Impressum

‍

Information according to § 5 DDG:

BANQR Digital Solutions GmbH
Thyssenstrasse 6-8
32312 Lübbecke
Germany

‍

Contact:
Email: info@banqr.io

‍

Represented by:

Managing Director: Wolfgang Gehrlicher

‍

Register entry:

Entry in the commercial register.
Register court: Bad Oeynhausen District Court

Registration number: HRB 19403

‍

VAT ID:

VAT identification number according to Section 27a of the Sales Tax Law: DE366899855

‍

Responsible for the content according to § 18 para. 2 MStV:

BANQR Digital Solutions GmbH
Thyssenstrasse 6-8
32312 Lübbecke
Germany

‍

Liability for links

Our offer contains links to external third-party websites over whose content we have no influence. Therefore, we cannot accept any liability for this external content. The respective provider or operator of the pages is always responsible for the content of the linked pages. The linked pages were checked for possible legal violations at the time of linking. Illegal content was not recognizable at the time of linking. However, permanent monitoring of the content of the linked pages is not reasonable without concrete evidence of a legal violation. Upon notification of any legal violations, we will remove such links immediately.

‍

Copyright

The content and works on these pages created by the site operators are subject to German copyright law. Reproduction, processing, distribution, and any form of exploitation outside the limits of copyright law require the written consent of the respective author or creator. Downloads and copies of this site are permitted only for private, non-commercial use.

To the extent that the content on this site was not created by the operator, the copyrights of third parties are respected. In particular, third-party content is marked as such. Should you nevertheless become aware of a copyright infringement, please notify us accordingly. Upon notification of any such violations, we will remove such content immediately.

‍

Dispute resolution

The European Commission provides a platform for online dispute resolution (ODR):  https://ec.europa.eu/consumers/odr . Our email address can be found above in the legal notice. We are neither willing nor obligated to participate in dispute resolution proceedings before a consumer arbitration board (Section 36 of the German Consumer Dispute Resolution Act (VSBG)).

‍

Realization of this website

BANQR Digital Solutions GmbH
Thyssenstrasse 6-8
32312 Lübbecke
Germany

‍

Update date:

This legal notice was last updated on July 9, 2025. We reserve the right to adapt this information as needed to comply with current legal requirements or to reflect changes to our services. The most current version of the legal notice will apply to your next visit.

General Terms and Conditions for the use of the "Fraud Prevention 365" Software from BANQR (GTC)

§ 1 Scope of application

(1) These GTC apply to the contracts concluded between BANQR Digital Solutions GmbH, Thyssenstrasse 6-8, 32312 Lübbecke, represented by the managing director: Wolfgang Gehrlicher, registered in the Commercial Register B of the Bad Oeynhausen Local Court under HRB 19403 (hereinafter referred to as "BANQR") and customers (hereinafter jointly referred to as "Parties") via the online portal of BANQR, available at www.banqr.io (hereinafter referred to as "Portal") for the following services.

(2) BANQR provides services in the area of Software-as-a-Service (SaaS). The "Fraud Prevention 365" Software is used to verify bank account data and enables the customer to check the validity of account data in real time via the Portal (hereinafter: "Verification Process"). The customer registers in the BANQR Portal, acquires an API quota and can then enter data for verification. This data is forwarded to the database interface of Deutsche Bank (hereinafter: "DB"). The results of the verification are provided to the customer in real time (real-time) or near real time (near-time) (see § 3 para 2).

(3) Customers of BANQR can only be natural persons, legal entities or partnerships with legal capacity who, when concluding a legal transaction, are acting in their commercial or independent professional activity. BANQR expressly does not conclude consumer contracts.

(4) The applicability of the customer's general terms and conditions is expressly rejected.

§ 2 Subject matter of the contract

(1) In return for remuneration, BANQR provides the customer with the SaaS solution "Fraud Prevention 365" (hereinafter: "Software") for the duration of this contract in the current version via the Portal.

(2) By registering and paying, the Customer gains access to the Portal and can purchase API quotas.

(3) The customer can enter the account number and account holder via the Portal, which are forwarded to the DB interface for verification.

(4) BANQR stores this data exclusively and only temporarily for the verification process and displays the result of the verification to the customer in real time or near real time.

§ 3 The Verification Process

(1) The verification process enables the customer to verify the validity of accounts and certain account-related data by submitting either individual verification requests (e.g. for IBAN and account holder) or multiple requests in the form of a file import (e.g. Excel or CSV) via the function provided in the Portal. The data to be checked is verified using DB's data pool, which includes not only DB accounts (including its branches and subsidiaries) but also data from third-party banks outside the DB Group. The prerequisite for verification is that the respective bank has the information requested in the application regarding the existence of the accounts and/or the associated data.

(2) As the customer's application is forwarded to DB's database interface, the following distinction must be made with regard to the request:

a. If the customer's request concerns an account and/or account-related data of a third-party bank that does not belong to the DB Group, BANQR is only responsible for forwarding the application to the third-party bank. In such a case, BANQR is dependent on the cooperation of the third-party bank and therefore cannot influence the receipt or processing of the request or work towards verification. If the third-party bank in question does not respond to the customer's request, BANQR may be able to provide the customer with a verification result based on historical information about or in connection with the data requested by the customer (e.g. information relating to the last transaction date and/or the last payment status), if BANQR is provided with such historical data via the DB's database interface. In such a case, the verification result is not provided in real time, but only in near-time. Furthermore, it cannot be confirmed that the underlying historical information is still correct, complete and/or up-to-date at the time the verification result is provided to customers. The customer acknowledges this and agrees to this procedure.

b. If the customer's request concerns an account and/or account-related data of DB, one of its branches or subsidiaries, the verification of the account and/or account-related data can be carried out if the respective entity has the information requested in the application. These verification results will then be provided in real time.

(3) The customer acknowledges and agrees that all responses received via the DB database interface are time-critical and their content reflects only the information received at the time of pre-validation and may therefore be out of date after a certain period of time.

(4) BANQR is bound by the customer's request and cannot go beyond its scope or subsequently amend the request. Furthermore, BANQR is not in a position to adjust the information provided by the respective bank in response to the customer's request, nor does BANQR intend to do so. BANQR merely forwards the customer's requests to the banks, evaluates the information provided by the banks and forwards the verification result to the customer. BANQR does not owe any further service.

(5) The feasibility of the Verification Process depends on the technical availability of the database interface of the DB. If the DB's database interface is not functioning or available for any reason, or if the DB suspends or permanently discontinues its service, BANQR shall inform the customer of this without undue delay. In the event of a prolonged suspension or permanent suspension of DB's services, the Parties agree at the time of conclusion of this contract to find a mutually acceptable solution for the further procedure.

§ 4 API quotas and payment

(1) The customer can purchase API quotas for a fee via the Portal as long as they are available. Depending on the offer, the API quotas allow the customer a certain number of verification requests. The use of purchased API quotas is not limited in time, but is dependent on the service provided by DB.

(2) Once a purchased API quota has been used up, the customer is free to purchase a further API quota.

(3) Payment is made in advance by credit card or other means of payment provided by BANQR in the Portal.

(4) Billing also carried out directly via the Portal.

§ 5 Maintenance

(1) BANQR is obligated to maintain the contractually agreed quality of the Software during the term of the contract ("maintenance"). The contractually owed quality of the Software is determined in accordance with Annex 1. In order to fulfill BANQR's maintenance obligation, BANQR will carry out the maintenance and servicing measures required according to the state of the art.

(2) BANQR is only obliged to modify or adapt the Software if such a modification or adaptation is necessary to maintain the Software in accordance with the state of the art. Otherwise, BANQR is only obliged to modify, adapt and further develop the Software if the Parties agree to this separately. In particular, BANQR is not obliged to further develop the Software without such a separate agreement.

§ 6 Rights of Use to the Software

(1) BANQR is the sole and exclusive owner of all rights to the Software.

(2) BANQR grants the customer a simple, non-exclusive and non-transferable right, limited in time to the duration of the contract and in location to the territory of the Federal Republic of Germany, to use the Software as intended and only for internal business processes.

(3) Insofar as this is necessary for the contractual use, the customer is entitled to reproduce the Software. In particular, the loading of the Software into the working memory on BANQR's server is to be regarded as reproduction required for contractual use. Otherwise, the customer is not entitled to reproduce the Software, unless otherwise provided by law.

(4) The customer is not entitled to make the Software available to third parties for use, either for a fee or free of charge. Therefore the customer is the expressly not permitted to sublet the Software. Passing on or sublicensing the Software to third parties, including affiliated companies within the meaning of § 15 AktG (German Stock Corporation Act), is prohibited. § 15 AktG, is prohibited.

(5) The customer is not entitled to modify or edit the software unless the modification or editing is necessary to remedy a defect that is essential for the contractual use of the Software and for which BANQR is in default.

§ 7 Support

(1) Provided it is not a case of warranty, BANQR will provide the customer with support against payment of a separate fee. BANQR maintains a hotline for this purpose, which serves to quickly classify and process the request. The scope of the support and a more detailed description of its content, in particular availability, is regulated in Annex 2 ("Support").

(2) As Annex 4, the Parties conclude a contract in accordance with Art. 28 para. 3 GDPR ("Data Processing Agreement"), insofar as this is necessary for the agreed support services.

§ 8 Remuneration

(1) The customer has the option of purchasing an API quota (see § 4). The purchase of the API quota also covers the remuneration for the provision of the Software and the granting of the rights of use to the Software. The prices for this are listed in Annex 3 ("Remuneration").

(2) If further special services have been agreed between the Parties, the prices listed in Annex 3 shall apply.

(3) All fees are subject to statutory value added tax.

(4) The amount of the total remuneration to be paid each month and the payment information can also be found in Annex 3.

§ 9 Security Obligation

(1) The customer is obliged to take suitable precautions to ensure that unauthorized third parties cannot access the Software.

(2) In particular, the customer is obliged to keep his registration data secret.

§ 10 Warranty

(1) Should the customer discover defects in the Software, the customer must notify BANQR immediately in writing. A defect exists in particular if the Software does not have the specifications owed according to Annex 1.

(2) BANQR is obliged to rectify the notified defects in the Software within a reasonable period of time. BANQR shall bear the costs of remedying the defect.

(3) The customer is not entitled to claim a reduction in remuneration by deducting the reduction amount from the monthly remuneration payable on their own initiative. The customer's claim under the law of unjust enrichment to reclaim the part of the remuneration paid in excess due to a justified reduction remains unaffected by this.

(4) In the event of failure to remedy the defect in accordance with § 10 para. 2, the customer shall be entitled to terminate this contract without notice. Failure to remedy the defect is deemed to have occurred in particular if it is impossible for BANQR to remedy the defect, if BANQR refuses to remedy the defect or if BANQR's remedy of the defect is unreasonable for the customer for other reasons.

