General Terms and Conditions ONE WARE – ONE AI

ONE WARE has developed the ONE AI software solution (hereinafter referred to as the "Software") which aims to increase the efficiency and performance of artificial intelligence (AI). The goal is to train specific AI models for various subject areas at the request of customers. For this purpose, customers can upload and edit content, in particular images, and use it to train an AI model. ONE WARE uses this data to optimize the models according to the customer's wishes and adapt them to the respective requirements and topics. This creates a customized AI solution that meets the specific needs of the customer.

With this in mind, the parties agree as follows:

1 Additional applicable provisions and order of precedence

In addition to the provisions of this usage agreement, the provisions of the annexes to the usage agreement (usage agreement and annexes together referred to as the "Agreement") apply.
In the event of any contradictions between the Annexes and the User Agreement, the respective provisions shall apply in the order specified below: 2.1. Annex 2 to the User Agreement (DPA) 2.2. Annex 1 to the User Agreement (Service Description – Specification) 2.3. Annex 3 to the User Agreement (Pricing Annex) 2.4. License Agreement

2 Subject matter and conclusion of the contract; General Terms and Conditions of the

Customer

The contract for the use of the software is concluded when the customer registers on the ONE WARE Studio website via the ONE AI Extension. To do this, the customer downloads the ONE AI Extension and selects the "Sign up" option.
During the conclusion of the contract, the customer may cancel the registration process at any time before clicking the "Register" button and may delete, supplement, or correct the information entered in the various fields. After completing the registration, the customer may access and change all data provided during registration at any time in the "Account Settings."
By completing the registration process, the customer submits a legally binding request to ONE WARE to conclude a contract. ONE WARE will send the customer confirmation of receipt of the offer to the email address provided by the customer during registration immediately after receipt of the offer by ONE WARE. However, this confirmation does not constitute acceptance of the customer's offer.
A contract between ONE WARE and the customer is only concluded when ONE WARE has accepted the offer. The customer will receive the declaration of acceptance either by email or by being provided with access to the software ("conclusion of contract").
ONE WARE does not store the contract text after conclusion of the contract. However, the customer can access the contract text at any time during the entire online contract conclusion process at https://cloud.one-ware.com/Account/TermsOfService.
The contract can be concluded in German or English. In case of discrepancies between the German and the English version, the German version shall prevail; the English version is for convenience only..
The customer's general terms and conditions shall only become part of the contract if ONE WARE expressly agrees to them in writing.
The software is intended only for entrepreneurs within the meaning of § 14 BGB (German Civil Code). ONE WARE reserves the right to request appropriate information and evidence to verify that the customer is not a consumer within the meaning of § 13 BGB. There is no entitlement to the conclusion of a contract.

3 Services provided by ONE WARE

ONE WARE shall provide the customer with access to the software via the One AI Extension for a limited period of time during the term of the contract. A customer is entitled to register multiple users in accordance with the service description. Each user is assigned their own account.
The customer can use the software in a first step ("training preparation") to save images locally as training material. The customer can edit and organize this training data set in order to prepare the training of the AI model in the best possible way. In particular, the customer can classify the images, mark relevant areas, and use pre-filters (e.g., color enhancement, focus, cropping). In addition, the customer can already make default settings for the AI model they want and, if necessary, select and define the hardware resources on which the model is to run later.
Once the customer has prepared their training data accordingly and made all necessary model and hardware settings, the customer can start the training and have it carried out by ONE WARE in return for payment of the remuneration ("Credits") described in Section 5 and in the Pricing Annex contained in Appendix 3. To do this, they upload the training data to the ONE AI Cloud. The customer can individually determine the start, time, and scope of the training.
After completing the training, the customer has the option of testing the AI model ("testing"). To do this, the customer can view how the AI model classifies data on the ONE AI Extension. The customer can also upload new data sets to evaluate whether the AI model works for the desired application. The customer also has the option of obtaining a test license for the AI model to test whether the AI model works on the respective hardware ("hardware test"). The customer can select this option by clicking on the "Export" button. Details on testing and, in particular, the hardware test are set out in Section 8 .
If the customer is satisfied with the results of the testing, the customer may purchase a license from ONE WARE to use and export the trained AI model in productive operation. For this purpose, the customer shall contact ONE WARE after completion of the testing and request such a license. The parties shall agree individually on the commercial terms of this license. Upon conclusion of the license agreement, it shall become an integral part of this contract as Annex 4.
Details of the functions of the software for training preparation, training, testing, export, and use of the AI model are set out in the service description and the specification in Appendix 1. Beyond the agreed services, the customer has no claim to a specific design or specific functionality of the software.
ONE WARE is responsible for operating and maintaining the software. The ONE WARE's data center. The customer is responsible for ensuring Internet access and any hardware required to access the software (e.g., router, smart device) and for downloading the ONE AI Extension. The customer has no right to access the source code of the software.
Unless otherwise agreed, the average availability of the software is 98% on an annual basis. This does not include necessary planned maintenance work and disruptions that are beyond ONE WARE's control (such as force majeure or failures due to incorrect operation by the customer). ONE WARE will inform the customer of planned maintenance work in writing in good time, where possible. However, ONE WARE reserves the right to carry out unannounced maintenance work if necessary, in particular if this is necessary for data and operational security.
During the training preparation, the customer is responsible for storing the training data. ONE WARE has no access to the customer's training data during this phase. If the customer uploads the training data to the ONE AI Cloud, ONE WARE will store this data on a server operated by ONE WARE. ONE WARE will delete the customer's training data uploaded to the ONE AI Cloud after 7 days, unless the customer conducts training or the parties have agreed on a longer storage period.
ONE WARE is entitled to engage subcontractors as vicarious agents at its own discretion for the purpose of providing the services.
Extensions, further developments, changes

ONE WARE may make changes to the software in the following cases:

11.1. Extensions and further development

ONE WARE is entitled to add additional information to the services at any time. Unless otherwise agreed, functions introduced by ONE WARE after conclusion of the contract shall be deemed additional services provided free of charge. ONE WARE is entitled to discontinue these after weighing the interests of both parties. ONE WARE also reserves the right to offer optional extensions and further developments only against payment of an additional fee and upon conclusion of an additional usage agreement.

