1. Scope
These are the general terms and conditions ("GTC") of Friday Finance GmbH, registered with the commercial register B of the local court of Charlottenburg under HRB 226357 B, Neue Schönhauser Straße 3-5, 10178 Berlin ("Friday Finance"). Friday Finance operates finance management software ("Software"). These GTC govern the business relationship between Friday Finance and persons who register for use of the Software provided by Friday Finance via the application software ("App") ("Users").
1.1. Friday Finance provides financial management, accounting and related services ("Services"). In some cases, Friday Finance provides the Services with the involvement of partner companies.
1.2. Friday Finance provides services exclusively to Users who are entrepreneurs within the meaning of section 14 of the German Civil Code (BGB).
1.3. Deviating, conflicting or supplementary general terms and conditions of Users shall only become part of the agreement if Friday Finance has expressly consented to their application in text form. This consent requirement shall also apply if Friday Finance begins to perform the Services in the knowledge of a User’s general terms and conditions.
2. Subject of the Agreement
2.1. The App and Software enable the User to manage payment accounts, in particular track cash flow, generate cash flow forecasts, and support financial reporting.
2.2. The exact scope of Services depends on the subscription chosen by the User (Starter, Premium or Enterprise). Details can be found at www.fridayfinance.com/pricing.
2.3. The Software is accessible online via the website app.fridayfinance.com. The Software cannot be downloaded, but is only accessible online as Software-as-a-Service ("SaaS"). Therefore, an internet connection and a browser are required for any access.
2.4. The provision of the internet access required to use the App and the Software does not form part of Friday Finance's service.
2.5. Agreements related to the opening and maintenance of an account (e.g. account agreement, payment service framework agreement, payment agreements) are concluded exclusively between the User and one or more credit institutions. Friday Finance does not become a party to these agreements.
2.6. Friday Finance shall endeavor, within its sphere of influence, to maximize availability of the App and the Software, but does not guarantee any particular availability. The accessibility of the App and Software may be limited or impossible, in particular during maintenance and/or repair work. Friday Finance gives 72 hours' notice of maintenance work where possible.
2.7. The agreement concluded between Friday Finance and the User pursuant to sections 675c et seq. of the German Civil Code (BGB) ("User Agreement") shall be independent of and remain unaffected by the agreements existing between the User and the payment service provider managing the User's payment account (usually a credit institution). This applies in particular with regard to possible charges levied by the User's payment account-holding payment service provider for services ordered by the User via Friday Finance.
3. General Requirements for the Use of the App and the Software
The use of the Software offered via the App initially requires registration and login via the App and the associated conclusion of a User Agreement with Friday Finance together with the associated Order Data Processing Agreement (with the content set out in Addition 1) (the "DPA"; see section 4 below).
4. Registration, Conclusion of the Agreement, User Account
4.1. The registration of the User shall take place using the onboarding process provided for this purpose in the App. There is no entitlement to registration or to conclusion of a User Agreement with the associated DPA.
4.2. The User shall choose a personal access password with which they can log into their User Account after successful registration (access password and the User's e-mail address provided during registration hereinafter together "Access Data"). By clicking on a button provided in the onboarding process, the User submits a binding offer to Friday Finance to conclude a User Agreement with an associated data processing agreement in accordance with these GTC. After submitting the registration form, the User will receive an acknowledgement of receipt from Friday Finance. Such e-mail does not constitute a declaration of acceptance on the part of Friday Finance. Only when the User Account is activated by Friday Finance does a User Agreement with the associated DPA come into effect with Friday Finance.
4.3. The User is obliged to provide truthful information when registering and to ensure that the data stored in the User Account is always up to date. In the event of changes or inaccuracies in the stored data, the User must update or correct this data immediately without being asked to do so. The User can do so in the User Account. If it is not possible to update or correct the data in the User Account, the User must immediately send the updated or corrected data by e-mail to support@fridayfinance.com without being asked to do so.
4.4. The User may authorize one or more persons, such as team members, to use the User Account (hereinafter "Authorized Persons") and, if necessary, grant them different levels of authorization. The User shall inform Friday Finance of the names and contact details of the Authorized Persons. If there is more than one Authorized Person, the User shall name to Friday Finance (1) at least one of them who will manage the User Account from a technical point of view (hereinafter "Administrator"), and (2) a contact person who is authorized with regard to the User Agreement.
4.5. User Accounts are individualized and may only be used by the User and Authorized Persons. Passing on the Access Data or otherwise permitting or enabling the use of the User Account by third parties who are not Authorized Persons is prohibited. The User is obliged to keep the Access Data secret, to store it securely and to protect it from unauthorized access by third parties. The User is also obliged to instruct Authorized Persons accordingly, in particular when allowing them to use the App and Software on their own end devices. The User is obliged to inform Friday Finance immediately in the event of suspected misuse.