§ 11 Liability and indemnification

(1) BANQR is liable without limitation:

a) in the event of malice, intent or gross negligence;

b) within the scope of a guarantee expressly assumed by it;

c) for damages resulting from injury to life, body or health;

d) for the breach of an essential contractual obligation, the fulfillment of which makes the proper execution of this contract possible in the first place and on the observance of which the customer regularly relies and may rely ("cardinal obligation"), but limited to the damage reasonably to be expected at the time of the conclusion of the contract;

e) in accordance with the provisions of the Product Liability Act.

(2) Any further liability on the part of BANQR is excluded. In particular, BANQR is not liable for defects already existing at the time of conclusion of the contract, provided that no case under § 11 para.1 applies.

(3) The data used for verification does not originate from BANQR, but is provided to the customer by the relevant bank, meaning that no liability is accepted for this data, in particular for its accuracy, completeness, or up-to-date status. BANQR is also not liable for the response times or the quality of the responses provided by the banks.

(4) The above liability rules apply accordingly to the conduct of and claims against employees, legal representatives and vicarious agents of BANQR.

(5) BANQR warrants to the customer that the Software does not infringe any third-party rights ("infringement of property rights"). BANQR shall indemnify the customer against all claims by third Parties due to infringements of property rights for which BANQR is responsible in connection with the contractual use of the Software upon first request and shall also assume the reasonable costs of legal defense for the customer. The customer shall inform BANQR immediately of any claims asserted by third parties; it is not entitled to accept such claims in fact or in law unless BANQR has given its prior written consent. The right to indemnification under this § 11 para. 5 expires if the customer does not immediately inform BANQR of the assertion of claims by third parties and provided that there is no case of unlimited liability under § 11 para. 1.

(6) If a claim is made against the customer due to a defect in the Software in accordance with § 10 para. 1 sentence 2, § 11 para. 5 shall apply accordingly; if indemnification is not possible in the external relationship, the obligation shall apply in the internal relationship.

§ 12 Contract duration and termination

(1) The customer can only use the functionalities provided in the Portal that are subject to a renumeration once they have registered for them. The contract for the use of the Portal therefore comes into force when the customer registers and shall run for an indefinite period.

(2) The customer may terminate the contract for the use of the Portal at any time without giving reasons by permanently logging out of the Portal. Upon successful deregistration, the contractual relationship ends and the customer can no longer use their access.

(3) BANQR may terminate the contract at any time with reasonable notice. When determining the notice period, BANQR shall take into account the legitimate interests of the customer, in particular, BANQR shall not exceed a notice period of 60 days.

(4) The right of both Parties to extraordinary termination without notice at any time for good cause remains unaffected. Good cause exists in particular if BANQR or the customer intentionally or negligently breaches a material obligation under this contract and it is therefore no longer reasonable for the terminating party to adhere to the contract. In particular, BANQR is entitled to extraordinary termination of the contract without notice if the customer violates the provisions of § 6 and does not cease its acts of violation within a reasonable period of time, if BANQR has previously warned the customer to cease these acts of violation.

§ 13 Cessation of use

The rights of use granted to the customer in accordance with § 6 expire upon termination of the contract. This means that any use of the Software after termination of the contract is not permitted and the customer is obliged to stop using the Software. BANQR reserves the right to block the customer's access to the Portal upon termination of the contract.

§ 14 Confidentiality

(1) "Confidential information" is all information and documents of the respective other party that are marked as confidential or are to be regarded as confidential due to the circumstances, in particular information about products of the respective party, including object codes, documentation and other documents, operational processes, business relationships and know-how.

(2) The Parties agree to maintain secrecy about such confidential information. This obligation shall continue for a period of time after termination of the contract.

(3) Excluded from this obligation is such confidential information

a) which was demonstrably already known to the recipient at the time the contract was concluded or which subsequently becomes known to the recipient from a third party without violating a confidentiality agreement, statutory provisions or official orders;

b) which are publicly known at the time of conclusion of the contract or are made publicly known thereafter, insofar as this is not based on a breach of this contract;

c) which must be disclosed due to legal obligations or by order of a court or authority. To the extent permissible and possible, the recipient obliged to disclose will inform the other party in advance and give it the opportunity to take action against the disclosure.

(4) The Parties shall only grant access to confidential information to consultants who are subject to professional secrecy or who have previously been subject to obligations corresponding to the confidentiality obligations of this agreement. Furthermore, the Parties shall only disclose confidential information to those employees who need to know it for the performance of this contract and shall also oblige these employees to maintain confidentiality to the extent permitted by labor law for the period after their departure.

§ 15 Reservation of the right to make changes

(1) BANQR reserves the right to amend these GTC at any time, including within existing contractual relationships, insofar as

a. this is necessary for valid reasons, in particular due to a change in the legal situation or supreme court rulings, technical changes or further developments, loopholes in the GTC, changes in market conditions or other equivalent reasons and does not unreasonably disadvantage the customer, and

b. the changes do not alter the essential business characteristics of the contract, in particular the services owed by BANQR in return for a renumeration.

(2) BANQR will inform the customer of such changes at least two (2) months before the planned entry into force of the changes. The customer can either agree to the changes before they come into effect or reject the changes. The customer shall be deemed to have given its consent if it has not notified BANQR of its rejection before the planned entry into force of the changes. BANQR will specifically point out this approval effect to the customer in its offer.

(3) If the customer rejects the changes, both Parties have the right to terminate the contract extraordinarily. BANQR shall inform the customer separately of this mutual extraordinary right of termination as part of the notification of change.

§ 16 Final provisions

(1) Should any provision of these GTC be or become invalid, this shall not affect the validity of the remaining provisions. The invalid provision shall be deemed replaced by a valid provision that comes closest to the economic purpose of the invalid provision. The same shall apply in the event of a loophole in the GTC.

(2) Annexes which are referenced in these GTC are an integral part of the contract.

(3) The exclusive place of jurisdiction for all disputes arising from or in connection with these GTC is the registered office of BANQR. BANQR remains entitled to take legal action at the customer's general place of jurisdiction.

(4) The law of the Federal Republic of Germany shall apply to these GTC, excluding its conflict of law provisions and the United Nations Convention on Contracts for the International Sale of Goods of April 11, 1980 (UN Sales Convention).

List of Annexes

• Annex 1 - Subject matter of the contract
• Annex 2 - Support
• Annex 3 - Remuneration
• Annex 4 - Data Processing Agreement

Annex 1 - Subject matter of the contract

1. General Description of the Software

Fraud Prevention 365 is a Software-as-a-Service (SaaS) solution for the verification of bank account data. The Software enables the customer to verify the validity of account data in real time or near real time via BANQR's online portal (hereinafter referred to as the "Portal").

The customer can register in the Portal, purchase an API quota and then enter bank account data for verification. This data is forwarded to the Deutsche Bank database (hereinafter referred to as "DB") via an interface. The result of the verification is made available to the customer within the Portal.

2. Functional Scope of the Software

The Software includes the following main functions:

a) Account verification via the Portal

• Direct entry of IBAN and account holder by the customer
• Automatic forwarding to the DB database
• Feedback on the validity of the account data in real time or near real time

b) API access for automated verification processes

• Customers can purchase an API contingent and integrate it into their business processes

c) Data processing & security measures

• Temporary storage of the data entered for the duration of the verification process
• Encrypted transmission via TLS 1.2/1.3
• No storage of account data after verification has been completed

3. Usage-dependent Components

Use of the Software is based on a flexible pricing model with the following components:

1. API quota that the customer can purchase (see Annex 4: Remuneration)
2. Additional services (e.g. support, special solutions in accordance with Annex 3)

4. Technical Requirements for Use

The customer must fulfill the following technical requirements in order to use the Software:

• Registration in the Portal with name, e-mail address and payment details
• Purchase of an API quota for access to the verification function
• Internet connection & access to a supported web browser (Chrome, Edge, Firefox, Safari)

Annex 2 - Support

BANQR offers a Basic Support Plan which includes up to 5 support hours per month for a flat rate of EUR 350.00. Any additional support hours are charged at EUR 160.00 per hour.

Availability: Monday to Friday, from 09:00 to 18:00 (CET)

E-Mail Support: Response time within 24 hours

All support services are provided within the above service hours. For support requests, please contact: support@banqr.io

Annex 3 - Remuneration

Price table

Prices for API quota regarding Fraud Prevention 365

API calls to all regions | Price (0.86 EUR/call)

‍100 API calls | 86,00 EUR

Additional information

• Prices are subject to statutory VAT.
• The API packages can be used once and have no expiry date.

2. Payment Information

Payment is made in advance to BANQR and via a payment method supported in the Portal (e.g. credit card).

‍

Annex 4: Data Processing Agreement pursuant to Art. 28 GDPR

1. Scope of application

(1) This Data Processing Agreement (hereinafter referred to as the "Agreement") governs the rights and obligations of BANQR Digital Solutions GmbH, Thyssenstrasse 6-8, 32312 Lübbecke, represented by the Managing Director: Wolfgang Gehrlicher, registered in the Commercial Register B of the Bad Oeynhausen Local Court under HRB 19403, (hereinafter referred to as the "Contractor") and its customer (hereinafter referred to as the "Client") in the context of processing personal data on behalf of the Client. For the purposes of data protection, the Client is the "Controller" and the Contractor is the "Processor" (hereinafter also jointly referred to as the "Parties").

(2) This contract applies to all activities in which the Contractor or employees of the Contractor process personal data of the Client on behalf of the Client.

(3) Terms used in this contract are to be understood in accordance with their definition in the General Data Protection Regulation (hereinafter referred to as "GDPR") in its current version.

(4) Insofar as declarations in the following are to be made in "text form", § 126b BGB applies.

2. Subject matter and duration of the contract

(1) The subject matter of the contract for the processing of personal data is defined in the main contract. The Contractor shall undertake the following data processing in accordance with the assignment in the main contract:

a. Verification process for fraud preventionb. Provision of support services on the Client's IT systems, if commissioned separately.

(2) The Client guarantees that the data passed on to the Contractor and processed in the order was obtained lawfully.

(3) The contract is awarded for an indefinite period and can be terminated by either party with three months' notice to the end of the month or ends automatically upon termination of the main contract. The possibility of termination without notice remains unaffected for both parties.

(4) The Client may terminate the contract at any time without notice in the event of a grossly negligent or intentional serious breach of data protection regulations or the provisions of this contract by the Contractor, if the Contractor is unable or unwilling to carry out an instruction from the Controller or if the Contractor refuses the Controller's control rights in breach of the contract. In particular, non-compliance with the obligations agreed in this contract and derived from Art. 28 GDPR constitutes a serious breach. In the event of a negligent breach by the Contractor, the Client shall only be entitled to terminate the contract without notice and for cause if it has requested the Contractor to remedy the breach within a reasonable period prior to termination and the Contractor has not complied with this request in due time.

3. Specification of the content of the order

(1) The type and purpose of the processed personal data and the categories of data subjects are specified in Annex 1 to this contract.

(2) The provision of the contractually agreed data processing shall take place exclusively in a member state of the European Union or in another state party to the Agreement on the European Economic Area. Any relocation to a third country requires the prior consent of the Client and may only take place if the special requirements of Art. 44 et seq. GDPR are fulfilled.

