Overseer Infobase
 
© Siemens AG 2019, contact: Administrator(s)    2019-11-17 05:20 (Berlin)

Digital Services Agreement

Digital Services Agreement

October 2019

 

1.         Subject Matter and Scope

1.1.     Parties. The Digital Services Agreement ("DSA") is agreed between the Siemens entity ("we", "us", or "our") and the contracting person or entity ("you" or "your") indicated in the Order Form.

1.2.     DSA. This DSA governs your use of certain Services provided to you by us from time to time on or in relation to a cloud-based Platform, subject to our agreement on respective Order Forms. The DSA incorporates by reference the Acceptable Use Policy, the Data Processing Agreement and the Specification Documents.

1.3.     Definitions. Certain capitalized terms used in this document are defined in Section 15. Other capitalized terms shall have the meaning given to them in this document.

1.4.     Contract Formation. We are only obliged to provide you with the Services if we accept your order of Services.

1.5.    Out of Scope. The Services always exclude (i) the provision of any software or services that are not specified by Siemens in the Specification Documents , even if they interoperate with the Services; (ii) the transmission of data or software to and from the exit of the wide area network of the data centers used by us to provide the respective Service; and (iii) any hardware intended for the connection of devices, systems, or other equipment to the Platform other than explicitly specified in the Specification Documents. You are responsible for securing and maintaining an internet connection and suitable connectivity to the Services at your own expense.

2.         Provision of Services

2.1.    Service Standards. We provide the Services materially in accordance with the features and functionalities set out in the Specification Documents. We will use commercially reasonable efforts to make the Services available to you, subject to operational requirements, including maintenance and security.

2.2.    Security. We maintain a formal security program that is designed to protect against threats or hazards to the security of Your Content and prevent unauthorized access to Your Content. Providers of our cloud infrastructure are required to (i) implement and maintain a security program that complies, inter alia, with the ISO 27001 or a successor standard (if any) that is substantially equivalent to ISO 27001 and that is designed to provide at least the same level of protection as evidenced by the certification of the providers under ISO 27001 and (ii) have the adequacy of their security measures annually verified by independent auditors. The Platform (i) employs firewalls, anti-malware, intrusion detection/prevention systems (IDS/IPS) and the corresponding management processes designed to protect service delivery from malware and (ii) is operated under a security governance model aligned with ISO 27001 and IEC 62443, including regular penetration testing. This Section contains Siemens' entire obligation regarding the security of Your Content, the Platform and the Services.

2.3.    Changes to the Services. We provide Services in a multiuser environment and must therefore reserve the right to modify and discontinue Services. We may modify a Service at any time without degrading its functionality or security features For current subscriptions, we may degrade the functionality of a Service or discontinue a Service only in case of (i) legal requirements; (ii) changes in the Services imposed by Siemens' subcontractors; (iii) the termination of our relationship with a provider of software and/or services used by us which are material for the provision of such Service; (iv) lack of customer acceptance and/or (v) security risks. We will notify you of any material degradation of functionality or the discontinuation of a Service at least 80 days prior to the change effective date specified in the notice and you may terminate the degrading Service 30 days prior to the change effective date. In the event of such termination or discontinuation of a Service, we will refund any prepaid amounts for the applicable Service on a pro-rata basis for the remainder of the Subscription Term. We do not maintain prior versions of a Service.

2.4.    Changes to the DSA. The DSA published at the date of an Order Form shall apply until the end of the Subscription Term for the Services agreed in such Order Form and to all Services subsequently ordered and designated as related Services in the Order Form. Any change to the DSA will only apply from the beginning of a renewed subscription, unless a change during a current Subscription Term is required as a result of a change of Laws or permitted in a Specification Document or in order to reflect any changes in the Services agreed with or imposed by Siemens' subcontractors (including changes in open source software license terms) or  when we introduce new features, supplements, enhancements, capabilities or Services (e.g. that were not previously included with the subscription, but added for no additional fee). Should a change during a Subscription Term have a material adverse effect on your rights, obligations, or use of the Services, you may terminate the affected Service within 30 days following our notice. In such case we will refund any prepaid amounts for the applicable Service on a pro-rata basis for the remainder of the Subscription Term.

2.5.    Subcontractors, Location of Data Centers. To support the rendering of the Services, we may use personnel and resources in the various countries in the EU. The locations of data centers used by us for the storage of Your Content are only in Germany.

2.6.    Monitoring of Usage. Without limiting any of our rights in Section 5.1, Siemens or Siemens' subcontractors may monitor Users' usage of Services and Third Party Applications for Siemens' internal purposes, including: (i) for security and availability reasons; (ii) to the extent required to ensure compliance with the DSA; (iii) to detect, prevent, and suspend any use of Services exceeding the permitted use under the DSA, and otherwise as necessary for payment and billing purposes (also in relation to Third Parties); (iv) to provide you with reports on Users' use of the Services; and (v) to offer to you, in accordance with any applicable legal requirements, other products or services that are not yet part of the Services. You will not block or interfere with our monitoring, but may use encryption technology or firewalls to help keep Your Content confidential. We may also use usage information on an aggregated basis to improve the Services, other Siemens products and services, and Siemens' subcontractors' services.

2.7.    Data Privacy. Each Party shall comply with all applicable data privacy laws and regulations governing the protection of personal data in relation to their respective performance under the DSA. If we act as your processor of personal data, our Data Processing Agreement applies to your use of the relevant Services.

3.         Use of Services

3.1.    Use Rights. We grant you the non-transferable, non-sub-licensable, time-limited and revocable right to access and use, and permit Third Parties to access and use, the Services for your internal purposes as end-user, subject to the limitations set out in the DSA. In any case, Services on the Platform may only be accessed by Users (including Third Parties) via your Account using access credentials provided by you, by Siemens at your request, or by a Third Party authorized by you.

3.2.    Credentials. You shall: (i) carefully store access credentials and security tokens and protect them from unauthorized access; (ii) not gain access to the Services by any means other than your Account or other means permitted by us; (iii) not circumvent or disclose the authentication or security of your Account, the Platform or any host, network, or account related to the Platform; (iv) not use a false identity or credentials of another person to gain access to your Account, the Platform or the Services; and (v) ensure that any credentials are used only by the individual who was granted the credentials. We may change access credentials if we determine in our reasonable discretion that a change is necessary.

3.3.    Responsibility for Users and Other Persons. You are responsible for all activities that occur under your Account and any use of the Services by any User, any of your employees or any Third Party to whom you facilitate or permit access to the Services, and all liabilities or other consequences arising from such activities or use, as if these were your own acts. This does not apply to the extent damage or breach is caused by our violation of the DSA. You will ensure that all Users, your employees and any Third Party to whom you facilitate or permit access to the Services, comply with your obligations under the DSA. Should you become aware of any violation of your obligations under the DSA you will immediately terminate the relevant person's access to the Services. You acknowledge and agree that Your Users who submit declarations and/or notifications to us act on your behalf and have the legal authority to bind you.

