Cooperation Agreement | Startup adVANce Challenge
Between Daimler AG and Startup
Cooperation Agreement "Startup adVANce Challenge" between Daimler AG and ______________________ Startup
1. Subject matter of the Agreement; Relationship to the Startup adVANce T&Cs
2. Effectiveness of this Agreement
3. General Provisions for each Phase
4. Cooperation during Phase 2 (Concept Phase)
5. Cooperation during Phase 3 (Prototype Phase)
Annex
Annex 3.7.3 Startup-Background-IP
Annex 3.12 Free and Open Source Software
Annex 3.15.8 Agreement on Data Processing on Behalf
Annex 4.1.2 Description of Phase 2 (First Draft of Concept and other expected Work Results, Daimler cooperation, etc.)
Cooperation Agreement "Startup adVANce"
This Cooperation Agreement (including these main provisions and the annexes hereinafter referred to as "Agreement") is concluded between the following Parties:
(1) Daimler AG, Mercedesstrasse 137, 70565 Stuttgart ("Daimler") and
(2) ________________________________________________________________ ("Startup")
(Daimler and Startup hereinafter also individually referred to as "Party" and together as "Parties").
Whereas:
(A) Daimler is organizing a challenge to initiate new partnerships with the most innovative startups in the field of "Last Mile Transportation of Goods and People" as well as to develop and realize prototypes in cooperation with these startups, which satisfy the future needs of B2C or B2B customers in this field ("Startup adVANce Challenge"). More precisely, the Startup adVANce Challenge focuses on all kinds of technology solutions (hardware and software; such technology solutions "Products") in combination as well as business models that address the following three Tracks around the Last Mile Transportation of Goods and People: (i) revolutionizing the cargo space of a van, (ii) Internet of Things (IoT) and (iii) transport sharing solutions.
(B) The execution of the Startup adVANce Challenge occurs in three different phases ("Phase"). The first Phase is an idea and idea alignment stage ("Phase 1 (Alignment Phase)"), the second Phase is a concept stage with the aim that the Startup, in cooperation with Daimler, develops a more detailed "Concept" based on the idea proposed and aligned in Phase 1 ("Phase 2 (Concept Phase)"), and the third Phase is a prototype stage with the aim that the Startup, in cooperation with Daimler, converts the Concept into a functionally tested prototype of a Product ("Prototype") that is ready for a field test run ("Phase 3 (Prototype Phase)").
(C) The cooperation between the Startup and Daimler only consists of technical aspects in connection with the development of the Concept in Phase 2 (Concept Phase) and the development of the Prototypes as well as their production in Phase 3 (Prototype Phase). Business aspects, e.g. the development of the business model, are carried out by the Startup individually. Daimler will also provide specific financial assistance ("Grants") to startups that qualify for Phase 2 (Concept Phase) and Phase 3 (Prototype Phase), respectively. For the avoidance of doubt, the Startup adVANce Challenge is not an acceleration or an incubation program and therefore does not include any business coaching for the startups by Daimler.
(D) The Startup adVANce Challenge, in particular the participation requirements the Startup must meet, the Phases, the evaluation criteria for each Phase and the requirements for Grant eligibility, are described in more detail in the document "Startup adVANce – Terms and Conditions" ("Startup adVANce Challenge T&C"). The Startup has been provided with and has declared its acceptance of these Startup adVANce T&Cs.
(E) The Parties intend to further specify their mutual rights and obligations for their cooperation in Phase 2 (Concept Phase) and, potentially, Phase 3 (Prototype Phase) of the Startup adVANce Challenge.
THEREFORE IT IS AGREED AS FOLLOWS:
1. Subject matter of the Agreement; Relationship to the Startup adVANce T&Cs
1.1 Subject Matter
1.1.1 The subject matter of this Agreement is the Parties’ cooperation within the following Phases of the Startup adVANce Challenge:
(a) Phase 2 (Concept Phase), and
(b) potentially Phase 3 (Prototype Phase).
1.1.2 Within Phase 2 (Concept Phase), the Startup will, in cooperation with Daimler, refine and complete the draft of the Concept and such other Work Results, each as further specified in clause 4. The details of the Grant awarded by Daimler to the Startup for this Phase 2 (Concept Phase) are also further specified in clause 4.
1.1.3 Within Phase 3 (Prototype Phase), the Startup will, in cooperation with Daimler, develop several Prototypes with increasing maturity levels and such other Work Results, each as further specified in clause 5. The details of the Grant awarded by Daimler to the Startup for this Phase 3 (Prototype Phase) are also further specified in clause 5.
1.1.4 Unless this Agreement explicitly sets forth otherwise, each Phase is a distinct and separate subject matter of this Agreement with specific Work Results (e.g., the Concept and the Prototypes) to be developed in a specific period of time, as further specified in clause 4 for Phase 2 (Concept Phase) and clause 5 for Phase 3 (Prototype Phase).
1.1.5 "Work Result" shall mean any output during Phase 2 (Concept Phase) and Phase 3 (Prototype Phase) such as, but not limited to, items, data, knowledge or information, whether tangible or intangible, whatever its form or nature and whether it can be protected or not, as well as any rights attached to it, including Intellectual Property Rights. The Concept may, depending on the level of cooperation between the Parties and their contribution for its development, either be a Jointly-owned Work Result or the individual Work Result of one Party. The Prototypes are the Jointly-owned Work Results of the Parties.
1.2 Relationship to the Startup adVANce T&Cs
The Startup adVANce T&Cs are an integral part of this Agreement. Therefore, the Startup adVANce T&Cs shall also apply to the cooperation of the Parties under this Agreement. In the event of a conflict between the terms of this Agreement and the terms included in the Startup adVANce T&Cs, the terms of this Agreement shall prevail. Terms defined in the Startup adVANce T&Cs shall have the same meaning when used in this Agreement, unless otherwise defined herein or required by the context.
2. Effectiveness of this Agreement
2.1 Phase 2 (Concept Phase)
For Phase 2 (Concept Phase), this Agreement enters into effect when signed by both Parties (the "Phase 2 Start Date").
2.2 Phase 3 (Prototype Phase)
For Phase 3 (Prototype Phase), this Agreement enters into effect as of August 25, 2017, provided that it has been signed by both Parties and the following condition precedent (aufschiebende Bedingung) is fulfilled:
(a) Daimler has provided the Startup with the Phase 3 Selection Notice (as defined in Section 1.5 of the Startup adVANce T&Cs) and
(b) the Startup has submitted the signed Phase 3 Prototype Plan (as defined in Section 1.5 of the Startup adVANce T&Cs) by August 24, 2017, 23:59 (CET) at the latest (this date also the "Phase 3 Effective Date").
3. General Provisions for each Phase
3.1 Introduction
The following general provisions apply to the Parties’ cooperation in Phase 2 (Concept Phase) and, if the Startup qualifies for Phase 3 (Prototype Phase) pursuant to the Startup adVANce T&Cs, also Phase 3 (Prototype Phase).
3.2 Execution of each Phase
3.2.1 The Startup will carry out its activities in each Phase under this Agreement in an efficient and financially responsible manner. Therefore, the Startup will implement good policy and sound management and it will use any Grant received in an efficient manner and solely for the purpose for which it was awarded.
3.2.2 Each Party will perform its activities under this Agreement with utmost diligence and pursuant to state of the art standards in science and technology.
3.3 Reporting
3.3.1 The Startup has to continuously document, in a comprehensive and adequately detailed manner, its activities within each Phase and each of the Work Results developed. Upon request of Daimler, the Startup has to provide such documentation and to adequately explain it as well as the Work Results. Additionally, the Startup must immediately inform Daimler of any facts and circumstances that could be of importance to Daimler with respect to a Grant and must provide any documents that relate to the facts and circumstances and, if requested by Daimler, must further explain these.
3.3.2 The Startup’s reporting and information duties pursuant to clause 3.6 and clause 5.3 of this Agreement remain unaffected.
3.4 Resources
Unless otherwise set forth elsewhere in this Agreement, the Startup will be solely responsible, both legally and commercially, for procuring the required and appropriate material, equipment and human resources for the performance of its activities in each Phase, in particular the development of the Concept in Phase 2 (Concept Phase) and, if applicable, the Prototypes in Phase 3 (Prototype Phase).
3.5 Subcontractors
3.5.1 Each Party is entitled to engage third parties ("Subcontractors") for the performance of its respective obligations under this Agreement. Any engagement of a Subcontractor by the Startup requires the prior written approval by Daimler. Daimler will not unreasonably withhold such approval.
3.5.2 If a Party intends to engage a Subcontractor, this Party is obligated to select the Subcontractor carefully and, subsequently, to supervise the Subcontractor as far as necessary for the execution of this Agreement. In any case, engaging a Subcontractor does not affect the legal responsibilities of this Party against the other Party in respect of the performance of
the former Party’s contractual obligations; each Party is liable for the conduct of its Subcontractor(s) as it is for its own conduct.
3.6 Grants
3.6.1 The requirements for the eligibility of the Startup for a Grant are set forth in item 1. of Section 2.7 of the Startup adVANce T&Cs. For the avoidance of doubt, meeting these Grant eligibility requirements does not give the Startup any right (for whatever legal reason) to claim the award of a Grant from Daimler.
3.6.2 The Grants shall be used solely for the purpose of the Startup adVANce Challenge, i.e. for expenses incurred by the Startup’s participation in the Startup adVANce Challenge. Only such expenses that were directly caused by the Startup’s participation in the relevant Phase are eligible, as further specified in Annex 1 of the Startup adVANce T&Cs. Value added tax, sales tax or similar taxes or duties are non-eligible expenses. Expenses must be determined in accordance with the usual accounting and management principles and practices of the Startup. The accounting procedures used in the recording of costs shall respect the accounting rules of the state in which the Startup is established. The Startup’s internal accounting and auditing procedures must permit direct reconciliation of the costs declared in respect of the Startup adVANce Challenge and, in case of Phase 3 (Concept Phase), a given Work Package / Milestone, with the corresponding financial statements and supporting documents.