4. Obligations of the Contractor

(1) The Contractor shall process personal data exclusively in accordance with the Client's instructions, unless the Contractor is obliged to process personal data differently by the law of the Union or the Member States to which the Contractor is subject; in such a case, the Contractor shall notify the Client of these legal requirements prior to processing, unless the law in question prohibits such notification due to an important public interest.

(2) Furthermore, the Contractor shall not use the data provided for processing for any purposes other than those specified in Annex 1, in particular not for its own purposes. Furthermore, the Contractor shall not receive any rights of ownership or rights of use of any kind to the data processed in the course of the processing or to the results of the data processing. Anonymization of the data in connection with subsequent processing by the Contractor shall not take place either.

(3) The Contractor undertakes to maintain strict confidentiality during processing.

(4) The Contractor confirms that it is aware of the relevant data protection regulations and that it observes the principles of proper data processing. The Contractor warrants that it has no reason to believe that a legal provision applicable to it prevents it from fulfilling the instructions received from the Client or obligations arising from this contract.

(5) In connection with the commissioned processing, the Contractor shall support the Client - to the extent necessary - in fulfilling its obligations under data protection law, in particular in drawing up and updating the list of processing activities, in carrying out the data protection impact assessment and any necessary consultation with the supervisory authority. The required information and documentation must be kept available and forwarded to the Client immediately upon request.

(6) If the Client is subject to an inspection by supervisory authorities or other bodies or if data subjects assert rights against it, the Contractor undertakes to support the Client to the extent necessary, insofar as the processing in the order is affected.

(7) The Contractor shall forward inquiries and asserted rights of data subjects to the Client without delay, without contacting the data subject, unless the Contractor has been expressly instructed by the Client to make contact. The Contractor shall ensure that this obligation is imposed on the subcontractor in an appropriate manner.

(8) If required by law, the Contractor shall appoint a competent and reliable data protection officer. In cases of doubt, the Client may contact the data protection officer directly. If no data protection officer has been appointed, the Contractor shall appoint a contact person for data protection matters. The contact details of the current data protection officer or the contact person responsible for data protection are specified in Annex 2 to this contract.

The Client must be informed immediately of any changes to the appointment or contact details of the data protection officer or the contact person responsible for data protection.

5. Technical and organizational measures

(1) The Contractor undertakes to comply with all technical and organizational measures (TOM) required in accordance with Art. 32 GDPR. The minimum standard of the measures to be described in the TOM is attached in Annex 3. The Client confirms that these are appropriate at the time of conclusion of the contract within the meaning of GDPR. The Contractor warrants that it has implemented the TOM described in Annex 3. The Contractor is solely responsible for the creation and implementation of the TOM.

(2) The data security measures may be adapted in line with technical and organizational developments as long as they do not fall below the level agreed here or the recognized state of the art. The Contractor shall implement any necessary changes that serve to maintain data security without delay.

(3) The Contractor warrants that the data processed in the order will be strictly separated from other data stocks.

(4) Copies or duplicates shall not be created without the Client's knowledge. Exceptions to this are technically necessary, temporary duplications (e.g. backups), provided that any impairment of the level of data protection agreed here is excluded.

(5) The Contractor shall provide regular evidence of the fulfilment of its obligations, in particular the complete implementation of the agreed technical and organizational measures and their effectiveness. For this purpose, the Contractor shall provide the Client with sufficient guarantees, such as current test certificates, reports or report extracts from independent bodies (e.g. auditors, internal audit, data protection officer, IT security department, data protection auditors, quality auditors) or suitable certification through IT security or data protection audits (e.g. in accordance with BSI basic protection). Compliance with approved codes of conduct or approved certification procedures can also be used as proof of sufficient guarantees. Proof must be provided to the Client on request every 12 months, but at the latest every 24 months. Evidence must be kept for at least three calendar years after the end of the commissioned processing and presented to the Client at any time upon request.

(6) Persons who may gain knowledge of the data processed in the order must undertake in writing to maintain confidentiality and data protection, unless they are already subject to a relevant confidentiality obligation by law. The Contractor shall oblige its employees to comply with further confidentiality rules if the Client is subject to such further obligations, e.g. social confidentiality, etc. The Client must instruct the Contractor accordingly, at least in text form. The duty of confidentiality shall continue to exist after the termination of the contract.

(7) The Contractor warrants that the persons employed by it for processing have been familiarized with the relevant provisions of data protection and this contract before the start of processing. Corresponding training and awareness-raising measures shall be repeated on an appropriately regular basis. The Contractor shall ensure that persons employed for commissioned processing are appropriately sensitized, instructed and monitored on an ongoing basis with regard to compliance with data protection requirements.

6. Correction, deletion and blocking of data

(1) The Contractor shall only correct, delete or block the data processed on behalf of the Client in accordance with the Client's instructions.

(2) The Contractor shall comply with the corresponding instructions of the Client at all times and also beyond the termination of this contract.

(3) The Client shall indemnify the Contractor against any liability - also on the part of third parties - insofar as the data has been corrected, deleted or blocked in accordance with the request. The provisions on termination in § 11 of this contract remain unaffected.

7. Instructions

(1) The Client reserves the right to issue comprehensive instructions regarding the processing of the order.

(2) The Client shall issue all orders, partial orders or instructions documented at least in text form. In urgent cases, instructions may be issued verbally. The Client shall immediately confirm such instructions in documented form, at least in text form.

(3) The Contractor shall specify in Annex 2 at least one person who is exclusively authorized to accept instructions.

(4) In the event of a change or a longer-term prevention of the named persons, the other party must be informed immediately of successors or representatives, documented at least in text form.

(5) The Contractor shall inform the Client immediately if, in its opinion, an instruction issued by the Client violates statutory provisions. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it has been confirmed or amended by the responsible employee at the Client.

(6) The Contractor shall document any instructions issued to it and their implementation.

8. Rights and obligations of the Client

(1) The Client is solely responsible for assessing the permissibility of the commissioned processing and for safeguarding the rights of data subjects.

(2) The Client shall inform the Contractor immediately if it discovers errors or irregularities when checking the results of the order.

(3) The Client shall be entitled to check compliance with the provisions on data protection and the contractual agreements at the Contractor's premises to an appropriate extent itself or through third parties, in particular by obtaining information and inspecting the stored data and the data processing programs as well as other on-site checks. The persons entrusted with the inspection shall be granted access and inspection by the Contractor to the extent necessary. The Contractor shall be obliged to provide the necessary information, demonstrate processes and provide the evidence required to carry out an inspection. The Contractor shall be entitled to refuse inspections by third parties if they are in a competitive relationship with the Contractor or if there are similarly important reasons.

(4) Inspections at the Contractor's premises must be carried out during normal office hours without any avoidable disruption to the Contractor's business operations. Unless otherwise indicated for urgent reasons to be documented by the Client, inspections shall take place after reasonable advance notice and during the Contractor's business hours, and not more frequently than every 24 months. Insofar as the Contractor provides evidence of the correct implementation of the agreed data protection obligations as provided for in Section 5 para. 5 of this contract, any checks shall be limited to random samples.

(5) The Client is entitled to pass on copies of this contract to certain contractual partners and authorities in order to provide proof of compliance with legal and/or contractual obligations, in particular Art. 28 para. 3 GDPR. Before forwarding, the Client shall remove any confidential business information from the copy by blacking it out.

9. Subcontracting relationships

(1) Subcontracting relationships within the meaning of this provision are those services that are directly related to the provision of the main service.

(2) Subcontractors may be commissioned by the Contractor on the basis of a general written authorization from the Client, which the Client hereby grants. The Contractor shall inform the Client of any intended change with regard to the involvement of new subcontractors or the replacement of existing subcontractors by others 30 days before this change takes place. The Client may object to the change without giving reasons, with the consequence that the change will not take place.

(3) If the commissioning of subcontractors is permitted in accordance with para. 2, the Contractor must ensure that the transfer of the Client's personal data to the subcontractor and the subcontractor's initial activities only take place after the Contractor has concluded a written subcontracting agreement with the subcontractor. The provisions agreed between the Client and the Contractor must also apply to the subcontractor. In particular, the Client must be entitled to carry out inspections of subcontractors or have them carried out by third parties at any time to the extent specified here. The Contractor is obliged to contractually regulate this right of the Client vis-à-vis the subcontractor.

(4) The responsibilities and obligations of the Contractor and the subcontractor must be clearly delineated.

(5) The Contractor shall carefully select the subcontractor, paying particular attention to the suitability of the technical and organizational measures taken by the subcontractor.

(6) The forwarding of data processed on behalf of the Client to the subcontractor is only permitted if the Contractor has satisfied itself in a documented manner that the subcontractor has fulfilled its obligations in full, see para. 3 sentence 2. The Contractor must submit the documentation to the Client upon request.

(7) If the subcontractor provides the agreed service outside the EU/EEA, the Contractor shall ensure admissibility under data protection law by taking appropriate measures.

(8) The Contractor shall carry out an appropriate review of the subcontractor's compliance with its obligations regularly every 12 months, but at the latest every 24 months. The inspection and its results must be documented in such a meaningful way that they are comprehensible to a competent third party. The documentation shall be submitted to the Client upon request. The Contractor shall retain the documentation on audits carried out at least until the end of the third calendar year after the end of the commissioned processing and shall submit it to the Client at any time upon request. This shall not affect the Client's own inspection rights.

(9) If the subcontractor does not comply with its data protection obligations, the Contractor shall be liable to the Client for this.

(10) The use of further subcontractors by the subcontractor is not permitted within the scope of this processing on behalf of the Client.

(11) Both parties agree that ancillary services, such as transportation and cleaning of the business premises and the use of telecommunications services or user services, are not commissioned processing within the meaning of this contract, but are the use of third-party specialist services by an independent controller. The Contractor's obligation to ensure compliance with data protection and data security in these cases remains unaffected.

(12) At present, the subcontractors specified in Annex 4 with name, address and order content are engaged in the processing of personal data to the extent specified therein and are hereby approved by the Client. The Contractor's other obligations to subcontractors set out herein shall remain unaffected.

10. Notification obligations

(1) The Contractor shall notify the Client immediately of any breaches of the protection of personal data processed on behalf of the Client. Reasonable suspicions must also be reported. The notification must be made immediately after the Contractor becomes aware of the relevant event to the data protection contact named in Annex 2.

It must contain at least the following information:

a. a description of the nature of the personal data breach, including, where possible, the categories and approximate number of individuals affected, the categories affected and the approximate number of personal data records affected;b. the name and contact details of the data protection officer or other contact point for further informationc. a description of the likely consequences of the personal data breachd. a description of the measures taken or proposed to be taken by the Contractor to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.

(2) Significant disruptions in the execution of the order must also be reported immediately. In addition, notification is required of breaches of data protection provisions by the subcontractor or persons employed by the subcontractor pursuant to para. 1.