3.4.    Obligations when Using Services. You are responsible that your use of the Services complies with the Laws at all times. You shall (i) obtain, at your own expense, any rights, consents and permits from vendors of software and services used by you in connection with the Services which are necessary for Siemens and its subcontractors to provide the Services and (ii) always keep up to date any software that we provide to you as part of the Services by installing updates and patches as they become available. You shall remain responsible for the security of your systems and of on-premise hardware and software.

3.5.    Your Content. You are responsible for the development, content, management, use, and quality of Your Content and the means by which you acquire and share Your Content. This includes your responsibility for: (i) the technical operation of Your Content including compatibility of any calls you make to a Service with the Platform APIs; (ii) the transfer or copying of Your Content to data centers outside your country of residence in compliance with Laws; (iii) taking your own steps to maintain legally required or otherwise appropriate security and protection, including backup and archiving, of Your Content; (iv) any document retention or archiving obligations resulting from Laws or company policies; and (v) ensuring that Your Content can be used by Siemens and its business partners as permitted under this DSA without violating Laws or rights of others. You shall properly handle any notices and claims sent to you claiming that Your Content violates Third Party's rights or Laws. We will not delete any of Your Content during the Subscription Term unless such deletion is required by a governmental body, to avoid or limit the liability of Siemens or any Third Party, or to prevent the security of Siemens' systems from being affected.

3.6.    Information Obligations. You will provide information or other materials related to Your Content as we reasonably request to verify your compliance with the DSA. If you become aware of any of the following actual or potential events you shall promptly provide us with reasonable information and assistance regarding their mitigation and resolution: (i) unauthorized use of your Account; (ii) loss or theft of your Account information; (iii) circumstances or incidents affecting the security of the Platform or Services; and (iv) measures by authorities or court decisions specifically relating to your use of Services or the Platform which may affect the Platform or the Services.

3.7.    Limited Reliance. You acknowledge and agree that (i) our Services are not designed to be used for the operation of or within a High Risk System if the functioning of the High Risk System is dependent on the proper functioning of a Service and (ii) the outcome from any processing of data through the use of the Services is beyond our control. You are responsible for the use and the interpretation of the outcome from such processing and any reliance on such outcome.

4.         Fees, Payment Terms and Taxes

4.1.    General. You agree to pay all applicable fees specified for the Services and, at the then-current price, all fees for use of Services exceeding the agreed usage or authorizations. Any change of our fees will only apply from the beginning of a renewed subscription. Fees are due upon receipt of the invoice and payable at no extra cost for us and without any deduction within 30 days of the invoice date using one of the payment methods we support. Any overdue payment shall accrue interest at the lower of (i) the rate of 2 % per month or (ii) the highest rate legally permitted.

4.2.    Taxes. All prices and payments relating to the Services are exclusive of any applicable taxes, customs and import duties, levies, and charges of any kind whatsoever. Any such taxes, customs and import duties, levies, and charges that may be imposed on or paid by us shall be borne by you. Any sums to be paid to us shall be net of any applicable taxes, duties and levies that might be levied or withheld on payments made by you to us. Should any such taxes, duties or levies be levied or withheld by you on payments due to us, then you shall gross up the net payments to us by such an amount necessary to ensure that we receive a net amount equal to the full amount we would have received had such taxes, duties or levies not been withheld. In any case, you are obligated to provide us promptly with the official tax receipt, which confirms the tax payment on your behalf.

5.         Proprietary Rights

5.1.    Rights in Your Content. We will not acquire any rights, title or interest in or to Your Content, except as granted under the DSA. Siemens and its business partners have a worldwide, non-exclusive, transferable, sub-licensable, royalty-free right to use, host, store, transmit, display, modify and reproduce Your Content for the purpose of providing the Services.

5.2.    Rights in the Platform, Services, Feedback. All right, title and interest in and to the Platform and the Services, including any know-how and any part and improvement thereof, and all intellectual property rights in or to the foregoing shall remain wholly vested in Siemens, its business partners and/or licensors. You grant Siemens a worldwide, perpetual, irrevocable, unlimited, transferable, sub-licensable, fully paid, royalty-free license to use any suggestion, recommendation, feature request, or other feedback related to the Services and/or the Platform, provided by you or on your behalf.

6.         Limited Warranty

6.1.    Conformance with Service Standards. We warrant that the Services will be provided as set forth in Section 2.1. If Services fail to perform as warranted hereunder, to the extent permissible under Applicable Law, our sole obligation and your exclusive remedy will be (i) to use commercially reasonable efforts to restore the non-confirming Service so that it conforms to the warranty, or (ii) if such restoration may not be, in our opinion, available within a reasonable time or with reasonable efforts, to terminate the non-confirming Service and refund any prepaid amounts for such Service on a pro-rata basis for the remainder of the Subscription Term.

6.2.    LIMITATIONS. SECTION 6.1 SETS OUT the exclusive warranty from us and it replaces all other express or implied warranties, including ANY WARRANTY OF NON-INFRINGEMENT, OR ANY EXPRESS OR IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, COURSE OF DEALING AND USAGE OF TRADE. WITHOUT LIMITING THE FOREGOING, SIEMENS DOES NOT WARRANT THAT THE SERVICES WILL BE FAIL-SAFE, FAULT-TOLERANT, UNINTERRUPTED, ERROR FREE, FREE OF HARMFUL COMPONENTS, OR THAT ANY CONTENT, INCLUDING YOUR CONTENT, OR THIRD PARTY SOFTWARE WILL BE SECURE OR NOT OTHERWISE LOST OR DAMAGED. THIS SECTION 6.2 DOES NOT APPLY TO THE EXTENT PROHIBITED BY APPLICABLE LAW.

7.         Indemnification

7.1.    Intellectual Property Infringement.If a Third Party asserts a claim against you that the Services infringe such Third Party's patent or copyright, we will defend you against or, at our option, settle such claim and pay amounts finally awarded by a court of competent jurisdiction against you or included in a settlement approved by us.

7.1.1.    Notices. You will give us prompt written notice of such claim, allow us to control the defense and settlement, and reasonably cooperate with us in this regard. Your failure to provide such notice or cooperation will release us from our obligations under this Section 7.1, if and to the extent we are materially prejudiced by such failure.

7.1.2.    Exceptions. Our obligations in this Section 7.1 shall not apply to the extent that any such infringement claims arise from: (i) your failure to use the most current version of the Services or a defect correction or patch made available by us; (ii) the combination, operation or use of the Services in conjunction with any of Your Content or with any Third Party software, equipment, materials, services or products; (iii) an adjustment or configuration of the Services not made by us; or (iv) any use of the Services following our notification to you to discontinue such use; or (v) our compliance with designs, plans or specifications provided to us by you or on your behalf.

