§ 1 General

1. These Terms of Use shall apply to the provision of the cloud/mobile-based interaction, data acquisition, data analysis, data augmentation, visualization and feedback services provided by movisens through the movisens TherapyDesigner platform for MDR applications and the movisens InteractionDesigner platform for non-MDR application, including the use of the corresponding web portal(s), mobile app(s) and the backend API, enabling Customer to perform mobile research studies (hereinafter referred to as "Services"). Customers of the Services are exclusively companies and legal entities under public law.
2. The scope of the Services and the amount of fees shall be determined by the specific individual agreement (hereinafter referred to as “Subscription”). In the event of any conflict, the customer-specific provisions in the Subscription or in any other customer-specific documents shall take precedence over these Terms of Use; the Terms of Use shall take precedence over the General Terms and Conditions of movisens which shall apply as a supplement.
3. These Terms of Use in their respective current version shall also apply to all future Subscriptions between movisens and the Customer relating to the provision of the Services even if this is not expressly referred to again.
4. Terms and conditions of the Customer that conflict with, deviate from or supplement these Terms of Use or the General Terms and Conditions of movisens shall not become part of the Subscription, even if movisens does not expressly object to such terms and conditions.

§ 2 Scope of Services

1. The Services are made available by movisens to the Customer during the term of the Subscription and within the scope of the agreed availability according to § 4 below. The scope of the Services is described in detail on the movisens website valid at the time of conclusion of the Subscription. The conformity of the Services and its components with international and national compliance laws, in particular with the Medical Device Regulation, is only part of the agreed quality of the Services if and to the extent that this has been expressly agreed with the parties
2. During the term of the Subscription, movisens shall provide Customer with access to the web portal via the Internet and with storage capacity on a virtual data server at an external data center for storing data of the participants of its research studies. Data collection and interaction with the participants takes place via the mobile app. The Services include the possibility for the Customer to configure customer-specific studies and applications. Support services to assist the design, development and/or configuration of customer-specific studies and applications are not part of the Services and must be ordered separately by the Customer.
3. movisens is entitled to have the contractually agreed Services provided in whole or in part by third parties as subcontractors, whereby movisens always remains directly obligated to the Customer.
4. During the term of the Subscription movisens makes available to the Customer a service desk to answer questions on the application and use of the Services and to report problems and faults. The purpose of the support shall be to assist the Customer with technical problems in connection with the use of the Services which the Customer cannot solve itself. In particular, the support does not include the provision of professional, organizational or expert advice to the Customer. Such expert consulting services have to be ordered and paid separately by the Customer as additional service.
5. movisens regularly adapts the range of functions of the Services at its own discretion to further technological development and changed market requirements or changed system functionalities of the mobile OS manufacturers to fulfil the agreed purposes of use in the best possible way. This may involve amendments to functionalities and adaptations to new technologies. Such amendments shall only be made if they are reasonable for the Customer and the achievement of the purpose of the Subscription is not jeopardized thereby. movisens will inform the Customer of such changes in advance.
6. At its sole discretion movisens may offer and provide to the Customer additional services and development, e.g., configuration of customer-specific studies and applications, development of custom item formats, adaptions of the web portal or the mobile application, etc. The Customer will be granted a non-exclusive right to use any customer-specific modifications and/ or extensions of the Services. movisens may at its sole discretion integrate such customer-specific modifications and/ or extensions of the Services in its standard products and may make them available to other customers, e.g., in connection with a generally available update of the Services.

§ 3 Right to Use the Services

1. The Customer acknowledges that movisens owns all right, title and interest in and to the Services and the underlying software, including without limitation all intellectual property rights. The Customer shall only have the non-exclusive right to use the Services and the underlying software as set forth in the Subscription and these Terms of Use. The Customer will not copy, reproduce, distribute, make available, alter, modify, or create derivative works from the Services and the software.
2. Insofar as Customer’s intellectual property is used for the configuration of the Services, the Customer remains the sole owner of its intellectual property and grants movisens all necessary non-exclusive rights to use such intellectual property for the sole purpose of fulfilling the contractual obligations. The Customer warrants that it has the necessary rights and that the use of its intellectual property by movisens does not infringe any third-party rights. The Customer shall indemnify and hold harmless movisens at first request from any and all third-party claims resulting from the use of the intellectual property provided by the Customer to movisens.
3. For the term of the Subscription movisens grants to the Customer a non-exclusive, non-transferable and non-sublicensable right to use the Services for its own research or other agreed purposes and with the agreed number of users/participants. In the event that the license parameters as defined in the offer (e.g. number of participant days) is exceeded, the Customer shall be obliged to purchase additional licenses. The Customer is not entitled to use the Services for purposes other than the intended use determined by the description on the movisens website.
4. The Customer undertakes to use the Services and the underlying software exclusively in accordance with the Subscription, these Terms of Use and the agreed license scope and neither to pass it on to third parties nor to make it accessible to third parties in any other way. The Customer shall not be entitled to reverse engineer, decompile or reproduce all or any part of the underlying software. Statutory rights of the Customer to use the Services and the underlying software resulting from mandatory copyright law shall remain unaffected by these provisions.
5. movisens is entitled to check at any time and by means of appropriate technical and organizational measures if the Customer uses the Services and the underlying software in compliance with the terms of the Subscriptions and these Terms of Use.

§ 4 Availability of the Services

1. movisens warrants an availability of the Services (including access to the web portal and the Customer studies and data) at the transfer point of 99% on a calendar year average. An eligible downtime within the meaning of this availability clause shall be assumed if the Services are not available to the Customer due to circumstances for which movisens is responsible. Downtimes not attributable to movisens shall accordingly be deemed available times. Downtime attributable to movisens shall in particular not be assumed if the Services (i) are not available only for individual users or participants or (ii) are not available to the Customer due to
   1. incorrect operation or use contrary to the terms of the Subscription by the Customer and its users,
   2. planned and announced maintenance work,
   3. operational faults or other technical problems outside the sphere of influence of movisens (e.g. power failures or failures of the internet connection),
   4. cyberattacks, if and insofar as movisens or its subcontractor has taken protective measures in accordance with the state-of-the-art to prevent such attacks, or
   5. force majeure events.
2. If possible, movisens will carry out planned maintenance work at times of low data traffic (e.g. in the evenings or at weekends) and movisens will notify the Customers with a reasonable advance notice period of at least three (3) working days; in urgent cases (e.g. installation of an important security patch) this deadline may be shorter. The total duration of planned maintenance work shall not exceed ten (10) hours per month.
3. movisens may temporarily restrict access to the Services for individual or all Customers, if and insofar the security of the Services, the maintenance of network or data integrity or the avoidance of serious faults or imminent loss of data so require. In the event of such a decision, movisens shall give due consideration to the legitimate interests of the Customer, inform the Customer without delay of the measures taken and do everything reasonable to lift the access restriction as quickly as possible.

§ 5 Customer Responsibility

1. The Customer is responsible for compliance with the current minimum technical requirements regarding its IT infrastructure and the mobile devices used as defined on the movisens website and for compliance with the agreed intended use. If not agreed otherwise, the Customer will provide the participants of its studies with the mobile devices or participants devices will be used, and applications necessary for the collection of participant's data. The Customer shall ensure that customary and state-of-the-art security measures (such as anti-virus program and firewall) are installed on its IT systems and devices and that these and any application software used are regularly updated. The Customer also undertakes to set up and maintain all necessary precautions for the regular protection of its systems and data.
2. The Customer is not permitted to pass on his personal login data for the Services to unauthorized third parties. Login data shall be stored in a safe place to prevent third party access. The Customer shall inform movisens promptly if there is reason to suspect that unauthorized third parties may have become aware of this information. Customer is responsible for all unauthorized activities that occur under its account due to a non-compliance of the Customer with the provisions in this subsection. The Customer will keep its contact information up to date and make sure it can receive emails from movisens on the provided email address.
3. Within the scope of its duty to minimize damage the Customer shall take reasonable precautions for the event of a data loss (e.g., by regular data backups). Customer shall be responsible for the proper archiving and backup of its data by making regular backup copies at such intervals that are appropriate based on the risk involved.
4. The Customer agrees that it will use the Services in compliance with all applicable local, state, national, and international laws, rules and regulations. Customer shall not, shall not agree to, and shall not authorize or encourage any third party to:
   1. use the Services to upload, transmit or otherwise distribute any content that is unlawful, defamatory, harassing, abusive, fraudulent, obscene or contains viruses or other malware;
   2. use or exploit the Services for any inappropriate purposes outside the scope of the agreement;
   3. use any robot, spider, other automated device, or manual process to monitor or copy any content from the Services.
5. The Customer shall report any malfunction of the Services to movisens in a comprehensible and detailed form, stating all information relevant for the root cause analysis. In particular, the steps that led to the occurrence of the fault, the mode of appearance and the effects of the fault must be stated.
6. The Customer is obliged to comply with applicable data protection laws. The Customer will ensure that the storage and processing of personal data by movisens on behalf of the Customer does not infringe on any third party rights, e.g. by seeking the express consent from the affected participants whose personal data is transferred to the web portal. In any case, the Customer will notify the participants that their personal data is being acquired and processed by movisens and subcontractors of movisens, if the case may be. Without limiting the foregoing, the Customer will take the necessary measures to avoid that participants of its studies might be identified by movisens or any third party, in particular, by pseudonomizing or anonymizing the data before initiating the transfer to the web portal.
7. The Customer shall inform its users of the aforementioned obligations and monitor their observance by the users. In the event of a breach by the Customer or its users of legal regulations or its contractual obligations, in particular those set forth in this § 5, as well as in the event of justified suspicion of illegal or improper use of the Services, movisens shall be entitled to temporarily block the Customer's access to the Services. movisens will inform the Customer of the blocking as far as possible before, but at the latest immediately after the blocking, stating the relevant reasons for this, insofar as this is legally permissible.
8. The Customer shall indemnify and hold movisens harmless from and against all damages, costs and other claims of third parties based on an alleged or actual unlawful use of the Services by the Customer. The Customer shall defend movisens against any such claim and shall pay all litigation costs, reasonable attorney´s fees, settlement payments and any judgments for damages incurred by movisens as result of any such claim. This shall not apply to the extent that Customer is not liable for the violation of the third party rights. Any other claims of movisens remain unaffected.

§ 6 Fees and Payment Conditions

1. The amount of the fees as well as the terms of payment are set forth in the Subscription and depend on different aspects of the application of the Services by the Customer, e.g., the complexity of the interactions (e.g. test output, questionnaires, user input, audio and video output, visualizations, gamification) and data acquisition and processing realized with the specific instance (concrete runnable application for a study/project) of the Service, the agreed term of the Services, the number of participants, etc. If not agreed otherwise, the fees shall be invoiced to the Customer for the entire term of the Subscription in advance. The fees are neither refundable nor transferable to another account or project.
2. If not agreed otherwise, additional services shall be invoiced to the Customer on a time and material basis at the beginning of the month following the provision of such additional services applying the then current hourly rates of movisens.
3. Invoices shall be sent to the Customer by movisens electronically by e-mail. If applicable, the statutory value added tax shall be added to all fees. Payments shall be made by the Customer within fourteen (14) calendar days from the invoice date with no deductions. The Customer shall pay, in addition to all other amounts payable under the Subscription, all fees incurring due to payment initiated through a payment service provider (e.g. PayPal) as well as all state, federal, sales or other taxes, however designated, which are levied or imposed by reason of the provision or use of the Services provided by movisens, except for taxes imposed by German tax authorities on movisens income.
4. If the Customer is in default with the payment of an invoice for more than thirty (30) days, movisens has the right to deactivate Customer's access to the Services and the web portal (in whole or in part) after a reminder in which it threatens to block access until all outstanding and due claims have been settled. Any other rights of movisens based on the default in payment remain unaffected.

§ 7 Claims due to Defects

1. During the term of the Subscription, movisens warrants that the Services comply with the service description on the movisens website and, subject to the conditions of § 8, are free of third-party property rights that prevent or restrict the contractual use of the Services.
2. Functional impairments of the Services resulting from the hardware or software environment of the Customer, faulty data, improper use or from other circumstances originating from the area of responsibility of the Customer do not constitute a defect. The liability for defects presupposes that (i) the Customer complies in all respects with the minimum system requirements and conditions of use, and (ii) the Customer does not modify the Services or use them contrary to the contractual specifications (e.g. for purposes other than those agreed) unless the Customer proves that the defect is independent of these circumstances. The Customer agrees to be solely responsible for the results of any studies obtained by the use of the Services.
3. Duly notified defects of the Services shall be remedied by movisens during the term of the Subscription within a reasonable period of time. The obligation to maintain and repair does not include, in particular, the adaptation of the Services to changed systems, assets or devices at the Customer.
4. If the correction of a material defect finally fails and if this constitutes an important reason for the Customer, the Customer may terminate (Kündigung) the Subscription for good cause without observing a notice period. The Customer shall not be entitled to withdraw (Rücktritt) from the Subscription. movisens shall only pay compensation for damages and futile expenses within the limits set out in § 9 of these Terms of Use.

§ 8 Infringements of IP Rights

1. During the term of the Subscription movisens warrants that the Services do not infringe any intellectual property rights of third parties that exclude or restrict the use of the Services for the agreed purposes.
2. If third parties enforce claims against the Customer due to the infringement of their intellectual property rights caused by the Services, the Customer shall inform movisens immediately. The Customer authorizes movisens to conduct the dispute with the third party on its own. Whether movisens uses this authorization is at movisens’ free discretion. The Customer will not acknowledge the claims of the third party without the consent of movisens and shall also refrain from doing anything else that could hinder the defense of the claims.
3. If the Services have a defect of title during the term of the Subscription, movisens shall provide the Customer with a lawful way to use the Services. To rectify the defect in title, movisens may alternatively at its choice modify or replace the Services. If an infringement of third party intellectual property rights and/or a legal dispute concerning the third party claims can be settled or avoided by the Customer using a more up-to-date version of the Services provided by movisens free of charge, the Customer shall be obliged to use this up-to-date version as part of its obligation to minimize damages, unless the Customer proves that the use of the more up-to-date version is unreasonable for it.
4. movisens will indemnify the Customer within the liability limits set forth in § 9 of these Terms of Use from all costs and damages arising from the infringement of intellectual property rights, insofar as these are based on a defect of title for which movisens is responsible. In particular, movisens shall not be liable for infringements of intellectual property rights which occur due to the use of the Services not authorized and intended by movisens or due to the fact that they have been modified by the Customer.
5. In all other respects, the provisions for material defects in § 8 of these Terms of Use shall apply accordingly to the Customer's claims based on defects of title.

§ 9 General Liability

1. If movisens provides the Customer with the Services free of charge, e.g. during a free trial period, movisens shall only be liable in this respect for intentional and grossly negligent breaches of duty.
2. movisens shall only be liable for defects of the Services already existing at the time of conclusion of the Subscription, if movisens is responsible for such defects.
3. In all other respects, movisens will pay compensation for damages and for futile expenses, regardless of the legal reason, only to the following extent:
   1. in the event of intent and gross negligence and insofar as movisens has expressly assumed a guarantee (Garantie) in the full amount;
   2. in all other cases only in the event of a breach of a material contractual obligation, without which the achievement of the purpose of the Subscription would be jeopardized and on the fulfilment of which the Customer may therefore rely, and in these cases restricted to compensation for typical and foreseeable damages.
4. movisens shall be liable for the restoration of data within the limits set forth in § 9 para. 3 only to the extent that the Customer has ensured that the data can be reproduced at any time with reasonable effort.
5. Liability for damages resulting from the loss of life, physical injury or injury to health as well as liability according to the German Product Liability Act (ProdhaftG) shall not be affected by the above-mentioned provisions.
6. The above-mentioned liability restrictions shall also apply to the legal representatives, agents and employees of movisens.

§ 10 Confidentiality, Data Protection

1. The contracting parties shall be obliged to maintain confidentiality regarding all business and trade secrets of the other contracting party entrusted to them, made accessible to them or which become known to them in another way, as well as about other business relationships and operational facts. Confidential information is in particular all internal information on the Services (e.g. algorithms, interfaces, source code of proprietary software, internal components of the documentation).
2. The receiving party is obliged to use such confidential information only for the contractually intended purpose and not to disclose it to third parties. The receiving party shall grant access to the confidential information only to those of its employees and subcontractors who need to know it in order to fulfill the purposes of the Subscription.
3. The Customer is prohibited from obtaining confidential information by means of reverse engineering. Reverse engineering is understood to mean all actions, including observation, testing, examination and deconstruction, with the aim of obtaining confidential information. Any mandatory statutory provisions of copyright law remain unaffected.
4. The obligation to maintain confidentiality shall not apply to confidential information which was already known to the receiving party without the obligation to maintain confidentiality or is or becomes generally known without the receiving party being responsible or which is legally disclosed to the receiving party by a third party without an obligation to maintain confidentiality or was proven to have been independently developed by the receiving party.
5. Any additional statutory confidentiality obligations (e.g. with regard to business or trade secrets or with regard to personal data under the General Data Protection Regulation (GDPR)) remain unaffected.
6. As movisens processes personal data on behalf of the Customer, the contracting parties shall conclude the Data Processing Agreement (DPA) attached to these Terms of Use as an Annex which forms an integral part of these Terms of Use and the Subscription (cf. Annex below). According to the DPA movisens will process and use the personal data of the Customer and its users and participants solely for the purpose of fulfilling the Subscription and exclusively according to the instructions of the Customer.

§ 11 Term and Termination

1. The Subscription shall come into effect and shall have a binding term as set forth in the Subscription. If not agreed otherwise the right to terminate for convenience is excluded during the agreed term of the Subscription.
2. The right of both parties to terminate the Subscription for good cause remains unaffected by the above provisions. Good cause shall be deemed to exist for movisens, in particular, (i) if the Customer is more than two (2) months in default with the payment of the fees, (ii) if the Customer breaches material contractual obligations in any other way and does not cease or cure this breach within one (1) week even after being requested to do so by movisens or (iii) if legal or regulatory changes (e.g. referring to data protection laws) result in the impossibility or material aggravation to render the Services in a lawful manner. If movisens terminates the Subscription due to good cause for which the Customer is responsible, the Customer shall not be reimbursed for any prepaid subscription fees.
3. movisens may terminate the Subscription any time, including during the binding term, by giving three (3) months' advance notice if movisens decides in its sole discretion to finally cease the operation of its Services in its entirety. In this case Customer may request a refund proportionate to the remaining term of the Subscription.
4. Upon expiration or termination of the Subscription movisens is entitled to deactivate the account of the Customer and to delete the data stored by the Customer on the web portal. The Customer has to transfer the data on its own equipment outside the web portal. Upon expiration or termination of the Subscription, the Customer shall cease use of the Services including the web portal and the mobile application. The Customer shall immediately return or destroy any software provided by movisens as well as any other confidential information in its possession as directed by movisens and, if requested by movisens, confirm in writing the fulfilment of this obligation.
5. Any termination can be declared in writing or by e-mail.

§ 12 Final Provisions

1. The Customer may only assign or transfer contractual rights and obligations to third parties – including companies affiliated with the Customer – with the prior written consent of movisens.
2. Any amendments and additions to these Terms of Use or the Subscription must be made in writing or in text form in order to be effective (notifications by e-mail shall be sufficient). This requirement of written or text form may itself only be waived in writing by the parties.
3. These Terms of Use and the Subscription shall be governed by the laws of the Federal Republic of Germany, excluding the conflict of laws rules of private international law and excluding the UN Convention on Contracts for the International Sale of Goods. The exclusive place of jurisdiction for all disputes arising out of or in connection with the Subscription shall be the registered office of movisens. movisens shall be entitled to take legal action at any other national or international court of competent jurisdiction.
4. If individual clauses of these Terms of Use or of the Subscription are or become invalid, or if the contracts contain a loophole, the validity of the other clauses shall not be affected. The invalid or missing clause shall be replaced by a valid clause which comes as close as possible to the intended economic intentions of the contracting parties at the time of conclusion of the contract.

***

Annex I DPA

The contracting parties conclude the following Data Processing Agreement (DPA) pursuant to Art. 28 GDPR:

1. Subject of the Agreement

1. The Customer uses a cloud/mobile service based on TherapyDesigner/InteractionDesigner platform the Supplier provides.
2. This data processing agreement („DPA“) will be agreed upon between the Supplier and the Customer. Together the Customer and the Supplier will be called the „Parties“. This DPA complements the subscription the Terms of Services for TherapyDesigner/InteractionDesigner services of the Supplier (https://www.movisens.com/TherapyDesigner/tos, hereinafter referred to as „Subscription“).
3. In the course of rendering services it is necessary that the Supplier deals with personal data with regard to which the Customer acts as a controller in terms of data protection law (hereinafter referred to as ”Customer Data‟). This agreement specifies the data protection obligations and rights of the parties in connection with the Supplier´s use of Customer Data to render the services under the Subscription.

2. Scope of the commissioning

1. The Supplier shall process the Customer Data on behalf and in accordance with the instructions of the Customer within the meaning of Art. 28 GDPR (Processing on Behalf). The Customer remains the controller in terms of data protection law.
2. The processing of Customer Data by the Supplier occurs in the manner and the scope and for the purpose determined in Annex 1 to this agreement; the processing relates to the types of personal data and categories of data subjects specified therein. The duration of processing corresponds to the term of the Subscription.
3. The processing of Customer Data by the Supplier shall in principle take place inside the European Union or another contracting state of the European Economic Area (EEA). The Supplier is nevertheless permitted to process Customer Data in accordance with the provisions of this agreement outside the EEA if he informs the Customer in advance about the place of data processing and if the requirements of Art. 44 to 48 GDPR are fulfilled or if an exception according to Art. 49 GDPR applies.

3. Right of the Customer to issue instructions

1. The instruction is the definite handling of personal data regarding data safety (e.g. anonymizing, deleting, locking, releasing) of the Supplier with the directed order of the Customer.
2. The Supplier processes the Customer Data in accordance with the instructions of the Customer, unless the Supplier is legally required to do otherwise. In the latter case, the Supplier shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
3. The instructions of the Customer are in principle conclusively stipulated and documented in the provisions of this agreement. Individual instructions which deviate from the stipulations of this agreement or which impose additional requirements shall require the Supplier´s consent and shall be made in accordance with the change request procedure laid down in the Subscription, in which the instruction shall be documented and any additional costs incurred by the Supplier as a result thereof shall be borne by the Customer. Individual instructions which deviate from the stipulations of this agreement or which impose additional requirements shall be documented in text form; the contracting parties shall mutually agree on the assumption of the additional costs resulting from the implementation of the individual instruction.
4. The Supplier shall ensure that the Customer Data is processed in accordance with the instructions given by the Customer. If the Supplier is of the opinion that an instruction given by the Customer infringes this agreement or applicable data protection law, he is after correspondingly informing the Customer entitled to suspend the execution of the instruction until the Customer confirms the instruction.

4. Legal Responsibility of the Customer

1. The Customer is solely responsible for the permissibility of the processing of the Customer Data and for safeguarding the rights of data subjects in the relationship between the parties.
2. The Customer is responsible to provide the Supplier with the Customer Data in time for the rendering of services according to the Subscription and he is responsible for the quality of the Customer Data. The Customer shall inform the Supplier in a timely manner and completely if during the examination of the of the Supplier´s results he finds errors or irregularities with regard to data protection provisions or his instructions.

5. Requirements for personnel and systems

1. The Supplier shall commit all persons engaged in processing Customer Data to confidentiality with respect to the processing of Customer Data.

6. Security of processing

1. The Supplier takes according to Art. 32 GDPR necessary, appropriate technical and organisational measures, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the Customer Data, as well as the different likelihood and severity of the risk to the rights and freedoms of the data subjects, in order to ensure a level of protection of Customer Data appropriate to the risk. A list of these measures taken by the Supplier can be found under https://www.movisens.com/en/products/therapydesigner/data-processing/.
2. The Supplier shall have the right to modify technical and organisational measures during the term of the agreement, as long as they continue to comply with the statutory requirements.

7. Engagement of further processors

1. The Customer grants the Supplier the general authorization to engage further processors with regard to the processing of Customer Data. The currently used processors are listed under https://www.movisens.com/en/products/therapydesigner/data-processing/. In general, no authorization is required for contractual relationships with service providers that are concerned with the examination or maintenance of data processing procedures or systems by third parties or that involve other additional services, even if access to Customer Data cannot be excluded, as long as the Supplier takes reasonable steps to protect the confidentiality of the Customer Data.
2. The Supplier shall notify the Customer of any intended changes in relation to the consultation or replacement of further processors by sending a message to the contact entered in the platform. In individual cases, the Customer has the right to object to the engagement of a potential further processor. An objection may only be raised by the Customer for important reasons which have to be proven to the Supplier. Insofar as the Customer does not object within 14 days after receipt of the notification, his right to object to the corresponding engagement lapses. If the Customer objects, the Supplier is entitled to terminate the Subscription and this agreement with a notice period of 3 months.
3. The agreement between the Supplier and the further processor must impose the same obligations on the latter as those incumbent upon the Supplier under this agreement. The parties agree that this requirement is fulfilled if the contract has a level of protection corresponding to this agreement, respectively if the obligations laid down in Art. 28 para. 3 GDPR are imposed on the further processor.
4. Subject to compliance with the requirements of Section 2.4 of this agreement, the provisions of this Section 7 shall also apply if a further processor in a third country is involved.

8. Data subjects´ rights

1. The Supplier shall support the Customer within reason by virtue of technical and organisational measures in fulfilling the latter´s obligation to respond to requests for exercising data subjects´ rights.
2. As far as a data subject submits a request for the exercise of his rights directly to the Supplier, the Supplier will forward this request to the Customer in a timely manner.
3. The Supplier shall inform the Customer of any information relating to the stored Customer Data, about the purpose of storage, as far as the Customer does not have this information at his disposal and as far as he is not able to collect it himself.
4. The Supplier shall, within the bounds of what is reasonable and necessary, against reimbursement of the expenses and costs incurred by the Supplier as a result of this and to be proven enable the Customer to correct, delete or restrict the further processing of Customer Data, or at the instruction of the Customer correct, block or restrict further processing himself, if and to the extent that this is impossible for the Customer.
5. Insofar as the data subject has a right of data portability vis-à-vis the Customer in respect of the Customer Data pursuant to Art. 20 GDPR, the Supplier shall support the Customer within the bounds of what is reasonable and necessary in return for reimbursement of the expenses and costs incurred by the Supplier as a result of this and to be proven in handing over the Customer Data in a structured, commonly used and machine-readable format, if the Customer is unable to obtain the data elsewhere.

9. Notification and support obligations of the Supplier

1. Insofar as the Customer is subject to a statutory notification obligation due to a breach of the security of Customer Data (in particular pursuant to Art. 33, 34 GDPR), the Supplier shall inform the Customer in a immediately of any reportable events in his area of responsibility. The Supplier shall assist the Customer in fulfilling the notification obligations at the latter´s request to the extent reasonable and necessary in return for reimbursement of the expenses and costs incurred by the Supplier as a result thereof and to be proven.
2. The Supplier shall assist the Customer to the extent reasonable and necessary in return for reimbursement of the expenses and costs incurred by the Supplier as a result thereof and to be proven with data protection impact assessments to be carried out by the Customer and, if necessary, subsequent consultations with the supervisory authority pursuant to Art. 35, 36 GDPR.
3. The Contractor shall support the Client in the preparation of the list of processing activities pursuant to §30 (1) by presenting existing documents.

10. Deletion and return of Customer Data

1. The Supplier shall delete the Customer Data upon termination of this agreement, unless the Supplier is obligated by law to further store the Customer Data. Further information on data deletion is listed at https://www.movisens.com/en/products/therapydesigner/data-processing/
2. The Supplier may keep documentations, which serve as evidence of the orderly and accurate processing of Customer Data, also after the termination of the agreement.

11. Evidence and audits

1. The Supplier shall provide the Customer, at the latter´s request, with all information required and available to the Supplier to prove compliance with his obligations under this agreement.
2. The Customer shall be entitled to audit the Supplier with regard to compliance with the provisions of this agreement, in particular the implementation of the technical and organisational measures; including inspections.
3. In order to carry out inspections in accordance with Section 11.2., the Customer is entitled to access the business premises of the Supplier in which Customer Data is processed within the usual business hours (Mondays to Fridays from 10 a.m. to 6 p.m.) after timely advance notification in accordance with Section 11.5 at his own expense, without disruption of the course of business and under strict secrecy of the Supplier´s business and trade secrets.
4. The Supplier is entitled, at his own discretion and taking into account the legal obligations of the Customer, not to disclose information which is sensitive with regard to the Supplier´s business or if the Supplier would be in breach of statutory or other contractual provisions as a result of its disclosure. The Customer is not entitled to get access to data or information about the Supplier´s other customers, cost information, quality control and contract management reports, or any other confidential data of the Supplier that is not directly relevant for the agreed audit purposes.
5. The Customer shall inform the Supplier in good time (usually at least four weeks in advance) of all circumstances relation to the performance of the audit. The Customer may carry out one audit per calendar year. Further audits shall be carried out at most in the event of a concrete reason, e.g. concrete suspicion of a data protection violation. In the event of an onsite inspection by the Customer, the Contractor shall be entitled to remuneration according to the actual time and effort expended. This shall not apply in the event that the Contractor has given reasonable cause for the inspection through its own actions or omissions. Inspections of up to a total of 4 hours per contractual year shall be exempt from the obligation to pay remuneration. In all other respects, Clause 14.5 shall apply.
6. If the Customer commissions a third party to carry out the audit, the Customer shall obligate the third party in writing the same way as the Customer is obliged vis-à-vis the Supplier according to this Section 11 of this agreement. In addition, the Customer shall obligate the third party to maintain secrecy and confidentiality, unless the third party is subject to a professional obligation of secrecy. At the request of the Supplier, the Customer shall immediately submit to him the commitment agreements with the third party. The Customer may not commission any of the Supplier´s competitors to carry out the audit.
7. Upon agreement between the contracting parties, proof of compliance with the obligations under this agreement may be provided, instead of an inspection, by submitting an appropriate, current opinion or report from an independent authority (e.g. auditor, audit department, data protection officer, IT security department, data protection auditors or quality auditors) or a suitable certification by IT security or data protection audit – e.g. according to BSI-Grundschutz – (”audit report‟), if the audit report makes it possible for the Customer in an appropriate manner to convince himself of compliance with the contractual obligations.

12. Contract term and termination

1. The term and termination of this agreement shall be governed by the term and termination provisions of the Subscription. A termination of the Subscription automatically results in a cancellation of this agreement. An isolated termination of this contract is excluded.

13. Liability

1. As far as third parties assert claims against the Supplier which are caused by the Customer´s culpable breach of this agreement or one of his obligations as the controller in terms of data protection law affecting him, the Customer shall upon first request indemnify and hold the Supplier harmless from these claims.
2. The Customer undertakes to indemnify the Supplier upon first request against all possible fines imposed on the Supplier corresponding to the Customer´s part of responsibility for the infringement sanctioned by the fine.

14. Final provisions

1. In case individual provisions of this agreement are ineffective or become ineffective or contain a gap, the remaining provisions shall remain unaffected. The parties undertake to replace the ineffective provision by a legally permissible provision which comes closest to the purpose of the ineffective provision and that thereby satisfies the requirements of Art. 28 GDPR.
2. In case of conflicts between this agreement and other arrangements between the parties, in particular the Subscription, the provisions of this agreement shall prevail regarding data processing operations.
3. The parties agree that, at the same time as the start of this agreement, any existing processing agreements between the parties to the main contract may be terminated by mutual agreement.
4. This agreement and its interpretation and execution are exclusively subject to German law, including the GDPR. The place of jurisdiction for all disputes arising from and in connection with this agreement is the registered office of the Supplier.
5. Insofar as claims for remuneration, reimbursement of expenses or costs are provided for in this agreement, the Supplier shall first submit an offer to the Customer and base this on its respective current hourly rates. Claims shall only arise upon confirmation of the offer by the Customer.

Annex 1: Purpose, type and extent of the processing of Customer Data, types of personal data and categories of data subjects

The data processing is divided in two categories of data subjects:

1. Customers and other users of the TherapyDesigner/InterventionDesigner Web application (e.g. study personnel, coaches, advisors, therapists)

Purpose of data processing	User and role management, account management, acquiring data for the study or other clinical trial, operation of the customised application / study
Type and extent of data processing	Acquisition and storage and evaluation
Types of personal data	Name, first name, title, communication data (e-mail), profile foto, contract data, payment data, link to organisation, studies and patients/participants, roles and authorisations, configurations of studies/applications, audit log of configuration changes and log of application usage and logins, cookies for authentication

2. Participants partaking in a study / other clinical trial of the customer

Purpose of data processing	Acquiring data for the study or other clinical trial, operation of the customised application / study
Type and extent of data processing	Acquisition, storage, processing and possibly evaluation of data for the customer and / or participant
Types of personal data	Depending on the requirements defined by the customer for the study / other clinical trial: subjective and objective data from self-reports, interactions, physiological measurements, mobile sensing data, context data, location data, communication data, phone usage data and multimedia data.

Change History

• 2024-04-04, V1