(3) The Contractor shall inform the Client immediately of any inspections or measures by supervisory authorities or other third parties, insofar as these relate to order processing.

(4) The Contractor assures to support the Client in its obligations under Art. 33 and 34 GDPR to the extent necessary.

11. Termination of the contract

(1) If personal data or copies thereof are still in the Contractor's control at the end of the contractual relationship, the Contractor shall, at the Client's discretion, either delete or destroy the data or hand it over to the Client. The Contractor may refrain from deleting or destroying the data if there are statutory retention obligations that oblige it to store the data. In this case, the Contractor must inform the Client immediately of the further storage, referring to the statutory retention obligation, and ensure that the further processing of the data concerned is limited to the purpose of complying with the statutory retention obligation.

(2) The Client must make the choice pursuant to para. 1 and inform the Contractor in text form. The destruction must be carried out in such a way that recovery is no longer possible with reasonable effort.

(3) The Contractor shall also be obliged to ensure the immediate destruction or return of subcontractors.

(4) The Contractor shall provide proof of proper destruction and submit it to the Client upon request.

(5) Documentation that serves as proof of proper data processing shall be retained by the Contractor at least until the end of the third calendar year after the end of the contract. The Contractor may hand them over to the Client for the Client's discharge.

(6) The Client shall indemnify the Contractor against any liability whatsoever - including towards third parties - in relation to the deleted or destroyed data, provided that the deletion or destruction of the personal data was carried out in accordance with the Client's request.

12. Remuneration

(1) The Contractor may demand reasonable remuneration for expenses incurred separately in the course of processing the order.

(2) Compensation shall be excluded in all cases if the additional expenditure is due to the fact that the Contractor has violated applicable law or the provisions of this contract.

13. Miscellaneous

(1) Both parties are obliged to treat as confidential all knowledge of business secrets and data security measures of the other party obtained within the scope of the contractual relationship, even after the termination of the contract. If there is any doubt as to whether information is subject to the confidentiality obligation, it shall be treated as confidential until written release by the other party.

(2) If the Client's property is jeopardized by third-party measures (such as seizure or confiscation), insolvency or composition proceedings or other events, the Contractor must inform the Client immediately.

(3) The written form and express reference to this agreement are required for collateral agreements to be effective.

(4) The defense of the right of retention within the meaning of § 273 BGB is excluded with regard to the data processed in the order and the associated data carriers.

(5) Should individual parts of this agreement be invalid, this shall not affect the validity of the remainder of the agreement.

Annex 1 - Information on data processing (to § 3 para. 1)

1. Type, purpose, location and data subjects of data processing

a) Type and purpose of processing

The scope of processing is defined in the main contract.

Processing on behalf of the controller includes the following data processing operations:

Carrying out the verification process

• Collection of the data to be verified by the Client (name of the account holder, bank sort code and account number or IBAN).
• Temporary storage of the entered data for forwarding the data to Deutsche Bank's API interface.
• Evaluation of the data provided by the bank as a result of the request regarding the validity of the account as well as the account-related data or last transaction data and/or information on the payment status if no connection to a third-party bank outside the Deutschebank Group could be established.
• Provision of the verification result in real time (real-time) or near real-time (near-time) to the Client in the portal.

Processing of support requests

Access to the Client's IT systems, in which personal data is also stored, so that it can be viewed as part of remote access when providing support services.

The processing therefore serves the following purposes:

Carrying out the verification process to:

• Ensuring the validity of bank account data before making payments or transactions.
• Reduction of incorrect transfers and fraud risks through real-time verification of account information.

Processing support requests from the Client

b) Type of data

The following types of personal data are processed:

• Names
• contact details
• account data
• transaction data
• Information on the payment status

c) Location of the processing

The Contractor provides the agreed service at a place of performance within the EU or the EEA.

2. Categories of data subjects

• Employees of the Client
• Customers of the Client
• Service providers of the Client

Annex 2 - Contact details (to Section 4 (8) and Section 7 (3))

1. The contact persons responsible for data protection (to § 4 para. 8)

The contact details of the contact person for data protection at the Contractor, if there is no data protection officer:

• First and last name: Nadine Ebmeyer
• E-mail address: nadine.ebmeyer@banqr.io

The Client must be informed immediately of any changes to the name or contact details.

2. Acceptance of instructions (to § 7 para. 3)

Authorized persons at the Contractor:

Nadine Ebmeyer (see section 1).

Annex 3 - Overview of technical and organizational measures pursuant to Art. 32 GDPR (to § 5 para. 1)

Pursuant to Art. 32 GDPR, data controllers are obliged to take technical and organizational measures to ensure the security of the processing of personal data. Measures must be selected in such a way that they ensure an adequate level of protection overall. Against this background, this overview explains which specific measures have been taken by the Contractor with regard to the processing of personal data in the specific case. This overview is intended to provide evidence of compliance with data protection regulations by Contractors.

1. Pseudonymization of data (Art. 32 para. 1 lit. a GDPR)

The Contractor shall ensure that - insofar as the technical processes permit - essential identifying features of personal data are replaced by a key that can be used to re-establish a personal reference if necessary (pseudonymization).

Use of tokenization technologies to replace sensitive data with non-traceable placeholders.

2. Encryption of personal data (Art. 32 para. 1 lit. a GDPR)

Contractor ensures that personal data is only stored securely by using appropriate encryption.

• AES-256 encryption for temporary storage of data during the verification process
• Strict access restrictions to encryption keys.

3. Confidentiality of data processing (Art. 32 para. 1 lit. b GDPR)

a) Access control

Contractor shall take measures to prevent unauthorized persons from gaining access (to be understood spatially) to data processing systems used to process personal data.

• The server infrastructure is located in Microsoft data centers with ISO 27001-certified security architecture.
• Physical access is only permitted to authorized persons in Microsoft's data centers.

b) Access control

Contractor takes measures to prevent data processing equipment from being used by unauthorized persons.

Strict authentication procedures:

• Two-factor authentication (2FA) for all administrative access.
• Use of OAuth2 and mTLS for authentication and access restriction.

Password and access security policies:

• Complex password requirements and regular password changes.
• Blocking of accounts after multiple failed attempts.

c) Access control

Contractor ensures that users authorized to use IT infrastructure can only access content for which they are authorized and that personal data cannot be copied, modified or deleted without authorization during processing and after storage.

Role and authorization-based access controls (RBAC):

• Access to personal data is regulated according to the need-to-know principle.
• Employees only receive the minimum necessary authorizations for their tasks.
• Regular review and adjustment of authorizations.

Write and delete protection:

• Critical data is protected against unauthorized changes or deletions.
• Versioning and backup systems enable recovery in the event of unauthorized changes.
• Separation of identification and verification data to prevent unauthorized access or misuse.
• Real-time monitoring of system activities by SIEM (Security Information and Event Management).

d) Transfer control

Contractor prevents personal data from being read, copied, modified or deleted without authorization during electronic transmission or during transport or storage on data carriers, and that it can be determined at which points such data is intended to be transmitted in the IT system.

Secure data transmission:

• End-to-end encryption (TLS 1.2/1.3) for data transmission via the portal
• Signed and authenticated communication protocols to ensure data integrity and proof of origin.

Logging and traceability:

• Every transmission and processing of personal data is logged (logging & monitoring).
• Real-time monitoring and intrusion detection systems (IDS) to detect suspicious activities.
• SIEM systems (Security Information and Event Management) to analyze and track data flows.

4. Integrity of data processing (Art. 32 para. 1 lit. b GDPR)

a) Input control

Contractor ensures that it is possible to subsequently check whether and by whom personal data has been entered, changed or deleted.

Logging of all data processing operations:

• Every entry, change and deletion of personal data is logged.
• Logs contain the time stamp, user ID and action performed.

Audit and monitoring systems:

• Real-time monitoring of all relevant activities in the IT system.
• Access logs and change histories for personal data.

Audit-proof storage of logs:

• Logs are encrypted and stored in a tamper-proof manner.
• Access to logs is only permitted to authorized persons.

Regular review and analysis of logs:

• Automatic alerts in the event of unauthorized changes.
• Manual review by data protection or IT security officers.

b) Order control

Contractor ensures that personal data processed on behalf of the Client is processed in accordance with the Client's instructions.

Contractual obligation:

• Processing of personal data takes place exclusively on the basis of the main contract and the instructions of the Client.
• The Contractor is contractually obliged to comply with these instructions.

Instruction management:

• The Client may issue written or electronic instructions for data processing.
• The Contractor checks instructions for legality and technical feasibility and informs the Client in the event of ambiguities or problems.

Technical and organizational measures (TOMs):

• Authorization concepts and access restrictions prevent unauthorized processing.
• Use of control mechanisms (e.g. monitoring, logging) to ensure that only authorized data processing takes place.

Logging and traceability:

• All relevant processing is logged so that it can be verified that it has been carried out in accordance with instructions.
• Logs contain the date, time, person/system carrying out the processing and type of processing.

Regular training and sensitization of employees:All employees entrusted with data processing are regularly trained on GDPR requirements and specific instructions from the Client.

c) Purpose limitation and separation requirement

Contractor ensures that personal data collected for different purposes is only ever used within the scope of the respective purpose limitation and can be processed separately.

Strict purpose limitation of data processing:

• Personal data is only processed for the specified purpose in each case, e.g. contract fulfillment or marketing.
• No improper use or further processing of the data by the Contractor.

Technical separation of databases:

• Logical and physical separation of data from different Clients.
• Client-specific databases to ensure that Client data is not mixed.

Access and authorization concepts:

• Role-based access controls (RBAC) ensure that employees only have access to data that is required for their specific processing purpose.
• Strict logging of all access and processing in order to ensure that data is processed for the intended purpose.

Organizational measures:

• Training of employees to comply with the separation requirement and purpose limitation.
• Regular review of processing operations to ensure compliance with the purpose of use.

5. Availability of personal data (Art. 32 para. 1 lit. b GDPR)

Contractor ensures that personal data is protected against accidental destruction or loss.

• Automatic daily backups of all relevant data.
• Versioned storage in order to be able to restore previous data statuses
• Georedundant storage in multiple ISO 27001-certified data centers within the Microsoft Azure cloud

6. Resilience of systems and services (Art. 32 para. 1 lit. b GDPR)

Contractor ensures that its systems and services are designed to enable adequate data processing.

Scalable IT infrastructure:

• Use of Microsoft Azure cloud services with automatic scaling to adapt to peak loads.
• Highly available load balancing mechanisms to avoid server failures.

High system availability:

• System architecture with high availability (99.9% SLA).
• Automatic error detection and self-healing of systems to minimize outages.

Performance monitoring and optimization:

• Real-time monitoring of system resources to identify and resolve bottlenecks.
• Regular performance tests and load tests to ensure system resilience.

7. Recovery of data (Art. 32 para. 1 lit. c GDPR)

Contractor ensures that lost data can be recovered in the event of data loss.

Detailed recovery processes (disaster recovery plan)

• Defined processes for data recovery within a short period of time
• Regular testing of the recovery mechanisms to ensure functionality.