7.1.3.    Injunction. If a permanent injunction is obtained against you due to an infringement pursuant to Section 7.1, then we will, at our sole discretion: (i) obtain for you the right to continue using the Services; (ii) replace or modify the Services so that they no longer infringe the relevant intellectual property right; or (iii) if neither of the remedies in (i) or (ii) are reasonably available, grant you a pro-rata refund of amounts prepaid by you for use of the affected Services, and you shall immediately cease to use the affected Services. We may decide to provide the remedies specified in this Section prior to the issuance of a permanent injunction.

7.1.4.    Sole and Exclusive Remedy. To the extent permissible under Applicable Law, this Section 7.1 represents the sole and exclusive remedy available to you against Siemens for infringement of intellectual property rights under the DSA.

7.2.    Indemnity by You. You will indemnify Siemens and its suppliers and contractors and each of their respective employees, officers, directors, and representatives from and against, and, at Siemens' option, defend Siemens from, any claims, damages, liabilities, losses, costs and expenses (including reasonable attorney's fees) arising from or in connection with: (i) Your Content; (ii) any violation of Laws or rights of others by your use of the Services; (iii) any breach by you of the DSA, (iv) the operation, your combination or use of the Services in conjunction with any of Your Content and/or in conjunction with any Third Party software, materials and/or services; (v) an adjustment or configuration of the Services made by you or a Third Party to which you facilitate or permit access to the Services, including Users; (vi) our compliance with designs, plans or specifications provided to us by you or on your behalf; (vii) any claims by any User or any Third Party to which you facilitate or permit access to the Services; (x) your use of Siemens' trademarks, designations and logos in breach of the authorization granted to you in a Specification Document; and (xi) the use of a Service for the operation of or within a High Risk System, if the functioning of a High Risk System depends on the proper functioning of a Service or a Service caused a High Risk System to fail. Section 7.1.1 shall apply mutatis mutandis.

8.         Limitation of Liability

8.1.    Limitation. Except for our obligation under Section 7, Siemens' entire liability for all claims, damages and indemnities arising out of or related to the DSA, regardless of the form of action, whether in contract, tort or otherwise, will not exceed, in the aggregate, the fees paid to us by you, during the 12 months preceding the date on which the claim arose, for the specific Service that caused the damage or that is the subject matter of the claim.

8.2.    Disclaimer. In no event will Siemens be liable for any amounts for loss of production, interruption of operations, contractual claims against you by any Third Party, damage to property, loss or corruption of Your Content, loss of use, loss of interest, income, profit or savings, or indirect, incidental, consequential, exemplary, punitive, or special damages, even if Siemens has been advised of the possibility of such damages in advance, and all such damages are expressly disclaimed.

8.3.    Limitation on Claims. Any claims against Siemens shall be brought no later than 12 months after the event giving rise to the respective claim. Thereafter all claims arising out of that event against Siemens shall be barred.

8.4.    Scope of Limitations and Exclusions. The limitation and exclusion in this Section 8 shall not apply: (i) to contractual obligations the fulfillment of which is essential for the due and proper performance of the DSA (Kardinalpflichten), provided that our liability is limited to the damage or loss which is reasonably foreseeable; (ii) in cases of willful misconduct and gross negligence; (iii) in cases of bodily injuries or death caused by our, our legal representatives' or our subcontractors' negligence; (iv) in cases of fraud or fraudulent misrepresentation; and (v) to the extent that liability cannot be limited or excluded according to applicable product liability law.

8.5.    Beneficiaries. Any limitations and exclusions of liability shall also apply to the benefit of any employees, officers, directors, representatives, suppliers, subcontractors, and any person used by Siemens in performing any of our obligations.

9.         Temporary Suspension

9.1.    Our right to Suspend. We may suspend or limit Users' use of a Service immediately upon notice if we reasonably determine that there is a material breach of your obligations or a security incident or threat to the security of the Platform in connection with your access to or use of Services; or if such suspension or limitation is required by Laws, a court decision, or a request from a governmental body. Breaches for failure to pay fees within 10 days after receipt of a reminder or failure to comply with Sections 3 or 12 constitute material breaches. In addition, we may throttle or terminate computing jobs that we determine degrade the performance of the Services or any component of the Services.

9.2.    Effect of Temporary Suspension. Your obligation to pay fees remains unaffected. If you can reasonably remedy the cause of the suspension or limitation, we will notify you of the actions that you must take to reinstate the Services. The suspension or limitation will be lifted as soon as the reason for such suspension or limitation no longer exists. Our right to terminate pursuant to Section 10 and all other rights and remedies we may have remain unaffected.

10.      Term, Termination

10.1. Termination. The DSA takes effect upon our acceptance of the Order Form.

10.1.1. Termination for Convenience. The Subscription Term and any renewal of a Subscription Term will be specified in the Order Form. During a Subscription Term, the DSA and/or a Service may not be terminated for convenience.

10.1.2. Termination for Cause. Either Party may terminate a Service for cause in case of the other Party's material breach, if such breach remains uncured for a period of 30 days from receipt of notice of the breach by the other Party. Only the Service affected by the material breach may be terminated.

Events that entitle us to terminate a Service and/or the DSA for cause include: (i) acts or omissions that entitle us to a suspension or limitation as per Section 9 that remain uncured for a continuous period of 60 days; (ii) our obligation to comply with Laws or requests of a governmental body; (iii) a change in control of you and/or your Affiliates which, according to our reasonable opinion, adversely affects our position, rights or interests; and (iv) your ceasing to operate in the ordinary course, making an assignment for the benefit of creditors or similar disposition of your assets, or becoming the subject of any bankruptcy, reorganization, liquidation, dissolution or similar proceeding.

10.2. Effect of Termination. On termination of a Service for any reason, subject to Section 10.3, you shall immediately: (i) cease using the affected Services; and (ii) return or, if instructed by us, destroy or delete all Materials relating to the affected Services. The termination of the DSA shall be deemed to constitute the termination of each of the Services. Except as otherwise set out in the DSA, you must pay to us all fees due at the time of termination and all fees paid by you to us are non-refundable. In case of termination for cause by you in accordance with Section 10.1.2. (i), we will refund a reasonable portion of any prepaid amounts for the applicable Service for the remainder of the Subscription Term. Any terms and conditions of the DSA, which by their nature should survive a termination or expiry, shall survive and continue in full force and effect after such termination or expiry.