11.2. Reasonable and insignificant changes

ONE WARE is entitled to change, restrict, or discontinue the scope of services to an extent that is reasonable for the customer. Such a change is reasonable in particular if it only affects insignificant components of the services to be provided by ONE WARE (such as mere design or presentation changes that do not impair the functionality of the service or only impair it to a minor extent) or if it becomes necessary for an important reason. An important reason exists in particular if

11.2.1 there are disruptions to the provision of services by ONE WARE's subcontractors, 11.2.2 the change is necessary for safety reasons, 11.2.3 it is necessary due to changes in legislation or case law, or 11.2.4 there are similar important reasons which, after weighing them against the interests of the customer, make the change reasonable for the customer.

Subject to Section 3.11.3, any change to the scope of functions must retain the essential performance characteristics defined in the respective order and in Appendix 1, as well as the main performance obligations of ONE WARE in full.

11.3. Other changes

ONE WARE shall be entitled to make changes to the scope of functions of the services in cases other than those specified in sections 3.11.1 and 3.11.2 , taking into account the interests of both parties. In this case, ONE WARE shall inform the customer of the planned changes two months before the changes are introduced. During this period, the customer shall have the right to declare whether or not it accepts the planned changes. If the customer does not respond within this period, the changes shall be deemed approved. If the customer objects to the changes within the specified period, ONE WARE shall be entitled, at its discretion, either to continue to provide the affected service without the planned changes or to terminate the contract with the customer with one month's notice from receipt of the customer's objection.

4 Rights of use

Upon commencement of the contract, ONE WARE grants the customer the non-exclusive, nontransferable right to use the software in accordance with the contract for the duration of the contract. The right of use may only be sublicensed to the extent that this is absolutely necessary for the intended use of the software by the customer. Further legal rights of the customer remain unaffected.
The granting of rights does not include components of the software that are recognizable to the customer as being subject to third-party rights, in particular open source licenses. Such components are deemed to be recognizable in particular if they are disclosed by ONE WARE within the software or in accompanying text files as third-party content.
The contractual rights of use with regard to AI models trained by ONE WARE on behalf of the customer under this contract arise for the testing phase from the provisions in Section 8 (Testing: Hardware test) of this Agreement to be concluded between the parties, which shall be attached to this contract as Annex 4 upon its conclusion.

5 Fees

The customer shall pay ONE WARE the remuneration agreed in the Pricing Annex in Annex 3 for the training and storage of training data and trained AI models.
The remuneration for the use and export of trained models shall be determined by the license agreement to be concluded between the parties, which shall be attached to this contract as Annex 4 upon its conclusion.
Unless expressly agreed otherwise, the fees are net plus applicable sales tax.
Unless expressly agreed otherwise, all amounts are due upon invoicing.
If the customer issues ONE WARE with a SEPA direct debit mandate, ONE WARE shall not debit the invoice amount from the agreed account before the seventh day after the invoice date and the SEPA pre-notification.

6 Obligations of the customer

The customer must keep the access data for the software safe and may only make it available to authorized employees. The customer undertakes to ensure that the access data is treated confidentially and to inform ONE WARE immediately if there is any suspicion that the access data may have become known to unauthorized persons. Furthermore, the customer undertakes to comply with all security precautions, functional and other restrictions of the software. In particular, the customer may not remove, overcome, deactivate or otherwise circumvent any protection or authentication mechanisms. 1.1. The Customer is prohibited from transferring the software to third parties unless expressly agreed otherwise. 1.2. The customer is obliged to keep the information provided during registration up to date and to notify ONE WARE immediately of any changes. This includes, in particular, data relating to the customer's contact and business information.
The customer shall regularly back up their data and content stored, processed, and otherwise transmitted to ONE WARE within the scope of the software (within the meaning of Section 6.5.1 ) in a manner appropriate to the risk, insofar as this is technically possible.
The customer shall designate a contact person within their company who is authorized to receive and issue declarations of intent in connection with the contract with ONE WARE.
It is the responsibility of the customer to ensure that they upload the training data required for the training in accordance with the technical requirements in the specification in Appendix 1 to the ONE AI Cloud and thus make it available to ONE WARE for training the AI model.

4.1. The customer undertakes to refrain from any measures that jeopardize or disrupt the function-

ing of the software and not to access or process data to which they are not authorized to access.

Contents; use of the software 5.1. All rights to information, images, texts, and other content transmitted to ONE WARE by the customer within the scope of the use of the software, in particular as training data ("Content"), remain with the customer. However, the customer grants ONE WARE a non-exclusive right to use this Content to the extent necessary to fulfill the contract with the customer. ONE WARE is entitled to grant sublicenses to its vicarious agents to the extent necessary for the fulfillment

of the contract. Otherwise, the right of use is non-transferable. ONE WARE is entitled to retain the Customer's Content beyond the term of the contract to the extent that this is technically or legally necessary.