Protection against unintended data deletion or manipulation:

• Access controls and authorization management to prevent unintended deletion.
• Logging of all changes and deletions in order to be able to trace and correct errors or manipulations.

8. Review, assessment and evaluation (Art. 32 para. 1 lit. d GDPR)

a) Review of the measures

The measures taken must be reviewed regularly to determine whether they need to be adapted.

Regular security and data protection audits:

• Internal and external audits of the implemented protective measures.
• Review of the effectiveness of data security measures by IT and data protection experts

Risk assessment and vulnerability analysis:

• Regular risk analyses to identify potential threats and vulnerabilities.
• Adaptation to legal and technological developments:
• Monitoring new legal requirements (e.g. legislative reforms).
• Monitoring new security standards and technologies in order to continuously improve the level of protection.

b) Assessment and evaluation of the measures

The result of the review (see above) must be assessed; in addition to the existing measures, any adjustments must be evaluated and implemented.

Evaluation of the review results:

• Analysis of the results from security audits, risk analyses and data protection audits.
• Identification of weaknesses or potential for improvement in existing security measures.

Prioritization and implementation of measures:

• Creation of an action plan with priorities based on the risk to personal data.
• Implementation of necessary security improvements, taking into account the current state of the art.

Ongoing adaptation to legal and technological developments:

• Consideration of new GDPR requirements and regulatory requirements.
• Integration of new IT security standards and best practices to continuously improve the level of protection

Monitoring and checking the adjustments:

• Once the measures have been implemented, a new review is carried out to ensure their effectiveness.
• Documentation of all adjustments in order to be able to prove compliance with the GDPR and internal security guidelines

9. Instruction of subordinate employees (Art. 32 para. 4 GDPR)

Contractors must ensure that all employees involved in data processing are informed about the existing obligations and the measures to be complied with (instruction).

Regular training and awareness-raising:

• Mandatory training for all employees who have access to personal data.
• Training for new employees before they access personal data for the first time.
• Refresher training at regular intervals to take account of new legal or technical requirements.

Commitment to confidentiality:

• All relevant employees must sign a written commitment to maintain data confidentiality in accordance with Art. 28 GDPR.
• Documented confirmation of knowledge of and compliance with the internal data protection guidelines.

Annex 4 - Consent to the commissioning of subcontractors (to Section 9 para. 12)

The Client consents to the commissioning of the following subcontractors by the Contractor:

General Terms and Conditions for the use of the "Cash365" software from BANQR (GTC)

§ 1 Scope of application

(1) These GTC apply to the contracts concluded between BANQR Digital Solutions GmbH, Thyssenstrasse 6-8, 32312 Lübbecke, represented by the Managing Director: Wolfgang Gehrlicher, registered in the Commercial Register B of the Bad Oeynhausen Local Court under HRB 19403 (hereinafter referred to as "BANQR") and customers (hereinafter jointly referred to as "Parties") for Microsoft Dynamics 365 Business Central for the following services.

(2) BANQR provides services in the field of software, in particular the creation, distribution and operation of software. This also includes the "Cash 365" software. This is an embedded banking solution that seamlessly integrates financial services into the Microsoft 365 world. It enables customers to access various banking services directly via their existing ERP and accounting systems. The solution thus offers real-time insights into account balances and transactions directly in the familiar ERP environment.

(3) The main functions of Cash365 (DB SME Connector and/or DB Enterprise Connector) are:

• Instant Payments: the SEPA Instant Payment module enables secure payments in seconds without delays.
• Real-time balance: Thanks to modern APIs, the customer receives up-to-the-second account information directly in the Cash365 dashboard and ERP system.
• Real-time transactions: API integration allows account transactions to be reconciled at any time or automatically, including end-of-day and intra-day statements.
• Automated processes: Automatic allocation of payments to invoices, creation of reports and management of payment schedules minimize manual intervention and reduce errors.
• Cash analytics: Customizable dashboards provide a real-time overview of account balances, liquidity, currency exposure, cash flows and risks.

Additional functions of the DB Enterprise Connector include:

• International account aggregation: real-time API calls enable the management of international and national accounts.
• Bulk payments / SEPA direct debits: Support for bulk payments and bulk direct debits.
• Virtual account solution: Connection to virtual accounts via the Deutsche Bank AG API platform.
• Real-time treasury: Seamless integration in Power BI, Excel and Power Automate via the BANQR real-time treasury connector.

(4) The use of Cash365 is primarily aimed at customers of Deutsche Bank AG as well as customers of its other offerings Postbank and Fyrst Bank. The Cash fin API is therefore required to make the Cash365 functions mentioned above available to customers of other banks. This adds the other functions:

• Multi-bank API connection: Connection to over 9000 banks in the EU SEPA area
• Cross-country account aggregation: real-time API calls enable the management of cross-country accounts.

(5) BANQR customers can only be natural persons, legal entities or partnerships with legal capacity who, when concluding a legal transaction, are acting in the exercise of their commercial or independent professional activity. BANQR expressly does not conclude consumer contracts.

(6) The validity of the customer's general terms and conditions is expressly rejected.

§ 2 Subject matter of the contract

(1) The subject matter of the contract is the temporary provision of the "Cash 365" software (hereinafter referred to as "Software") for a fee in conjunction with the granting of rights of use. BANQR provides the customer with the software with the usage-dependent components described in more detail in Appendix 1 (hereinafter referred to as "Subject Matter of the Contract") and under the conditions of use also specified therein.

(2) BANQR does not owe the provision of storage space; the customer is solely responsible for this.

§ 3 Provision and installation of the software

(1) BANQR provides the software to the customer for download via the Microsoft AppSource Marketplace. The customer will be provided with the information required to download the software.

(2) In addition to the software, the customer receives a manual (hereinafter referred to as "Manual"). The Manual contains instructions for installing the Software.

(3) Unless otherwise agreed between the parties, BANQR is not responsible for installing the software on the customer's systems; the customer is generally solely responsible for this.

(4) Against payment of a separate fee, BANQR will support the customer with the installation of the software.

§ 4 Maintenance

(1) BANQR is obliged to maintain the contractually agreed quality of the software during the term of the contract (hereinafter referred to as "Maintenance"). The contractually owed quality of the software is determined in accordance with Annex 1. In order to fulfill BANQR's Maintenance obligation, BANQR will carry out the Maintenance and servicing measures required according to the state of the art.

(2) BANQR is only obliged to modify or adapt the software if such a modification or adaptation is necessary to maintain the software in accordance with the state of the art. Otherwise, BANQR is only obliged to modify, adapt and further develop the software if the parties agree to this separately. Without such a separate agreement, BANQR is in particular not obliged to further develop the software.

§ 5 Rights of use to the software

(1) BANQR is the sole and exclusive owner of all rights to the software.

(2) BANQR grants the Customer a simple, non-exclusive, and non-transferable right to use the Software in accordance with its intended purpose and solely for internal business operations. This right is limited in time to the duration of this agreement and geographically extended to the territory of the European Union as well as other countries where the Customer is lawfully conducting business.

(3) Insofar as this is necessary for the contractual use, the customer is entitled to reproduce the delivered software. In particular, the loading of the software into the working memory is to be regarded as reproduction required for use in accordance with the contract. In addition, the customer is entitled to make a duplication for backup purposes (hereinafter referred to as "Backup Copy"). The customer is obliged to mark this Backup Copy as such and to affix a copyright notice from BANQR. Otherwise, the customer is not authorized to make copies, unless otherwise provided by law.

(4) The customer is not entitled to make the software or the Backup Copy available to third parties for use, either for a fee or free of charge. The customer is therefore expressly not permitted to sublet the software.

(5) The customer is not entitled to modify or edit the software, unless the modification or editing is necessary for the contractual use of the software to remedy a defect with which BANQR is in default.

§ 6 Support

(1) Provided it is not a case of warranty, BANQR provides the customer with support against payment of a separate fee. BANQR maintains a hotline for this purpose, which serves to quickly classify and process the request. The scope of the support and a more detailed description of its content, in particular availability, is regulated in Appendix 2 (hereinafter referred to as "Support").

(2) As Annex 4, the parties shall conclude a contract in accordance with Art. 28 para. 3 GDPR (hereinafter referred to as "Data Processing Agreement"), insofar as this is necessary for the agreed Support services.

§ 7 Remuneration

(1) The customer is obliged to pay a fee for the provision of the software. The remuneration is to be paid either monthly or annually, depending on which license the customer chooses.

(2) Insofar as further special services have been agreed between the parties, for example in accordance with § 3 para. 4 or § 6 para. 1 of these GTC, the prices shown in Annex 3 ("Remuneration") shall apply.

(3) All fees are subject to statutory value added tax.

(4) The amount of the total remuneration to be paid monthly and the payment information can be found in Annex 3.

(5) The total remuneration shall be invoiced monthly or annually, depending on the license.

§ 8 Duty of care

(1) The customer is obliged to take appropriate measures to ensure that unauthorized third parties cannot access the software, the Backup Copy, the Manual and other accompanying materials (hereinafter collectively referred to as "Documentation").

(2) In particular, the customer is obliged to store all existing copies of the software, including the Backup Copy and all associated documentation, in a place protected against unauthorized access by third parties. The customer shall bear the costs of storage.

§ 9 Warranty

(1) If the customer discovers defects in the software or the documentation, the customer must notify BANQR immediately in writing. A defect also exists in particular if the software does not have the components owed in accordance with Annex 1.

(2) BANQR is obliged to rectify the notified defects in the software and documentation within a reasonable period of time. BANQR shall bear the costs of rectifying the defects.

(3) The customer must allow BANQR the necessary access to the software and documentation for the purpose of remedying the defect.

(4) The customer is not entitled to claim a reduction in remuneration by independently deducting the amount of the reduction from the monthly remuneration to be paid. This shall not affect the customer's right under the law of unjust enrichment to reclaim the part of the remuneration paid in excess due to a justified reduction.

(5) In the event of failure to remedy the defect in accordance with § 9 para. 2, the customer is entitled to extraordinary termination of this contract. Failure to remedy the defect is deemed to have occurred in particular if it is impossible for BANQR to remedy the defect, if BANQR refuses to remedy the defect or if BANQR's remedy of the defect is unreasonable for the customer for other reasons.

§ 10 Liability and indemnification

(1) BANQR is liable without limitation:

a) in the event of malice, intent or gross negligence;

b) within the scope of a guarantee expressly assumed by it;

c) for damages resulting from injury to life, body or health;

d) for the breach of an essential contractual obligation, the fulfillment of which makes the proper execution of this contract possible in the first place and on the observance of which the customer regularly relies and may rely ("cardinal obligation"), but limited to the damage reasonably to be expected at the time of the conclusion of the contract;

e) in accordance with the provisions of the Product Liability Act.

(2) Any further liability on the part of BANQR is excluded. In particular, BANQR is not liable for defects already existing at the time of conclusion of the contract, insofar as no case of § 10 para. 1 exists.

