Annex to the Terms and Conditions

Data Processing Agreement pursuant to Art. 28 GDPR

Art. 28 GDPR sets out specific requirements for data processing on behalf of a controller. In order to comply with these requirements, the contracting parties conclude this Data Processing Agreement in addition to the General Terms and Conditions. This agreement applies to all activities related to the main contract under which employees of the processor or persons engaged by the processor process personal data (hereinafter “Data”) of the controller. The definitions of the GDPR apply.


Subject Matter of the Contract and Right to Issue Instructions

The subject matter of this contract comprises services provided by the processor to the controller. Reference is also made to Annex 1 to this agreement and the General Terms and Conditions. In the event of changes to the commissioned services, this Data Processing Agreement shall be amended and supplemented accordingly in Annex 1.

The controller, as the responsible entity, is solely responsible for assessing the permissibility of data processing under the GDPR.

In the performance of the services, the processor gains access to personal data and processes such data exclusively on behalf of and in accordance with the instructions of the controller, unless the processor is required by Union or Member State law to which it is subject to process the data otherwise.

The controller’s instructions are defined by this agreement and may be amended, supplemented, or replaced by individual instructions issued at least in a documented electronic format (“Individual Instruction”). If the processor is required by European Union or Member State law to carry out further processing, it shall inform the controller of such legal requirements prior to processing (Art. 28(3)(a) GDPR).

If the processor believes that an instruction of the controller violates data protection law, it shall inform the controller without undue delay. The processor is entitled to suspend the execution of the relevant instruction until it has been confirmed or amended by the controller. The processor may refuse to carry out an instruction that is manifestly unlawful without suffering any negative consequences. The controller is responsible for issuing lawful instructions (Art. 28(3) sentence 3 GDPR).

The term of this agreement corresponds to the term of the main contract, unless the following provisions provide for obligations or termination rights extending beyond this term.


Technical and Organizational Measures

The processor shall comply with the statutory data protection provisions. Disclosure or transfer of the controller’s information to third parties shall not take place without an explicit instruction from the controller. Documents and data shall be protected against access by unauthorized persons, taking into account the state of the art.

Within its area of responsibility, the processor shall organize its internal operations in such a way that they meet the specific requirements of data protection and shall ensure that all necessary technical and organizational measures pursuant to Art. 32 GDPR have been implemented to protect the controller’s data. Reference is made to Annex 2.

The controller shall verify the processor’s technical and organizational measures prior to the commencement of data processing and thereafter on a regular basis. Changes to the agreed security measures may be made provided that they do not fall below the agreed level of protection.


Confidentiality

The processor and its employees are prohibited from processing personal data without authorization. The processor undertakes to bind all persons entrusted with the processing and performance of this agreement to confidentiality.

The confidentiality obligations shall continue to apply after termination of this agreement or the employment relationship between the employee and the processor.


Information Obligations of the Processor

In the event of disruptions, suspected data protection breaches or breaches of contractual obligations by the processor, suspected security incidents, or other irregularities in the processing of personal data, the processor shall inform the controller without undue delay in written form or documented electronic format.

The same applies to audits of the processor by a data protection supervisory authority, insofar as they relate to this agreement.

Content of Data Breach Notifications

Where possible, the notification shall include:

  • a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and personal data records concerned;
  • a description of the likely consequences of the breach; and
  • a description of the measures taken or proposed by the processor to remedy the breach and mitigate possible adverse effects.

The processor shall immediately take the necessary measures to secure the data and mitigate possible adverse effects, inform the controller, and request further instructions.

If the controller’s data are endangered at the processor by seizure, confiscation, insolvency or composition proceedings, or other actions by third parties, the processor shall inform the controller without undue delay, unless prohibited by a judicial or official order. In this context, the processor shall immediately inform the relevant authorities that control over the data lies exclusively with the controller as the “controller” within the meaning of the GDPR.