5.2. For clarification: ONE WARE does not use the customer's content to train AI models other than those that the customer trains themselves using the software. 5.3. The customer shall not upload or process any content via the software as training data that 5.3.1. infringe the rights of third parties (e.g., personal rights, image rights, copyrights, trademark rights, etc.) or otherwise violate applicable law; 5.3.2. contains illegal or immoral material and/or content, in particular information that serves to incite hatred, instigates criminal acts or glorifies or trivializes violence, is pornographic or sexually offensive, or is likely to seriously endanger the morals of children or young people, or contains pornographic or obscene material; or 5.3.3. contain personal data

("Prohibited Content").

7 Temporary blocking

ONE WARE is entitled to block the customer's access to the software if 1.1. there are indications that the customer's access data has been or is being misused or that the access data has been or is being disclosed to an unauthorized third party or that access data is being used by more than one natural person; 1.2. there are indications that unauthorized third parties have otherwise gained access to the IT infrastructure provided to the customer; 1.3. the blocking is necessary for technical reasons; 1.4. ONE WARE is obliged to block access due to applicable laws or by court or official order; 1.5. the customer uploads prohibited content to the software; 1.6. the customer is more than two (2) weeks in arrears with the payment of the agreed fees in accordance with Section 5 of the contract; or 1.7. the customer provides incorrect or invalid contact details and communication between ONE WARE and the customer is no longer possible.
ONE WARE should notify the customer of the blocking in text or written form at least one business day before the blocking takes effect, provided that the notification is reasonable, taking into account the interests of both parties, and compatible with the purpose of the blocking.

8 Testing; hardware test

The customer is entitled to test the AI model free of charge in the ONE AI Extension after completion of the training. The test is limited exclusively to evaluating the function of the model and may not be used for product operation.
The customer is entitled to upload new content to test the model, provided that this is done solely for the purpose of evaluating the model's functionality.
Hardware test 3.1. For a hardware test, the customer must submit a separate request to ONE WARE via the "Start Export" button . Upon approval, the customer will receive a code to export the AI model for testing on their own hardware. 3.2. Upon approval of the hardware test, ONE WARE grants the customer a non-exclusive, nontransferable right, limited to 30 days, to use the AI model exclusively for testing purposes. 3.3. The hardware test is limited to test operation and may not be used for productive purposes. After the test period has expired, the customer is obliged to discontinue test operation and delete all copies of the AI model, unless they conclude a license agreement with ONE WARE for this AI model.
The customer bears sole responsibility for the security of the test environment, in particular the hardware used.
Notwithstanding mandatory statutory provisions , the customer is not entitled to perform any form of reverse engineering of the AI model or to make any other attempts to discover the source code or the underlying components of the model.

9 Warranty

For free services, ONE WARE provides warranty in accordance with the statutory provisions.
In all other respects, ONE WARE shall provide warranty for defects in the provision of the software exclusively in accordance with the following provisions.
If the services to be provided by ONE WARE under this contract are defective, ONE WARE shall, within a reasonable period of time and after receipt of a written (email is sufficient) notice of defects from the customer, either repair the services or provide them again at its discretion. The provision of instructions for use with which the customer can reasonably circumvent defects that have occurred in order to use the software in accordance with the contract shall also be deemed a rectification.
If the defect-free provision of the services fails for reasons for which ONE WARE is responsible, even within a reasonable period set by the customer in writing, the customer may reduce the agreed remuneration by a reasonable amount. The right to reduction is limited to the amount of the monthly fixed price relating to the defective part of the service.
If the reduction pursuant to Section 9.4 reaches the maximum amount specified in Section 9.4 in two consecutive months or in two months of a quarter, the customer may terminate the contract without notice.
The customer shall notify ONE WARE immediately in writing (email is sufficient) of any defects that may occur. Furthermore, the customer shall support ONE WARE in remedying defects free of charge in a reasonable manner and, in particular, shall provide ONE WARE with all information and documents that ONE WARE requires for the analysis and elimination of defects.
In addition to reduction and termination, the customer may claim damages in accordance with the statutory provisions and the limitation of liability in section 10 .
Further warranty claims are excluded.
The limitation period for warranty claims is one year, unless they are based on intent or gross negligence or relate to damage resulting from injury to life, limb, or health.

10 Damages and liability

ONE WARE shall be liable for free services in accordance with the statutory provisions.
In all other respects, ONE WARE shall be liable without limitation for intent and gross negligence as well as for damage resulting from injury to life, limb, or health.
In cases of simple negligence, ONE WARE shall be liable for breach of a material contractual obligation. A material contractual obligation within the meaning of this clause is an obligation whose fulfillment is essential for the performance of the contract and on whose fulfillment the customer may therefore regularly rely.
ONE WARE shall not be liable for lack of economic success, lost profits, or indirect damages.
Liability is limited to the typical, foreseeable damage at the time the contract was signed.
Liability for damages due to data loss is limited to the amount of the restoration of the data that would have been incurred even if the customer had backed up the data regularly and in a manner appropriate to the risk.
The limitations of liability apply accordingly in favor of ONE WARE's employees, agents, and vicarious agents.
Any liability of ONE WARE for guarantees given (which must be expressly designated as such) and for claims under the German Product Liability Act (Produkthaftungsgesetz) shall remain unaffected.
Any further liability on the part of ONE WARE is excluded. In particular, strict liability for initial defects pursuant to Section 536a (1), 1st alternative, BGB is excluded.