(3) The data used for reconciliation does not originate from BANQR, but is provided to the customer by his bank, so that no liability is assumed for this data, in particular not for the accuracy, completeness or timeliness of the data.

(4) The above liability rules apply accordingly to the conduct of and claims against employees, legal representatives and vicarious agents of BANQR.

(5) BANQR guarantees the customer that the software does not infringe any third-party rights (hereinafter referred to as "Infringement of Property Rights"). BANQR shall indemnify the customer against all claims by third parties due to Infringements of Property Rights for which BANQR is responsible in connection with the contractual use of the software upon first request and shall also assume the reasonable costs of legal defense for the customer. The customer shall inform BANQR immediately of any claims asserted by third parties; it is not entitled to accept such claims in fact or in law unless BANQR has given its prior written consent. The right to indemnification under this § 10 para. 4 expires if the customer does not inform BANQR immediately of the assertion of claims by third parties and provided that there is no case of unlimited liability under § 10 para. 1.

(6) If a claim is made against the customer due to a defect in the software in accordance with § 9 para. 1 sentence 2 of this contract, § 10 para. 4 applies accordingly; if indemnification is not possible in the external relationship, the obligation applies in the internal relationship.

§ 11 Contract duration and termination

(1) This contract comes into force upon completion of the order process and has an indefinite term.

(2) The parties may terminate the contract with one month's notice to the end of any month for monthly subscriptions, and with three months' notice to the end of the term for annual subscriptions. Please write an email to sales@banqr.io.

(3) The right of both parties to extraordinary termination without notice at any time for good cause remains unaffected. Good cause exists in particular if BANQR or the customer intentionally or negligently breaches a material obligation under this contract and it is therefore no longer reasonable for the terminating party to adhere to the contract. In particular, BANQR is entitled to extraordinary termination of the contract without notice if the customer violates the provisions of § 5 of this contract and does not cease its acts of violation within a reasonable period of time, if BANQR has previously warned the customer to cease these acts of violation.

(4) Termination of this contract must be in writing to be effective.

§ 12 Return and deletion

(1) After termination of the contract, the customer is obliged to stop using the software and to return the software and all program copies (including the Backup Copy) as well as all documentation and other documents provided to BANQR. The return shall be at the customer's own expense.

(2) BANQR is free to waive the return in accordance with § 12 para. 1 and instead demand that the customer deletes the software and other program copies and destroys the documentation and other documents provided.

(3) In addition, the customer is obliged to completely and permanently delete all installed program copies and any stored documentation from all its servers.

(4) Any use of the software after termination of the contract is not permitted.

§ 13 Confidentiality

(1) "Confidential information" is all information and documents of the respective other party that are marked as confidential or are to be regarded as confidential due to the circumstances, in particular information about products of the respective party, including object codes, documentation and other documents, operational processes, business relationships and know-how.

(2) The parties agree to maintain confidentiality about such confidential information. This obligation shall continue for a period of time after termination of the contract.

(3) Excluded from this obligation is such confidential information:

a) which was demonstrably already known to the recipient at the time the contract was concluded or which subsequently becomes known to the recipient from a third party without violating a confidentiality agreement, statutory provisions or official orders;

b) which are publicly known at the time of conclusion of the contract or are made publicly known thereafter, insofar as this is not based on a breach of this contract;

c) which must be disclosed due to legal obligations or by order of a court or authority. To the extent permissible and possible, the recipient obliged to disclose shall inform the other party in advance and give it the opportunity to take action against the disclosure.

(4) The parties shall only grant access to confidential information to consultants who are subject to professional secrecy or who have previously been subject to obligations corresponding to the confidentiality obligations of this agreement. Furthermore, the parties shall only disclose the confidential information to those employees who need to know it for the execution of this contract and shall also oblige these employees to maintain confidentiality to the extent permitted by labor law for the period after their departure.

§ 14 Reservation of right of amendment

(1) BANQR reserves the right to amend these GTC at any time, also within the existing contractual relationships, insofar as:

a) this is necessary for valid reasons, in particular due to a change in the legal situation or supreme court rulings, technical changes or further developments, loopholes in the GTC, changes in market conditions or other equivalent reasons and does not unreasonably disadvantage the customer, and

b) the changes do not alter the essential business characteristics of the contract, in particular the paid services owed by BANQR.

(2) BANQR will inform the customer of such changes at least two (2) months before the planned entry into force of the changes. The customer can either agree to the changes before they come into effect or reject the changes. The customer shall be deemed to have given its consent if it has not notified BANQR of its rejection before the planned entry into force of the changes. BANQR will specifically point out this approval effect to the customer in its offer.

(3) If the customer rejects the changes, both parties have the right to terminate the business relationship extraordinarily. BANQR will inform the customer separately of this mutual extraordinary right of termination as part of the notification of change.

§ 15 Final provisions

(1) Should any provision of these GTC be or become invalid, this shall not affect the validity of the remaining provisions. The invalid provision shall be deemed replaced by a valid provision that comes closest to the economic purpose of the invalid provision. The same shall apply in the event of a loophole in the GTC.

(2) Appendices to which reference is made in these GTC are an integral part of the contract.

(3) The exclusive place of jurisdiction for all disputes arising from or in connection with this contract is the registered office of BANQR. BANQR remains entitled to take legal action at the customer's general place of jurisdiction.

(4) These GTC shall be governed by the law of the Federal Republic of Germany, excluding its conflict of law provisions and the United Nations Convention on Contracts for the International Sale of Goods of April 11, 1980 (UN Sales Convention).

List of annexes

• Annex 1 - Subject matter of the contract
• Annex 2 - Support
• Annex 3 - Remuneration
• Annex 4 - Data Processing Agreement

Appendix 1 - Subject matter of the contract for Cash 365

1. General description of the software

Cash 365 is a software solution for the integration of real-time banking functions in Microsoft Dynamics 365 Business Central. It enables companies to efficiently manage their financial processes through direct connection to banking systems.

2. Functions of the software

The software includes the following core functions:

• Real-time account overview: display and synchronization of account balances in Microsoft Business Central.
• Transaction processing: Support for SEPA payments, direct debits and transfers.
• Automated invoice payment: Matching and allocation of incoming payments to invoices.
• Multi-bank integration: Direct connection to multiple bank accounts via certified API interfaces.
• Security and compliance functions: PSD2-compliant authentication, encrypted communication and access controls.

3. Usage-dependent components

The use of the software depends on the following factors:

• Number of connected bank accounts
• Volume of transactions carried out

4. Conditions of use

The customer must meet the following technical and organizational requirements:

• Microsoft Dynamics 365 Business Central as ERP system
• Bank account with a supported bank with API access
• Microsoft cloud services (Azure Germany) for using the software
• Setup of user roles and authorizations within Business Central

Appendix 2 - Support

Support Services Overview

BANQR offers a Basic Support Plan which includes up to 5 support hours per month for a flat rate of EUR 350.00. Any additional support hours are charged at EUR 160.00 per hour.

Availability: Monday to Friday, from 09:00 to 18:00 (CET)
E-Mail Support: Response time within 24 hours

All support services are provided within the above service hours.

For support requests, please contact:
support@banqr.io

Appendix 3 - Remuneration

1. Price table for license

2. Prices for Support

3. Prices for special services

Individual customizations or special developments by BANQR are not part of the contract and are only commissioned on a separate project basis and billed at the following rate on a time and material basis:

160.00 € per hour (net).

This remuneration rate also applies to support services provided by BANQR.

4. Payment information

Payments are to be made by credit card directly via the Microsoft App Source.

In exceptional cases, payments can also be made by invoice. This must be agreed individually with BANQR. For this purpose, an e-mail with a corresponding message must be sent to sales@banqr.io.

‍

Annex 4: Data Processing Agreement pursuant to Art. 28 GDPR

Scope of application

(1) This Data Processing Agreement (hereinafter referred to as the "Agreement") governs the rights and obligations of BANQR Digital Solutions GmbH, Thyssenstrasse 6-8, 32312 Lübbecke, represented by the Managing Director: Wolfgang Gehrlicher, registered in the Commercial Register B of the Bad Oeynhausen Local Court under HRB 19403, (hereinafter referred to as the "Contractor") and its customer (hereinafter referred to as the "Client") in the context of processing personal data on behalf of the Client. For the purposes of data protection, the Client is the "Controller" and the Contractor is the "Processor" (hereinafter also jointly referred to as the "Parties").

(2) This contract applies to all activities in which the Contractor or employees of the Contractor process personal data of the Client on behalf of the Client.

(3) Terms used in this contract are to be understood in accordance with their definition in the General Data Protection Regulation (hereinafter referred to as "GDPR") in its current version.

(4) Insofar as declarations in the following are to be made in "text form", § 126b BGB applies.

Subject matter and duration of the contract

(1) The subject matter of the contract for the processing of personal data is defined in the main contract. The Contractor shall undertake the following data processing in accordance with the assignment in the main contract:

Provision of support services on the Client's IT systems.

(2) The Client guarantees that the data passed on to the Contractor and processed in the order was obtained lawfully.

(3) The contract is awarded for an indefinite period and can be terminated by either party with three months' notice to the end of the month or ends automatically upon termination of the main contract. The possibility of termination without notice remains unaffected for both parties.

(4) The Client may terminate the contract at any time without notice in the event of a grossly negligent or intentional serious breach of data protection regulations or the provisions of this contract by the Contractor, if the Contractor is unable or unwilling to carry out an instruction from the Controller or if the Contractor refuses the Controller's rights of control in breach of the contract. In particular, non-compliance with the obligations agreed in this contract and derived from Art. 28 GDPR constitutes a serious breach. In the event of a negligent breach by the Contractor, the Client shall only be entitled to terminate the contract without notice and for cause if it has requested the Contractor to remedy the breach within a reasonable period of time prior to termination and the Contractor has not complied with this request in due time.

Specification of the content of the order

(1) The type and purpose of the processed personal data and the categories of data subjects are specified in Annex 1 to this contract.

(2) The provision of the contractually agreed data processing shall take place exclusively in a member state of the European Union or in another state party to the Agreement on the European Economic Area. Any relocation to a third country requires the prior consent of the Client and may only take place if the special requirements of Art. 44 et seq. GDPR are fulfilled.

Obligations of the Contractor

(1) The Contractor shall process personal data exclusively in accordance with the Client's instructions, unless the Contractor is obliged to process personal data differently by the law of the Union or the Member States to which the Contractor is subject; in such a case, the Contractor shall notify the Client of these legal requirements prior to processing, unless the law in question prohibits such notification due to an important public interest.

(2) Furthermore, the Contractor shall not use the data provided for processing for any purposes other than those specified in Annex 1, in particular not for its own purposes. Furthermore, the Contractor shall not receive any rights of ownership or rights of use of any kind to the data processed in the course of the processing or to the results of the data processing. Anonymization of the data in connection with subsequent processing by the Contractor shall not take place either.

(3) The Contractor undertakes to maintain strict confidentiality during processing.