3.6.3 The use of the Grants must be recorded in the accounts of the Startup.
3.6.4 Upon request by Daimler, the Startup must provide Daimler with satisfactory evidence of its compliance with the requirements of clauses 3.6.2 and 3.6.3. In particular (without limitation), Daimler may request the submission of proven financial statements, along with all the respective invoices and payment documentation.
3.6.5 Further details regarding the Grant for Phase 2 (Concept Phase) are set forth in clause 4.2 of this Agreement. Further details regarding the Grant for Phase 3 (Prototype Phase), if applicable, are set forth in clause 5.2 of this Agreement.
3.7 Existing Intellectual Property Rights
3.7.1 With respect to the field of Last Mile Transportation of Goods and People and in any other aspects relevant to the Startup adVANce Challenge and its Phases, each Party already owns or has licensed from third parties Intellectual Property Rights (as defined in clause 3.7.8), that the Parties will use within their cooperation under this Agreement (generally "Background-IP", and depending on the relevant Party, either "Daimler-Background-IP" or "Startup-Background-IP").
3.7.2 Unless expressly specified otherwise in this Agreement each Party remains the owner of its own Background-IP.
3.7.3 The Startup-Background-IP that the Startup intends to use within Phase 2 (Concept Phase) and Phase 3 (Prototype Phase) is described in Annex 3.7.3. Annex 3.7.3 also includes information if and to which extent this Startup-Background-IP is subject to legal restrictions or limits. The Startup must inform Daimler reasonably in advance if it intends to use other Startup-Background-IP; in this case, the Startup must also provide information if and to which extent this Startup-Background-IP is subject to legal restrictions or limits.
3.7.4 Subject to clause 3.7.5, each Party grants the other Party a royalty-free, worldwide, non-exclusive, non-transferrable and non-sublicensable right to use its Background-IP only to the extent that this is necessary for the other Party (i) to perform such other Party’s obligations under this Agreement, (ii) to use such other Party’s Work Results, (iii) to use the Jointly-owned Work Results or (iv) to use the Work Results of the Party first mentioned herein, in each case
solely for the purpose of the Startup adVANce Challenge and in accordance with this Agreement.
3.7.5 In addition to the rights of Daimler to the Startup-Background-IP as set forth in clause 3.7.4, Daimler shall be entitled to use the Startup-Background-IP to the extent necessary to use and otherwise exploit the Jointly-owned Work Results pursuant to clause 3.9.4.
3.7.6 If Background-IP is licensed from a third party, the obligation of the Party set forth in clause 3.7.4 and the obligation of the Startup set forth in clause 3.7.5 are subject to any restrictions that may be set forth in the license terms of the existing agreement with the third party. The other Party is obligated to comply with these license terms, provided that these have been disclosed in advance to this other Party.
3.7.7 During the term of this Agreement (cf. clause 3.18), the Startup is not entitled to transfer its Startup-Background-IP to a third party or to grant an exclusive license thereto for purposes similar to the Product Idea, the Concept and the Prototypes, respectively, if this adversely affects Daimler’s rights thereto pursuant to this Agreement.
3.7.8 "Intellectual Property Rights" shall mean the following: any rights existing out of, to, or in intangible assets, including, without limitation, patents, utility models, inventions (whether or not patentable), trade and business secrets, know-how, copyrights and other rights protected under copyright laws (including database rights and rights in computer programs and neighboring rights), designs, as well as trademarks, business names and domain names, in each case whether registered or unregistered and including all applications and rights to apply for and to be granted, renewals and extensions of, and rights to claim priority from, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world.
3.8 Work Results
3.8.1 Unless set forth otherwise elsewhere in this Agreement, each Party owns the Intellectual Property Rights in and to those Work Results it has individually developed in connection with the cooperation of the Parties during Phase 2 (Concept Phase) and, if applicable, Phase 3 (Prototype Phase). Work Results that have been developed jointly but where the respective contributions of each Party can be established shall be deemed individually owned Work Results of each Party to the extent of each Party’s respective contribution.
3.8.2 Each Party must examine the possibility of protecting its individually owned Work Results and must adequately protect them, for an appropriate period and with appropriate territorial coverage, if:
(a) the Work Results can reasonably be expected to be commercially or industrially exploited and
(b) protecting them is possible, reasonable and justified (given the circumstances).
3.8.3 When deciding on protection of its individually owned Work Results, the Party must consider its own legitimate interests and the legitimate interests of the other Party.
3.8.4 Subject to clause 3.8.5, each Party grants the other Party a royalty-free, worldwide, non-exclusive, non-transferrable and non-sublicensable right to use its Work Results only to the extent that this is necessary for the other Party (i) to perform such other Party’s obligations under this Agreement, (ii) to use such other Party’s Work Results or (iii) to use the Jointly-owned Work Results, in each case solely for the purpose of the Startup adVANce Challenge and in accordance with this Agreement.
3.8.5 In addition to the rights of Daimler to the Work Results of the Startup as set forth in clause 3.8.4, Daimler shall be entitled to use these Work Results to the extent necessary to use and otherwise exploit the Jointly-owned Work Results pursuant to clause 3.9.4.
3.8.6 During the term of this Agreement (cf. clause 3.18), the Startup is not entitled to transfer its rights in and to its individually owned Work Results to a third party or to grant an exclusive license thereto for purposes similar to the Product Idea, the Concept and the Prototypes, respectively, if this adversely affects Daimler’s rights thereto pursuant to this Agreement.
3.9 Jointly-owned Work Results
3.9.1 The Parties jointly own the Intellectual Property Rights in and to Work Results if
(a) they have jointly generated them and
(b) it is not possible to separate them for the purpose of applying for, obtaining or maintaining their protection
(such Work Results the "Jointly-owned Work Results" and the Intellectual Property Rights therein and thereto the "Shared Intellectual Property Rights").
3.9.2 The Parties shall in good faith agree on all necessary protection measures in relation to the Shared Intellectual Property Rights (including, but not limited to, the appropriate territorial coverage) and the division of the related costs between the Parties.
3.9.3 During the term of this Agreement (cf. clause 3.18)
(a) each Party is entitled to individually use the Jointly-owned Work Results only for the purpose of the Parties’ cooperation under this Agreement (including the joint test projects) on a worldwide and royalty-free basis without requiring the prior written consent of the other Party (without the right to grant sub-licenses to third parties other than affiliated undertakings according to Sec.
15 German Stock Corporation Act (Aktiengesetz; AktG), unless the other Party has given its prior written consent to such sub-licensing); and
(b) neither Party is, without the prior written consent of the other Party, entitled to otherwise exploit the Shared Intellectual Property Rights.
3.9.4 When this Agreement ends (for whatever legal reason),
(a) each Party shall be entitled, without requiring the prior written consent of the other Party, to use the Jointly-owned Work Results on a worldwide and royalty-free basis and to otherwise exploit the Jointly-owned Work Results (including the right to grant non-exclusive sub-licenses to third parties, but for avoidance of doubt, without the right to transfer the Jointly-owned Work Results as a whole to third parties which transfer shall require the written consent of the other Party); and
(b) each Party shall be entitled to transfer its share in Shared Intellectual Property Rights (to the extent legally possible) to a third party, provided that the Startup must in such case obtain Daimler’s prior written consent; if Daimler refuses to grant this consent, Daimler is obligated to offer the Startup a fair and reasonable compensation; upon the payment of such fair and reasonable compensation, Daimler shall become the owner of the Startup’s share in the relevant Shared Intellectual Property Rights, which shall forthwith be Daimler’s sole Intellectual Property Rights.
When requesting Daimler’s consent to the transfer of its share in Shared Intellectual Property Rights, the Startup shall provide Daimler with satisfactory evidence of a binding offer by the
designated transferee, including the offered purchase price; such purchase price shall in any event be the maximum compensation payable by Daimler to the Startup.
3.9.5 For the avoidance of doubt, the Startup’s rights set forth in clause 3.9.4 do not include the right to use or otherwise exploit any Daimler-Background-IP or Work Results individually owned by Daimler even if this would be necessary in order to be able to use or exploit the Jointly-owned Work Results pursuant to this clause 3.9.4.
3.10 Rights of Third Parties (including Personnel)
3.10.1 Where a Party involves third parties (including personnel of one Party) in the generation of Work Results, such Party must obtain all necessary rights (transfer, licenses or other) from the third party in order to be able to respect its obligations as if those Work Results were generated by the Party itself.
3.10.2 If obtaining the rights is impossible, the Party must refrain from using the third party to generate the Work Results.
3.11 IP Indemnity
3.11.1 Each Party will ensure that the appropriate use of its individually owned Work Results (or its other materials) or its contributions to the Jointly-owned Work Results (in each case including the relevant Background-IP) by the other Party does not infringe any third party rights. If any claims in connection with the appropriate use of these (Jointly-owned) Work Results or other materials (including the relevant Background-IP) of one Party ("Indemnifying Party") are enforced against the other Party ("Indemnified Party") on the basis of an actual or alleged infringement of third party rights, the Indemnified Party will notify the Indemnifying Party without undue delay (unverzüglich). The Parties will closely cooperate regarding the defense against these claims with the Indemnified Party assuming the lead responsibility therein. The Indemnifying Party will support the Indemnified Party to a reasonable extent.