11 Confidentiality and secrecy

The parties undertake to treat confidential information and documents ("confidential information") of the other party that have been designated or marked as confidential by the disclosing party as business and/or trade secrets, to use them exclusively for the purposes of this contract, and not to make them accessible to third parties. The receiving party shall take appropriate technical and organizational measures to prevent unauthorized access to/disclosure of confidential information. Third parties within the meaning of this agreement also include companies affiliated with the receiving party in which the receiving party does not hold a majority of the capital or voting rights. The employees of the receiving party and other third parties commissioned by it (including subcontractors and freelancers) shall be bound by the same obligations.
Confidential information on the part of ONE WARE includes, in particular, the software and all technologies of ONE WARE and this agreement, including the annexes and the agreed terms and conditions.
The receiving party is entitled to pass on the information and documents made available to it to third parties if and to the extent that this is essential for the fulfillment of this contract or the exercise of contractual rights or if this is mandatory for legal or regulatory reasons. In the event of inquiries from third parties, courts, or administrative authorities regarding the disclosure of confidential information, the receiving party shall immediately inform the disclosing party thereof in writing or in text form. The receiving party shall further support the disclosing party in its efforts to prevent the disclosure of the confidential information.
The confidentiality obligation shall not apply if the confidential information was already known to the receiving party prior to disclosure, is generally known or becomes known through no fault of the receiving party, was developed by the receiving party itself without access to the confidential information of the disclosing party, or is brought to the attention of the receiving party by a third party who is entitled to do so in good faith entitled third party, or if it does not allow conclusions to be drawn about natural persons or the disclosing party. Mandatory legal disclosure obligations remain reserved. If the receiving party invokes one or more of the aforementioned reasons, it must provide evidence of this by submitting suitable proof.
The confidentiality obligation begins upon receipt of the confidential information and remains in effect for the entire term of this contract. In addition, the confidentiality obligation shall remain in effect for a period of three years after termination or expiry of the contract, unless longer periods of confidentiality are required by law. In particular, any trade secrets shall be treated as confidential for as long as they remain trade secrets.
If agreed in the service description, ONE WARE is entitled to name the customer as a reference customer in marketing materials (including websites), stating the full company name and using the company logo.
With the exception of Section 11.6 , the above provisions do not establish any intellectual property rights. All rights of use granted under this contract remain unaffected by the above provisions.

12 Data

With regard to personal data processed by ONE WARE on behalf of the customer within the scope of this contract, the parties conclude the data processing agreement in Appendix 2 ("DPA"). In the event of any contradictions between this contract and the DPA, the provisions of the DPA shall prevail.

13 Term and termination

The contract shall commence upon conclusion of the contract and shall run for an indefinite period of time .
The right of the parties to terminate for good cause remains unaffected. For ONE WARE, good cause shall include, in particular, if: 2.1. the customer repeatedly posts prohibited content on the software despite prior warnings from ONE WARE; 2.2. the customer is more than six weeks in arrears with the payment of the agreed remuneration in accordance with Section 5 and ONE WARE has given the customer two weeks' notice of termination in text or written form;

14 Final provisions

Amendments and subsidiary agreements to this contract must be made in writing. This also applies to this written form clause.
In the event of contradictions between the annexes and the contract, the provisions of the annexes shall prevail.
The customer may only offset claims against ONE WARE or assert a right of retention if the counterclaim is undisputed or has been legally established or is in a synallagmatic relationship to the respective claim.
The law of the Federal Republic of Germany applies, excluding the UN Convention on Contracts for the International Sale of Goods.
The exclusive place of jurisdiction for all disputes arising from or in connection with this contract is the registered office of ONE WARE, provided that the contracting parties are merchants or the customer does not have a general place of jurisdiction in Germany or in another EU member state or has moved its permanent residence abroad after these General Terms and Conditions have become effective or the place of residence or habitual abode is unknown at the time the action is brought.
References to German law are binding; translation is for convenience only.

Appendix 1 – Service description (specification)

Subject matter of the service With "ONE AI," the provider provides a software solution for the automated creation and optimization of customized AI models. The platform enables users to generate and train individual AI models based on their data and export them in various formats.
Scope of services The functions provided include in particular:

Analysis and preprocessing of image data (PNG, JPG) and associated label files (TXT)
Support for image analysis for use cases such as image classification and object recognition
AI model prediction and automated training on ONE AI servers or locally
Export of trained models in formats such as ONNX and TensorFlow Lite, export as a project in C++ for processor-based systems or VHDL for FPGA-based systems, or as an executable program for systems with the Linux operating system

Technical restrictions

Maximum data volume per project: 50 GB upload limit
Supported file formats: PNG and JPG images as well as TXT label files
Maximum image resolution: AI model predictions are only supported for images up to 8000x6000 pixels

Services not owed

The provider does not provide personal or individual advice. Support is limited to technical inquiries, error reports, and assistance with using the platform.
Feature adjustments, hardware consulting, or AI development on behalf of the customer shall only be provided upon separate written agreement.

Customer obligations to cooperate

The customer is responsible for the accuracy, formatting, and suitability of the uploaded data.
Before use, it must be ensured that the system requirements are met and that all project content complies with data protection regulations.

Appendix 2: Order Processing Agreement (DPA)

This agreement on order processing ("DPA") specifies the data protection obligations and rights of the parties in connection with the processing of personal data processed by ONE WARE GmbH (hereinafter "Contractor") for the customer (hereinafter "Client") under the ONE AI usage agreement (hereinafter "Main Agreement") concluded between the parties.

1 Scope

In providing the services under the Main Agreement, the Contractor shall process personal data provided by the Client for the purpose of providing the services and in respect of which the Client acts as the controller within the meaning of data protection law or as a processor for other processors or controllers ("Client Data"). In the event of contradictions between this DPA and provisions from other agreements, in particular from the Main Contract, the provisions of this DPA shall prevail.

2 Subject matter and scope of the assignment / Client's authority to issue instructions

The Contractor shall process the Client Data exclusively on behalf of and in accordance with the instructions of the Client, unless the Contractor is legally obliged to process the data by European Union law or the law of a Member State. In such a case, the Contractor shall inform the Client of these legal requirements prior to processing, unless the relevant law prohibits such notification on grounds of an important public interest.
The processing of client data by the contractor shall be carried out exclusively in the manner, to the extent, and for the purpose specified in Appendix 1 to this DPA; the processing shall relate exclusively to the types of personal data and categories of data subjects specified therein.
The duration of the processing shall correspond to the term of the main contract.
The Contractor is permitted to process Client data outside the European Economic Area ("EEA") or to have it processed by other processors in accordance with Section 5 if the conditions of Articles 44 to 48 GDPR are met or an exception under Article 49 GDPR applies.
The instructions are set out in the main contract. The client is only entitled to issue further instructions on the type, scope, purposes, and means of processing client data if such instructions are required under European Union or member state law or on the basis of a court or official order.
Instructions shall be given in writing or in text form. The client shall confirm verbal instructions in writing or by email.
If the contractor believes that an instruction from the client violates this DPA, the GDPR, or other data protection regulations of the Union or member states, it shall inform the client immediately in writing or text form. The contractor is entitled to suspend the execution of such an instruction until the client confirms it in writing or in text form. If, despite the concerns raised by the contractor, the client insists on the execution of an instruction, the client shall indemnify the contractor against all damages and costs incurred by the contractor as a result of executing the client's instruction. The contractor shall inform the client of any damages claimed against it and any costs incurred by it and shall not acknowledge any claims of third parties without the consent of the client and shall defend itself at its own discretion in consultation with the client or leave the defense to the client.

3 Requirements for personnel

The contractor shall oblige all persons who process client data to maintain confidentiality, unless they are subject to appropriate legal confidentiality obligations.
The contractor shall ensure that persons under its control who have access to client data process such data only in accordance with this DPAand the client's instructions, unless they are required to do so under European Union or Member State law.

4 Security of processing

The contractor shall take all appropriate technical and organizational measures that are necessary, taking into account the state of the art, the implementation costs and, insofar as known to the contractor – the nature, scope, circumstances and purposes of the processing of the Client's data and the varying likelihood and severity of the risk to the rights and freedoms of the data subjects, in order to ensure a level of security appropriate to the risk.
Before starting to process the Client's data, the Contractor shall, in particular, take the technical and organizational measures specified in Annex 2 to this DPAand maintain them for the duration of the main contract, and ensure that the processing of Client data is carried out in accordance with these measures.
It is the responsibility of the client to review the technical and organizational measures taken by the contractor, in particular whether they are sufficient in view of circumstances of data processing that are not known to the contractor.
Since the technical and organizational measures are subject to technical progress, the Contractor is entitled and obliged to implement alternative, adequate measures in order not to fall below the security level of the measures specified in Appendix 2. If the Contractor makes significant changes to the measures specified in Appendix 2, it shall inform the Client in advance.

5 Use of additional processors

The contractor shall use the additional processors listed in Appendix 3 when processing the client's data. These shall be deemed approved upon conclusion of the DPA.
The contractor may use other processors to process the client's data under the following conditions: The contractor shall inform the client in writing or in text form at least 30 days before using the other processor at an address designated by the client for this purpose. If the client does not object within 14 days, the use shall be deemed approved.
If the client objects, the contractor shall be entitled, at its discretion, either to perform its services under the main contract without using the rejected further processor or to terminate the main contract and this DPA.
The contractor shall impose essentially the same data protection obligations on any further processors as apply to the contractor under this DPA.
The contractor is obliged to select and use only those further processors who provide sufficient guarantees that the appropriate technical and organizational measures will be implemented in such a way that the processing of the client's data is carried out in accordance with the requirements of the GDPR and this DPA.

6 Rights of data subjects

The contractor shall take all reasonable technical and organizational measures to support the client in fulfilling its obligation to respond to requests from data subjects to exercise their rights.
In particular, the contractor shall:
2.1. inform the client immediately if a data subject contacts the contractor directly with a request to exercise their rights in relation to client data; 2.2. provide the client, upon request, with all information available to it regarding the processing of client data that the client requires to respond to a request from a data subject and which the client does not have itself; 2.3. immediately correct, delete, or restrict the processing of client data at the client's request, insofar as the client cannot do so itself and this is technically possible for the contractor;
2.4. support the client, to the extent necessary, in obtaining the client data processed within the scope of the contractor's responsibility in a structured, commonly used and machine-readable format, to the extent that this is technically possible for the contractor, if a data subject asserts a right to data portability with regard to the client data vis-à-vis the client.

7 Other support obligations of the contractor

The contractor shall notify the client immediately after becoming aware of any breach of the protection of client data, in particular incidents that lead to the destruction, loss, alteration, or unauthorized disclosure of or unauthorized access to client data. The notification shall include, if possible, a description of:
1.1. the nature of the breach of the protection of the client's data, specifying, where possible, the categories and approximate number of persons affected;
1.2. the likely consequences of the breach of the protection of the client's data;
1.3. the measures taken or proposed by the Contractor to remedy the breach of the protection of the Client's data and, where appropriate, measures to mitigate its possible adverse effects.
The contractor is obliged to take all necessary and reasonable measures to remedy the breach of the protection of the client's data and, where appropriate, to mitigate its possible adverse effects in the event of any breach of the protection of the client's data.
If the client is obliged to provide information about the processing of client data to a government agency or person or to cooperate with such agencies in any other way, the contractor shall be obliged to support the client in providing such information or fulfilling other obligations to cooperate to the best of its ability.
The contractor shall support the client in complying with the obligations set out in Art. 32 GDPR, insofar as this is possible taking into account the information available to it about the specific use of the client's services.
In the event that the client is obliged to inform the supervisory authorities and/or data subjects in accordance with Articles 33 and 34 of the GDPR, the contractor shall, to the extent possible, support the client at its request in complying with these obligations. The contractor is in particular obliged to document all breaches of the protection of client data, including all related facts, in a manner that enables the client to prove compliance with any relevant legal reporting obligations.
The contractor shall support the client with the information available to it and, to the extent reasonable, in any data protection impact assessments to be carried out by it and any subsequent consultations with the supervisory authorities pursuant to Articles 35 and 36 GDPR.