The processor shall assist the controller, where possible, with appropriate technical and organizational measures in fulfilling the controller’s obligations pursuant to Art. 12–22 GDPR (Art. 28(3)(e) GDPR) and Art. 32–36 GDPR (Art. 28(3)(f) GDPR).


Audit and Inspection Rights of the Controller

The processor undertakes to provide the controller, upon oral, written, or electronic request and within a reasonable period of time, with all information and evidence necessary to verify compliance with the agreed technical and organizational measures.

Inspections by the controller or auditors appointed by the controller, who must not be in a competitive relationship with the processor, may be carried out during normal business hours with a notice period of 14 days. Inspections shall be limited to what is necessary and shall only disrupt the processor’s operations to a proportionate extent. The processor may charge a fee for supporting an inspection; such fee shall be agreed separately.


Engagement of Sub-Processors

The contractually agreed services, or the partial services described in Annex 3, shall be performed with the involvement of the sub-processors listed in Annex 3. All additional processors already engaged and approved by the controller at the time of contract conclusion are also listed in Annex 3.

The controller grants general authorization for the engagement of additional processors in connection with the processing of the controller’s data. The processor shall inform the controller of the engagement or replacement of additional processors in text form. The controller shall be informed at least 14 days in advance of any intended changes to this list, thereby allowing sufficient time to object before the engagement of the relevant sub-processor (right to object pursuant to Art. 28(2) sentence 2 GDPR). The right to object expires if no objection is raised in writing within 14 days of receipt of the notification. In the event of an objection, both parties have the right to terminate the main contract and this Data Processing Agreement with a notice period of three months.

A sub-processor relationship does not exist where the processor engages third parties for services that are to be regarded as purely ancillary. These include, for example, postal, transport and shipping services, cleaning services, telecommunications services without specific reference to the services provided to the controller, and security services. Maintenance and inspection services constitute sub-processor relationships requiring consent insofar as they are performed for IT systems used in connection with the provision of services for the controller.


Liability

The controller and the processor shall be liable to data subjects in accordance with Art. 82 GDPR.


Termination of the Main Contract

Upon termination of the main contract or at any time upon request by the controller, the processor shall return all documents, data, and data carriers provided to it or, at the controller’s request and unless there is a statutory obligation to retain the personal data, delete them. This also applies to any backups held by the processor. The processor shall provide documented proof of the proper deletion of any remaining data.

The processor is obliged to treat all data that became known to it in connection with the main contract confidentially even after termination of the main contract. This agreement shall remain valid beyond the termination of the main contract for as long as the processor retains personal data that were transmitted by the controller or collected on its behalf.


Final Provisions

  • The parties agree that the processor may not assert a right of retention with respect to the data or the associated data carriers.
  • Amendments and supplements to this agreement must be made in writing or in a documented electronic format.
  • Should individual provisions of this agreement be wholly or partially invalid or unenforceable, the validity of the remaining provisions shall remain unaffected, and the statutory provisions of Art. 28 GDPR shall apply.
  • This agreement is governed by Austrian law.

Annexes

Annex 1 – Description of Data Subjects and Categories of Data

Subject Matter of the Processing

LeadMetrics is a system for integrating and managing data from various advertising platforms and lead generation sources. It is used to collect, analyze, and present all relevant KPIs (Key Performance Indicators) of advertising campaigns and funnel providers in a user-friendly dashboard. LeadMetrics enables the connection of advertising accounts, including Meta, LinkedIn, Google, and TikTok, as well as funnel platforms via webhooks, and additionally allows the viewing of specific lead information.

Nature and Purpose of the Processing

The processing includes the collection, storage, analysis, visualization, and reporting of data. The processed data include, among others, advertising campaign KPIs and lead information such as first name, last name, email address, telephone number, postal code, and answers to specific questions asked during lead generation. Data are processed automatically and in real time to ensure continuous updating of relevant KPIs. In addition, automated reports are generated and alerts are triggered for certain events (e.g., lead or budget thresholds). The purpose of the processing is to provide LeadMetrics users with a centralized and clear platform to monitor and analyze all essential KPIs of their advertising campaigns and lead sources in real time, enabling informed decisions to optimize marketing measures. The processing also serves to increase efficiency through automated reporting and alerts, as well as detailed insight into and management of leads for targeted communication and follow-up.