3.11.2 If the Indemnified Party incurs costs and/or damages (including reasonable legal costs for litigation) in connection with the defense or other handling of claims mentioned in clause 3.11.1, the Indemnifying Party hereby indemnifies the Indemnified Party and holds the Indemnified Party harmless against any such costs and damage. The limitation of liability set forth in clause 3.14.2 will not apply to this indemnification obligation of the Indemnifying Party.
3.12 Free and Open Source Software
The Parties agree that the terms and conditions stated in Annex 3.12 shall apply with regard to the use of any free and open source software (as defined in this Annex 3.12).
3.13 Source Code
Daimler may request from the Startup at any time a market standard deposition of the source code of the software owned by the Startup and/or used or developed in connection with the execution of this Agreement. The cost for the escrow will be borne by Daimler.
3.14 Liability
3.14.1 Each Party will be liable as provided by applicable laws for damages resulting from (i) willful misconduct (Vorsatz) or gross negligence (grobe Fahrlässigkeit), (ii) death or personal injury, (iii) infringement of rights of third parties, and (iv) breach of obligations on confidentiality and data protection. Each Party’s liability for any other damages that cannot be excluded or limited due to mandatory applicable laws (e.g. product liability) will remain unaffected.
3.14.2 Subject to clause 3.14.1, each Party's liability for damages resulting from slight negligence (leichte Fahrlässigkeit) under or in connection with this Agreement will be limited to EUR 150,000.00 (in words: Euro one hundred fifty thousand).
3.15 Confidentiality and Data Protection
3.15.1 The Parties agree to use any Confidential Information (as defined in clause 3.15.6) of the other Party only for the purpose of exercising any rights or complying with any obligations under this Agreement. Each recipient of Confidential Information will use all reasonable efforts to protect such Confidential Information from unauthorized use or disclosure and, in any event, will exercise at least the same reasonable level of care to avoid any such unauthorized use or disclosure as it uses to protect its own information of a similar nature. The confidentiality obligation will survive for a duration of five (5) years beyond the termination or expiration of this Agreement.
3.15.2 Each Party may disclose Confidential Information of the respective other Party only to those employees which need the information to fulfil their tasks and who have agreed in writing to be bound to confidentiality insofar as they are not already bound to confidentiality by their employment contract. Insofar as a Party uses a third party to fulfil its contractual obligations, this Party is obligated to ensure by suitable agreement that the third party is bound by and complies with the confidentiality obligations in this clause 3.15.2.
3.15.3 Notwithstanding the foregoing, each Party may disclose Confidential Information of the other Party with prior written consent of the other Party. Each disclosure of Confidential Information has to be limited to the extent required in each case.
Each Party will be free to disclose Confidential Information of the other Party without the prior written consent of the other Party only if:
(a) this is demanded either by a regulatory authority or by a court in connection with a judicial procedure, or
(b) this is required by mandatory applicable laws, or
(c) the information in question is required by the personnel (cf. clause 3.15.2), Subcontractors approved in writing, or advisors of a Party, in each case for the fulfillment of their relevant obligations in connection with their respective tasks, provided that they are bound to confidentiality (e.g. due to the employment contract).
In addition, each Party is entitled to disclose Confidential Information of the other Party to affiliated undertakings according to Sec. 15 German Stock Corporation Act (Aktiengesetz; AktG) without the consent of the disclosing Party to the extent this is required for the execution of this Agreement.
3.15.4 Additionally, in the cases of clauses 3.15.3(a) and 3.15.3(b), the other affected Party is to be informed about the disclosure reasonably in advance in order to enable the other Party to take precautionary actions for their Confidential Information, unless this is not possible or admissible in the particular case.
3.15.5 If this Agreement ends for whatever reasons, the receiving Party of each tangible item of Confidential Information will return such item to the other Party. Besides, Confidential Information shall be destroyed. Each Party may request from the disclosing Party a corresponding certificate that all items of Confidential Information in possession of the other Party have been returned or destroyed respectively. The provisions stated above do not apply to general correspondence between the Parties or to any Confidential Information whose retention is required by legal requirements.
3.15.6 "Confidential Information" are this Agreement as well as other documents and data and information in any form, which one Party became aware of or will become aware of in connection with the preparation, the conclusion, the execution or the handling of this Agreement (irrespective
of whether the documents, data or information are deemed as confidential), insofar as they are not
(a) generally known or accessible for the public or without the contribution of the other affected Party became public,
(b) released in writing by the affected Party as non-confidential information,
(c) at the time of the transfer of the item to the receiving Party were no longer subject to confidentiality, or
(d) the transfer to the receiving Party from a third party occurred without an obligation to confidentiality.
3.15.7 Notwithstanding the above provisions on confidentiality, each Party will comply with the data protection regulations including confidentiality, availability, integrity and authenticity of data.
3.15.8 If the Startup collects, processes or uses personal data on behalf of Daimler, the Parties will agree on a contract on data processing on behalf as set out in Annex 3.15.8.
3.16 Communication and Publication
3.16.1 The Startup is not entitled to issue or to initiate public announcements in the press, media or in marketing materials relating to its Product Idea filed for the Startup adVANce Challenge and to this Agreement and the Parties’ cooperation (e.g., but not limited to, the Product, Concept and/or Prototypes) without the prior approval of Daimler. Daimler will inform the Startup reasonably prior to any intended press releases or statements regarding the Parties’ cooperation under this Agreement.
3.16.2 The Startup shall not use the name, logo, other company symbols and identity of Daimler (including the group companies of Daimler) without the prior written consent of Daimler.
3.17 Costs
3.17.1 Each Party bears its own costs out of and in connection with the conclusion of this Agreement and the performance of its obligations owed to the other Party for each Phase pursuant to this Agreement.
3.17.2 The Parties herewith clarify that no specific or additional remuneration for the granting of rights pursuant to clauses 3.7 through 3.9 is owed between the Parties.
3.18 Term and Termination
3.18.1 With respect to Phase 2 (Concept Phase), this Agreement has a fixed term starting from the Start of Phase 2, May 6, 2017, and until July 6, 2017. No Party is entitled to terminate this Agreement for convenience during this fixed term.
3.18.2 With respect to Phase 3 (Prototype Phase), this Agreement has a fixed term starting from the Start of Phase 3, August 25, 2017, and until November 26, 2017 at the latest, or such earlier date as jointly determined by the Parties. No Party is entitled to terminate this Agreement for convenience during this fixed term. If so requested by one Party, the Parties may enter into good faith negotiations with the aim to extend the term of this Agreement beyond November 26, 2017 and to agree on any additional terms and conditions necessary for the successful continuation of their cooperation under this Agreement.
3.18.3 Each Party may terminate this Agreement for cause (aus wichtigem Grund) without notice period. Cause is given if one Party has breached a material provision of this Agreement and has not remedied such breach, if remedial action is possible and has not been refused by the
other Party expressly or implicitly, within fourteen (14) days after receiving a corresponding formal notice by the other Party.
3.19 Miscellaneous
3.19.1 Within the framework of its commercial dealings with Daimler, the Startup is obligated to desist from all practices which may lead to penal liability due to fraud (Betrug) or embezzlement (Untreue), insolvency crimes (Insolvenzstraftaten), crimes in violation of competition (Straftaten gegen den Wettbewerb), guaranteeing advantages (Vorteilsgewährung), acceptance of advantages (Vorteilsannahme), bribery (Bestechung), acceptance of bribes (Bestechlichkeit) or similar crimes on the part of persons employed or retained by the Startup or other third parties. In the event of a violation of the above, Daimler has the right to immediately withdraw from, or terminate, all legal transactions existing with the Startup and the right to cancel all negotiations. Notwithstanding the above, the Startup is obligated to adhere to all laws and regulations applicable to both itself and the commercial relationship with Daimler.
3.19.2 Any amendment of, or supplement to, this Agreement (including its annexes) must be in writing to be valid (unless otherwise agreed herein). This also applies to the revocation of this requirement of written form.
3.19.3 Should a provision of this Agreement be or become invalid or unenforceable, the validity of the other provisions of this Agreement shall not be affected thereby. The invalid or unenforceable provision shall be replaced or supplemented by a legally valid arrangement which is consistent with the intentions of the Parties or what would have been the intention of the Parties if they had recognized the invalidity or unenforceability, as the case may be. The same applies to any contractual gaps or omissions.
3.19.4 This Agreement (together with the Startup adVANce T&Cs) constitutes the entire agreement between the Parties with regard to its subject matters. No other side agreements have been made. The Parties agree that their respective general terms and conditions shall not apply regarding this Agreement, notwithstanding any references to these in an order, order processing, order confirmation or otherwise; the effectiveness of the Startup adVANce T&Cs remains unaffected.

3.19.5 No Party to this Agreement may assign or transfer this Agreement or all or any part of its rights and obligations hereunder to a third party without the prior written consent of the other Party, whether by way of singular or universal legal succession. Section 354a of the German Commercial Code (Handelsgesetzbuch; HGB) remains unaffected.

3.19.6 This Agreement will be governed by, and construed in accordance with, the laws of the Federal Republic of Germany. The rules of private international law and the Vienna Convention on the International Sale of Goods (CISG) will not apply.

3.19.7 Exclusive venue for any dispute arising out of or in connection with this Agreement will be the courts in Stuttgart, Germany.

4. Cooperation during Phase 2 (Concept Phase)

4.1 General

4.1.1 In addition to the provisions set forth in clauses 1 through 3 of this Agreement and in the relevant Sections of the Startup adVANce T&Cs, the Parties agree on the following with respect to the execution of Phase 2 (Concept Phase), specifically regarding the activities of the Startup and the development of the Concept.
4.1.2 The first draft of the Concept and other Work Results (if any) to be developed during Phase 2 (Concept Phase) are described in detail in Annex 4.1.2 to this Agreement. The first draft of the Concept and other Work Results (if any) shall be further developed during this Phase 2 (Concept Phase) by the Startup. The level of maturity expected for the end of Phase 2 (Concept Phase) is a “ready to go concept” that can, without any need for significant further specifications, be used to build the first rough version of the Prototype.

4.1.3 The technical information and/or expertise of Daimler that the Startup deems necessary for the purpose of further developing the first draft of the Concept and the other Work Results (if any) described in Annex 4.1.2 are also described therein. Daimler may, in each case upon its sole discretion, decide if, and if so, to which extent and how, to provide such technical information and expertise to the Startup. For the avoidance of doubt, Annex 4.1.2 is in this respect not binding for Daimler and the Startup must use best efforts to perform its obligations hereunder and to further develop the Concept and the other Work Results (if any) pursuant to this Agreement even if Daimler does not provide the technical information and/or expertise suggested by the Startup in this Annex 4.1.2.

4.2 Grant

4.2.1 Subject to clause 3.6 of this Agreement, the Startup will be awarded a one-time Grant of EUR 10,000.00 (in words: Euro ten thousand) for Phase 2 (Concept Phase).

4.2.2 Daimler will pay this Grant in a lump-sum to the Startup within thirty (30) days after the Phase 2 Start Date.
4.2.3 Daimler may claim the full or partial repayment of this Grant from the Startup in the following events:
(a) the Startup has used this Grant for other purposes than stated in clause 3.6.2;
(b) the Startup has not, by July 23, 2017, 23:59 (CET) at the latest, submitted a revised Concept that meets the maturity level expected for Phase 2 (Concept Phase) pursuant to the description of Phase 2 (Concept Phase) in Section 1.5 of the Startup adVANce T&Cs;
(c) the Startup is excluded from participation in the Startup adVANce Challenge pursuant to Section 1.4 or item 6. of Section 2.2 of the Startup adVANce T&Cs;
(d) the Startup fails to comply with any of its material obligations under Startup adVANce T&Cs or this Agreement; or
(e) Daimler has terminated this Agreement for cause (cf. clause 3.18.3).

4.2.4 The obligation to pay back the Grant for Phase 2 (Concept Phase) shall not apply once the Startup has submitted the revised Concept with the maturity level expected for Phase 2 (Concept Phase) according to Section 1.5 of the Startup adVANce T&Cs.

4.2.5 If the Startup has received payments exceeding the amount set forth in clause 4.2.1 for Phase 2 (Concept Phase) from Daimler, the Startup has to repay the relevant amount to Daimler without undue delay.

5. Cooperation during Phase 3 (Prototype Phase)

5.1 General

5.1.1 In addition to the provisions set forth in clauses 1 through 3 of this Agreement and in the relevant Sections of the Startup adVANce T&Cs, the Parties agree on the following with respect to the execution of Phase 3 (Prototype Phase), specifically regarding the activities of the Startup and the joint development of the several Prototypes.

5.1.2 The Prototypes and other Work Results (if any) to be (jointly) developed during Phase 3 (Prototype Phase) are described in the Phase 3 Prototype Plan. The Phase 3 Prototype Plan includes the Work Packages and corresponding Milestones (each as defined in Section 1.5 of the Startup adVANce T&Cs).

5.1.3 The Startup shall, in cooperation with Daimler pursuant to clauses 5.1.4 and 5.1.5, build the Prototypes according to the Concept and the Phase 3 Prototype Plan. The Startup shall build several Prototypes with increasing maturity levels with the final Prototype being suited for use in a field test run. Therefore, the Parties will jointly test the different Prototypes to ensure an interactive development approach and learning effect.

5.1.4 The technical information and expertise that Daimler, in each case in its sole discretion, may provide to the Startup in this Phase 3 (Prototype Phase) are also described in the Phase 3 Prototype Plan. For the avoidance of doubt, this part of the Phase 3 Prototype Plan is not binding for Daimler and the Startup must use best efforts to perform its obligations hereunder and to develop the Prototypes and the other Work Results (if any) pursuant to this Agreement even if Daimler does not provide the technical information and/or expertise suggested by the Startup in the Phase 3 Prototype Plan.

5.1.5 In its sole discretion, Daimler may also provide technical support, material and workspace to the Startup.
In this case, the following shall apply:
(a) Any material which Daimler provides to the Startup must be used by the Startup exclusively for the execution of its activities in Phase 3 (Prototype Phase); the material remains in the ownership of Daimler unless ownership transfers by statutory law due to combination, mixture or manufacture. If this Agreement ends for whatever reasons, the Startup must, upon request, return such material to Daimler that is still owned by Daimler and that has not been consumed in the ordinary course of the execution of Phase 3 (Prototype Phase).
(b) Any workspace (including IT systems) which Daimler provides to the Startup must be used by the Startup exclusively for the execution of its activities in Phase 3 (Prototype Phase). When accessing Daimler premises and/or IT systems, the Startup and its personnel must at any time fully comply with the terms of use generally applicable to external users, in particular the relevant security requirements.

5.2 Grant

5.2.1 If selected for Phase 3 (Prototype Phase) and subject to clause 3.6 of this Agreement, the Startup will be awarded a Grant of EUR 80,000.00 (in words: Euro eighty thousand).

5.2.2 Daimler may award the Startup an Optional Grant (as defined in item 3. of Section 2.6 of the Startup adVANce T&Cs) pursuant to item 3. of Section 2.6 of the Startup adVANce T&Cs. Any award of an Optional Grant by Daimler will be based on Daimler’s consideration of the added value that the Work Packages contribute to Daimler’s strategic needs, provided that the decision on how to allocate the Optional Grant to the Startup and the other startups selected for Phase 3 (Prototype Phase) will be in Daimler’s sole discretion.

5.2.3 Daimler will pay twenty (20) percent of the Grant for Phase 3 (Prototype Phase) (including the Optional Grant, if any) within thirty (30) days after the Startup has returned the signed copy of the Phase 3 Prototype Plan. The remaining eighty (80) percent shall be paid as linked to the Milestones in the Phase 3 Prototype Plan and following completion and joint validation of the Milestones.
5.2.4 Daimler may claim the full or partial repayment of this Grant from the Startup in the following events:
(a) the Startup has used this Grant for other purposes than stated in clause 3.6.2;
(b) the Startup has not built the final Prototype that is suited for use in a field test run pursuant to the description of Phase 3 (Prototype Phase) in Section 1.5 of the Startup adVANce T&Cs;
(c) the Startup is excluded from participation in the Startup adVANce Challenge pursuant to Section 1.4 or item 6. of Section 2.2 of the Startup adVANce T&Cs;
(d) the Startup fails to comply with any of its material obligations under Startup adVANce T&Cs or this Agreement; or
(e) Daimler has terminated this Agreement for cause (cf. clause 3.18.3).

5.2.5 The obligation to pay back the Grant for Phase 3 (Prototype Phase) shall not apply once all Milestones have been completed successfully.

5.2.6 If the Startup has received payments exceeding the amount that it is eligible for in this Phase 3 (Prototype Phase) from Daimler, the Startup has to repay the relevant amount to Daimler without undue delay.

5.3 Phase 3 (Prototype Phase) Reporting

Upon completion of each Milestone, the Startup will provide Daimler with a "Milestone Report" that must include the topics listed in item 5. of Section 2.6 of the Startup adVANce T&Cs.

[signature page(s) to follow.]
Daimler AG
Stuttgart, _________
Signature: ____________________
Name: ____________________
Signature: ____________________
Name: ____________________

__________________________ Startup
_________, _________
Signature: ____________________
Name: ____________________
Signature: ____________________
Name: ____________________
Annex 3.7.3 (Startup-Background-IP) to the Cooperation Agreement "Startup adVANce Challenge" between Daimler AG and Startup

1. Startup-Background-IP

[to be completed by Startup]
Annex Free & Open Source Software for Mobile Apps
Version 1/2014

1. Scope of Application

1.1 These provisions extend the terms of the contract relating to the development and/or supply of applications for mobile devices ('Principal Contract') between Supplier and Daimler AG or companies affiliated with Daimler AG as defined in section 15 German Stock Corporation Act (AktG) ('Customer') with respect to the use of free software and open source software (collectively referred to as 'FOSS'). To this extent they take precedence over the provisions of the Principal Contract. Individual deviations must be agreed in writing with express reference to the provisions concerned.

1.2 Goods or services provided by Supplier may only contain FOSS if Customer has given its express consent in writing in advance.

The term FOSS as used in this document encompasses all software that is, in principle, available at no cost and which is subject to a license or other contractual provision ('FOSS License') that, as a requirement for the modification and/or distribution of the software and/or any other software associated with or derived from this software ('FOSS Derivative'), contains at least one of the following conditions:
a) the source code of such software and/or of a FOSS Derivative must be made freely available to third parties; and/or
b) third parties must be allowed to create products derived from such software and/or FOSS Derivatives; and/or
c) certain information or documents, such as license text, must be included in the product documentation and/or other materials supplied with the software and/or agreed with the recipients.

2. Consent of the Customer to the Use of FOSS or FOSS Derivatives

2.1 The consent of Customer must be obtained for each individual case in which Supplier wishes or intends to modify or use FOSS or FOSS Derivatives as part of the provision of goods or services, or otherwise include FOSS or FOSS Derivatives in the results of Supplier's activities that are intended to remain with Customer. Supplier shall use the latest form provided by Customer ('Free & Open Source Software (FOSS) Disclosure for Mobile Apps', hereinafter referred to as 'FOSS Disclosure Document'). Supplier must present the fully and correctly completed FOSS Disclosure Document to Customer together with or prior to the offer for the goods or services concerned.

2.2 Customer will decide at its own discretion on the use of FOSS. Consent may be made dependent on certain conditions for the use of FOSS or FOSS Derivatives, which will then become duties of Supplier under the Principal Contract. Consent will only be granted expressly and in writing ('Approved FOSS'); silence does not imply consent.

2.3 Supplier shall submit a fully and correctly completed FOSS Disclosure Document for the current status of goods or services when providing the goods or services. This is a prerequisite for the provision of the goods or services in full and according to the contract.

2.4 This procedure will apply again in the event of any changes to the FOSS or FOSS Derivatives, even if the change only involves the release of a new version, and in the event of any changes to the use approved by Customer.

2.5 The time and expenses of Supplier incurred in connection with this procedure, and the resulting obligations and their fulfillment, will be covered by the remuneration for the goods and services; the same applies to the remuneration for the provision of the Approved FOSS and FOSS Derivatives.

3. Duties of Supplier

3.1 Supplier shall fulfill all obligations arising from the use, modification and distribution of FOSS and FOSS Derivatives, for and on behalf of Customer, unless this is not permitted under the terms of the respective FOSS License. Any restrictions in this respect may only be agreed in the FOSS Disclosure Document.

In addition, Supplier shall enable Customer to fulfill all such obligations itself, and shall ensure strict compliance with the conditions and obligations agreed with Customer.

3.2 Supplier shall design and structure its goods or services, and the software architecture in the case of software development or modifications, in accordance with the requirements of Customer so that
a) software to be developed or modified for Customer is not impaired by the FOSS or FOSS Derivatives used, in particular as a result of 'copyleft' or 'viral' effects.
b) the FOSS Licenses do not conflict with the digital signature of Customer.

3.3 Approved FOSS and FOSS Derivatives must be technically implemented in the goods or services in a manner that allows for them to be quickly and easily removed and replaced by a different product offering the same functions.

3.4 Supplier must fulfill all obligations relating to the Approved FOSS, in particular
a) at Customer's request, disclose and, where necessary, amend its organizational and technical processes with regard to FOSS (e.g. use of tools to detect FOSS),
b) provide Customer, no later than the date on which the goods or services are delivered, with the text of the FOSS Licenses, the information to be included in the product documentation and other components required by Customer to create and use a workable version of the Approved FOSS (such as modified build scripts), including the source codes of the FOSS and any FOSS Derivatives and
c) acquire and provide, at its own cost, licenses for industrial property rights and other third-party rights that are required for the use of the Approved FOSS in order to ensure that Customer is granted rights of use as set out in the Principal Contract.

3.5 If Supplier uses several FOSS, it will undertake appropriate measures to ensure the mutual compatibility of the individual FOSS Licenses and their compatibility as a whole with any other software to be developed or used, e.g. by designing and structuring the software accordingly.

3.6 To the extent required by the respective FOSS Licenses or if so requested by Customer, Supplier shall provide the respective FOSS projects with the FOSS Derivatives created by Supplier. This will always be done in prior consultation with Customer and only to the extent that the FOSS Derivatives are non-differentiating and are classified as commodities, and if there are no conflicting confidentiality agreements, patents or other legal obstacles. In cases of doubt, Customer will decide.

4. Liability and Warranty

4.1 This document does not establish a responsibility of Supplier for the FOSS and FOSS Derivatives per se, save where permitted by the respective FOSS License. Nevertheless, Supplier is obliged to assume liability and provide a warranty for goods or services supplied under the terms of the Principal Contract, including those in which FOSS or FOSS Derivatives are used.

4.2 As part of its warranty obligations Supplier shall, without restriction to its duties under clause 3 and save for where this is not permitted under the terms of the respective FOSS License, provide at its own cost maintenance services for the FOSS and FOSS Derivatives in accordance with the Principal Contract, in particular for the rectification of defects. This includes the obligation to examine the FOSS and FOSS Derivatives for potential faults prior to initial use, and continuously thereafter, and to remedy such faults, in particular if they have security implications. Such corrections will be included in the scope of goods or services if Customer grants its consent.

4.3 Supplier shall provide integration support for the FOSS and FOSS Derivatives as requested by Customer and in accordance with the provisions of the Principal Contract, unless this is not permitted under the terms of the respective FOSS License.

4.4 If Supplier breaches an obligation described herein, it shall indemnify Customer and its affiliated companies and the sales partners, dealers and end customers of Customer in respect of all claims, losses and costs arising as a result and shall defend the aforementioned parties against third-party claims. Customer may also opt to defend itself. Supplier shall bear the costs of court and out-of-court proceedings including reasonable attorney’s fees, even if the defense relates to a merely alleged claim.

5. Changes

5.1 Any changes to the FOSS approved by Customer will require the prior consent of Customer. The procedure for first use of FOSS will apply accordingly. Supplier shall obtain Customer's approval for changes in good time, stating the planned date on which the changes are to be included in the goods or services provided. The procedure for changes described in the Principal Contract will apply in respect of any further implications that changes to FOSS may have for the goods or services covered by the Principal Contract.

5.2 Customer may, at its own reasonable discretion and in consideration of Supplier's interests, demand reasonable changes and additions to the use of FOSS at any time until the respective goods or services are delivered or accepted.

6. Duties of Subcontractors

6.1 The use of subcontractors is governed by the provisions of the Principal Contract. The commissioning of subcontractors does not affect Supplier's responsibility to Customer for the provision of the contracted goods or services, in particular with regard to the granting of rights to use the work results.

6.2 Supplier shall select any subcontractors carefully with respect to the requirements set out herein, monitor them and include them in its information and work processes concerning FOSS. This will be demonstrated by suitable documentation, such as excerpts from the corresponding agreements. Customer will be entitled to contact subcontractors directly in order to clarify queries relating to the FOSS used. In such a case Supplier will be informed.

6.3 Upon request, Supplier shall cease to use subcontractors for Customer in connection with FOSS if Customer has good cause to doubt the subcontractors’ reliability and willingness to cooperate in terms of compliance with Customer's requirements for the use of FOSS. Supplier shall bear any costs thereby incurred.

7. General Provisions

7.1 The provisions of the Principal Contract concerning intellectual property rights and rights to use the goods or services also apply to modified versions of FOSS.

If the foregoing clause or any FOSS Licenses give rise to restrictions on the duties of Supplier arising from the Principal Contract or from this document with respect to the distribution of unchanged FOSS, such restrictions must be expressly agreed in writing in advance and must make explicit reference to this document and the Principal Contract.

7.2 Upon request, Supplier shall take all action required to be taken by Customer in order to be able to grant rights to third parties (such as customers) in accordance with the respective FOSS License, in particular making the source codes publicly available. This also includes the preparation and publication of documentation, the archiving and version management of the individual FOSS and FOSS Derivatives, their clear allocation to individual goods or services and, if necessary, the provision and dissemination of the FOSS and FOSS Derivatives to third parties in accordance with the respective FOSS Licenses on behalf of Customer.

7.3 Supplier shall give the required information concerning the FOSS covered by this document. The nature and extent of the information will be agreed with Customer.

7.4 No separate remuneration will be paid for the provision of Approved FOSS and FOSS Derivatives. The remuneration according to the Principal Contract remains unaffected.

7.5 This document is governed exclusively by the law of the Federal Republic of Germany, to the exclusion of the UN Convention on Contracts for the International Sale of Goods (CISG). The courts of Stuttgart have exclusive jurisdiction for all disputes. This is without prejudice to mandatory statutory jurisdictional requirements. No arbitration or conciliation agreement has been concluded.

7.6 The German version of this document is authoritative. Translations are provided for convenience only.
Document on FOSS-Disclosure

Disclosure of Free Software and Open-Source-Software (FOSS) in App

[NAME OF THE SUPPLIER ADDRESS ADDRESS]
SUPPLIER NUMBER
CREATION DATE

[Please check one of the following boxes]
□ Application for approval regarding the use of FOSS for the specific product
or
□ Statement of full compliance regarding the use of FOSS under an existing approval for the specific product
or
□ Statement that no FOSS components are used

1. Purpose of the Form, Process

The statement on the disclosure of FOSS comprises this document and its attached FOSS Disclosure Bill of Material (hereinafter referred to as “Items List”) (Annex 1).

1.1 Application for Approval Regarding the Use of Free Software/Open-Source-Software

Components of free software and open-source-software (“FOSS-Components”) may only be used with Daimler’s (hereinafter referred to as “DAI”) explicit prior consent. Subject of the approval is the use of any FOSS-Component for an application for mobile devices to be created (“App”, hereinafter also referred to as “Product”), that has been acquired under a license for free software/open-source-software (“FOSS-License”).

By submission of this duly completed document including the Items List (Annex 1) regarding the disclosure of FOSS (“FOSS-D”), the supplier applies to Daimler for the approval to use those particular FOSS-Components listed in this FOSS-D that have been acquired under the FOSS-Licenses described herein for the use in the Product described herein (“Product”).

Daimler will inform the supplier explicitly in writing about the decision regarding the proposed use of the FOSS-Components. This decision may be a rejection, an approval or an approval with certain limitations or statutory requirements. A full rejection of the requested use of FOSS-Components is also without prejudice to the supplier’s obligations, in particular the fulfillment of all existing contractual obligations towards Daimler.

The Items List (Annex 1) contains, for informational (non-binding) purposes only, a list of FOSS-Licenses frequently approved by Daimler (including particular combinations) and frequently non-approved FOSS-Licenses. The current version of this FOSS-License list is also available under [add address for download of the current FOSS-License list]. From the content of the FOSS-License list no entitlement or claim for an approval of a FOSS-Component or FOSS-License by Daimler may be derived.

1.2 Statement of Unreserved Compliance with the Granted Approval

With every delivery of the Product the supplier will by submission of this duly completed FOSS-D confirm without restriction or limitation that the Product fully complies with Daimler’s approval of the use of FOSS. Any deviation from an approval granted by Daimler requires a new application for approval.

FOSS Disclosure Doc for Apps_2013-12-11_engl.docx Page 1 of 6

1.3 Statement That no FOSS-Components are Used

The supplier states that in the Product described herein no FOSS-Components are used. For this statement the document is signed, although Sections 2 and 3 are not completed. Daimler does not approve the use of any FOSS-Components.

1.4 Completeness and Accuracy of the Information regarding FOSS-Disclosure Contained in this Document

By submission of this FOSS-D the supplier states that its use of any FOSS-Components in connection with the Product has been and will be limited to the categories of usage explicitly approved by Daimler. The supplier approves and assures that all information in this form is valid, complete and accurate. The supplier is fully liable for invalid, wrong, incomplete or missing information in this FOSS-D.

2. Overview on FOSS-Components and Associated License Obligations

2.1 Complete Table of FOSS-Components

The Items List (Annex 1) contains a list of all FOSS-Components that are used in the Product as well as the associated FOSS-Licenses including the date and the source of supply of the supplier.

2.2 Disclosure Statement

The Product will only contain the FOSS-Components specified in the Items List (Annex 1). The use of a FOSS-Component is governed by the conditions of the respective FOSS-License. By a FOSS-License additional rights may be granted to the user of the Product that might exceed the rights for normal use of the Product. A FOSS-License may impose certain obligations on the user that may be a requirement for the right to use the respective FOSS-Component. The right to use is granted under the respective FOSS-License free of charge. In case of inconsistencies or contradictions the FOSS-License terms on the respective FOSS-Component have priority over different terms of other licenses that relate to the use of the Product.
2.3 Required Information

The supplier has to provide the following information on the individual FOSS-Components with this FOSS-D:
A) Exact name and indication of the FOSS-Component and its version,
B) Source code of the FOSS-Component (the original version acquired by the supplier and, if applicable, the current modified version that is supposed to be used with regard to the Product),
C) Exact name and indication of FOSS-Licenses for the individual FOSS-Components,
D) Origin or source of the FOSS-Component and the respective FOSS-License as well as date of acquisition.

2.4 List of FOSS-Licenses

The Product will include FOSS-Components that are subject to the FOSS-Licenses listed in the Items List (Annex 1). The supplier ensures as a whole that this list is complete and accurate. The supplier also ensures that no conflicts arise between the FOSS-Licenses for the FOSS-Components that will be included in the Product. This applies in particular for the FOSS-Licenses listed above.
2.5 Overview on the Obligations in Connection with the Use of FOSS-Components

The following obligations summarized under this Section 2.5 are associated with the use of the FOSS-Licenses with regards to the granting or transfer of usage rights in the respective FOSS-Components. In particular, it must be indicated whether the respective obligation has been completed by the supplier or has to be completed by Daimler (abbreviation: DAI).

2.5.1 List of Copyright-Notices

The Product must contain these Copyright Notices for the following FOSS-Components:

FOSS-Component | Copyright-Notice (Wording) | Completed by Supplier | To be Completed by DAI
[…………………………] | Copyright © | |
 | Copyright © | |
 | Copyright © | |
 | Copyright © | |
 | Copyright © | |

The supplier ensures that all copyright notices are contained in the Product unless and only as far as stated differently, explicitly and in detail (“to be completed by DAI”) in this list in this Section 2.5.1.

2.5.2 List of References to Authorship

The Product must contain these references to authorship for the following FOSS-Components:

FOSS-Component | Reference to Authorship (Wording) | Completed by Supplier | To be Completed by DAI
[…………………………] | | |

The supplier ensures that all references to authorship are contained in the Product unless and only as far as stated differently, explicitly and in detail (“to be completed by DAI”) in this list in this Section 2.5.2.
2.5.3 List of License Texts

The Product has to be delivered with the FOSS-Licenses for the following FOSS-Components:

FOSS-Component (exact name/indication) | FOSS-License Text Delivered as Copy/File | Completed by Supplier | To be completed by DAI
[…………………………] | | |

The supplier ensures that all FOSS-License Texts are properly delivered with the Product unless and only as far as stated differently, explicitly and in detail (“to be completed by DAI”) in this list in this Section 2.5.3.

2.5.4 List of Exclusions of Guarantee and Warranty

The FOSS-Licenses provide that the following exclusions of guarantee and warranty have to be passed on:

FOSS-License (exact name/indication) | Exclusion of Guarantee and Warranty (Wording in FOSS-License) | Completed by Supplier | To be Completed by DAI
[…………………………] | | |

The supplier ensures that all these exclusions of guarantee and warranty are passed on with the Product unless and only as far as stated differently, explicitly and in detail (“to be completed by DAI”) in this list in this Section 2.5.4.

2.5.5 List of the provided Source Codes

The FOSS-Licenses contain the obligation to provide the users with source codes of the following FOSS-Components:

FOSS-Component (exact name/indication) | Source Code of the FOSS-Component (File-name) | Completed by Supplier | To be completed by DAI
[…………………………] | | |

The supplier ensures that all these source codes are provided to the users of the Product by the supplier beginning with the delivery of the Product until the end of the envisaged lifecycle of the Product unless and only as far as stated differently, explicitly and in detail (“to be completed by DAI”) in this list in this Section 2.5.5.

2.5.6 Other License Obligations

The FOSS-Licenses provide for the following further obligations that need to be fulfilled:

FOSS-Component (exact name/indication) | Content of the License Obligation | Completed by Supplier | To be Completed by DAI
[…………………………] | | |

The supplier ensures that all these other license obligations are properly fulfilled unless and only as far as stated differently, explicitly and in detail (“to be completed by DAI”) in this list in this Section 2.5.6.

3. Annexes

Attached to this document as an annex (Annex 1) is the Items List that forms an integral part of this FOSS-D, which is fully covered by the supplier’s statement and – as a consequence – whose signature also extends to the statements made therein.

Date: ________________________

_______________________________________
SUPPLIER

By: ________________________________
Name: [___________________]
Title: [___________________]

By: ________________________________
Name: [___________________]
Title: [___________________]
AGREEMENT ON DATA PROCESSING ON BEHALF

between (Please insert Controller.) - as Controller -
and (Please insert Processor) - as Processor -

Contact details

Controller
Name
Zip code, town/city
No., street, P.O. box no.
Contact name - Tel. - Email
Data protection officer / coordinator - Tel. - Email
Information security officer - Tel. - Email

Processor
Name
Zip code, town/city
No., street, P.O. box no.
Contact name - Tel. - Email
Data protection officer - Tel. - Email
Information security officer - Tel. - Email
Contractual standards for Data Processing on Behalf, last revised December 8, 2014

Contents

Agreement on Data Processing on Behalf
Part 1: Contract Ensuring Data Protection and Information Security
1 DESCRIPTION OF THE CONTRACT
2 NON-DISCLOSURE
3 DATA PROTECTION
4 INFORMATION SECURITY
5 SUBCONTRACTORS AND ACCESS CONTROL
6 CHECKS
7 DATA PROCESSING IN A NON-EEA COUNTRY
Part 2: Data Protection and Information Security Strategy
1. Access control (physical)
2. Access control (systems)
3. Access control (user rights)
4. Disclosure control
5. Input control
6. Job control
7. Availability control
8. Segregation principle
9. Organizational security criteria
Part 3: Approved subcontractors
Part 4: Signatures
PART 1: CONTRACT ENSURING DATA PROTECTION AND INFORMATION SECURITY

1 DESCRIPTION OF THE CONTRACT

(1) The subject matter of the Contract is the collection, processing, and use of personal data by Processor on behalf of Controller and in accordance with Controller's instructions as part of the service described in the Main Agreement. This Contract also applies mutatis mutandis to (remote) testing and maintenance of automated procedures or data processing systems if it is not possible to rule out access to personal data when such work is carried out.
(Reference Main Agreement; describe the subject matter of the contract, if there is no Main Agreement or if the Main Agreement does not include regulations regarding data processing)

(2) Term of this Contract
Processor will collect, process or use Controller's data for the following term:
(Please specify contract term. In case a Main Agreement exists, and contract terms are identical, reference to the Main Agreement is possible)

(3) Type of personal data used
Processor will have access to the following personal data:
(Please list relevant data, e.g. name, address, user-ID etc.)

(4) Scope, nature, and purpose involved in collecting, processing, and/or using personal data:
Processor shall provide the following services for Controller in relation to the data specified in subclause 3:
(Please describe in concrete terms which services the Processor shall provide in connection with the Data Processing on Behalf. If these services are already described in the Main Agreement, a reference to the Main Agreement may be used: e.g. “Processor provides the services as described under section … of the Main Agreement”)
(5) The group of people (data subjects) affected by the handling of their personal data in the context of this Contract is as follows:
(Please describe in concrete terms whose data are affected by the service, e.g. employees of company XY, customer of service A, users of application B, drivers, suppliers, etc. Should this already be described in the Main Agreement, a reference to the Main Agreement may be used: e.g. “The persons concerned by the services are described under section … of the Main Agreement”)

2 NON-DISCLOSURE

(1) Processor undertakes to treat as confidential all information – including, but not limited to, technical and commercial information, plans, findings, intelligence, designs, and documents – that becomes known to it or that it receives from Controller under this Agreement, not to disclose this information to third parties, to protect it from third-party access, to use it only for purposes in connection with this Agreement, and only to disclose it to employees who are themselves under an obligation to observe confidentiality, unless otherwise agreed in writing between the Parties.

(2) This confidentiality undertaking shall not apply in respect of information
• that can be proven to have been known to Processor before this Agreement came into effect,
• that can be proven to have been lawfully obtained by Processor from a third party without being subject to a confidentiality obligation,
• that is already in the public domain or that enters into the public domain without any infringement of the obligations under this Agreement,
• that can be proven to have been developed by Processor during the course of its own independent work.

(3) As far as the Controller is a financial services company and is obliged to observe requirements of banking secrecy, the same requirements shall apply to the Processor.
(4) Processor agrees to impose upon its employees to whom this information is disclosed the same duty of confidentiality as Processor has entered into above unless these employees are already subject to an equivalent non-disclosure obligation by virtue of their contracts of employment.

(5) If notified of any development results that are capable of being protected by intellectual property rights, the Parties reserve all rights in respect of any such property rights subsequently applied for or granted.

(6) The non-disclosure obligations in respect of information that has been made available during the term of this Agreement shall continue to apply for a period of five years after the Agreement has ended.

3 DATA PROTECTION

(1) Processor collects, processes, and uses personal data on behalf of Controller. Controller is responsible for complying with the provisions of data protection law.

(2) Processor shall follow solely the instructions issued by Controller when collecting, processing, and using personal data. Such instructions must be given in writing or by electronic mail. Other than as instructed by Controller, Processor may not use, either for its own purposes or the purposes of third parties, the data to which it has been given access for processing or use or the data it has collected. In accordance with the instructions issued by Controller, Processor must amend, delete, or block the data it is processing on behalf of Controller.

(3) Processor shall assist Controller in satisfying the rights of the persons whose personal data is stored (data subjects), which may include correcting, deleting, blocking, or providing information about such data. If a data subject contacts Processor directly to ask for information or request that his/her personal data be corrected, deleted, or blocked, Processor shall forward this request to Controller without delay.

(4) Processor undertakes to provide data protection training for its employees entrusted with the processing and use of the data provided by Controller and to impose on such employees an obligation to observe data secrecy (obligation not to disclose personal data).

(5) Processor must provide Controller with the details of contacts for data protection and information security. If Processor is subject to a statutory obligation to appoint a data protection officer, Processor shall appoint such an officer in writing and shall send Controller the name(s) of the person(s) concerned.

(6) Upon request, Processor shall provide Controller with the information necessary to enable Controller to satisfy reporting obligations and maintain a systems and procedures overview.

(7) Processor shall inform Controller without delay of any checks or action taken by the relevant regulatory authorities in its organization or in connection with the IT infrastructure it uses.
4 INFORMATION SECURITY

(1) Processor undertakes, as part of an information security strategy, to use state of the art technology to safeguard all Controller's information and data immediately and effectively against unauthorized access, modification, destruction or loss, unauthorized transfer, other unauthorized processing, and other misuse. The security strategy must be described in detail by completing the fields in Part 2. Processor shall agree its information security strategy with Controller's relevant information security officer. Part 2 need not be completed if Processor has suitable certification (for example, in accordance with ISO 2700x) covering the services that form the subject matter of this Contract. In this case, a reference to the certification must be inserted and the certification attached as an annex to this Agreement. If this certification becomes invalid and re-certification is not obtained within a reasonable period, this Agreement and the Main Agreement may be terminated by Controller.

(2) Processor must store Controller's data for a period of six months, even after the relevant service agreement has ended. Within this six-month period, the data must be returned in a generally readable format or, if instructed, deleted. If the data is deleted, action must be taken to ensure that the data cannot be reconstructed. Processor shall prove to Controller and confirm in writing or by electronic mail that all the data, copies, and storage media have been returned and deleted. Controller may at any time specify an earlier date for data deletion. Regardless of this provision, Processor shall be under an obligation to surrender the data in a generally readable format at any time upon request by Controller.

(3) Processor must ensure that the technical and organizational measures described in Part 2 are implemented before data processing begins and that the associated activities are regularly reviewed and adjusted.
Processor must inform Controller in writing or by electronic mail if there are any material changes to data processing. In the event of any foreseeable reduction in the effectiveness of the data protection, the consent of Controller must be obtained in writing or by electronic mail before the related change is carried out.

5 SUBCONTRACTORS AND ACCESS CONTROL

(1) If Processor involves subcontractors or freelancers it must first obtain the prior consent of Controller in writing or by electronic mail. The contractual arrangements between Processor and the subcontractor or freelancer must be drafted in such a way that they correspond with the arrangements contained in the contractual relationship between Controller and Processor. In particular, Processor must ensure that Controller can also carry out the checks specified in clause 6 of this Contract in respect of the subcontractors or freelancers. Controller is entitled to receive information from Processor concerning the essential contractual provisions and the implementation of the obligations in this Contract – if necessary by means of inspecting the relevant contract documents.

(2) Controller is deemed to have consented to the subcontractors and functions listed in Part 3 when Controller signs this Agreement. Processor must ensure that these subcontractors comply with the technical and organizational requirements specified in Part 2 in the same way as Processor itself. If subcontractors are replaced or added during the course of the contractual relationship, Processor must first obtain the consent of Controller in writing or by electronic mail.

(3) Processor may only authorize access to Controller's data for its own employees in accordance with the authorization rules and only to the extent necessary to allow the employee concerned to carry out the relevant task in connection with fulfillment of contractual requirements.
If it is necessary to issue access authorizations to employees of subcontractors or to freelancers to facilitate fulfillment of contractual requirements, this can only be done with the prior consent of Controller in writing or by electronic mail and only to the extent necessary for the task concerned. Upon request, Processor must supply Controller with the names of persons or groups of persons to whom access authorization has been granted. Processor undertakes not to disclose to any unauthorized person the access authorizations granted to enable Processor to use the system.

(4) If Processor is granted access to the IT systems of Controller, its representatives, or subcontractors, Processor undertakes only to access the data and information necessary to enable it to satisfy its obligations under this Agreement.

6 CHECKS

(1) Controller or its representatives have the right to carry out checks on compliance with the requirements of this Agreement. Processor shall provide the desired information and, at the request of Controller and within a reasonable period, submit documentary evidence that it has met its obligations by completing a questionnaire supplied by Controller.