8 Data deletion and return

Upon termination of the main contract, the contractor shall delete all client data in full, unless the contractor is obliged to continue storing the client data under European Union or member state law.
However, the contractor is entitled to retain backup copies of the client's data for a period of 30 days, provided that deletion of the client's data from these backup copies is not required for technical reasons or with regard to Article 32 GDPR. For this period, the rights and obligations of the parties under this DPA shall apply to the backup copies, notwithstanding Section 2.3 .
Documentation serving as proof of the orderly and proper processing of the client's data shall be retained by the contractor in accordance with the statutory retention periods beyond the end of this GPA.

9 Proof and checks

The contractor shall ensure and regularly check that the processing of the client's data complies with this DPA, the main contract, and the client's instructions.
The contractor shall document the implementation of the obligations under this DPA in an appropriate manner and provide the client with all necessary evidence of compliance with the contractor's obligations under the GDPR and this DPA upon request.
The client is entitled to check the contractor's compliance with the provisions of this GPA, in particular the implementation of the technical and organizational measures in accordance with Annex 2, either itself or through a qualified auditor who is bound to maintain confidentiality, including through inspections. The contractor shall enable such checks and shall contribute to such checks by taking all appropriate and reasonable measures, including granting the necessary access rights and providing all necessary information.
The checks and inspections shall not, as far as possible, interfere with the Contractor's normal business operations or place an unreasonable burden on the Contractor. In particular, inspections at the Contractor's premises shall not take place more than once per calendar year without specific cause and shall only take place during the Contractor's normal business hours. The Client shall notify the Contractor of inspections in writing or in text form in good time in advance.
In accordance with the provisions of the GDPR, the client and the contractor are subject to public controls by the competent supervisory authority. At the request of the client, the contractor shall provide the supervisory authority with the requested information and give it the opportunity to carry out checks, including inspections at the contractor's premises by the supervisory authority or persons designated by it. The contractor shall grant the competent supervisory authority the necessary access, information, and inspection rights in this context.

10 Miscellaneous

Amendments and subsidiary agreements to these GTC shall require the written form. This also applies to this written form clause.
The choice of law and place of jurisdiction agreements from the main contract shall apply accordingly to this DPA.

Appendix 1 Purpose, type, and scope of data processing, type of data, and group of data subjects

Purpose of data processing	The stored data will be used for the following purposes: - Provision of the software - Ensuring the availability and security of the systems - User registration and user profile data for the provision of user accounts
Type and scope of data processing	- Storage and provision of logins to the software - Storage of customer names and address data - If agreed, implementation of onboarding me asures for the client
Type of data	The subject matter of the collection, processing, and/or use of personal data under this data processing agreement is the following types/categories of data: - Login data (name, email address, etc.) and other personal data provided during registration
Group of data subjects	Users of the software

Purpose of data processing

The stored data will be used for the following purposes:

- Provision of the software

- Ensuring the availability and security of the systems

- User registration and user profile data for the provision of user accounts

Type and scope of data processing

- Storage and provision of logins to the software

- Storage of customer names and address data

- If agreed, implementation of onboarding me asures for the client

Type of data

The subject matter of the collection, processing, and/or use of personal data under this data processing agreement is the following types/categories of data:

- Login data (name, email address, etc.) and other personal data provided during registration

Group of data subjects

Users of the software

Annex 2: Technical and organizational measures

1 Pseudonymization and encryption (Art. 32 (1) (a) GDPR) Basic measures

Encryption of data carriers in laptops/notebooks
Encryption of data during further online transfers

2 Confidentiality (Art. 32 (1) (b) GDPR)

2.1. Technical and organizational measures

Establishment of access authorizations for employees and third parties, including the relevant documentation Special security areas with separate access control ("closed shops")
Guidelines for the organization of files
Internal data processing guidelines and procedures, instructions, work instructions, process descriptions, and regulations for programming, testing, and releasing data
Personal data shall only be processed on documented instructions from the controller, including the transfer of personal data to a third country or to an international organization
Existence of a data security concept
Binding guidelines and procedures for the employees of the processor in connection with data processing
Upon request, the processor shall provide the controller with all information necessary to demonstrate compliance with the data processing agreement, even at short notice (within a maximum of 48 hours)
Upon request, the processor shall grant the controller access so that the controller can monitor compliance with this agreement by means of audits and inspections
Existence of an emergency plan (backup emergency plan)
Separation of tasks/functions between the IT department and other departments
Instructions for employees on the processing of personal data
Clear demarcation between the areas of responsibility of the controller and the processor

2.2. Access control for persons

Physical access to the premises where data is processed is logged
Documentation of key allocation
Pickup and escort of external persons by employees
Chip card/transponder locking system
Regulation of keys/codes (key issuance, etc.)
Notification of access
Manual locking system, doors are always kept locked
Only authorized employees have access to the data processing systems

