Terms of Service — Patterno HIT

Last updated: March 2026

The legally binding version of these Terms of Service is the German version. This English translation is provided for convenience only and has no legal effect. In the event of any discrepancy, the German version shall prevail.

Preamble

These General Terms and Conditions (GTC) govern the contractual relationship between Patterno GmbH, Jungfrauenthal 8, 20149 Hamburg, Germany (hereinafter "Provider"), and the respective customer (hereinafter "Customer"). Upon registration of the company in the commercial register, all rights and obligations arising from this agreement shall transfer by operation of law to the registered Patterno GmbH. No separate consent from the Customer is required for this purpose.

The offering is directed exclusively at entrepreneurs within the meaning of § 14 BGB, legal entities under public law, or special funds under public law. Consumers within the meaning of § 13 BGB are excluded from use.

§ 1 Scope, Components of the Agreement, and Order of Precedence

(1) These GTC apply to all services provided by the Provider in connection with the SaaS platform "Patterno HIT," as well as to all other services agreed upon by the parties.

(2) Deviating, conflicting, or supplementary general terms and conditions of the Customer shall not form part of the agreement, even if the Provider does not expressly object to them. This applies even where the Provider commences performance with knowledge of the Customer's deviating terms.

(3) The agreement between the parties (hereinafter "Agreement") consists of the following documents, which shall apply in the order of precedence set out below. In the event of conflicts or discrepancies, the document with higher precedence shall prevail:

The individual Proposal (hereinafter "Proposal"),
these GTC, including the Data Processing Agreement (DPA) pursuant to Art. 28 DSGVO attached as Annex 1.

(4) The Proposal sets out in particular the agreed scope of services, the remuneration, the term of the agreement, the number of users, and any individual arrangements.

§ 2 Subject Matter and Services

(1) The Provider makes available to the Customer a web-based Software-as-a-Service platform (SaaS) under the name "Patterno HIT." The platform supports the Customer in the systematic identification, evaluation, and monitoring of relevant public tenders. The scope of services agreed in the Proposal shall be authoritative.

(2) The platform may include in particular the following functional areas: automated capture of public tenders from German and European procurement platforms, AI-supported analysis and processing of tender content, intelligent tender search and qualification, retrieval of tender documents, contracting authority information, workflow management, and notification functions. The specific scope of services is set out in the Proposal.

(3) The Provider is obligated to make the software available as a tool for independent use by the Customer. The Provider does not warrant any specific business outcomes, and in particular does not guarantee the completeness of captured tenders, the accuracy of AI-based classifications and summaries, or the suitability of search results for specific procurement decisions.

(4) The software serves exclusively as a research and information system. It does not constitute and does not replace legal, tax, procurement, or business advisory services. The relevance assessments and classifications generated by the system are to be understood as working aids and do not replace professional review by qualified personnel.

(5) The availability and completeness of captured tender data depends on the accessibility of the respective procurement platforms and data sources. The Provider endeavors to continuously expand data coverage but does not warrant complete capture of all published tenders.

§ 3 Conclusion of Agreement, Registration, and Trial Period

(1) The Customer may register on the platform and, following registration, receives a free trial period of 14 days during which all functions of the software are available without restriction. No usage fees are charged during the trial period. By registering and using the trial period, the Customer acknowledges these GTC.

(2) The paid contractual relationship is established upon signature of the Proposal by both parties. The term of the agreement commences on the date stated in the Proposal. If no date is stated, the term commences upon signature of the Proposal.

(3) If the Customer does not sign a Proposal within 30 days after the expiry of the trial period, their data will be deleted after a further 30 days.

(4) The Customer warrants that the information provided upon registration is complete and accurate. Any changes must be communicated to the Provider without undue delay.

(5) The Customer is obligated to keep their access credentials confidential and to protect them from access by third parties. In the event of suspected misuse, the Provider must be informed without undue delay.