10.3. Post-Termination Phase. After termination of a Service, we will remove Your Content that is associated with such Service from the Platform, unless otherwise provided under the DSA or agreed in writing. However, upon your request made within 30 days following the termination date, we will assist you in transitioning certain parts of Your Content to an alternate technology for additional fees and under separately agreed terms, to the same extent that we make such services generally available to all our customers. You acknowledge that some of Your Content may be retained by us as part of our disaster recovery backup of the Platform until deletion of such files in accordance with our policies.

11.      Confidentiality, Compelled Disclosure

11.1. Confidentiality Obligations. Each Party shall treat Confidential Information disclosed by the other Party or its Affiliates as confidential, only use it in connection with the Services or as otherwise permitted under the DSA, and not disclose such Confidential Information to anyone except to those Users, employees, Affiliates, business partners and advisors, and the respective employees of such Affiliates, business partners and advisors who need to know that information for the implementation of the DSA and who are bound to appropriate confidentiality obligations.

11.2.Compelled Disclosure. We will not disclose Confidential Information and/or any of Your Content to any Third Party except (i) as instructed by you, (ii) as permitted in the DSA, (iii) as required by Laws or governmental order. Should any Third Party (including governmental bodies) contact us with a request to disclose Confidential Information and/or any of Your Content, we will redirect such Third Party to request that data directly from you and may provide your basic contact information unless we are prevented from doing so by Laws or governmental order. If we are compelled to disclose Confidential Information and/or any of Your Content to any Third Party, we will promptly notify you and provide a copy of the request unless we are prevented from doing so by Laws or governmental order. We may further disclose Confidential Information and/or Your Content to Third Parties in order to report to them potential violations of Laws in connection with your use of the Services.

12.      Export Control and Sanctions Compliance

12.1.Export and Sanctions Laws. You agree to comply with all applicable sanctions (including embargoes) and (re-)export control laws and regulations including (to the extent applicable) those of the Federal Republic of Germany, the European Union and the United States of America (collectively "Export and Sanctions Laws").

12.2.Your Obligations. You are obliged: (i) to deny and prevent access to Services from any location prohibited by or subject to sanctions or license requirements according to Export and Sanctions Laws; (ii) to continuously check any of your customers and any Users against applicable sanctioned party lists; (iii) not to grant access to the Services, including any Materials, or the Platform to any individual or entity designated on any of these lists; and (iv) ensure that Your Content is neither classified under EU / German (AL = N) nor US export control regulations ("not subject to EAR" [ECCN = N] or, if subject to EAR, not classified under CCL [ECCN = EAR99]).

12.3.Information Requirements. If required to enable authorities or Siemens to conduct export control or sanctions compliance checks, you, upon request by Siemens, shall promptly provide Siemens with all information pertaining to the particular destination, end user, and particular intended use of Services provided by Siemens, including information on you, your customers, and Users.

12.4.Right to Withhold Performance. We shall not be obligated to perform under the DSA if such performance is prevented by any impediments arising out of national or international foreign trade or customs requirements or any embargoes or other sanctions. You further acknowledge that Siemens may be obliged under Export and Sanctions Laws applicable to Siemens to limit or suspend access by you and/or Users to the Services.

13.     Limitations for Free of Charge Services

13.1. Provision of Services Free of Charge. Where we enable you to access and use Services free of charge, e.g., certain free online support services, services for testing and evaluation purposes, "trial" services, "pre-release", "beta" or "preview" versions (such Services collectively "Free of Charge Services"), the limitations under this Section 13 apply in addition to any further limitations in the DSA, including Sections 6.2 and 8.

13.2.Change, Limitation, Suspension. We may change, limit, or discontinue any Free of Charge Service and your access to and use of any Free of Charge Service in our sole discretion. Your Content may be deleted upon the expiration or discontinuation of the Free of Charge Service, unless specific migration to the related paid Services is available.

13.3. Service Standards and Limited Use Right. Free of Charge Services for testing or evaluation and any "pre-release", "beta" or "preview" versions may only be used for the purpose of evaluating their functionality and to provide feedback to Siemens. Such Free of Charge Services may not comply with the normal security standards as per Section2.2, their performance and availability may be lower than paid Services, personal data may not be processed, and productive use is at your own risk.

13.4. Warranty and Liability. Except to the extent prohibited by Applicable Law, Free of Charge Services are provided "as is" without warranties of any kind and in their then-current version made available by us from time to time without support and availability commitments. We are not obliged to offer post-termination assistance. Siemens' entire liability for all claims, damages and indemnities arising out of or related to your use of a Free of Charge Service will not exceed, in the aggregate, the amount of EUR 1,000.00 (or equivalent in local currency).

14.     General Provisions

14.1. Assignment. The DSA will extend to and be binding upon the successors and permitted assigns of the Parties. We may assign the DSA or any right granted therein or individual orders to any of our Affiliates that assume our obligations. You shall not assign the DSA, in whole or in part, or any of the rights granted therein without our prior written consent.

14.2. Set-off, Retention. You may only set off claims or assert a right of retention with regard to claims that are uncontested by us, are ready for decision or have been confirmed by final court judgment.

14.3. Force Majeure. Neither Party shall be liable for any failure or delay in its performance under the DSA due to any cause beyond its reasonable control, including acts of God, earthquake, fire, flood, embargo, riot, sabotage, attacks on IT systems by Third Parties (e.g., hacker attacks), labor shortage or dispute, acts or omissions of civil or military authorities, war, acts of sabotage or terrorism.

14.4. Dispute Resolution. All disputes arising out of or in connection with the DSA, including the formation, interpretation, amendment, breach or termination thereof, shall be finally settled under the rules of arbitration of the International Chamber of Commerce (ICC) by one or more arbitrators appointed in accordance with such rules. The seat of arbitration shall be Zurich, Switzerland. The language to be used in the arbitration shall be English. Any orders for the production or disclosure of documents shall be limited to the documents on which each Party specifically relies in its submission(s). Nothing in this Section 14.4 shall restrict the right of the Parties to seek interim relief intended to preserve the status quo or interim measures in any court of competent jurisdiction.

14.5. Applicable Law. The DSA shall be governed by and construed in accordance with the Laws of Switzerland, without giving effect to any choice-of-law rules that may require the application of the law of another jurisdiction. The UN Convention on Contracts for the International Sale of Goods shall not apply.

14.6. Notices. We may provide notice to you under the DSA by: (i) posting a notice on your Account; or (ii) sending a message to the email address provided to us as part of the ordering process for an Order Form or then associated with your Account. It is your responsibility to regularly visit your Account and to keep your email address current. If you do not comply with such obligation or if the receipt of a notice by you fails because of technical issues related to equipment or services which are under your or your subcontractors' control, notices shall be deemed to have been provided to you 2 days following the date of such notice. Notwithstanding the foregoing, notices of claims or notices regarding disputes shall always be sent by facsimile or postal mail to the contact addresses provided in the respective Order Form.