- 4.5.1. The User shall be liable for the persons authorized by it as for its own breaches of duty and its own fault.
- 4.5.2. The legal relationship of the User with the operator of the app store through which the User obtains the App and the general terms and conditions of this app store shall remain unaffected.
5. User’s Obligations
5.1. By designating a payment account for inclusion in the App and Software, the User consents, to the fullest extent possible, to Friday Finance carrying out all activities related to the Services with respect to such payment account. Friday Finance cannot provide any services to the User without this consent.
5.2. The User is responsible for data and content entered into the App and Software by them or by Authorized Persons.
5.3. The User and Authorized Persons may not enter or transmit content into the App or Software that violates legal provisions, official orders, or common decency. It is furthermore prohibited to enter or transmit data that violates the rights of any third party, in particular regarding copyrights and/or industrial property rights as well as claims under competition law (e.g., for the confidentiality of trade secrets).
5.4. The User shall indemnify Friday Finance against all claims asserted by third parties against Friday Finance for infringement of their rights or for infringements of rights based on the content provided or transmitted by the User or by Authorized Persons. In this respect, the User shall also bear the necessary costs of Friday Finance's legal defense, including court costs and lawyers' fees. The indemnification obligation shall not apply if the User is not responsible for the infringement.
5.5. The User and Authorized Persons shall refrain from any action that could jeopardize or disrupt the functioning or operation of the App and Software. They shall in particular refrain from,
- using automated Software mechanisms (such as robots, crawlers, spiders, scrapers) in connection with the App and Software;
- using the App and Software for purposes other than those provided for in the agreement, in particular not for the transmission of so-called viruses, worms or Trojans;
- using any existing technical or conventional errors of the App and/or platform to circumvent access blocks, legal prohibitions and/or harm third parties;
- distributing illegal content;
- taking any other actions that are likely to impair the smooth operation of the App and Software.
5.6. The User may not transfer the User Agreement together with the associated DPA to third parties.
5.7. The User undertakes to compensate Friday Finance for all damages arising from the culpable breach of the aforementioned obligations.
6. Blocking and Deleting Accounts
6.1. Friday Finance is entitled to block the User Account temporarily or permanently at its reasonable discretion,
- if the User provides incorrect information during registration and fails to correct this information without undue delay (where applicable, despite Friday Finance's request to do so);
- in the event of misuse, unauthorized or fraudulent use of the User Account, or if there is reason to fear such use on the basis of concrete indications;
- if the User or an Authorized Person posts content on the platform or transmits such content via the messaging and communication functions of the platform that is punishable under the applicable laws or serves to prepare punishable acts;
- if the User or an Authorized Person breaches any of the obligations under these GTC and the User fails to remedy the breach within a reasonable period of time despite a warning;
- if the User has allowed or otherwise enabled an unauthorized third party to use the Account or the Access Data for which the User is responsible; or
- if there are other circumstances that would entitle Friday Finance to terminate for cause.
6.2. When deciding on measures in accordance with section 6.1, Friday Finance will give due consideration to the legitimate interests of the User concerned.
7. Prices
7.1. Friday Finance offers a tariff system that adapts to the activity and level of use. Details of the charges levied in each tariff are given in the "Prices" section at www.fridayfinance.com/pricing. If the User exceeds one of the limits specified there for the tariff currently used by them, the next higher tariff level shall automatically apply to them as of the next month. Friday Finance shall inform the User of this immediately in text form.
7.2. The Services that the User and Authorized Persons may access depend on the subscription that the User has taken out.
7.3. Prices are always quoted in euros and net of VAT.
7.4. Friday Finance reserves the right to change prices at any time. Friday Finance will notify the User of changes in prices in text form at least four weeks in advance. If the User does not agree to the changes, Friday Finance reserves the right to terminate the User Agreement with the associated DPA.
8. Invoicing and Payment
8.1. Friday Finance will invoice the User in advance for the fee for the relevant period. There will be no refunds or credits for periods during which the App and Software have not been used, nor in any other case, unless specified in the refund policy (section 9).
8.2. Payments can be made by direct debit, credit card or PayPal. In case of payment by direct debit, the User authorizes Friday Finance to collect the payments to be made by them from a payment account to be named by the User. The User shall be obliged to notify their bank of the direct debit authorization and to ensure sufficient coverage of the payment account. The User shall bear the costs of a chargeback for which they are responsible plus a further processing fee of EUR 20 net.