Categories of Personal Data

The categories of personal data processed depend on the specific use of LeadMetrics by the controller. In particular, the following data are processed:

  • Contact data: first name, last name, email address, telephone number, postal code
  • Lead-specific information: answers to specific questions asked during lead generation
  • Usage data: information on the use of advertising platforms and interactions with campaigns (e.g., clicks, conversions)
  • Technical data: IP address, device data, browser type, access times, and other technically relevant information for campaign optimization

Categories of Data Subjects

  • Employees of the controller
  • Customers of the controller
  • Leads of the controller

Annex 2 – Technical and Organizational Measures of the Processor

The following measures to ensure confidentiality, integrity, availability, and resilience, as well as procedures for regular review, assessment, and evaluation, have been implemented.

Confidentiality

Physical access control to data processing facilities
Measures to prevent unauthorized access to data processing facilities:

  • Access rights for online folders
  • Office locking
  • Personal on-site meetings only by appointment

Microsoft Azure
Certifications such as ISO 27001:
https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-iso-27001

System access control
Measures to prevent unauthorized use of data processing systems:

  • Two-factor authentication where possible
  • Login via username and password
  • Password complexity rules
  • Automatic screen locking
  • Encryption of smartphones, laptops, and tablets
  • User authorization based on the need-to-know principle
  • Careful selection of service providers
  • Clean desk policy

Further technical and organizational measures of Microsoft Azure:
https://learn.microsoft.com/de-de/azure/security/fundamentals/technical-capabilities

Data access control
Measures ensuring that only authorized persons can access data:

  • Access logging (e.g., logging of input, modification, and deletion)
  • Authorization concepts, including access to backups
  • Rights management by system administrators, limited to the necessary minimum

Pseudonymization / Anonymization

  • Deletion or full anonymization of personal data after expiry of statutory retention periods

Separation control

  • Logical tenant separation at software level
  • Logical separation (folder structures, structured file storage)
  • Separation of development, test, and production environments
  • Multi-tenancy capability
  • Database access rights

Integrity

Disclosure control

  • No transmission of sensitive data by email
  • Prohibition of certain transfer media (e.g., USB sticks, CDs, tapes)
  • Data transfer only in anonymized or pseudonymized form
  • Transfer strictly based on the need-to-know principle
  • Transport encryption of the website via HTTPS (TLS)
  • Careful selection of service providers

Input control

  • Machine-based logging of changes
  • Differentiated user rights (read, modify, delete)
  • Individual user accounts
  • Logging of administrative activities

Order control

  • Processing of controller data exclusively in accordance with instructions
  • Conclusion of a Data Processing Agreement
  • Engagement of sub-processors only in accordance with contractual provisions

Availability and Resilience

  • Use of redundant systems
  • Implemented backup concept

Regular Review, Assessment, and Evaluation

  • Continuous review of TOMs
  • Maintenance of records of processing activities
  • Employee training
  • Documented GDPR compliance processes (e.g., responding to data subject requests, reporting breaches to supervisory authorities)
  • Careful selection of service providers
  • Implementation of the purpose limitation principle

Annex 3 – Approved Sub-Processors

Approved sub-processors pursuant to the section “Engagement of Sub-Processors” of this agreement:

  • Company: Microsoft Ireland Operations Limited, South County Business Park, One Microsoft Place, Carmanhall and Leopardstown, Dublin, D18 P521, Ireland
    Processing activity: Provision of hosting services via Microsoft Azure
    Processing location: Germany West Central (Frankfurt)

  • Company: MailerSend, Inc., 651 N Broad St, Suite 206, Middletown, DE 19709, USA
    Processing activity: Email delivery services
    Processing location: USA

A Data Processing Agreement has been concluded with Microsoft. Data transfers to the USA take place on the basis of the EU–US Data Privacy Framework.