14.7. Validity and Enforceability. If any provision of the DSA is held to be invalid, illegal or unenforceable, the validity, legality and enforceability of the remaining provisions will not in any way be affected or impaired, and such provision will be deemed to be restated to reflect the original intentions of the Parties as nearly as possible in accordance with Applicable Law.

14.8. Publicity. Except as may be required by Applicable Law, neither Party shall issue a press release in connection with the subject matter hereof without the prior written consent of the other Party, which shall not be unreasonably withheld. Notwithstanding the foregoing, Siemens and you shall have the limited right to disclose the terms of the DSA to their bona fide financial, tax and legal advisors subject to appropriate confidentiality obligations.

14.9. Entire Agreement. The DSA constitutes the full and complete statement of the terms agreed between the Parties with respect to the subject matter thereof and supersedes any previous or contemporaneous agreements, understandings or communications, whether written or verbal, relating to its subject matter. The reference to a document that refers to another document shall be deemed to also include such other document, unless otherwise stated therein. Subject to Section 2.4, the DSA may not be varied other than in writing executed by the duly authorized representatives of both Parties or via an online mechanism, if so provided explicitly for such purpose by us. No other terms and conditions shall apply.

14.10. Order of precedence. In the event of a conflict or inconsistency the documents prevail in the following descending order: (i) Order Form; (ii) Specification Documents; (iii) the Data Processing Agreement; (iv) the Acceptable Use Policy; and (v) this document at hand. If a document is provided in different languages, the English language version of that document prevails.

14.11. Independent Contractors. For all purposes, the Parties will be deemed to be independent contractors and nothing contained in the DSA will be deemed to constitute a joint venture, partnership, employer-employee relationship or other agency relationship. Neither Party is, nor will either Party hold itself out to be, vested with any power or right to contractually bind or act on behalf of the other Party.

15.      Definitions

15.1. "Acceptable Use Policy" means the policy listed in Exhibit 1.

15.2. "Account" means one or more web-based accounts, individually or collectively, enabling access to and use of certain Services provided on the Platform through a unique URL (i.e. web-address) assigned by Siemens, including any subtenants established under the Account.

15.3. "Affiliate" means a corporation or other legal entity, directly or indirectly, owned or controlled by, or owning or controlling or under common control with one of the Parties where "control" shall mean to have, directly or indirectly, the power to direct or cause the direction of the management and policies of a corporation or other entity.

15.4. "Applicable Law" means the law specified in Section 14.5.

15.5. "Application" means software that is deployed on the Platform and/or interoperates with the Platform via Platform APIs.

15.6."Confidential Information" means any information disclosed by a Party or its Affiliate to the other Party under or in connection with the DSA and which is - when disclosed - identified as "Confidential" or consists of information that, by its nature or context, is sufficient to put the receiving Party on notice of its confidential nature. In addition, any information and materials obtained by you in connection with the DSA or your receipt of Services, including the performance and availability of the Services, the Platform, information regarding Siemens' or our business partners' business strategies and practices, methodologies, trade secrets, know-how, pricing, technology, software, application programming interfaces, application programming interface signatures, product plans, and information regarding Siemens' employees, clients, vendors and consultants, are deemed to be our Confidential Information. Confidential Information does not include information that: (i) is generally available to the public without breach of the DSA and without any wrongdoing; (ii) is or becomes available to the recipient from a source other than the Party who discloses the Confidential Information, provided that the recipient has no reason to believe that such source is itself bound by a confidentiality obligation or that such source has obtained the information through any wrongful or tortious conduct; (iii) was lawfully in the recipient's possession prior to receipt from the other Party without a corresponding obligation of confidentiality; (iv) is independently developed by the recipient without the use of, or reference to, Confidential Information; or (v) has been released by the disclosing Party for non-confidential use e.g. in a Specification Document.

15.7. "Data Processing Agreement" or "DPA" means the terms listed in Exhibit 2.

15.8. "High Risk System" means a device or system that requires enhanced safety functionalities such as fail-safe or fault-tolerant features to maintain a safe state where it is reasonably foreseeable that failure of the device or system could lead directly to death, personal injury, or catastrophic property damage. Without limitation, High Risk Systems may be required in critical infrastructure, direct health support devices, aircraft, train, boat or vehicle navigation or communication systems, air traffic control, weapons systems, nuclear facilities, power plants, medical systems and facilities, and transportation facilities.

15.9. "Laws" means any law, rule, regulation, norm, and directive including, without limitation, industry or company specific regulations, co-determination rights of the works council, data privacy, telecommunication, energy law, IT security law, export control, sanctions, and regulation pertaining to the protection of classified information.

15.10.   "Material" means any software, sample code, scripts, libraries, software development kits, technology, documentation, and other proprietary material or information made available to you by or on behalf of us in relation to our provision of Services.

15.11.   "Order Form" means a document, electronic form or an online instrument provided by Siemens for the ordering of Services.

15.12.   "Platform APIs" means Siemens' application programming interfaces that are integrated with the Platform. Platform APIs are part of the Platform and the Services.

15.13.   "Party" means you and/or us, depending on the context

15.14.   "Platform" means a Siemens proprietary cloud-based platform solution on which the Services are provided.

15.15.   "Services" means the cloud services as described in the Specification Documents and Materials.

15.16.   "Siemens" means Siemens AG (Germany) and its Affiliates.

15.17.   "Specification Documents" means the documents which describe and/or further govern the Services and which are referenced in the Order Form.

15.18.   "Subscription Term" means the period for which a Service is agreed as specified in the Order Form.

15.19.   "Third Party" means any person or legal entity other than you or Siemens. Third Party includes your Affiliates.

15.20.   "User" means an individual who has access credentials to your Account, including individuals of Third Parties or who is otherwise authorized by you to access your Account. Access to your Account includes access to any subtenant that you establish under your Account, to any Application associated with your Account, to Your Content and/or the Services.

15.21. "Your Content" means any information, program, software, Application, code in any form, script, library, or data that is entered, uploaded onto or stored on the Platform in connection with your or any User's use of Services under your Account. Your Content excludes the Services and the Platform.

 

Exhibit 1 - Acceptable Use Policy

January 2018

 

 

This Acceptable Use Policy ("Policy") sets out terms with which you must comply when using our Services.

1.         Definitions

Capitalized terms shall have the meaning given to them in the terms governing the Services.

2.         No Illegal, Harmful, or Offensive Use of Your Content

You shall not use, or encourage, promote, facilitate, or instruct others to use, the Services for any illegal, harmful, or offensive use. Your Content must not be illegal, harmful, or offensive. In particular, your use of the Services, Your Content and your use of Your Content shall not:

(i)         be in violation of any Laws or rights of others;

(ii)       be harmful to others, or Siemens' operations or reputation, including by offering or disseminating fraudulent goods, services, schemes, or promotions, make-money-fast schemes, ponzi or pyramid schemes, phishing, farming, or other deceptive practices;

(iii)      enter, store or send hyperlinks, enable access to external websites or datafeeds, including embedded widgets or other means of access, in or as part of Your Content, for which you have no authorization or which are illegal;

(iv)      be defamatory, obscene, abusive, invasive of privacy, or otherwise objectionable;

(v)       subject Siemens or its business partners to liability.

3.         No violation of use restrictions

You shall not:

(i)         copy, sell, resell, license, transfer, assign, sublicense, rent, lease, or otherwise make available the Services or the Platform in whole or in part to any Third Party (unless permitted otherwise by us or required by Laws);

(ii)       translate, disassemble, decompile, reverse engineer or otherwise modify, tamper with, repair or attempt to discover the source code of any software contained in the Services or the Platform (unless permitted otherwise by us or required by Laws);

(iii)      create derivative works of, or based on, any parts of the Services or the Platform;

(iv)      change or remove any notices or notations from the Services or the Platform that refer to intellectual property rights or brand names; and

(v)        imitate the "look and feel" of any of Siemens' website or other user interface, nor the branding, color combinations, fonts, graphic designs, product icons or other elements associated with Siemens; and

(vi)      upload to the Platform any of Your Content that is subject to a license that, as a condition of use, access, and/or modification of such content, requires that any Siemens' or Siemens' business partners' software or service provided by Siemens and interacting with or hosted alongside Your Content: (a) are disclosed or distributed in source code form; (b) are licensed to recipients for the purpose of making derivative works; (c) are licensed at no charge; (d) are not used for commercial purposes; or (e) are otherwise encumbered in any manner.

4.         No Abusive Use

You shall not do any of the following:

(i)         use the Services in a way intended to avoid or work around any use limitations and restrictions placed on such Services, such as access and storage restrictions or to avoid incurring fees;

(ii)       access or use the Services for the purpose of conducting a performance test, building a competitive product or service or copying its features or user interface or use the Services in the operation of a business process outsourcing or other outsourcing or a time-sharing service;

(iii)      interfere with the proper functioning of any of Siemens' systems, including any overload of a system by mail bombing, news bombing, broadcast attacks, or flooding techniques;

(iv)      engage in any activity or modification or attempt to modify the Platform or the Services in such a way as to negatively impact on the performance of the Platform or the Services.

5.         No Security Violations

You shall not use the Services in a way that results in, permits, assists or facilitates any action that constitutes a threat to the security of the Platform or the Services. You shall in particular:

(i)         before accessing the Services, during use, and when transferring Your Content, take all reasonable precautions against security attacks on your system, on-site hardware, software or services that you use to connect to and/or access the Platform, including appropriate measures to prevent viruses, trojan horses or other programs that may damage software;

(ii)       not interfere with or disrupt the integrity or performance of the Services or other equipment or networks connected to the Platform, and in particular not transmit any of Your Content containing viruses, trojan horses, or other programs that may damage software;

(iii)      not use the Services in a way that could damage, disable, overburden, impair or compromise any of Siemens' systems or their security or interfere with other Users of the Platform;

(iv)      not perform any penetration test of or on the Services or the Platform without obtaining our express prior written consent; and

(v)       not connect devices to the Services that do not comply with industry standard security policies (e.g., password protection, virus protection, update and patch level).

6.         Reporting

If you become aware of any violation of this Policy, you will immediately notify us and provide us with assistance, as requested by us, to stop, mitigate or remedy the violation.

 

 

 Exhibit 2 - Data Processing Agreement ("DPA")

(October 2019)

1.      Scope of the DPA and compliance with applicable data protection law

1.1    This DPA serves as written commissioned data processing agreement between Company and Siemens and applies to services (as further specified in Attachment 1) provided under the Agreement that involve the Processing of Personal Data by Siemens acting in its role as Processor (each such service hereinafter referred to as "Service"). The DPA describes Company's and Siemens' data protection related rights and obligations with regard to the Services; all other rights and obligations shall be exclusively governed by the other parts of the Agreement.

1.2    When providing the Services, Siemens will com-ply with all data protection laws and regulations directly applicable to Processors. However, Siemens is not responsible for compliance with any data protection laws or regulations applicable to Company or Company's industry that are not generally applicable to Processors. Company shall ensure that Siemens and its Sub-Processors are allowed to provide the Services as de-scribed in this DPA.

2.      Details of the Processing operations provided by Siemens

The details of the Processing operations conducted by Siemens, including the scope, the nature and purpose of the Processing, the types of Personal Data Processed and the categories of affected data subjects, are specified in Attachment 1. 

3.      Company's instructions and disclosure of customer data

3.1    As Processor, Siemens will only Process Personal Data upon Company's documented instructions. The Agreement (including this DPA) constitutes Company's complete and final instructions for the Processing of Personal Data by Siemens as Company's Processor. Any additional or alternate instructions must be agreed between Siemens and Company in writing and may be subject to additional costs. Siemens shall inform Company if, in the opinion of Siemens, an instruction infringes applicable data protection law. Siemens shall, how-ever, not be obligated to perform any legal examination of Company's instructions.

3.2    Siemens shall be entitled to disclose or to entitle its Sub-Processors to disclose Personal Data to comply with applicable laws and/or governmental orders. In case of such a request, Siemens or the Sub-Processor will (i) use reasonable efforts to redirect such requesting entity to request data directly from Company and may provide Company's basic contact information, and (ii) promptly notify Company and provide a copy of the request, un-less Siemens is prevented from doing so by applicable laws or governmental order.

4.      Technical and organizational measures

4.1    Siemens shall implement the technical and organizational measures described in Attachment 2. Company hereby confirms that the level of security provided is appropriate to the risk inherent with the Processing by Siemens on behalf of Company.

4.2    Company understands and agrees that the technical and organizational measures are subject to technical progress and development. In that regard, Siemens shall have the right to implement adequate alternative measures as long as the security level of the measures is maintained.

5.      Confidentiality of the processing

Siemens will ensure that personnel who are involved with the Processing of Personal Data under this DPA have committed themselves to confidentiality.

6.      Sub-Processors

6.1    Siemens shall not engage Sub-Processors with-out prior specific or general authorization of Company. Company hereby authorizes the Sub-Processors listed in Attachment 1.