8.3. Invoices are due upon receipt.
8.4. The statutory provisions on default and interest on arrears shall apply.
8.5. If an invoice is not paid immediately after the due date, Friday Finance will send the User a reminder in text form. Friday Finance may block the User Account two days after sending this reminder until the outstanding amount has been paid. This shall not give rise to any claims on the part of the User.
8.6. Claims for damages and termination rights of Friday Finance shall remain unaffected.
9. Refund Policy
9.1. The User has a special right of termination within the first month of use.
9.2. If the User exercises the special right of termination under the previous paragraph, Friday Finance shall refund the fee paid by the User in full (net) and without interest. The User Account will be downgraded to the free subscription.
10. Amendments of the App and Software
10.1. Friday Finance reserves the right to make further developments to the App and Software and associated changes to the scope of Services, e.g. through the use of newer or different technologies, systems, procedures or standards. Friday Finance will inform the User of significant changes to the Services and the date of their implementation ("Change Date") at least one month before the Change Date. If the User demonstrably suffers material disadvantages as a result of the further development or change in performance, the User shall be entitled to terminate the User Agreement and the associated DPA with extraordinary effect as of the Change Date. The termination can only be declared to Friday Finance in text form within two weeks after receipt of the change notification by the User.
10.2. Friday Finance does not have to give notice of insignificant changes in performance.
11. Term and Termination of the Agreement
11.1. The term and termination of the User Agreement with the associated DPA shall be governed by the provisions of the subscription concluded by the User.
11.2. Unless otherwise provided, the User Agreement with the associated DPA shall be automatically renewed after the expiry of the original term for a period corresponding to the duration of the first term, unless the User Agreement with the associated DPA is duly terminated by one of the parties at least two weeks before the expiry of the respective term.
11.3. The right to extraordinary termination shall remain unaffected. Reasons for extraordinary termination on the part of Friday Finance include a delay in payment by the User lasting longer than one week or the opening of insolvency proceedings against the assets of the User.
11.4. Any termination must be in text form (e-mail). The User also has the option to terminate the User Agreement with the associated DPA in the corresponding area of the App.
11.5. Thirty (30) days after the effective date of termination, Friday Finance will delete all contents of a User Account, unless Friday Finance is required or permitted to retain them for legitimate interests. The User shall be responsible for the storage of any data that the User may still need after the termination of the agreement.
12. Copyright and Intellectual Property
12.1. The homepage layout, the graphics and images used, the collection of contents as well as individual contents including the system presentation texts of Friday Finance as well as all other manifestations and functionalities of App and Software may be subject to industrial property rights and/or copyrights and other rights of Friday Finance or the respective inventor or author or other holder of rights (hereinafter collectively "Protected Contents"). Unless expressly agreed otherwise in text form or regulated by law, reproduction or use of this Protected Content by the User is not permitted.
12.2. The User is not permitted to modify, adapt, translate, decompile, disassemble, reverse engineer or otherwise attempt to derive the source code of the App or Software.
12.3. If the User or Authorized Persons post content in the App or Software for the purpose of editing, the ownership rights, property rights and copyrights thereto shall remain with the User. The User warrants to Friday Finance that it also holds the rights to such content posted by Authorized Persons. The User hereby grants Friday Finance a royalty-free, non-exclusive right of use, unlimited in time and place, with respect to all content posted by the User or Authorized Persons. The transfer of rights includes in particular the right to reproduce, store and edit as well as the right to display, broadcast and distribute the content via the platform. The rights granted to Friday Finance by the User under this license are limited to the purpose of operating the App and Software and providing the associated Services.
12.4. The User undertakes not to infringe any rights to the Protected Content. The User undertakes not to make the documentation associated with the App and Software available to unauthorized third parties, either directly or indirectly, in any capacity, form or for any reason whatsoever.
13. Reference
Friday Finance may use the name of the User for reference purposes in commercial transactions unless the User expressly prohibits this in text form.
14. Confidentiality
14.1. For the purposes of the User Agreement, "Confidential Information" means all trade secrets that the User or Authorized Persons post on the platform.
14.2. Friday Finance is obliged,
- to keep Confidential Information strictly confidential and to use it only for the purpose of fulfilling its contractual obligations under the User Agreement with the associated DPA,
- not to disclose or permit access to any Confidential Information to any third party,
- to take reasonable steps to prevent unauthorized persons from gaining access to Confidential Information; and
- to secure the Confidential Information against unauthorized access by third parties by taking appropriate confidentiality measures and to comply with the legal and contractual provisions on data protection when processing the Confidential Information. This also includes technical security measures adapted to the current state of the art (Art. 32 GDPR) and the obligation of employees to maintain confidentiality and to observe data protection (Art. 28 (3) lit. b GDPR).