2.3. User control

Definition of access authorizations for employees and third parties, including the relevant documentation
Regular checks on the validity of authorizations
Access authorizations are only granted to specific individuals
Departures, team changes, and inactive users (e.g., parental leave, sabbatical) are implemented in a timely manner (user accounts removed/deactivated/adjusted)
Securing computer workstations during absences and when the system is running
Use of intrusion detection systems, antivirus programs, hardware and software firewalls, and central smartphone administration software (e.g., for external data deletion)
Isolation of internal networks against external access
Access to devices is password-protected
Login only possible after identification
All IT systems are password protected
Passwords are to be assigned in accordance with the recommendations of the German Federal Office for Information Security (BSI), as set out in the current IT-Grundschutz Compendium (available via www.bsi.bund.de→ IT-Grundschutz).
Use of professional password management
Automatic screen locks when inactive
2-factor authentication for critical systems and data
Processes for checking and approving programs
Provisions for third parties (e.g., IT service providers)
Setup and maintenance of virus scanners on all devices used for processing
User passwords for data and programs
Encryption procedures for files
Protective measures for data entry into memory and for reading, locking, and deleting stored data
Special access rules for procedures, control cards, process control methods, and authorizations for cataloging programs
User names and passwords on all devices
Log file for events (monitoring of intrusion attempts)
Separation of production and test environments for libraries and data files
Special control when using auxiliary programs, insofar as these are capable of circumventing security measures
Deletion or destruction of all deletable data and electronic media (e.g., notebooks and laptops, hard drives, CDs, DVDs, USB sticks, audio tapes, data carriers, memory cards, etc.) after the (contractually agreed) end of processing

2.4. Access and data carrier control

Creation of an authorization concept
Continuous review and evaluation of access authorizations
Management of rights by system administrator
User control via Active Directory
Encryption of data carriers
Monitoring of system administration activities
Logging of access to applications (in particular entry, modification, deletion, and destruction of data)
User accounts shall be automatically locked after a defined number of unsuccessful login attempts. Password assignment shall follow the recommendations of the German Federal Office for Information Security (BSI).
Physical deletion of data carriers before reuse
Proper and data protection-compliant destruction of data carriers using document shredders or service providers and logging of the destruction
Data protection-compliant deletion on systems
Documentation of access authorizations and administration by a closed group of persons
Logging of access
Differentiated access rules for different systems
Issuing and securing identification codes
Employees are bound to confidentiality/data secrecy
Protection of internal networks against unauthorized access (e.g., through firewalls)
Automatic blocking of accounts in the event of unauthorized access attempts
Installation and maintenance of virus scanners on all devices used for processing 2.5. Separability
Clear internal guidelines for data collection and processing
Definition of database rights
Separation of production and test environments
Logical client separation (software-based)
Storage of data belonging to different responsible parties on separate data carriers (physical separation)
Provision of data records with purpose limitation/data fields

3 Integrity (Art. 32 (1) (b) GDPR)

3.1. Transfer and transport control

Determination of transmission channels and data recipients
Securing the transmission or transport route
Careful selection of transport services, personal collection, and execution of transport
Monitoring the completeness and accuracy of data transmission (end-to-end control)
Guidelines for transmission/dispatch
Digital signature
Deletion of data or disposal of data carriers by a certified service provider
External storage media are always encrypted
Use of document shredders or service providers (with data protection certification where possible)
Restriction of the use of external storage media (in particular USB sticks, external hard drives, SD cards, CD and DVD burners) by technical means (e.g., software for controlling interfaces or complete deactivation of interfaces)
Control of the disposal of data carriers
Secure storage and release of data carriers to authorized persons only
Regular checking of files and controlled and documented destruction of data carriers
Blocking of confidential data carriers (e.g., USB interface)
In the event of a data breach, the processor will immediately inform the controller
Storage/transfer of data in encrypted form
Transfer of data in anonymized or pseudonymized form
Documentation of recipients, duration of use, or agreed deletion period
Documentation of remote locations/destinations to which a transfer is to take place and the transfer route (logical route)
Formalized data processing, including lists of access and transmission processes

3.2. Input and storage control

Logging of data entry, modification, and deletion; storage of logs as and for as long as necessary
Traceability of data entry, modification, and deletion through individual user names (not user groups)
Assignment of rights to input, change, and delete data based on an authorization concept
Maintenance of audit-proof access authorizations
Creation of an overview of retrieval and transmission programs
Creation of an overview showing which applications can be used to modify and delete data
Storage of forms from which data has been extracted for automatic processing

With regard to the diagnostic devices to be maintained, the following measures are also implemented:

4 Availability and resilience (Art. 32 (1) (b) GDPR)

4.1. Availability and recoverability

Fire and smoke alarm systems
Air conditioning in server rooms
Protective socket strips in server rooms
Fire extinguishers in server rooms
No storage of potentially flammable materials (e.g., paper, cardboard) without supervision
Devices for monitoring temperature and humidity in server rooms
Server rooms and IT equipment must be specially protected against environmental influences (e.g., server rooms must not be located under sanitary facilities; fire protection; temperature control)
Set up the server in a separately secured room or data center
Creation of a backup & recovery concept
Creation of an emergency plan (backup emergency plan, testing of data recovery)
Backups (specify if necessary, e.g., daily incremental, weekly full backup)
Guidelines for checking backups
Regular verification of the recoverability of backups
Access to the data in the backups is restricted to authorized personnel
Software-based monitoring of systems and error messages
Updating the software used (e.g., through updates, corrections, bug fixes, etc.)
Checking that computing power is sufficient
Resilience of the IT system, even under (very) high loads
Formal approval procedures for hardware, software, and IT processes
Central procurement of hardware and software
Internal data processing guidelines and procedures, instructions, work instructions, process descriptions, and regulations for programming, testing, and approving data
Data mirroring

