Security Measures taken by ZREALITY GmbH (“Provider”)
Provider has implemented the following technical and organisational security measures to provide the on-going confidentiality, integrity, availability and resilience of processing systems and services. The technical and organisational measures are supplemented by the technical and organisational measures taken by the sub-processors engaged by Provider:

1. Confidentiality
Provider has implemented the following technical and organisational security measures to provide the confidentiality of processing systems and services, in particular:
• Provider implements suitable measures to prevent its data processing systems from being used by unauthorized persons. This is accomplished by:

o authentication with username and password;
o key rules (provision of keys only to authorized persons, etc.) and safety locks;
o careful selection of external service providers and obligation to confidentiality and secrecy;
o alarm system detection of unauthorized access to server rooms;
o automatic time-out of user terminal if left idle, identification and password required to reopen;
o issuing and safeguarding identification codes to Provider’s online platform, requiring two-factor authentication for all users;
o industry standard encryption and requirements for passwords (minimum length, use of special characters, etc.);
o denial of access after unsuccessful login attempts;
o physical separation of Provider systems and data carriers;
o frequent updates for data processing systems.

• Provider’s employees entitled to use its data processing systems are only able to access personal data within the scope of and to the extent covered by their respective access permission (authorization). In particular, access rights and levels are based on employee job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. This is accomplished by:

o employee policies and mandatory employee privacy and security awareness training;
o obligation of employees to confidentiality and data privacy;
o user profiles and assignment of user roles and access rights;
o limited access to personal data to only authorized persons;
o locking of user accounts after unsuccessful login attempts;
o centralised storage of log-data and access only for authorized persons;
o logical client-separation;
o limited access to servers to only authorized persons;
o industry standard encryption;
o use of VPN technologies;
o physical deletion of data carriers before reuse.

2. Integrity
Provider has implemented the following technical and organisational security measures to provide the integrity of processing systems and services, in particular:
• Provider implements suitable measures to prevent personal data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by:

o use of VPN technologies, e.g. VPN tunnels;
o use of firewall and encryption technologies to protect software and hardware;
o monthly vulnerability testing;
o avoiding the storage of personal data on portable storage media for transportation purposes and on company issued laptops or other mobile devices;
o for physical transport: careful selection of transport personnel and vehicles; secure transport containers and packaging;
o secure destruction and disposal of data carriers.

• Provider does not access any Customer content except as necessary to provide that Customer with the Provider products and professional services it has selected. Provider does not access Customers’ content for any other purposes.

3. Availability
Provider has implemented the following technical and organisational security measures to provide the availability of processing systems and services, in particular:
• Provider implements suitable measures to provide that personal data is protected from accidental destruction or loss. This is accomplished by:

o creation of back-up and recovery concept;
o infrastructure redundancy;
o use of antivirus software
o use of hardware firewall;
o fire and smoke detection systems;
o protective socket strips in server rooms;
o fire extinguishing equipment in server rooms;
o regular security updates for data processing systems;.
o alarm system detection unauthorized access to server room;
o performing regular data back-ups;
o store back-ups in a secure, off-site location;
o separation of test-, and live- environment.

4. Resilience
Provider has implemented the following technical and organisational security measures to provide the resilience of processing systems and services, in particular:

• data protection management and definition of roles and responsibilities;
• business continuity management and disaster recovery plan;
• project related risk management;
• incident tracking system and project related incident response management;
• monthly vulnerability testing and immediate response;
• regular (external) audits;
• regular assessment of scaling and infrastructure;
• data protection-friendly pre-settings;
• secure development cycle;
• test plan;
• order control and obligation of sub-contractors to take respective technical and organisational measures.


Appendix 2 to the DPA

Approved subcontractors

# Name Address Field of application within the scope of the contract
1 Amazon Web Services EMEA SARL 38 Avenue John F. Kennedy, L-1855, Luxembourg IT Infrastructure / Hosting (EU servers only)


Status: March 2021