§ 4 Rights of Use

(1) The Provider grants the Customer, for the duration of the agreement, a simple, non-exclusive, non-transferable, and non-sublicensable right to use the software for its intended purpose in the course of the Customer's ordinary business activities. The agreed scope of use, in particular the number of users and any usage quotas, is set out in the Proposal.

(2) The Customer may create additional users within its organization up to the maximum number agreed in the Proposal. Each user account is personal and may only be used by the assigned individual. Sharing of access credentials between multiple persons is not permitted.

(3) If the agreed scope of use is exceeded, the Provider is entitled to demand additional remuneration in accordance with the terms set out in the Proposal. If no terms for excess use have been agreed, the additional remuneration shall be calculated proportionally based on the ratio of the agreed license fee to the agreed scope of use.

(4) Any use of the software beyond its intended purpose is prohibited, in particular decompilation, disassembly, resale, or making it publicly accessible.

(5) The Provider is entitled, following prior notice, to temporarily restrict use in cases of manifestly abusive use, in particular automated mass queries or systematic scraping of tender data that is clearly beyond the Customer's ordinary business activities.

§ 5 Further Development and Modifications to the Software

(1) The Provider is entitled to further develop, improve, or add functions to the software at any time. The Provider will inform the Customer of material changes within a reasonable period of time by email or within the software.

(2) If a modification results in the software no longer being usable, or being usable only with material restrictions, for the purpose agreed in the Proposal, the Customer shall have a right of extraordinary termination. The right of extraordinary termination must be exercised in text form within one month of the Customer becoming aware of the planned modification. In that case, the Agreement shall terminate on the date on which the modification takes effect, but no earlier than upon receipt of the notice of termination. The right of extraordinary termination shall lapse if the Provider refrains from implementing the modification.

§ 6 AI Functionality and Customer Responsibility

(1) The Customer acknowledges and accepts that the software is based on generative artificial intelligence (large language models), vector-based similarity search, and automated data processing. The content generated by the software, in particular summaries, classifications, relevance assessments, bid/no-bid recommendations, and search results, is based on statistical models and pattern recognition.

(2) AI-generated content may contain inaccuracies, errors, incorrect classifications, or so-called "hallucinations" (plausible-sounding but factually incorrect information). The Customer is aware that the software does not replace human expertise and that AI systems are inherently susceptible to errors.

(3) The Customer is obligated to independently verify, prior to any commercial use, the accuracy, completeness, and plausibility of all content generated by the software, in particular tender summaries, relevance assessments, knockout-criteria analyses, and bid/no-bid recommendations. In particular, the Customer is obligated to review the original documents of the relevant contracting authority before participating in procurement procedures.

(4) The Customer bears sole responsibility for its procurement decisions, in particular for the selection of tenders in which it participates and for the substantive, legal, and commercial design of its bids. Use of the software is at the Customer's own risk.

(5) Any liability of the Provider for indirect damages, consequential damages, loss of profit, or other pecuniary losses arising from the commercial use of AI-generated content or from missed tender deadlines is excluded, unless such damages result from intentional misconduct or gross negligence. The liability provisions in § 13 remain unaffected.

(6) The Customer receives full rights of use in respect of the content generated by the software, to the extent that such rights in AI-generated content arise under applicable law. The Provider reserves no rights in relation to the AI outputs prompted by the Customer.

§ 7 Data Use, Processing, and Further Development

(1) Ownership of Customer Data
The Customer retains all rights and ownership in the data and content entered, uploaded, or configured by it in the software, in particular search profiles, preferences, organizational data, and watchlist entries.

(2) Data Processing for Performance of the Agreement
The Provider processes personal data of the Customer exclusively for the purpose of performing this Agreement and providing the software pursuant to Art. 6(1)(b) DSGVO.

(3) Use of Aggregated Data for Further Development
The Provider is entitled to use the data entered or configured by the Customer in aggregated and anonymized form to further develop and improve the software, the underlying algorithms, and statistical models. Such data shall not be used to train third-party AI models.