4.2. Resilience of the systems

Automated reporting of malfunctions
Use of anti-virus software
Use of a hardware firewall
Regular system maintenance
Routine measures to secure systems in the event of error messages
Centralized and standardized procurement of hardware and software
Continuous updating of the software used

5 Procedures for regular review, assessment, and evaluation (Art. 32 (1) (d), 25 (1) GDPR)

5.1. Order control

Ensuring that personal data processed on behalf of the client can only be processed in accordance with the client's instructions (order control)

Employee confidentiality obligations
SOPs for employees to ensure processing in accordance with the order
Ensuring the destruction of data after completion of the order
Clear division of responsibilities between the client and the contractor

Insofar as the contractor is permitted to engage a sub-processor in accordance with the data processing agreement, order control shall be ensured by the following measures:

Selection of subcontractors based on due diligence criteria (in particular with regard to data security)
Order data processing agreement in accordance with Art. 28 GDPR
Effective control rights agreed with the contractor
The contractor must appoint a data protection officer, if necessary
Prior review and documentation of the security measures taken by the contractor
Ongoing review of the contractor and its activities

5.2. Data protection management

Basic measures to be taken by the contractor:

Appointment of a data protection officer
Appointment of a security officer
Internal data processing guidelines, guidelines, work instructions, procedural rules for handling personal data
An IT and data security concept exists for the regular review, assessment, and evaluation of technical and organizational measures for data security
Regular training of employees
The hardware and software used is regularly checked for functionality
Existence of a record of processing activities

Appendix 3: Other processors

Name	Address	Type of data	Purpose	Place of processing guarantees
HubSpot, Inc.	25 First Street, Cambridge, MA 02141, USA	Customer master data, contact details, billing information	Creation, management, and dispatch of invoices	USA – Standard Contractual Clauses (SCC) pursuant to Art. 46 GDPR
Paddle.com Market Ltd.	Judd House, 18-29 Mora Street, London EC1V 8BT, United Kingdom	Payment data, billing information	Payment processing and billing	United Kingdom – Adequacy decision of the EU Commission pursuant to Art. 45 GDPR

Appendix 3 – Pricing Annex

Part I – Remuneration for use of the software, training, and storage space

1 Purchase of credits, credit pricing model

The customer purchases credits from ONE WARE to pay for the services.
The customer purchases the credits from ONE WARE in packages of at least 1000 credits each.
The price for 1000 credits is EUR 20.00.
Credits cannot be transferred to other customer accounts.
The services are priced according to the credit pricing model in accordance with the table below.

Service	Price (in credits)
Training of AI models	50 credits/minute

Time-limited discounts for training and volume discounts

ONE WARE may, at its sole discretion, offer time-limited discounts or volume discounts for training (e.g., during off-peak hours). ONE WARE will notify the customer if such discounts apply. Otherwise, the customer has no claim to such discounts.
Welcome credit for new customers

Upon initial registration, each user will receive a one-time welcome credit of 25,000 credits. The welcome credit will only be granted once per user.

2 Billing terms

The customer can purchase credits in advance and use these credits as desired to use the software.
Credits purchased in advance can be redeemed during the entire term of the contract. If the customer issues a SEPA direct debit mandate, the customer may, in addition to any prepaid credits, use further credits under a post‑payment option. ONE WARE will invoice the additional credits used monthly in arrears.
The customer has the option of specifying a maximum monthly amount within the scope of the additional payment option.

3 Central user management

If the customer uses central user management, credits are managed centrally via an admin account. Users (e.g., employee accounts) are granted access to the software without user-specific invoicing.

In this case, billing and invoicing are carried out centrally by the customer alone. The customer is responsible for the consumption of all users assigned to the customer.**

4 Price adjustment

ONE WARE may adjust prices at its reasonable discretion at the earliest two years after conclusion of the contract. Such an adjustment may not exceed 10% of the remuneration for the relevant service in the preceding twelve-month period. The customer will be notified of this in writing three months in advance.

Part II – Remuneration under the license agreement 1 Scope

If the parties have concluded a license agreement in accordance with Appendix 4 to this contract for an AI model trained by the customer on ONE AI ("License Object"), the license fee and billing terms shall be governed by the following provisions.

2 License model per execution unit

ONE WARE grants the customer the right to commercially use a licensed item in connection with a specific product, machine, or software instance in accordance with the provisions of the license agreement in return for payment of an annual license fee.
The amount of the license fee is specified in the license description in the license agreement, which is attached to the usage agreement as Appendix 4. Unless otherwise agreed in the license agreement, the license fee applies per year and per defined unit.
A defined unit is a specific physical or digital product specified in the license description as the "scope of application" (product type, model series, software solution, etc.).
The licensed product may be updated, improved, or retrained as desired within the licensed development environment (IDE).
If the customer wishes to use the licensed product in a different area of application, a new license agreement must be concluded. There will be no (proportional) refund of the license fee for the previous license agreement. This also applies if the new license agreement is concluded during the current license year.

3 Included credits

ONE WARE is free to grant any number of credits, either once or repeatedly, for the use of ONE AI (e.g., training, analysis, storage) free of charge ("inclusive credits").
Included credits are only valid in the respective calendar month and expire if not used. They cannot be transferred to subsequent months or converted into other services.

4 Price adjustment

ONE WARE may adjust prices at its reasonable discretion no earlier than two years after conclusion of the license agreement. Such an adjustment may not exceed the license fee for the preceding twelvemonth period by more than 10%. The customer will be notified of this in writing three months in advance.