14.3. The obligations under section 14.2 do not apply to Confidential Information that must be disclosed due to mandatory legal provisions or a decision of a court and/or a public authority.
14.4. The obligations under this section 14 shall remain in force for a period of 3 years beyond the termination of the User Agreement. Legal provisions for the protection of business secrets shall remain unaffected.
15. Data Protection
15.1. Friday Finance shall comply with the applicable provisions on data protection. This also includes the conclusion of a DPA in connection with the conclusion of the User Agreement.
15.2. The data that the User or Authorized Persons enter into the App and Software will be hosted on Google's servers in the European Union.
15.3. The User consents to Friday Finance processing his/her personal data in the course of registration and use of the App and Software. If the User allows Authorized Persons to use the App, this constitutes a declaration that they have consented to the processing of their personal data. Further information on how Friday Finance processes personal data and the legal basis for data processing can be found in Friday Finance's privacy policy, which is available at www.fridayfinance.com/privacy-policy ("Privacy Policy").
16. Liability
16.1. Friday Finance shall be liable without limitation for intent and gross negligence on the part of Friday Finance, its vicarious agents and legal representatives, but for slight negligence only in the event of a breach of material contractual obligations. Material contractual obligations are obligations the fulfilment of which is a prerequisite for the proper performance of the User Agreement and on the observance of which the User may regularly rely.
16.2. Liability in the event of negligence shall be limited to the damage typical for the agreement, the occurrence of which Friday Finance had to anticipate at the time of conclusion of the agreement on the basis of the circumstances known at that time, but at most to the amount of one year's fee under the subscription selected by the User.
16.3. The above limitations of liability shall not apply in the event of the assumption of express warranties, in the event of claims due to the lack of warranted characteristics and for damages arising from injury to life, limb or health. Liability under the Product Liability Act shall also remain unaffected.
17. Information regarding Account Information Services
17.1. In order to be able to make full use of Friday Finance's services, it is necessary for the User to enter into an agreement with an account information service provider for the provision of account information services and to instruct the account information service provider to forward account information to Friday Finance.
17.2. The account information service provider is not a vicarious agent of Friday Finance and will act independently.
17.3. Friday Finance shall at no time have access to the User's security features required to access the User's payment account.
17.4. Friday Finance shall not be liable for the completeness and accuracy of the account information provided to Friday Finance by the User's payment account servicing payment service provider or by the account information service provider, nor for that information having been provided without violating banking secrecy and other legal provisions.
18. Subcontractors for the Provision of Services, Transfer of the Agreement
18.1. Friday Finance is entitled to use subcontractors at its discretion and to enter into sub-order data processing agreements with them as required.
18.2. Friday Finance shall be entitled to transfer the User Agreement in its entirety to a third party. Friday Finance shall notify the User thereof in due time, but no later than one month before the transfer takes effect. The User shall then be entitled to extraordinary termination for good cause within two weeks of receipt of the notification.
19. Severability
Invalidity of a provision shall not affect the validity of the remaining provisions of the User Agreement.
20. Changes to these GTC
20.1. Changes to these GTC shall be offered to the User in text form no later than two months before their proposed effective date.
20.2. The changes offered by Friday Finance shall only become effective if the User accepts them, if applicable by way of deemed consent as set out below.
20.3. The consent of the User shall be deemed to have been given if the User has not notified Friday Finance of their rejection before the proposed date of entry into force of the changes (deemed consent). Friday Finance will specifically draw the User's attention to this effect of approval in its offer of changes.
If the User has agreed on an electronic communication channel with Friday Finance within the framework of the business relationship or if such a channel is usually used, the changes may also be offered by this means.
20.4. If the above deemed consent does not apply for any reason whatsoever, the User's silence shall only be deemed to constitute acceptance of the change offer if
- 20.4.1. Friday Finance's change offer is made in order to restore the conformity of the contractual provisions with a changed legal situation, because a provision of the GTC
  - no longer corresponds to the legal situation due to a change in the law, including directly applicable legal provisions of the European Union, or
  - becomes invalid or may no longer be used due to a final court decision, including a court of first instance, or
  - is no longer in compliance with regulatory obligations due to a binding order of a national or international authority competent for Friday Finance (e.g. the German Federal Financial Supervisory Authority or the European Central Bank); and
- 20.4.2. the User has not rejected Friday Finance's change offer prior to the proposed effective date of the changes.
20.5. Friday Finance shall in any case inform the User of the consequences of their silence in the change offer.
20.6. The deemed consent shall in any case not apply to
- modifications affecting the principal obligations of the agreement, or
- amendments which are equivalent to the conclusion of a new agreement, or
- amendments which would significantly shift the previously agreed relationship between performance and consideration in favor of Friday Finance.
In such cases, Friday Finance will obtain the User's consent to the changes by other means.
20.7. If Friday Finance makes use of the deemed consent, the User may also terminate the agreement without notice and free of charge before the proposed date on which the changes take effect.
20.8. Friday Finance shall specifically draw the User's attention to this right of termination in its change offer.
21. Applicable Law and Place of Jurisdiction
21.1. Place of performance and exclusive place of jurisdiction for all disputes arising from and in connection with the contractual relationship including these GTC between Friday Finance and the User shall be Berlin. Friday Finance shall, however, remain entitled to take legal action at the registered office of the User.
21.2. The law of the Federal Republic of Germany shall apply under exclusion of the UN Convention on Contracts for the International Sale of Goods.
Addition 1: Data processing agreement (“DPA”)
Preamble
The Controller has commissioned the Data Processor in a contract already concluded (hereinafter referred to as the "Main Contract") for the services specified therein. Part of the execution of the contract is the processing of personal data. In particular, Art. 28 GDPR imposes specific requirements on such commissioned processing. To comply with these requirements, the Parties enter into the following Data Processing Agreement (hereinafter referred to as the “Agreement”), the performance of which shall not be remunerated separately unless expressly agreed.
§ 1 Definitions
(1) Pursuant to Art. 4 (7) GDPR, the Controller is the entity that alone or jointly with other Controllers determines the purposes and means of the processing of personal data.
(2) Pursuant to Art. 4 (8) GDPR, a Data Processor is a natural or legal person, authority, institution, or other body that processes personal data on behalf of the Controller.
(3) Pursuant to Art. 4 (1) GDPR, personal data means any information relating to an identified or identifiable natural person (hereinafter "Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(4) Personal data requiring special protection are personal data pursuant to Art. 9 GDPR revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of Data Subjects, personal data pursuant to Art. 10 GDPR on criminal convictions and criminal offenses or related security measures, as well as genetic data pursuant to Art. 4 (13) GDPR, biometric data pursuant to Art. 4 (14) GDPR, health data pursuant to Art. 4 (15) GDPR, and data on the sex life or sexual orientation of a natural person.
(5) Pursuant to Art. 4 (2) GDPR, processing is any operation or set of operations that is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(6) Pursuant to Art. 4 (21) GDPR, the supervisory authority is an independent state body established by a Member State pursuant to Art. 51 GDPR.
§ 2 Subject of the contract
(1) The Data Processor provides the services specified in the Main Contract for the Controller. In doing so, the Data Processor obtains access to personal data, which the Data Processor processes for the Controller exclusively on behalf of and in accordance with the Controller's instructions. The scope and purpose of the data processing by the Data Processor are set out in the Main Contract and any associated service descriptions. The Controller shall be responsible for assessing the admissibility of the data processing.
(2) The Parties conclude the present Agreement to specify the mutual rights and obligations under data protection law. In case of doubt, the provisions of this Agreement shall take precedence over the provisions of the Main Contract.
(3) The provisions of this contract shall apply to all activities related to the Main Contract in which the Data Processor and its employees or persons authorized by the Data Processor come into contact with personal data originating from the Controller or collected for the Controller.
(4) The term of this Agreement shall be governed by the term of the Main Contract unless the following provisions give rise to further obligations or termination rights.
§ 3 Right of instruction
(1) The Data Processor may only collect, process or use data within the scope of the Main Contract and in accordance with the instructions of the Controller. If the Data Processor is required to carry out further processing by the law of the European Union or the Member States to which it is subject, it shall notify the Controller of these legal requirements prior to the processing.
(2) The instructions of the Controller shall initially be determined by this Agreement. Thereafter, they may be amended, supplemented, or replaced by the Controller in writing or text form by individual instructions (Individual Instructions). The Controller shall be entitled to issue such instructions at any time. This includes instructions with regard to the correction, deletion, and blocking of data.
(3) All instructions issued shall be documented by the Controller. Instructions that go beyond the service agreed in the Main Contract shall be treated as a request for a change in service.
(4) If the Data Processor is of the opinion that an instruction of the Controller violates data protection provisions, it shall notify the Controller thereof without undue delay. The Data Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller. The Data Processor may refuse to carry out an obviously unlawful instruction.
§ 4 Types of data processed, group of Data Subjects, third country
(1) Within the scope of the implementation of the Main Contract, the Data Processor shall have access to the personal data specified in more detail in Annex 1.
(2) The group of Data Subjects affected by the data processing is listed in Annex 2.
(3) A transfer of personal data to a third country may only take place under the conditions of Art. 44 et seq. GDPR.
§ 5 Protective measures of the Data Processor
(1) The Data Processor shall be obliged to observe the statutory provisions on data protection and not to disclose information obtained from the Controller's domain to third parties or expose it to their access. Documents and data shall be secured against disclosure to unauthorized persons, taking into account the state of the art.
(2) The Data Processor shall organize the internal organization within its field of responsibility in such a way that it meets the special requirements of data protection. It shall have taken the technical and organizational measures specified in Annex 3 to adequately protect the Controller's data pursuant to Art. 32 GDPR, which the Controller acknowledges as adequate. The Data Processor reserves the right to change the security measures taken while ensuring that the contractually agreed level of protection is not undercut.
(3) The persons employed in the data processing by the Data Processor are prohibited from collecting, processing or using personal data without authorization. The Data Processor shall oblige all persons entrusted by it with the processing and performance of this contract (hereinafter "Employees") accordingly (obligation of confidentiality, Art. 28 (3) lit. b GDPR) and shall ensure compliance with this obligation with due care.
(4) The Data Processor has appointed a data protection officer. The Data Processor’s data protection officer is heyData GmbH, Kantstr. 99, 10627 Berlin, datenschutz@heydata.eu, www.heydata.eu.
§ 6 Information obligations of the Data Processor
(1) In the event of disruptions, suspected data protection violations or breaches of contractual obligations of the Data Processor, suspected security-related incidents or other irregularities in the processing of personal data by the Data Processor, by persons employed by it within the scope of the contract or by third parties, the Data Processor shall inform the Controller without undue delay. The same shall apply to audits of the Data Processor by the data protection supervisory authority. The notification of a personal data breach shall contain at least the following information:
(a) a description of the nature of the personal data breach including, to the extent possible, the categories and number of Data Subjects affected and the categories and number of personal data records affected;
(b) a description of the measures taken or proposed by the Data Processor to address the breach and, where applicable, measures to mitigate its possible adverse effects;
(c) a description of the likely consequences of the personal data breach.
(2) The Data Processor shall immediately take the necessary measures to secure the data and to mitigate any possible adverse consequences for the Data Subjects, inform the Controller thereof and request further instructions.
(3) In addition, the Data Processor shall be obliged to provide the Controller with information at any time insofar as the Controller's data are affected by a breach pursuant to paragraph 1.
(4) The Data Processor shall inform the Controller of any significant changes to the security measures pursuant to Section 5 (2).
§ 7 Control rights of the Controller
(1) The Controller may satisfy itself of the technical and organizational measures of the Data Processor prior to the commencement of data processing and thereafter at regular intervals, once a year. For this purpose, the Controller may, for example, obtain information from the Data Processor, obtain existing attestations from experts, certifications or internal audit reports or, after timely coordination, personally inspect the technical and organizational measures of the Data Processor during normal business hours or have them inspected by a competent third party, provided that the third party is not in a competitive relationship with the Data Processor. The Controller shall carry out checks only to the extent necessary and shall not disproportionately disrupt the operations of the Data Processor in the process.
(2) The Data Processor undertakes to provide the Controller, upon the latter's verbal or written request and within a reasonable period of time, with all information and evidence required to carry out a check of the technical and organizational measures of the Data Processor.
(3) The Controller shall document the results of the inspection and notify the Data Processor thereof. In the event of errors or irregularities which the Controller discovers, in particular when reviewing the results of the commissioned processing, the Controller shall inform the Data Processor without undue delay. If facts are established during the inspection whose future avoidance requires changes to the commissioned procedure, the Controller shall notify the Data Processor of the necessary procedural changes without delay.
§ 8 Use of service providers
(1) The contractually agreed services shall be performed with the involvement of the service providers named in Annex 4 (hereinafter “Sub-processors”). The Controller grants the Data Processor its general authorization within the meaning of Article 28 (2) s. 1 GDPR to engage additional Sub-processors within the scope of its contractual obligations or to replace Sub-processors already engaged.
(2) The Data Processor shall inform the Controller in advance, by e-mail newsletter, of any intended change regarding the involvement or replacement of a Sub-processor. The Controller subscribes to this newsletter by sending an e-mail with the subject "Subscribe" to hello@fridayfinance.com. The Controller may object to the intended involvement or replacement of a Sub-processor for good cause under data protection law.