(4) The Contractor confirms that it is aware of the relevant data protection regulations and that it observes the principles of proper data processing. The Contractor warrants that it has no reason to believe that any legal provision applicable to it prevents it from fulfilling the instructions received from the Client or obligations arising from this contract.

(5) In connection with the commissioned processing, the Contractor shall support the Client - to the extent necessary - in fulfilling its obligations under data protection law, in particular in drawing up and updating the list of processing activities, in carrying out the data protection impact assessment and any necessary consultation with the supervisory authority. The required information and documentation must be kept available and forwarded to the Client immediately upon request.

(6) If the Client is subject to an inspection by supervisory authorities or other bodies or if data subjects assert rights against it, the Contractor undertakes to support the Client to the extent necessary, insofar as the processing in the order is affected.

(7) The Contractor shall forward inquiries and asserted rights of data subjects to the Client without delay, without contacting the data subject, unless the Contractor has been expressly instructed by the Client to make contact. The Contractor shall ensure that this obligation is imposed on the subcontractor in an appropriate manner.

(8) If required by law, the Contractor shall appoint a competent and reliable data protection officer. In cases of doubt, the Client may contact the data protection officer directly. If no data protection officer has been appointed, the Contractor shall appoint a contact person for data protection matters. The contact details of the current data protection officer or the contact person responsible for data protection are specified in Annex 2 to this contract.

The Client must be informed immediately of any changes regarding the appointment or contact details of the data protection officer or the contact person responsible for data protection.

Technical and organizational measures

(1) The Contractor undertakes to comply with all technical and organizational measures (TOM) required in accordance with Art. 32 GDPR. The minimum standard of the measures to be described in the TOM is attached in Annex 3. The Client confirms that these are appropriate at the time of conclusion of the contract within the meaning of GDPR. The Contractor warrants that it has implemented the TOM described in Annex 3. The Contractor is solely responsible for the creation and implementation of the TOM.

(2) The data security measures may be adapted in line with technical and organizational developments as long as they do not fall below the level agreed here or the recognized state of the art. The Contractor shall implement any necessary changes that serve to maintain data security without delay.

(3) The Contractor shall ensure that the data processed in the order is strictly separated from other data stocks.

(4) Copies or duplicates shall not be created without the Client's knowledge. Exceptions to this are technically necessary, temporary duplications (e.g. backups), provided that any impairment of the level of data protection agreed here is excluded.

(5) The Contractor shall provide regular evidence of the fulfilment of its obligations, in particular the complete implementation of the agreed technical and organizational measures and their effectiveness. For this purpose, the Contractor shall provide the Client with sufficient guarantees, such as current test certificates, reports or report extracts from independent bodies (e.g. auditors, internal audit, data protection officer, IT security department, data protection auditors, quality auditors) or suitable certification through IT security or data protection audits (e.g. in accordance with BSI basic protection). Compliance with approved codes of conduct or approved certification procedures can also be used as proof of sufficient guarantees. Proof must be provided to the Client on request every 12 months, but at the latest every 24 months. Evidence must be kept for at least three calendar years after the end of the commissioned processing and presented to the Client at any time upon request.

(6) Persons who may obtain knowledge of the data processed in the order must undertake in writing to maintain confidentiality and data protection, unless they are already subject to a relevant confidentiality obligation by law. The Contractor shall oblige its employees to comply with further confidentiality rules if the Client is subject to such further obligations, e.g. social confidentiality, etc. The Client must instruct the Contractor accordingly, at least in text form. The duty of confidentiality shall continue to exist after the termination of the contract.

(7) The Contractor warrants that the persons employed by it for processing have been familiarized with the relevant provisions of data protection and this contract before the start of processing. Corresponding training and awareness-raising measures shall be repeated on an appropriately regular basis. The Contractor shall ensure that persons employed for commissioned processing are appropriately sensitized, instructed and monitored on an ongoing basis with regard to compliance with data protection requirements.

Correction, deletion and blocking of data

(1) The Contractor shall only correct, delete or block the data processed on behalf of the Client in accordance with the Client's instructions.

(2) The Contractor shall comply with the corresponding instructions of the Client at all times and also beyond the termination of this contract.

(3) The Client shall indemnify the 4 against any liability - also on the part of third parties - insofar as the data has been corrected, deleted or blocked in accordance with the request. The provisions on termination in § 11 of this contract remain unaffected.

Instructions

(1) The Client reserves the right to issue comprehensive instructions regarding the processing of the order.

(2) The Client shall issue all orders, partial orders or instructions documented at least in text form. In urgent cases, instructions may be issued verbally. The Client shall immediately confirm such instructions in documented form, at least in text form.

(3) The Contractor shall specify in Annex 2 at least one person who is exclusively authorized to accept instructions.

(4) In the event of a change or a longer-term prevention of the named persons, the other party must be informed immediately of successors or representatives, documented at least in text form.

(5) The Contractor shall inform the Client immediately if, in its opinion, an instruction issued by the Client violates statutory provisions. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it has been confirmed or amended by the responsible employee at the Client.

(6) The Contractor shall document any instructions issued to it and their implementation.

Rights and obligations of the Client

(1) The Client is solely responsible for assessing the permissibility of the commissioned processing and for safeguarding the rights of data subjects.

(2) The Client shall inform the Contractor immediately if it discovers errors or irregularities when checking the results of the order.

(3) The Client shall be entitled to check compliance with the provisions on data protection and the contractual agreements at the Contractor's premises to an appropriate extent itself or through third parties, in particular by obtaining information and inspecting the stored data and the data processing programs as well as other on-site checks. The persons entrusted with the inspection shall be granted access and inspection by the Contractor to the extent necessary. The Contractor shall be obliged to provide the necessary information, demonstrate processes and provide the evidence required to carry out an inspection. The Contractor shall be entitled to refuse inspections by third parties if they are in a competitive relationship with the Contractor or if there are similarly important reasons.

(4) Inspections at the Contractor's premises must be carried out during normal office hours without any avoidable disruption to the Contractor's business operations. Unless otherwise indicated for urgent reasons to be documented by the Client, inspections shall take place after reasonable advance notice and during the Contractor's business hours, and not more frequently than every 24 months. Insofar as the Contractor provides evidence of the correct implementation of the agreed data protection obligations as provided for in Section 5 (5) of this contract, any checks shall be limited to random samples.

(5) The Client is entitled to pass on copies of this contract to certain contractual partners and authorities in order to provide proof of compliance with legal and/or contractual obligations, in particular Art. 28 para. 3 GDPR. Before forwarding, the Client shall remove any confidential business information from the copy by blacking it out.

Subcontracting relationships

(1) Subcontracting relationships within the meaning of this provision are those services that are directly related to the provision of the main service.

(2) Subcontractors may be commissioned by the Contractor on the basis of a general written authorization from the Client, which the Client hereby grants. The Contractor shall inform the Client of any intended change with regard to the involvement of new subcontractors or the replacement of existing subcontractors by others 30 days before this change takes place. The Client may object to the change without giving reasons, with the consequence that the change will not take place.

(3) If the commissioning of subcontractors is permitted in accordance with para. 2, the Contractor must ensure that the transfer of the Client's personal data to the subcontractor and the subcontractor's initial activities only take place after the Contractor has concluded a written subcontracting agreement with the subcontractor. The provisions agreed between the Client and the Contractor must also apply to the subcontractor. In particular, the Client must be entitled to carry out inspections of subcontractors or have them carried out by third parties at any time to the extent specified here. The Contractor is obliged to contractually regulate this right of the Client vis-à-vis the subcontractor.

(4) The responsibilities and obligations of the Contractor and the subcontractor must be clearly delineated.

(5) The Contractor shall carefully select the subcontractor, paying particular attention to the suitability of the technical and organizational measures taken by the subcontractor.

(6) The forwarding of data processed on behalf of the Client to the subcontractor is only permitted if the Contractor has documented that the subcontractor has completely fulfilled its obligations, see para. 3 sentence 2. The Contractor must submit the documentation to the Client upon request.

(7) If the subcontractor provides the agreed service outside the EU/EEA, the Contractor shall ensure the admissibility under data protection law by taking appropriate measures.

(8) The Contractor shall carry out an appropriate review of the subcontractor's compliance with its obligations regularly every 12 months, but at the latest every 24 months. The inspection and its results must be documented in such a meaningful way that they are comprehensible to a competent third party. The documentation shall be submitted to the Client upon request. The Contractor shall retain the documentation on the audits carried out at least until the end of the third calendar year after the end of the commissioned processing and shall submit it to the Client at any time upon request. This shall not affect the Client's own inspection rights.

(9) If the subcontractor does not comply with its data protection obligations, the Contractor shall be liable to the Client for this.

(10) The use of further subcontractors by the subcontractor is not permitted within the scope of this processing on behalf of the Client.

(11) Both parties agree that ancillary services, such as transportation and cleaning of the business premises and the use of telecommunications services or user services, are not commissioned processing within the meaning of this contract, but are the use of third-party specialist services by an independent controller. The Contractor's obligation to ensure compliance with data protection and data security in these cases remains unaffected.

(12) At present, the subcontractors specified in Annex 4 with name, address and order content are engaged in the processing of personal data to the extent specified therein and are hereby approved by the Client. The Contractor's other obligations to subcontractors set out herein shall remain unaffected.

Notification obligations

(1) The Contractor shall notify the Client immediately of any breaches of the protection of personal data processed on behalf of the Client. Reasonable suspicions must also be reported. The notification must be made to the data protection contact named in Annex 2 immediately after the Contractor becomes aware of the relevant event.

It must contain at least the following information:

a. a description of the nature of the personal data breach, including, where possible, the categories and approximate number of individuals affected, the categories affected and the approximate number of personal data records affected;

b. the name and contact details of the data protection officer or other contact point for further information

c. a description of the likely consequences of the personal data breach

d. a description of the measures taken or proposed to be taken by the Contractor to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.

(2) Significant disruptions in the execution of the order must also be reported immediately. In addition, notification is required of breaches of data protection provisions by the subcontractor or persons employed by the subcontractor pursuant to para. 1.

(3) The Contractor shall inform the Client immediately of any inspections or measures by supervisory authorities or other third parties, insofar as these relate to order processing.

(4) The Contractor assures to support the Client in its obligations under Art. 33 and 34 GDPR to the extent necessary.

Termination of the contract

(1) If personal data or copies thereof are still in the Contractor's control at the end of the contractual relationship, the Contractor shall, at the Client's discretion, either delete or destroy the data or hand it over to the Client. The Contractor may refrain from deleting or destroying the data if there are statutory retention obligations that oblige it to store the data. In this case, the Contractor must inform the Client immediately of the further storage, referring to the statutory retention obligation, and ensure that the further processing of the data concerned is limited to the purpose of complying with the statutory retention obligation.

(2) The Client must make the choice pursuant to para. 1 and inform the Contractor in text form. The destruction must be carried out in such a way that recovery is no longer possible with reasonable effort.

(3) The Contractor shall also be obliged to ensure the immediate destruction or return of subcontractors.