Anonymization means that personal data is processed in such a way that attribution to a specific or identifiable natural person is no longer possible, even with the use of additional information.

Aggregation means the consolidation of data in such a way that individual records are no longer individually identifiable and no inferences can be drawn regarding the Customer, individual persons, trade secrets, or other company-related information. The Provider shall in particular ensure that no inferences regarding search profiles, procurement strategies, or the competitive positions of individual customers can be drawn from the aggregated data.

The Customer may object to the use of its data pursuant to this paragraph at any time in text form. The Provider shall comply with the objection within 30 days. The objection shall not affect the lawfulness of processing carried out prior to that point.

(4) Legal Basis and Processing
By agreeing to these GTC, the Customer instructs the Provider to anonymize the entered or configured data and to use it in aggregated form for the further development of the software pursuant to paragraph 3. To that extent, the Provider processes the data as a processor pursuant to this instruction. Following completed anonymization, the anonymized data no longer falls within the scope of the DSGVO. The Customer may revoke this instruction at any time in text form pursuant to paragraph 3.

(5) Public Tender Data
The tender data captured and processed by the software originates from publicly accessible sources (procurement platforms, official journals). The Customer holds no proprietary rights in this public data. The Provider is entitled to process, enrich, and make available to third parties such data without restriction.

(6) Temporal Scope
The right to use anonymized and aggregated data pursuant to paragraph 3 is unlimited in time, as anonymized data no longer constitutes personal data.

(7) Data Processing and Sub-processors
To the extent that the Provider processes personal data on behalf of the Customer, the provisions of the Data Processing Agreement (DPA) pursuant to Art. 28 DSGVO attached as Annex 1 shall apply. The DPA is an integral component of these GTC. To provide the contractual services, the Provider engages sub-processors, in particular for cloud hosting and AI processing. A current list of sub-processors engaged is set out in the DPA. The Provider shall ensure that all sub-processors are subject to at least the same level of data protection.

§ 8 Customer's Cooperation Obligations

(1) The Customer shall cooperate, without charge and to the extent required, in the provision of the contractual services. In particular, the Customer shall provide the Provider with all information and data necessary for the performance of the services.

(2) The Customer shall independently familiarize itself with the essential functional characteristics of the software and its technical requirements (in particular supported browsers and operating systems). The Customer is responsible for ensuring that its IT systems meet the technical requirements and are kept up to date.

(3) The Customer is solely responsible for its IT infrastructure, including its setup and operation. All costs associated therewith shall be borne by the Customer.

(4) The Customer is solely responsible for the regular and complete backup of its business-relevant data and documents.

(5) The Customer shall ensure that the information and documents entered into the software by it are accurate and do not contain any malicious software (viruses, Trojans, etc.). The Customer shall be liable for any damages arising from inaccurate information or documents provided by the Customer.

(6) If the Customer fails to fulfill its cooperation obligations in whole or in time, the Provider's obligation to perform shall lapse to the corresponding extent and for the corresponding period, insofar as performance depends on the Customer's prior cooperation. The Provider is entitled to demand reasonable remuneration for any additional effort caused by the Customer's failure to cooperate or delayed cooperation.

§ 9 Maintenance and Support

(1) Availability
The Provider shall make the software available with an annual average availability of 95%, calculated on the basis of 24/7 operation (8,760 hours per year), unless a different service level has been agreed in the Proposal. Excluded from the calculation are planned maintenance windows pursuant to paragraph 2 and outages due to force majeure or other circumstances not attributable to the Provider, including the unavailability of external procurement platforms and data sources.

(2) Maintenance and Updates
The Provider is entitled to temporarily restrict or shut down the software for maintenance, security, or update work. Planned maintenance shall, where possible, be announced to the Customer 48 hours in advance by email and shall, where possible, be carried out outside of normal business hours (Monday to Friday, 9:00 a.m. to 6:00 p.m. CET).

(3) Availability Credits
If the actual availability in a calendar month falls below the agreed target, the Customer shall receive, upon request, a pro-rata refund of the usage fees paid for that period in accordance with the following tiered schedule:

At 94.0% to 94.9% availability: 5% credit
At 93.0% to 93.9% availability: 10% credit
At 92.0% to 92.9% availability: 15% credit
At 91.0% to 91.9% availability: 20% credit
Below 91.0% availability: 25% credit

Claims must be submitted within 30 days after the end of the affected month. Further claims of the Customer, in particular claims for damages pursuant to § 13, remain unaffected.

(4) Data Currency
The Provider endeavors to capture and make available tender data promptly following publication on the respective procurement platforms. Real-time availability is not warranted. The typical delay between publication and availability within the software is generally up to 24 hours.

(5) Support
The Provider offers technical support by email (info@patterno.de) during normal business hours (Monday to Friday, 9:00 a.m. to 6:00 p.m. CET, excluding public holidays in Hamburg). The Provider endeavors to respond to support requests within two business days. Alternative support terms may be agreed in the Proposal.

§ 10 Remuneration and Payment Terms

(1) Remuneration
The remuneration for use of the software is set out in the Proposal. All prices stated in the Proposal are exclusive of applicable statutory value added tax.

(2) Billing
Unless otherwise agreed in the Proposal, billing shall be made quarterly in advance. Invoices shall be issued electronically by email. The payment term is 14 days from the invoice date. The Customer consents to electronic invoicing.

(3) Default in Payment
In the event of default in payment, the Provider is entitled to charge interest on arrears at a rate of 9 percentage points above the applicable base interest rate pursuant to § 288(2) BGB. The right to claim higher default damages is reserved.

(4) Suspension for Default in Payment
If the Customer is in default with payment of two consecutive invoices or an amount equivalent to at least two quarterly fees, the Provider is entitled, following an unsuccessful written demand with a grace period of 10 business days, to temporarily suspend the Customer's access to the software. The Customer's payment obligation remains unaffected. Access shall be restored without undue delay upon full payment.

(5) Set-Off and Right of Retention
The Customer may only set off claims that are undisputed or have been finally and conclusively established, and may only assert a right of retention on the same basis.

§ 11 Term and Termination

(1) Term
The term of the agreement is set out in the Proposal. Unless otherwise agreed in the Proposal, a minimum term of three months from the commencement of the agreement shall apply. Ordinary termination by either party is excluded during the minimum term.

(2) Renewal and Ordinary Termination
Unless otherwise agreed in the Proposal, the agreement shall renew for an indefinite period upon expiry of the minimum term. Thereafter, either party may terminate the agreement on ordinary notice with one month's notice to the end of a calendar month.

(3) Form of Termination
Termination must be in text form pursuant to § 126b BGB and may be effected by email to info@patterno.de. The Provider shall confirm receipt of the notice of termination within three business days by email. If no confirmation is received, the Customer should ensure receipt of the notice of termination by other means.

(4) Extraordinary Termination
The right of either party to terminate the agreement extraordinarily for good cause remains unaffected. Good cause shall exist in particular where:

(a) there are serious or repeated breaches of these GTC or the Agreement, provided that a prior written warning specifying a reasonable cure period has been unsuccessful;
(b) a party becomes insolvent, suspends payments, or enters into liquidation;
(c) there are serious breaches of statutory provisions, in particular data protection law.

(5) Data Export and Deletion
Following termination of the agreement, the Customer has 30 days to download its data independently via the export functions provided within the software in a standard format. After expiry of this period, all personal data of the Customer, search profiles, watchlist entries, and other Customer-specific content shall be deleted, unless statutory retention obligations preclude deletion. Anonymized and aggregated data pursuant to § 7(3) remain unaffected.

(6) Cessation of Business Operations
In the event of a planned permanent cessation of business operations or of a material part of the software, the Provider undertakes to notify the Customer in writing at least three months in advance and to provide the data export function pursuant to paragraph 5. In this case, the Customer shall have a right of extraordinary termination with immediate effect.

(7) Surviving Provisions
Upon termination of the Agreement — regardless of the legal basis — those provisions shall continue to apply that, by their nature and purpose, are intended to continue beyond the termination of the mutual performance obligations. This applies in particular to the provisions on confidentiality (§ 14), liability (§ 13), remuneration until final settlement (§ 10), and the final provisions (§ 17).

§ 12 Price Adjustments and Amendments to the GTC

(1) Price Adjustments
The Provider is entitled to adjust the agreed remuneration at the earliest twelve months after the commencement of the agreement, and thereafter at most once per calendar year, with two months' prior notice, to a reasonable extent in order to reflect cost increases and functional enhancements. In cases of doubt, an adjustment is reasonable if the agreed remuneration is increased by no more than 5%. Relevant cost factors include in particular costs for AI infrastructure and API services, cloud hosting, data sources and platform access, personnel, and changes in statutory levies.

If the Customer exercises its right of objection in text form within four weeks of receipt of the adjustment notification, the Provider shall have the right to terminate the Agreement within four weeks of receipt of the objection. If the Customer does not object in time, the new remuneration shall be deemed agreed. Amendments to the remuneration agreed in the Proposal may not be effected by way of an amendment to these GTC.

(2) Amendments to the GTC
The Provider is entitled to amend these GTC with at least two months' prior notice, provided that the amendment is reasonable for the Customer taking into account the Provider's interests. Amendments that alter the core scope of services pursuant to § 2, the remuneration pursuant to § 10, or the liability provisions pursuant to § 13 to the Customer's detriment are excluded from this right of amendment and require a separate individual agreement. The amendment shall be communicated to the Customer in text form. The amendment notification must specify the individual changes made and must expressly and prominently draw the Customer's attention to the legal consequence of silence (deemed approval) and to the right of objection. The Customer may object to the amendment in text form within four weeks of receipt of the amendment notification. If the Customer objects, the Provider is entitled to terminate the Agreement with one month's notice to the planned effective date of the amendment. If the Customer does not object, the amendments shall be deemed approved.

§ 13 Warranty and Liability

(1) Defect Notifications
The Customer is obligated to report defects in the software without undue delay upon discovery in text form (email to info@patterno.de), describing the defect as precisely as possible and, where possible, enclosing records or other documents that illustrate the defect. The Provider shall confirm receipt of the defect notification and shall endeavor to remedy it promptly.

(2) Subsequent Performance
In the event of a defect, the Provider has the right to render subsequent performance. Subsequent performance shall be effected, at the Provider's election, by remedying the defect, providing a defect-free version of the software, or by indicating reasonable ways to avoid the effects of the defect. The Provider is entitled to two attempts at subsequent performance.

(3) Further Warranty Rights
If subsequent performance fails, the Customer may, at its election, reduce the fee or withdraw from the Agreement. There is no right to self-remedy, in particular by analogy with § 536a(2) BGB.

(4) Limitation in Respect of External Data Sources
Warranty claims are excluded to the extent that a defect is attributable to the unavailability, incompleteness, or incorrect provision of data by external procurement platforms, data sources, or third-party providers, unless the Provider failed to take reasonable measures to detect and communicate such disruptions.

(5) Exclusion for Misuse
The warranty is excluded to the extent that malfunctions are attributable to (a) the Customer or its authorized users having used the software other than for its intended purpose, in particular not in accordance with available documentation, or (b) the Customer having failed to fulfill its cooperation obligations in whole or in time.

(6) No Warranties
The Provider provides no warranty within the meaning of § 443 BGB in respect of specific characteristics of the software, in particular not regarding the completeness of captured tenders, the accuracy of AI-based classifications, or the relevance of search results, unless expressly agreed in writing.

(7) Exclusion of Liability Independent of Fault
Liability without fault for initial defects that existed at the time of conclusion of the Agreement (§ 536a(1) BGB by analogy) is excluded to the extent that the parties have not expressly entered into an agreement as to the characteristics of the software.

(8) Unlimited Liability
The Provider's liability is unlimited:

(a) in cases of intentional misconduct and gross negligence;
(b) in cases of injury to life, body, or health;
(c) under the Produkthaftungsgesetz (Product Liability Act);
(d) to the extent of a warranty expressly assumed by the Provider.

(9) Liability for Slight Negligence — Cardinal Obligations
In the event of slightly negligent breach of material contractual obligations (cardinal obligations), the Provider's liability shall be limited in amount to the damage that was typically foreseeable at the time of conclusion of the Agreement. Liability is capped per individual claim at the annual remuneration agreed in the Proposal, but in no event exceeding EUR 25,000. In the event of multiple claims arising within one contract year, total liability is capped at twice the annual remuneration, but in no event exceeding EUR 50,000.

(10) Exclusion of Liability Otherwise
In the event of slightly negligent breach of non-material obligations, the Provider shall not be liable.

(11) Liability for Indirect and Consequential Damages
Liability for indirect damages, consequential damages, loss of profit, missed tender deadlines, unidentified tenders, business interruption, and damages arising from third-party claims against the Customer is excluded, unless paragraph 8 applies.

(12) Data Loss
Liability for loss of data is limited to the typical cost of recovery that would have been incurred had the Customer made regular and appropriate data backups.

(13) Vicarious Agents
The foregoing limitations and exclusions of liability apply equally for the benefit of the Provider's vicarious agents, employees, representatives, statutory representatives, and all sub-contractors of the Provider.

(14) Limitation Period
Warranty claims shall become time-barred after twelve months. Claims for damages shall become time-barred after twelve months from the statutory commencement of the limitation period. This does not apply to claims pursuant to paragraph 8, in cases of breach of material contractual obligations (cardinal obligations) pursuant to paragraph 9, in cases of fraudulent concealment, or where longer mandatory statutory limitation periods apply. In such cases, the statutory limitation periods shall apply.

§ 14 Confidentiality

(1) Both parties undertake to keep confidential all information that comes to their knowledge in the course of the business relationship and that is designated as confidential or whose confidential nature is apparent from the circumstances (hereinafter "Confidential Information"), and not to disclose it to third parties. Confidential Information includes in particular prices and terms of this Agreement, business strategies, technical information, and customer data.

(2) Confidential Information may only be used for the purpose of performing the Agreement. Each party shall be liable for breaches by its directors, senior employees, employees, advisors, and representatives as if they were its own breaches. The duty of confidentiality shall continue to apply for a period of three years after termination of the Agreement.

(3) Information shall not be regarded as confidential if it:

(a) was already publicly known at the time of disclosure;
(b) became publicly known after disclosure without fault on the part of the receiving party;
(c) was demonstrably already known to the receiving party prior to disclosure;
(d) was lawfully obtained or received from a third party not bound by a duty of confidentiality;
(e) must be disclosed by virtue of a statutory or regulatory requirement; the receiving party shall inform the disclosing party thereof without undue delay, to the extent permitted by law.

(4) The use of anonymized and aggregated data pursuant to § 7(3) does not constitute a breach of the confidentiality obligations under this section.

(5) The parties may name the other party in press releases, product brochures, on their websites, and in informational materials, and may indicate that a contractual relationship exists or has existed. Either party may revoke this authorization at any time in text form vis-à-vis the other party.

§ 15 Assignment

(1) The Customer is not entitled to transfer or assign rights and obligations under this Agreement to third parties without the prior written consent of the Provider. Excepted from this are assignments in the context of business sales, mergers, or comparable restructurings, provided that the legal successor assumes the obligations under this Agreement. The first sentence does not apply to monetary claims.

(2) The Provider is entitled to assign the Agreement to an affiliated company within the meaning of §§ 15 et seq. AktG or in the context of a business sale in which the material economic assets are transferred to a purchaser.

§ 16 Force Majeure

(1) Both parties are released from their performance obligations to the extent and for as long as performance is rendered impossible or unreasonable by force majeure. Force majeure means unforeseeable, extraordinary events that cannot be averted even with the exercise of the utmost care, including in particular natural disasters, war, terrorist attacks, pandemics, strikes, governmental orders, or widespread failures of telecommunications infrastructure.

(2) The affected party is obligated to inform the other party without undue delay of the occurrence and anticipated end of the force majeure event.

(3) If the force majeure event continues for more than two months, either party is entitled to terminate the Agreement with immediate effect.

§ 17 Final Provisions

(1) Governing Law
The laws of the Federal Republic of Germany shall apply, to the exclusion of the UN Convention on Contracts for the International Sale of Goods (CISG). The conflict-of-law rules of private international law shall not apply.

(2) Jurisdiction
The exclusive place of jurisdiction for all disputes arising from or in connection with this Agreement shall be, to the extent permitted by law, Hamburg, Germany.

(3) Form Requirement
Amendments and supplements to this Agreement must be made in text form pursuant to § 126b BGB. This applies equally to this clause itself. Electronic communication (email) satisfies the text form requirement.

(4) Severability
Should any provision of these GTC be or become invalid or unenforceable, the validity of the remaining provisions shall not be affected. The invalid or unenforceable provision shall be replaced by the applicable statutory rule.

(5) Place of Performance
The place of performance for all services shall be, unless otherwise agreed, the Provider's registered office in Hamburg.

Contact Details

Patterno GmbH
Jungfrauenthal 8
20149 Hamburg
Germany

Represented by: Leon Brunner, Managing Director
Email: info@patterno.de
Website: www.patterno.de

Annex 1: Data Processing Agreement (DPA) pursuant to Art. 28 DSGVO

§ 1 Subject Matter and Duration

(1) This Data Processing Agreement (DPA) sets out the data protection obligations of the parties in connection with the processing of personal data pursuant to Art. 28 DSGVO in the context of the main agreement (GTC and Proposal).

(2) The Processor (Provider) processes personal data on behalf of the Controller (Customer) exclusively in connection with the provision of the SaaS platform "Patterno HIT."

(3) The duration of processing corresponds to the term of the main agreement. Following termination of the main agreement, the provisions of § 10 of this DPA shall apply.

§ 2 Nature and Purpose of Processing

The processing of personal data is carried out for the purpose of:

(a) providing and operating the SaaS platform "Patterno HIT";
(b) user management and authentication;
(c) storage and management of search profiles, watchlists, and workflow settings;
(d) sending notifications and newsletters to the Customer's users;
(e) providing support services;
(f) generating anonymized and aggregated usage statistics pursuant to § 7 GTC.

§ 3 Categories of Personal Data

The following categories of personal data are subject to processing:

(a) Master data: surname, given name, email address, user role, organizational affiliation;
(b) Usage data: login times, search histories, search profiles, watchlist entries, work status, Copilot queries;
(c) Communication data: support requests, notification settings;
(d) Technical data: IP addresses, browser type, session data.

§ 4 Categories of Data Subjects

The data subjects are:

(a) employees, freelancers, and agents of the Customer who are registered as users on the platform;
(b) contact persons and administrators of the Customer's organization.

§ 5 Obligations of the Processor

(1) The Processor shall process personal data exclusively on documented instructions from the Controller. The provisions set out in this DPA and in the main agreement shall constitute instructions from the Controller. Instructions that go beyond the contractually agreed service require a separate agreement.

(2) The Processor shall ensure that persons authorized to process personal data have undertaken to maintain confidentiality or are subject to an appropriate statutory duty of confidentiality.

(3) The Processor shall implement the technical and organizational measures required pursuant to Art. 32 DSGVO (§ 6 of this DPA).

(4) The Processor shall assist the Controller in fulfilling its obligations pursuant to Art. 32 to 36 DSGVO, in particular in connection with data protection impact assessments and the reporting of personal data breaches.

(5) The Processor shall inform the Controller without undue delay, and in any event within 48 hours, upon becoming aware of any personal data breach.

(6) The Processor shall inform the Controller without undue delay if it is of the opinion that an instruction infringes the DSGVO or other data protection provisions.

§ 6 Technical and Organizational Measures

(1) The Processor shall implement in particular the following measures pursuant to Art. 32 DSGVO:

(a) Confidentiality

Access control: Role-based permissions system, personalized user accounts
Access management: Encrypted password storage, multi-factor authentication for administrative access
Isolation control: Tenant separation through organization-based data isolation

(b) Integrity

Input control: Logging of data modifications
Transmission control: Encrypted data transmission (TLS 1.2+)

(c) Availability and Resilience

Regular data backups
Hosting with certified cloud providers with redundant infrastructure
Monitoring and alerting in the event of system outages

(d) Recoverability

Documented recovery procedures
Regular testing of data backups

(2) The Processor shall regularly review the effectiveness of the technical and organizational measures and, where necessary, adapt them to reflect the current state of the art.

§ 7 Sub-processors

(1) The Controller hereby grants a general authorization for the engagement of sub-processors. The Processor shall inform the Controller of any intended change regarding the addition or replacement of sub-processors at least 30 days prior to the planned change in text form. The Controller may object to the change within 14 days of receipt of the notification in text form. In the event of a substantiated objection, the Processor is entitled to terminate the main agreement with one month's notice.

(2) The Processor shall ensure that the same data protection obligations as set out in this DPA are imposed on sub-processors, in particular sufficient guarantees that appropriate technical and organizational measures are implemented so that processing is carried out in accordance with the requirements of the DSGVO.

(3) At the time of conclusion of the Agreement, the Processor engages the following sub-processors:

Sub-processor	Service	Location / Legal Basis
Google Cloud EMEA Ltd.	Cloud Run (Application Hosting), Cloud SQL (PostgreSQL Database), Cloud Storage (Document Storage), Cloud Build (CI/CD), Cloud Scheduler (Job Orchestration), Secret Manager	EU — Region europe-west3 (Frankfurt)
Google Cloud EMEA Ltd.	Vertex AI / Gemini (AI Enrichment, Embedding, Copilot Chat)	EU — Region europe-west4 (Netherlands)
Google LLC	Gmail SMTP (Email dispatch for notifications and newsletters)	EU (EU-US Data Privacy Framework)

§ 8 Rights of Data Subjects

(1) The Processor shall, where possible, assist the Controller by appropriate technical and organizational measures in fulfilling its obligations to respond to requests for the exercise of data subjects' rights pursuant to Chapter III DSGVO (access, rectification, erasure, restriction, data portability, objection).

(2) If a data subject submits a request pursuant to paragraph 1 directly to the Processor, the Processor shall forward the request to the Controller without undue delay.

§ 9 Audit Rights of the Controller

(1) The Controller has the right to verify compliance with the provisions of this DPA. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in Art. 28 DSGVO.

(2) Inspections and audits may be conducted following prior coordination (notice period: at least 14 business days) during normal business hours. The Processor is entitled to demonstrate compliance also by providing current certifications, reports from independent auditors, or appropriate documentation.

(3) The costs of an inspection or audit shall be borne by the Controller, unless the inspection reveals material breaches by the Processor of this DPA.

§ 10 Deletion and Return of Personal Data

(1) Following termination of the main agreement, the Processor shall delete all personal data processed on behalf of the Controller, unless a statutory retention obligation precludes deletion. Deletion shall take place in accordance with § 11(5) GTC (30-day export period following termination of the agreement).

(2) The Processor shall confirm complete deletion to the Controller upon request in text form.

(3) The authorization to use anonymized and aggregated data pursuant to § 7 GTC is unaffected by the deletion obligation, as anonymized data no longer constitutes personal data.

§ 11 Liability

The liability of the parties under or in connection with this DPA shall be governed by the provisions of the main agreement (§ 13 GTC), unless mandatory data protection provisions (in particular Art. 82 DSGVO) provide for different liability rules.