(3) The objection to the intended involvement or replacement of a Sub-processor must be raised within 2 weeks of the information being sent in the email newsletter. If no objection is raised, the involvement or replacement shall be deemed approved. If there is a good cause under data protection law and a mutually agreeable solution cannot be found between the Controller and Data Processor, the Data Processor shall have a special right of termination at the end of the month following the objection.
(4) When engaging Sub-processors, the Data Processor shall oblige them in accordance with the provisions of this Agreement.
(5) A Sub-processor relationship within the meaning of these provisions does not exist if the Data Processor commissions third parties with services that are regarded as purely ancillary services. These include, for example, postal, transport and shipping services, cleaning services, telecommunications services without any specific reference to services provided by the Data Processor to the Controller and guarding services. Maintenance and testing services constitute Sub-processor relationships requiring consent insofar as they are provided for IT systems that are also used in connection with the provision of services for the Controller.
§ 9 Requests and rights of Data Subjects
(1) The Data Processor shall support the Controller with suitable technical and organizational measures in fulfilling the Controller's obligations pursuant to Articles 12-22 and 32 to 36 GDPR.
(2) If a Data Subject asserts rights, such as the right of access, correction or deletion with regard to his or her data, directly against the Data Processor, the latter shall not react independently but shall refer the Data Subject to the Controller and await the Controller's instructions.
§ 10 Liability
(1) In the internal relationship with the Data Processor, the Controller alone shall be liable to the Data Subject for compensation for damage suffered by a Data Subject due to inadmissible or incorrect data processing under data protection laws or use within the scope of the commissioned processing.
(2) The Data Processor shall have unlimited liability for damage insofar as the cause of the damage is based on an intentional or grossly negligent breach of duty by the Data Processor, its legal representative or vicarious agent.
(3) The Data Processor shall only be liable for negligent conduct in the event of a breach of an obligation whose fulfilment is a prerequisite for the proper performance of the contract and on whose observance the Controller regularly relies and may rely, but limited to the average damage typical for the contract. In all other respects, the liability of the Data Processor - including for its vicarious agents - shall be excluded.
(4) The limitation of liability pursuant to paragraph 3 shall not apply to claims for damages arising from injury to life, body or health or from the assumption of a guarantee.
§ 11 Termination of the Main Contract
(1) After termination of the Main Contract, the Data Processor shall return to the Controller all documents, data and data carriers provided to it or - at the request of the Controller, unless there is an obligation to store the personal data under Union law or the law of the Federal Republic of Germany - delete them. This shall also apply to any data backups at the Data Processor. The Data Processor shall on request provide documented proof of the proper deletion of any data.
(2) The Controller shall have the right to control the complete and contractual return or deletion of the data at the Data Processor in an appropriate manner.
(3) The Data Processor shall be obligated to keep confidential the data of which it has become aware in connection with the Main Contract even beyond the end of the Main Contract. The present Agreement shall remain valid beyond the end of the Main Contract as long as the Data Processor has personal data at its disposal which have been forwarded to it by the Controller or which it has collected for the Controller.
§ 12 Final provisions
(1) To the extent that the Data Processor does not expressly perform support actions under this Agreement free of charge, it may charge the Controller a reasonable fee therefore, unless the Data Processor's own actions or omissions have made such support directly necessary.
(2) Amendments and supplements to this Agreement must be made in writing. This shall also apply to any waiver of this formal requirement. The priority of individual contractual agreements shall remain unaffected.
(3) If individual provisions of this Agreement are or become wholly or partially invalid or unenforceable, this shall not affect the validity of the remaining provisions.
(4) This agreement is subject to German law.
Annex
Annex 1 - Description of the data/data categories
Name, e-mail, IP address, business name, (business) telephone number, bank details
Annex 2 - Description of affected Data Subject/groups of affected Data Subjects
Controller, employees of the controller, business partners of the controller
Annex 3 - Technical and organizational measures of the Data Processor
1. Introduction
This document summarises the technical and organisational measures taken by the processor within the meaning of Art. 32 (1) GDPR. These are measures with which the processor protects personal data. The purpose of the document is to support the processor in fulfilling its accountability obligation under Art. 5 (2) GDPR.
2. Confidentiality (Art. 32 para. 1 lit. b GDPR)
2.1 Physical access control (Zutrittskontrolle)
The following implemented measures prevent unauthorised persons from gaining access to the data processing facilities:
- Alarm system
- Protection of building shafts
- Automatic access control system
- Chip card/transponder locking system
- Light barriers / motion detectors
- Security locks
- Video surveillance of the entrances
- Bell system with camera
- Checking people at the gatekeeper or reception
- Logging of visitors (e.g. visitor book)
- Key regulation / key book
- Careful selection of security personnel
- Obligation to wear staff and guest badges
- Visitors only accompanied by staff
- Careful selection of cleaning staff
2.2 System access control (Zugangskontrolle)
The following implemented measures prevent unauthorised persons from accessing the data processing systems:
- Authentication with user and password
- Use of anti-virus software
- Use of firewalls
- Use of 2-factor authentication
- Checking people at the gatekeeper or reception
- Logging of visitors (e.g. visitor book)
- Key regulation / key book
- General company policy on data protection or security
- Company policy "Delete/Destroy"
2.3 Data access control (Zugriffskontrolle)
The following implemented measures ensure that unauthorised persons do not have access to personal data:
- Use of document shredders (with cross cut function)
- Logging of access to applications (especially when entering, changing and deleting data)
- Use of an authorisation concept
- Number of administrators is kept as small as possible
- Secure storage of data media
- Management of user rights by system administrators
- Instruction to employees that only absolutely necessary data is printed out
- Instruction to staff that data will only be deleted after consultation
2.4 Separation control
The following measures ensure that personal data collected for different purposes are processed separately:
- Creation of an authorisation concept
- Setting database rights
3. Integrity (Art. 32 para. 1 lit. b GDPR)
3.1 Transfer control
It is ensured that personal data cannot be read, copied, changed or removed without authorisation during transfer or storage on data carriers and that it is possible to check which persons or bodies have received personal data. The following measures are implemented to ensure this:
- E-mail encryption
- WLAN encryption (WPA2 with strong password)
- Logging of accesses and retrievals
- Provision of data via encrypted connections such as SFTP or HTTPS
- Use of signature procedures
3.2 Input control
The following measures ensure that it is possible to check who has processed personal data in data processing systems and at what time:
- Instruct staff to delete data only after consultation
4. Availability and resilience (Art. 32 para. 1 lit. b GDPR)
The following measures ensure that personal data is protected against accidental destruction or loss and is available to the Controller at all times:
- Fire extinguishers in server rooms
- Fire and smoke detection systems
- Devices for monitoring temperature and humidity in server rooms
- Air conditioning in server rooms
- Protective socket strips in server rooms
- Uninterruptible Power Supply (UPS)
- Data protection safe
- RAID system / hard disk mirroring
- Video surveillance in server rooms
- Alarm message in case of unauthorised access to server rooms
- Regular backups
- Creation of a backup & recovery concept
- Control of the backup process
- Keeping data backup in a secure, off-site location
- Creation of an emergency plan (e.g. in accordance with BSI Standard 100-4)
- Regular data recovery tests and logging of results
- No sanitary facilities in or above the server room
- Separation of operating systems and data
- Hosting (at least of the most important data) with a professional hoster
5. Procedures for regular review, assessment and evaluation (Art. 32(1)(d) GDPR; Art. 25(1) GDPR)
5.1 Data protection management
The following measures are intended to ensure that an organisation that meets the basic requirements of data protection law is in place:
- Use of the heyData platform for data protection management
- Appointment of the data protection officer heyData
- Obligation of employees to data secrecy
- Regular training of employees in data protection
- Keeping an overview of processing activities (Art. 30 GDPR)
5.2 Incident response management
The following measures are intended to ensure that notification processes are triggered in the event of data protection breaches:
- Notification process for data protection violations pursuant to Art. 4 No. 12 GDPR vis-à-vis the supervisory authorities (Art. 33 GDPR)
- Data breach notification process pursuant to Art. 4 No. 12 GDPR vis-à-vis data subjects (Art. 34 GDPR)
- Involvement of the data protection officer in security incidents and data breaches
- Use of anti-virus software
- Use of firewalls
5.3 Data protection-friendly default settings (Art. 25 (2) GDPR)
The following implemented measures take into account the requirements of the principles "Privacy by design" and "Privacy by default":
- Training of employees in "Privacy by design" and "Privacy by default".
- No more personal data is collected than is necessary for the respective purpose.
5.4 Order control (Auftragskontrolle)
The following measures ensure that personal data can only be processed in accordance with the instructions:
- Written instructions to the contractor or instructions in text form (e.g. in the data processing agreement)
- Ensuring the destruction of data after completion of the order, e.g. by requesting corresponding confirmations.
- Confirmation from contractors that they commit their own employees to data secrecy (typically in the order processing contract)
- Careful selection of contractors (especially with regard to data security)
- Ongoing review of contractors and their activities