(4) The Contractor shall provide proof of proper destruction and submit it to the Client upon request.

(5) Documentation that serves as proof of proper data processing shall be retained by the Contractor at least until the end of the third calendar year after the end of the contract. The Contractor may hand them over to the Client for the Client's discharge.

(6) The Client shall indemnify the Contractor against any liability whatsoever - including towards third parties - in relation to the deleted or destroyed data, provided that the deletion or destruction of the personal data was carried out in accordance with the Client's request.

Remuneration

(1) The Contractor may demand reasonable remuneration for expenses incurred separately in the course of processing the order.

(2) Compensation shall be excluded in all cases if the additional expenditure is due to the fact that the Contractor has violated applicable law or the provisions of this contract.

Miscellaneous

(1) Both parties are obliged to treat as confidential all knowledge of business secrets and data security measures of the other party obtained within the scope of the contractual relationship, even after the termination of the contract. If there is any doubt as to whether information is subject to the confidentiality obligation, it shall be treated as confidential until written release by the other party.

(2) If the Client's property is jeopardized by third-party measures (such as seizure or confiscation), insolvency or composition proceedings or other events, the Contractor must inform the Client immediately.

(3) The written form and express reference to this agreement are required for collateral agreements to be effective.

(4) The defense of the right of retention within the meaning of § 273 BGB is excluded with regard to the data processed in the order and the associated data carriers.

(5) Should individual parts of this agreement be invalid, this shall not affect the validity of the remainder of the agreement.

Annex 1 - Information on data processing

1. Type, purpose, location and data subjects of data processing

a) Type and purpose of processing

The scope of processing is defined in the main contract.

Processing on behalf of the Client includes the following data processing:

Access to the Client's IT systems, in which personal data is also stored, so that it can be viewed as part of remote access when providing support services.

The processing therefore serves the following purposes:

Processing the Client's support requests.

b) Type of data

The following types of personal data are processed:

• Names
• Contact details
• Account data
• Transaction data
• Bank details

c) Place of processing

The Contractor provides the agreed service at a place of performance within the EU or the EEA.

2. Categories of data subjects

• Employees of the Client
• Customers of the Client
• Service providers of the Client

Annex 2 - Contact details

1. The contact persons responsible for data protection

The contact details of the contact person for data protection at the Contractor, if there is no data protection officer:

• First and last name: Nadine Ebmeyer
• E-mail address: nadine.ebmeyer@banqr.io

The Client must be informed immediately of any changes to the name or contact details.

2. Acceptance of instructions

Authorized persons at the Contractor:

Nadine Ebmeyer (see section 1).

Annex 3 - Overview of technical and organizational measures pursuant to Art. 32 GDPR

Pursuant to Art. 32 GDPR, data controllers are obliged to take technical and organizational measures to ensure the security of the processing of personal data. Measures must be selected in such a way that they ensure an adequate level of protection overall. Against this background, this overview explains which specific measures have been taken by the Contractor with regard to the processing of personal data in the specific case. This overview is intended to provide evidence of compliance with data protection regulations by Contractors.

1. Pseudonymization of data (Art. 32 para. 1 lit. a GDPR)

Contractor shall ensure that - insofar as the technical processes permit - essential identifying features of personal data are replaced by a key that can be used to re-establish a personal reference if necessary (pseudonymization).

Use of tokenization technologies to replace sensitive data with non-traceable placeholders.

2. Encryption of personal data (Art. 32 para. 1 lit. a GDPR)

Contractor ensures that personal data is only stored securely by using appropriate encryption.

• AES-256 encryption protects stored personal data.
• Strict access restrictions to encryption keys.

3. Confidentiality of data processing (Art. 32 para. 1 lit. b GDPR)

a) Access control

Contractor takes measures to prevent unauthorized persons from gaining access (to be understood spatially) to data processing systems with which personal data is processed.

• The server infrastructure is located in Microsoft data centers with ISO 27001-certified security architecture.
• Physical access is only permitted to authorized persons in Microsoft's data centers.

b) Access control

Contractor takes measures to prevent data processing equipment from being used by unauthorized persons.

• Strict authentication procedures:
  • Two-factor authentication (2FA) for all administrative access.
  • Use of OAuth2 and mTLS for authentication and access restriction.
• Password and access security policies:
  • Complex password requirements and regular password changes.
  • Blocking of accounts after multiple failed attempts.

c) Access control

Contractor ensures that users authorized to use IT infrastructure can only access content for which they are authorized and that personal data cannot be copied, modified or deleted without authorization during processing and after storage.

• Role and authorization-based access controls (RBAC):
  • Access to personal data is regulated according to the need-to-know principle.
  • Employees only receive the minimum necessary authorizations for their tasks.
  • Regular review and adjustment of authorizations.
• Write and delete protection:
  • Critical data is protected against unauthorized changes or deletions.
  • Versioning and backup systems enable recovery in the event of unauthorized changes.
• Separation of identification and verification data to prevent unauthorized access or misuse.

d) Transfer control

Contractor prevents personal data from being read, copied, modified or deleted without authorization during electronic transmission or during transport or storage on data carriers, and that it can be determined at which points such data is intended to be transmitted in the IT system.

• All data transmissions are made via encrypted connections (TLS 1.2/1.3).
• Signed and authenticated communication protocols to ensure data integrity and proof of origin.

4. Integrity of data processing (Art. 32 para. 1 lit. b GDPR)

a) Input control

Contractor ensures that it is possible to subsequently check whether and by whom personal data has been entered, changed or deleted.

• Logging of all data processing operations:
  • Every entry, change and deletion of personal data is logged.
  • Logs contain the time stamp, user ID and action performed.
• Audit and monitoring systems:
  • Real-time monitoring of all relevant activities in the IT system.
  • Access logs and change histories for personal data.
• Audit-proof storage of logs:
  • Logs are encrypted and stored in a tamper-proof manner.
  • Access to logs is only permitted to authorized persons.

b) Order control

Contractor ensures that personal data processed on behalf of the Client is processed in accordance with the Client's instructions.

• Contractual obligation:
  • Personal data is processed exclusively on the basis of the main contract and the Client's instructions.
  • The Contractor is contractually obliged to comply with these instructions.
• Instruction management:
  • The Client may issue written or electronic instructions for data processing.
  • The Contractor checks instructions for legality and technical feasibility and informs the Client in the event of ambiguities or problems.
• Technical and organizational measures (TOMs):
  • Authorization concepts and access restrictions prevent unauthorized processing.
  • Use of control mechanisms (e.g. monitoring, logging) to ensure that only authorized data processing takes place.
• Logging and traceability:
  • All relevant processing is logged so that it can be verified that it has been carried out in accordance with instructions.
  • Logs contain the date, time, person/system carrying out the processing and type of processing.
• Regular training and sensitization of employees:

All employees entrusted with data processing are regularly trained on GDPR requirements and specific instructions from the Client.

c) Purpose limitation and separation requirement

Contractor ensures that personal data collected for different purposes is only ever used within the scope of the respective purpose limitation and can be processed separately.

• Strict purpose limitation of data processing:
  • Personal data is only ever processed for the specified purpose, e.g. contract fulfillment or marketing.
  • No improper use or further processing of the data by the Contractor.
• Technical separation of databases:
  • Logical and physical separation of data from different Clients within the Microsoft Azure Cloud (Microsoft Azure AD Tenant Isolation).
  • Client-specific databases to ensure that Client data is not mixed.
• Access and authorization concepts:
  • Role-based access controls (RBAC) ensure that employees only have access to data that is required for their specific processing purpose.
  • Strict logging of all access and processing in order to ensure that data is processed for the intended purpose.
• Organizational measures:
  • Training of employees to comply with the separation requirement and purpose limitation.
  • Regular review of processing operations to ensure compliance with the purpose of use.

5. Availability of personal data (Art. 32 para. 1 lit. b GDPR)

Contractor ensures that personal data is protected against accidental destruction or loss.

• Automatic daily backups of all relevant data.
• Versioned storage in order to be able to restore previous data statuses
• Georedundant storage in multiple ISO 27001-certified data centers within the Microsoft Azure cloud

6. Resilience of systems and services (Art. 32 para. 1 lit. b GDPR)

Contractor ensures that its systems and services are designed to enable adequate data processing.

• Cloud-native architecture with scalable resources
• Regular load tests and security checks

7. Recovery of data (Art. 32 para. 1 lit. c GDPR)

Contractor ensures that the lost data can be recovered in the event of data loss.

• Defined processes for data recovery within a short time.
• Regular testing of recovery mechanisms to ensure functionality.
• Monitoring and alerting systems to detect data loss at an early stage and initiate countermeasures.

8. Review, assessment and evaluation (Art. 32 para. 1 lit. d GDPR)

a) Review of the measures

The measures taken must be reviewed regularly to determine whether they need to be adapted.

• Regular security and data protection audits:
  • Internal and external audits of the implemented protective measures.
  • Review of the effectiveness of data security measures by IT and data protection experts
• Risk assessment and vulnerability analysis:
  • Regular risk analyses to identify potential threats and vulnerabilities.
  • Creation and implementation of action plans to minimize identified risks.
• Adaptation to legal and technological developments:
  • Monitoring new legal requirements (e.g. GDPR updates, regulatory changes).
  • Integration of new security standards and technologies to continuously improve the level of protection
• Logging and documentation:
  • All checks and adjustments are documented in order to be able to prove compliance with the GDPR.
  • Employee training on new security and data protection requirements.

b) Assessment and evaluation of the measures

The result of the review (see above) must be assessed; in addition to the existing measures, any adjustments must be evaluated and implemented.

• Evaluation of the review results:
  • Analysis of the results from security audits, risk analyses and data protection audits.
  • Identification of weaknesses or potential for improvement in existing security measures.
• Prioritization and implementation of measures:
  • Creation of an action plan with priorities based on the risk to personal data.
  • Implementation of necessary security improvements, taking into account the current state of the art.
• Ongoing adaptation to legal and technological developments:
  • Consideration of new GDPR requirements and regulatory requirements.
  • Integration of new IT security standards and best practices to continuously improve the level of protection
• Monitoring and checking the adjustments:
  • Once the measures have been implemented, a new review is carried out to ensure their effectiveness.
  • Documentation of all adjustments in order to be able to prove compliance with the GDPR and internal security guidelines

9. Instruction of subordinate employees (Art. 32 para. 4 GDPR)

Contractors must ensure that all employees involved in data processing are informed about the existing obligations and the measures to be complied with (instruction).

• Regular training and awareness-raising:
  • Compulsory training for all employees who have access to personal data.
  • Training for new employees before they access personal data for the first time.
  • Refresher training at regular intervals to take account of new legal or technical requirements.
• Commitment to confidentiality:
  • All relevant employees must sign a written commitment to maintain data confidentiality in accordance with Art. 28 GDPR.
  • Documented confirmation of knowledge of and compliance with the internal data protection guidelines.

Annex 4 - Consent to the commissioning of subcontractors

The Client consents to the commissioning of the following subcontractors by the Contractor: