Order processing Agreement for the use of autarc software
Order processing Agreement in accordance with Article 28 (3) of the General Data Protection Regulation (GDPR)
(as of September 2025)
§ 1 Subject matter and duration of processing
(1) The subject matter of the agreement is the rights and obligations of the parties in the context of the provision of services in accordance with the service description and terms and conditions (hereinafter main contract), insofar as personal data is processed by autarc GmbH (hereinafter contractor) as a processor on behalf of the customer as controller (hereinafter client) in accordance with Art. 28 GDPR. This includes all activities that the contractor performs to fulfill the order and which constitute order processing. In this respect, the purposes of processing arise from the main contract. This also applies if the order does not expressly refer to this order processing agreement. The categories of personal data that are collected and processed are described in more detail in Appendix 1 to this Agreement.
(2) The duration of this contract (term) corresponds to the term of the main contract. It ends without the need for separate termination as soon as the main contract is terminated, expires or ends for any other reason.
§ 2 Place of data processing
The contractually agreed data processing is carried out in a member state of the European Union or the European Economic Area. Any transfer to a third country requires the prior consent of the client and may only take place if the special requirements of Art. 44 et seq. GDPR are met.
The appropriate level of protection in the USA
☑️ is established by an adequacy decision by the Commission (Article 45 (3) GDPR);
⬜ is produced by binding internal data protection regulations (Art. 46 para. 2 lit. b in conjunction with 47 GDPR);
☑️ is produced by standard data protection clauses (Art. 46 para. 2 lit. c and d GDPR);
⬜ is produced by approved codes of conduct (Art. 46 para. 2 lit. e in conjunction with 40 GDPR);
⬜ is produced by an approved certification mechanism (Art. 46 para. 2 lit. f in conjunction with 42 GDPR).
⬜ is produced through other measures:... (Art. 46 para. 2 lit. a, para. 3 lit. a and b GDPR)
§ 3 Technical-organizational measures
(1) To the extent necessary, the contractor has implemented the technical and organizational measures in accordance with Article 32 GDPR prior to the award of the contract. The relevant proof will be provided to the client upon request without undue delay. Insofar as the client's audit reveals a need for adjustment, this must be implemented by mutual agreement.
(2) The contractor must establish security in accordance with Art. 28 para. 3 lit. c, 32 GDPR, in particular in conjunction with Art. 5 para. 1, para. 2 GDPR. Overall, the measures to be taken are data security measures intended to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs and the type, scope and purposes of processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 (1) GDPR must be taken into account.
(3) The technical and organizational measures are subject to technical progress and development. In this respect, the contractor is permitted to implement alternative adequate measures. The security level of the defined measures must not be undercut. Significant changes must be documented.
§ 4 Correction, restriction and deletion of data
(1) The contractor may not correct, delete or restrict the processing of the data processed on behalf of the client on his own authority, but only in accordance with documented instructions from the client. Insofar as a data subject contacts the contractor directly in this regard, the contractor will immediately forward this request to the client.
(2) Insofar as included in the scope of services, the deletion concept, the right to be forgotten, correction, data portability and information must be ensured directly by the contractor in accordance with documented instructions from the client.
§ 5 Quality assurance and other obligations of the contractor
In addition to compliance with the provisions of this order, the contractor has legal obligations in accordance with Articles 28 to 33 GDPR; in this respect, he guarantees compliance with the following requirements in particular:
a) Maintaining confidentiality in accordance with Art. 28 para. 3 sentence 2 lit. b, 29, 32 para. 4 GDPR. When carrying out the work, the contractor only uses employees who are committed to confidentiality and have previously been familiarized with the data protection regulations relevant to them. The contractor and any person subordinate to the contractor who has access to personal data may only process this data in accordance with the instructions of the client, including the powers granted in this contract, unless they are legally obliged to process it.
b) The implementation of and compliance with all technical and organizational measures required for this mandate in accordance with Art. 28 para. 3 sentence 2 lit. c, 32 GDPR, as described in Appendix 2.
c) The client and the contractor (as well as his representative) shall, upon request, cooperate with the supervisory authority in the performance of their duties.
d) Informing the client immediately about inspections and measures taken by the supervisory authority, insofar as they relate to this order. This also applies insofar as a competent authority investigates the processing of personal data during order processing by the contractor as part of administrative offense or criminal proceedings.
e) Insofar as the client is in turn exposed to control by the supervisory authority, administrative offense or criminal proceedings, the liability claim of a data subject or a third party, or any other claim in connection with order processing by the contractor, the contractor must support him to the best of his ability.
f) The contractor regularly checks internal processes and technical and organizational measures to ensure that processing in its area of responsibility is carried out in accordance with the requirements of applicable data protection law and that the rights of the data subject are protected.
g) Verifiability of the technical and organizational measures taken vis-à-vis the client within the scope of its supervisory powers in accordance with § 7 of this contract.
§ 6 Subcontracting
(1) Subcontracting relationships within the meaning of this provision are services which relate directly to the provision of the main service. This does not include ancillary services that the contractor uses, such as telecommunications services, mail/transport services, maintenance and user support services or the disposal of data carriers and other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, the contractor is obliged to conclude appropriate and legally compliant contractual agreements and to take control measures to ensure the data protection and security of the client's data, even in the case of outsourced ancillary services.
(2) The contractor commissions subcontractors to provide part of the services to be provided in accordance with the contract. Such sub-processing relationships are based — insofar as required by law — on an agreement in accordance with Article 28 (2-4) GDPR. The client expressly agrees to the subcontractors currently employed by the contractor, who are listed in Appendix 3.
Outsourcing to other subcontractors or changing existing subcontractors is permitted insofar as the contractor notifies the client of such outsourcing to subcontractors a reasonable amount of time in advance in writing or in text form, the client does not object to the planned outsourcing in writing or in text form to the contractor up to the time of transfer of the data, and the outsourcing is based on a contractual agreement in accordance with Article 28 (2-4) GDPR.
(3) The transfer of personal data from the client to the subcontractor and the subcontractor's commencement of activities are only permitted once all conditions for subcontracting have been met.
(4) If the subcontractor provides the agreed service outside the EU/EEA, the contractor ensures admissibility under data protection law by taking appropriate measures. The same applies if service providers within the meaning of paragraph 1 sentence 2 are to be used.
(5) Further outsourcing by the subcontractor requires the consent of the main contractor (at least in writing); all contractual provisions in the contract chain must also be imposed on the other subcontractor.
§ 7 Client's control rights
(1) The client has the right, in consultation with the contractor, to carry out checks or to have them carried out by inspectors to be appointed in individual cases. He has the right to verify that the contractor complies with this agreement in its business operations by means of sample checks, which must usually be reported appropriately in advance. In doing so, the client must ensure that the contractor's regular business operations are affected as little as possible and only to the extent absolutely necessary.
(2) The contractor shall ensure that the client is satisfied that the contractor has met its obligations under Article 28 GDPR. The contractor undertakes to provide the client with the necessary information upon request and, in particular, to prove the implementation of the technical and organizational measures.
(3) Evidence of such measures, which relate not only to the specific mandate, can alternatively also be provided by compliance with approved codes of conduct in accordance with Article 40 GDPR, certification in accordance with an approved certification process in accordance with Article 42 GDPR, current certificates, reports or report extracts from independent bodies (e.g. auditors, internal auditors, data protection officer, IT security department, data protection auditors, quality auditors) or appropriate certification through an IT security or data protection audit (for example, according to BSI IT-Grundschutz).
(4) The contractor may assert a claim for compensation for facilitating checks by the client.
§ 8 Notification of violations by the contractor
(1) The contractor supports the client in complying with the obligations set out in Articles 32 to 36 GDPR regarding the security of personal data, reporting requirements in the event of data breaches, data protection impact assessments and prior consultations. This includes:
a) ensuring an adequate level of protection through technical and organizational measures that take into account the circumstances and purposes of processing as well as the predicted probability and severity of a potential infringement due to security breaches, and that enable relevant infringement events to be identified immediately;
b) the obligation to report personal data breaches to the client immediately;
c) the obligation to assist the client as part of its obligation to provide information to the data subject and to provide the client with all relevant information in this context without delay;
d) assisting the client with its data protection impact assessment;
e) assisting the client in the context of prior consultations with the supervisory authority.
(2) The contractor may claim compensation for support services that are not included in the service description or are not attributable to misconduct on the part of the contractor.
§ 9 Client's authority to issue instructions, liability
(1) The contractor will confirm oral instructions immediately (at least in text form).
(2) The contractor must immediately inform the client if he believes that an instruction violates data protection regulations. The contractor is entitled to suspend execution of the corresponding instruction until it is confirmed or amended by the client.
(3) The client alone is responsible to the data subject for compensation for damage suffered by a data subject as a result of data processing or use in the context of order processing that is inadmissible or incorrect under data protection law.
(4) Each party undertakes to compensate the other party for all damages and expenses arising as a result of a culpable breach of an obligation under this Agreement (including its appendices) by the party required to indemnify, its legal representative, subcontractors, employees or other vicarious agents.
§ 10 Deletion and return of personal data testing phase
(1) Copies or duplicates of the data will not be made without the knowledge of the client. This does not include backup copies, insofar as they are necessary to ensure proper data processing, as well as data required to comply with legal storage obligations.
(2) After completion of the contractually agreed work or earlier upon request by the client — at the latest upon termination of the service agreement — the contractor must hand over to the client all documents, processing and use results created and data relating to the contractual relationship or destroy them in accordance with data protection law after prior consent. The same applies to test and scrap material.
(3) Documentation that serves as proof of the order and proper data processing must be kept by the contractor beyond the end of the contract in accordance with the respective retention periods. To relieve him, he may hand them over to the client at the end of the contract.
Appendix 1 to the Order Processing Agreement
Categories of data subjects and data
User data
● Title
● First name and last name
● Address (zip code, city, street and house number, additional address, if applicable)
● Email address
● Telephone number and/or mobile number
● Company data
End customer data
● Title
● First name and last name
● Address (zip code, city, street and house number, additional address, if applicable)
● Email address
● Telephone number and/or mobile number
● Payment information
● Type of heating system
● Consumption values
● Number of residents
● Year of construction of the building
● Spaces and dimensions of the building's architecture
● Heating area data
● Photos and documents of the object
Appendix 2 to the Order Processing Agreement
Technical-organizational measures
1. Confidentiality (Article 32 (1) (b) GDPR)
● Physical access control
No unauthorized physical access to data processing systems, e.g.: magnetic or smart cards, keys, electric door openers, plant security or reception staff, alarm systems, video systems;
● System access control
No unauthorized system use, e.g.: (secure) passwords, automatic locking mechanisms, two-factor authentication, disk encryption;
● Data access control
No unauthorized reading, copying, changing or removal within the system, e.g.: authorization concepts and needs-based access rights, logging of accesses;
2. Integrity (Art. 32 para. 1 lit. b GDPR)
● Transfer control
No unauthorized reading, copying, alteration or removal during electronic transmission or transport, e.g.: encryption, virtual private networks (VPN), electronic signature;
● Input control
Determining whether and by whom personal data has been entered into data processing systems, changed or removed, e.g.: logging, document management;
3. Availability and resilience (Article 32 (1) (b) GDPR)
● Availability control
Protection against accidental or deliberate destruction or loss, e.g.: backup strategy (online/offline; on-site/off-site), uninterruptible power supply (UPS), virus protection, firewall, reporting channels and emergency plans;
● Rapid recoverability (Art. 32 para. 1 lit. c GDPR);
4. Procedure for regular review, assessment and evaluation (Art. 32 para. 1 lit. d GDPR; Art. 25 para. 1 GDPR)
● Data protection management;
● Incident response management;
● Data protection-friendly default settings (Article 25 (2) GDPR);
● Order control
No order data processing within the meaning of Art. 28 GDPR without appropriate instructions from the client, e.g.: clear contract drafting, formalized order management, strict selection of service providers, preliminary verification, follow-up checks.
Appendix 3 to the Order Processing Agreement
Approved sub-processors