6.2    Siemens may remove or add new Sub-Processors at any time. In such case, Siemens will obtain Company's approval to engage new Sub-Processors in accordance with the following process: (i) Siemens shall notify Company with at least 20 days' prior notice before authorizing any new Sub-Processors to access Company's Personal Data; (ii) if Company raises no reasonable objections that include an explanation of the grounds for non-approval in writing within this 20 day period, then this shall be taken as an approval of the new Sub-Processors; (iii) if Company raises reason-able objections, Siemens will - before authorizing the Sub-Processors to access Company's Personal Data - use reasonable efforts to (a) recommend a change to Company's configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-Processors or (b) propose other measures that ad-dress the concerns raised in the objection; (iv) if the pro-posed changes or measures cannot eliminate the grounds for non-approval, Company may terminate the affected Service with 10 days' notice following Siemens' response to Company's objection. If Company does not terminate the affected Service within the 10-day period, this shall be taken as an approval of the Sub-Processors by Company.

6.3    Siemens shall be entitled to perform Emergency Replacements of Sub-Processors. In such case Siemens shall inform Company of the Emergency Re-placement without undue delay and the process as de-scribed in Section 6.2 shall apply mutatis mutandis after Company's receipt of the notification

6.4    In case of any subprocessing, Siemens shall enter into a contract with each Sub-Processor imposing appropriate contractual obligations on the Sub-Processor that are no less protective than this DPA. Siemens re-mains responsible for any acts or omissions of its Sub-Processors in the same manner as for its own acts and omissions hereunder

7.      Data processing location

Personal Data will only be Processed on: (a) Servers and networks located in the EEA; and (b) locations in the EEA from which Siemens provides support. We shall not move or transfer Personal Data from servers and networks within the EEA to any other destination without Customer's prior approval.

8.      Rectification and erasure

Siemens shall, at its own discretion, either (i) provide Company with the ability to rectify or erase Personal Data via the functionalities of the Services, or (ii) rectify or erase Personal Data as instructed by Company.

9.      Personal Data Breach

In the event of any Personal Data Breach, Siemens shall notify Company of such breach without undue delay after Siemens becomes aware of it. Siemens shall (i) reasonably cooperate with Company in the investigation of such event; (ii) provide reasonable support in assisting in Company's security breach notification obligations under applicable data protection law (if applicable); and (iii) initiate respective and reasonable remedy measures.

10.    Further notifications and support

10.1  Siemens shall notify Company without undue delay of (i) complaints or requests of data subjects whose Personal Data are Processed pursuant to this DPA (e.g. regarding the rectification, erasure and restrictions of Processing of Personal Data) or (ii) orders or requests by a competent data protection authority or court which relate to the Processing of Personal Data under this DPA.

10.2  At Company's request, Siemens shall reasonably support Company in (i) dealing with complaints, requests or orders described in Section 10.1 above (especially in fulfilling Company's obligation to respond to requests for exercising data subject's rights) or (ii) fulfilling any of Company's further obligations as Controller under applicable data protection law (such as the obligation to con-duct a data protection impact assessment). Such support shall be compensated by Company on a time and material basis.

11.    Audits            

11.1  Company shall have the right to audit, by appropriate means - in accordance with Sections 11.2 to 11.4 below - Siemens' and Sub-Processors' compliance with the data protection obligations hereunder annually (in particular in regard to the technical and organizational measures implemented), unless additional audits are necessary under applicable data protection law; such audit being limited to information and data processing systems that are relevant for the provision of the Ser-vices provided to Company.

11.2  Siemens and Sub-Processors may use (internal or external) auditors to perform audits to verify compliance with the data protection obligations hereunder. In such case each audit will result in the generation of an audit report (e.g. Service Organization Controls 1, Type 2 reports and Service Organization Controls 2, Type 2 reports). Where a control standard and framework implemented by Siemens or our Sub-Processors provides for audits, such audit will be performed according to the standards and rules of the regulatory or accreditation body for each applicable control standard or framework. Upon Company's request, Siemens shall provide such relevant audit reports and corresponding information (together "Audit Reports") for the Services concerned.

11.3  Company agrees that these Audit Reports shall first be used to address Company's audit rights under this DPA. In case Company can demonstrate that the Audit Reports provided are not reasonably sufficient to allow Company to comply with applicable audit require-ments and obligations under applicable data protection law, Company shall specify the further information, documentation or support required. Siemens shall render such information, documentation or support within a reasonable period of time at Company's expense.

11.4  The Audit Reports and any further information and documentation provided during an audit shall constitute Confidential Information. In case audits relate to Sub-Processors, Company may be required to enter into non-disclosure agreements directly with the respective Sub-Processor before issuing Audit Reports to Company.

12.    Term and Termination

This DPA shall have the same term as the Agreement. Upon termination of the DPA, unless otherwise agreed between the Parties, Siemens shall erase all Personal Data made available to Siemens or obtained or generated by Siemens on behalf of Company in connection with the Services. The erasure shall be confirmed by Sie-mens in writing upon request.

13.    Definitions

13.1  "Agreement" means [insert name of agreement that form the commercial basis for the provision of the services] dated [insert date].

13.2  "Company" means the contracting entity indicated in the Order Form.

13.3  "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

13.4  "DPA" shall mean this Data Processing Agreement.

13.5  "EEA" shall mean the European Economic Area.

13.6  "Emergency Replacement" refers to a short-term replacement of a Sub-Processor which is necessary (i) due to an event outside of Siemens' reasonable control and (ii) in order to provide the Services without interruptions (such as if the Sub-Processor unexpectedly ceases business, abruptly discontinues services to Siemens, or breaches its contractual duties owed to Siemens).

13.7  "GDPR" shall mean the General Data Protection Regulation (EU) 2016/679.

13.8  "Personal Data" has the meaning given to that term in the applicable data protection law. Personal Da-ta, for the purposes of this DPA, includes only such Personal Data entered by Company into the Services;

13.9  "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed under the terms of this DPA.

13.10       "Processor" means a natural or legal person, public authority, agency or any other body which Processes Personal Data on behalf of a Controller,

13.11       "Processing" means any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combi-nation, restriction, erasure or destruction.

13.12       "Siemens" means the Siemens entity indicated in the Order Form

13.13       "Sub-Processor" shall mean any further Processor engaged in the performance of the Services pro-vided under the terms of this DPA. Sub-Processor shall only mean a subcontractor with access to Personal Da-ta, a subcontractor without access to Personal Data shall not qualify as Sub-Processor in the meaning of this DPA.

 

 

Attachment 1 to the Data Processing Agreement

Description of the Processing Operations

Processing operations

Siemens will Process Personal Data as follows:

•       to provide the Services

•       to provide storage and backup of Personal Data in data centers

Data Subjects

The Personal Data Processed concerns the following categories of Data Subjects:

Data Subjects include employees, contractors, business partners or other individuals whose Personal Data is stored in the Services.

Categories of data

The Personal Data Processed concerns the following categories of personal data:

Customer determines the categories of Personal Data that will be Processed in connection with the Services. The Personal Data Processed and contained in content stored in the Services may include name, phone number, email address, time zone, address data.

Special Categories of Personal Data (if appropriate)

The Services are not intended for the processing of Special Categories of Personal Data.

 

List of approved Sub-Processors

This document lists the Sub-Processors Siemens engages when providing Services to Company.

Sub-Processor name               Sub-Processor Address

Siemens AG            Werner-von-Siemens-Str. 1, 80333 Munich, Germany

 

 

 

Attachment 2 to the Data Processing Agreement

Technical and Organizational Security Measures

Customer shall be responsible to implement measures in addition to the TOMs described below that fall in Customer's own sphere of responsibility, such as implementing physical and system access control measures for Customer's own premises and assets.

1.      Physical and Environmental Security

Siemens implements suitable measures to prevent unauthorized persons from gaining access to the data processing equipment (namely database and application servers and related hardware). This shall be accomplished by: 

a)      establishing security areas;

b)      protecting and restricting access paths;

c)      securing the decentralized data processing equipment and personal computers;

d)      establishing access authorizations for employees and third parties, including the respective documentation;

e)      regulations on access cards;

f)      restrictions on access cards;

g)      all access to the data center where Personal Data is hosted will be logged, monitored, and tracked;

h)      the data center where Personal Data is hosted is secured by restricted access controls, and other appropriate security measures; and

i)       maintenance and inspection of supporting equipment in IT areas and data centers shall only be carried out by authorized personnel.

 

2.      Access Control (IT-Systems and/or IT-Application)

2.1    Siemens implements a roles and responsibilities concept.

2.2    Siemens implements an authorization and authentication framework including, but not limited to, the following elements:

a)      role-based access controls implemented;

b)      process to create, modify, and delete accounts implemented;

c)      access to IT systems and applications is protected by authentication mechanisms;

d)      appropriate authentication methods are used based on the characteristics and technical options of the IT system or application;

e)      access to IT systems and applications shall require, at least, two-factor authentication for privileged accounts;

f)      all access to personal data is logged, monitored, and tracked;

g)      authorization and logging measures for inbound network connections to IT systems and applications (including firewalls to allow or deny inbound network connections) implemented;

h)      privileged access rights to IT systems, applications, and network services are only granted to individuals who need it to accomplish their tasks (least-privilege principle);

i)       privileged access rights to IT systems and applications are documented and kept up to date;

j)       access rights to IT systems and applications are reviewed and updated on regular basis;

k)      password policy implemented, including requirements re. password complexity, minimum length and expiry after adequate period of time, no re-use of recently used passwords;

l)       IT systems and applications technically enforce password policy;

m)    access rights of employees and external personnel to IT systems and applications is removed immediately upon termination of employment or contract; and

n)      use of secure state-of-the-art authentication certificates.

2.3    IT systems and applications lock down automatically or terminate the session after exceeding a reasonable de-fined idle time limit.

2.4    Siemens limits privileged access to cloud assets to single or specific ranges of IP addresses.

2.5    Privileged access to cloud assets is done through a bastion host.

2.6    Siemens maintains log-on procedures on IT systems with safeguards against suspicious login activity (e.g. against brute-force and password guessing attacks).

3.      Availability Control

3.1    Siemens protects systems and applications against malicious software by implementing appropriate and state-of-the-art anti-malware solutions.

3.2    Siemens defines, documents and implements a backup concept for IT systems, including the following technical and organizational elements:

a)      backups storage media is protected against unauthorized access and environmental threats (e.g., heat, humidity, fire);

b)      defined backup intervals; and

c)      the restoration of data from backups is tested regularly based on the criticality of the IT system or application.

3.3    Siemens stores backups in a physical location different from the location where the productive system is host-ed.

3.4    IT systems and applications in non-production environments are logically or physically separated from IT systems and applications in production environments

3.5    Data centers in which Personal Data is stored or processed are protected against natural disasters, physical attacks or accidents.

3.6    Supporting equipment in IT areas and data centers, such as cables, electricity, telecommunication facilities, water supply, or air conditioning systems are protected from disruptions and unauthorized manipulation.

4.      Operations Security

4.1    Siemens maintains and implements an Information Security Framework which is regularly reviewed and updated.

4.2    Siemens logs security-relevant events, such as user management activities (e.g., creation, deletion), failed logons, changes on the security configuration of the system on IT systems and applications.

4.3    Siemens continuously analyzes the respective IT systems and applications log data for anomalies, irregularities, indicators of compromise and other suspicious activities.

4.4    Siemens scans and tests IT systems and applications for security vulnerabilities on a regular basis.

4.5    Siemens implements and maintains a change management process for IT systems and applications.

4.6    Siemens maintains a process to update and implement vendor security fixes and updates on the respective IT systems and applications.

4.7    Siemens irretrievably erases data or physically destroys the data storage media before disposing or reusing of an IT system.

5.      Transmission Controls

5.1    Siemens documents and updates network topologies and its security requirements on regular basis.

5.2    Siemens continuously and systematically monitors IT systems, applications and relevant network zones to detect malicious and abnormal network activity by

a)      firewalls (e.g., stateful firewalls, application firewalls);

b)      proxy servers;

c)      Intrusion Detection Systems (IDS) and/or Intrusion Prevention Systems (IPS);

d)      URL Filtering; and

e)      Security Information and Event Management (SIEM) systems.

5.3    Siemens administers IT systems and applications by using state-of-the-art encrypted connections.

5.4    Siemens protects the integrity of content during transmission by state-of-the-art network protocols, such as TLS.

5.5    Siemens encrypts, or enable you to encrypt, your data that is transmitted over public networks.

5.6    Siemens uses secure Key Management Systems (KMS) to store secret keys in the cloud.

6.      Security Incidents

         Siemens maintains and implements an incident handling process, including but not limited to

a)      records of security breaches;

b)      customer notification processes; and

c)      an incident response scheme to address the following at time of incident:(i) roles, responsibilities, and communication and contact strategies in the event of a compromise (ii) specific incident response procedures and (iii) coverage and responses of all critical system components.

7.      Asset Management, System Acquisition, Development and Maintenance

7.1    Siemens identifies and documents information security requirements prior to the development and acquisition of new IT systems and applications as well as before making improvements to existing IT systems and applications.

7.2    Siemens establishes a formal process to control and perform changes to developed applications.

7.3    Siemens plans and incorporates security tests into the System Development Life Cycle of IT systems and ap-plications.

7.4    Siemens implements an adequate security patching process that includes:

a)      monitoring of components for potential weaknesses (CVEs);

b)      priority rating of fix;

c)      timely implementation of the fix; and

d)      download of patches from trustworthy sources.

8.      Human Resource Security

8.1    Siemens implements the following measures in the area of human resources security:

a)      employees with access to Personal Data are bound by confidentiality obligations; and

b)      employees with access to Personal Data are trained regularly regarding the applicable data protection laws and regulations.

8.2    Siemens implements an offboarding process for our employees and external vendors.