(2) Subject to advance notice, Controller or its representative shall be granted access to the offices and IT systems in/on which Controller's data is used or processed so that the implementation of the contractual agreements and the appropriateness of the technical and organizational data security measures can be verified.
(3) Processor must inform Controller without delay should any suspicion arise that there has been a violation of data protection requirements (in particular, unlawful forwarding of Controller’s data to third parties or unlawful access by third parties to Controller’s data), a violation of banking secrecy, a breach of security, or other manipulation during data processing. In consultation with Controller, Processor must initiate all necessary steps to rectify the problem and prevent further data protection and/or security violations.

(4) If Controller's data held by Processor is placed at risk as a result of seizure, distraint, judicial inquiries, or other enforcement of legal control by relevant authorities, as a result of insolvency or composition proceedings, or as a result of other events or action taken by third parties, Processor must inform Controller without delay. Processor shall inform all parties involved in any such action without delay that the power of control over the data subject to this Agreement lies with Controller and shall not transfer any data to third parties or allow access to the data by third parties without the consent of Controller.
7 DATA PROCESSING IN A NON-EEA COUNTRY

(1) If Processor or its subcontractor processes personal data emanating from the European Union (EU) outside the European Economic Area (EU member states together with Iceland, Liechtenstein, Norway) or outside a country recognized by the European Commission as having an appropriate level of data protection, or if Processor or its subcontractor accesses EU-sourced personal data from outside the countries specified above
• Controller must come to a written agreement with Processor or its subcontractor to include the EU's standard contractual clauses governing Data Processing on Behalf in non-EEA countries, or
• Processor must participate in a certification system recognized by the EU and satisfy the requirements of this system, or
• the data processing must be subject to binding rules and regulations that have been put in place by Processor and are recognized by a relevant regulatory authority as providing a sufficient basis for creating an appropriate level of data protection within the meaning of EU law.

(2) In the case of personal data that emanates from countries other than those specified in subclause 1 and that also gives rise to requirements under data protection law in respect of data processing abroad, appropriate measures must be implemented in accordance with provisions under national law.
PART 2: DATA PROTECTION AND INFORMATION SECURITY MEASURES

This section must be used to document the technical and organizational measures implemented in order to safeguard the security of data processing activities. It must be clearly stated whether the action concerned is taken by Controller (Co) or by Processor (Pr). There is no requirement to implement all the action points listed below; the parties need to ensure that there is an appropriate level of protection from an overall perspective in each case. Completion of this section may be replaced by documentary evidence of suitable certification (for example, in accordance with ISO 2700x) provided that the certification covers the services involved. In this case, a copy of the certification must be attached to the Agreement documents.

1. Access control (physical)

Definition: Physical access control means the action taken to deny unauthorized persons physical access to data processing systems in which personal data is processed or used.

b) Who holds overall responsibility for implementing and ensuring compliance with physical access control?
Controller / Processor

c) What action is taken to implement physical access control and who carries out this action? (Please select appropriate answers and mark with a cross, as applicable)
• Specification of authorized persons, including scope of authority: Co ☐ Pr ☐
• Admittance authorization IDs issued: Co ☐ Pr ☐
• Rules and regulations for visitors in place: Co ☐ Pr ☐
• Rules and regulations governing keys implemented: Co ☐ Pr ☐
• All individuals recorded in and out: Co ☐ Pr ☐
• Physical protection measures in place and regularly checked:
  o Secure entrance (e.g. locking system, ID readers): Co ☐ Pr ☐
  o Burglar-resistant windows: Co ☐ Pr ☐
  o Equipment secured against theft, manipulation, damage: Co ☐ Pr ☐
  o Surveillance installation (e.g. alarm system, CCTV): Co ☐ Pr ☐
  o Separation system (e.g. turnstiles, double-door system): Co ☐ Pr ☐
  o Security guards: Co ☐ Pr ☐
• Areas divided into different security zones: Co ☐ Pr ☐

d) Please use the following field (free text) for details of additional or other measures you have implemented or if you would like to provide more specific information on the above items:
(Please use additional sheet if necessary.)

e) If physical access control is not relevant to the services subject to this Agreement, please briefly state the reasons below:
(Please use additional sheet if necessary.)

2. Access control (systems)

Definition: Systems access control means the action taken to prevent unauthorized persons from using data processing systems.

a) Who holds overall responsibility for implementing and ensuring compliance with systems access control?
Controller / Processor

b) What action is taken to implement systems access control (user identification and authentication) and who carries out this action? (Please select appropriate answers and mark with a cross, as applicable)
• Authorization concept designed and implemented
  o Authorization concept for terminal devices (computers): Co ☐ Pr ☐
  o Authorization concept for systems: Co ☐ Pr ☐
• User identified and authorization verified: Co ☐ Pr ☐
• User identity management system implemented: Co ☐ Pr ☐
• Access attempts monitored, including response to security issues: Co ☐ Pr ☐
• Access authority specified and checked: Co ☐ Pr ☐
• Authentication procedure based on required level of protection for the information (classification): Co ☐ Pr ☐
• Appropriate password protection (binding requirements, encrypted storage): Co ☐ Pr ☐
• Special security software (e.g. anti-malware, VPN, firewall): Co ☐ Pr ☐
• Rules and regulations for visitors in place: Co ☐ Pr ☐
• Access function using tokens: Co ☐ Pr ☐

c) Please use the following field (free text) for details of additional or other measures you have implemented or if you would like to provide more specific information on the above items:
(Please use additional sheet if necessary.)

d) If systems access control is not relevant to the services subject to this Agreement, please briefly state the reasons below:
(Please use additional sheet if necessary.)

3. Access control (user rights)

Definition: Access control (user rights) comprises the action taken to ensure that the persons authorized to use a data processing system can only access the data corresponding to their access authorization and that personal data cannot be read, copied, amended, or removed without authorization during processing or use, or after the data has been saved.

a) Who holds overall responsibility for implementing and ensuring compliance with access control (user rights)?
Controller / Processor
b) What action is taken to implement access control (user rights) and who carries out this action? (Please select appropriate answers and mark with a cross, as applicable)
• Authorization and roles concept implemented for applications: Co ☐ Pr ☐
• Rules and regulations for authorizing users and data access implemented: Co ☐ Pr ☐
• Regular review of authorizations: Co ☐ Pr ☐
• Functions restricted (in terms of function and time): Co ☐ Pr ☐
• Access restrictions imposed (based on principles of need-to-know and least privilege): Co ☐ Pr ☐
• Encrypted storage of personal data: Co ☐ Pr ☐
• Logging
  o Read-access logged: Co ☐ Pr ☐
  o Write-access logged: Co ☐ Pr ☐
  o Unauthorized access attempts logged: Co ☐ Pr ☐
  o Regular analyses carried out: Co ☐ Pr ☐
  o Ad hoc analyses carried out: Co ☐ Pr ☐
• Implementation of retention periods for data: Co ☐ Pr ☐
• Rules and regulations on handling digital storage media implemented: Co ☐ Pr ☐
• Rules and regulations on disposing of storage media implemented: Co ☐ Pr ☐
• Integrity checks carried out: Co ☐ Pr ☐
• Separation of test and productive environment: Co ☐ Pr ☐

c) Please use the following field (free text) for details of additional or other measures you have implemented or if you would like to provide more specific information on the above items:
(Please use additional sheet if necessary.)
d) If access control (user rights) is not relevant to the services subject to this Agreement, please briefly state the reasons below:
(Please use additional sheet if necessary.)

4. Disclosure control

Definition: Disclosure control refers to the action taken to ensure that personal data cannot be read, copied, amended, or removed without authorization during electronic transmission, during storage on data media, or during transit on such media, and to ensure that it is possible to establish and review the points at which it is envisaged it will be necessary to transfer personal data using data transfer facilities.

a) Who holds overall responsibility for implementing and ensuring compliance with disclosure control?
Controller / Processor

b) What action is taken to implement disclosure control and who carries out this action? (Please select appropriate answers and mark with a cross, as applicable)
• Forms of data forwarding fully documented (e.g. printout, data media, automated transfer): Co ☐ Pr ☐
• Data recipients listed (enter under c)): Co ☐ Pr ☐
• Interfaces, retrieval and transmission programs documented: Co ☐ Pr ☐
• For printouts and data media:
  o Regular inventory checks carried out: Co ☐ Pr ☐
  o Transit security measures implemented (e.g. containers, encrypted storage media, handover records): Co ☐ Pr ☐
• For electronic forwarding:
  o Data transfer encrypted: Co ☐ Pr ☐
  o Data forwarding or transfer logged: Co ☐ Pr ☐
• Plausibility, completeness, and accuracy checks carried out: Co ☐ Pr ☐
• Action taken to prevent uncontrolled information outflow:
  o USB interface deactivation: Co ☐ Pr ☐
  o Restriction of rights for data transfer: Co ☐ Pr ☐
  o Regular checks on permitted recipients: Co ☐ Pr ☐
  o Forwarding restricted to permitted recipients by technical measures: Co ☐ Pr ☐

c) Please use the following field (free text) for details of additional or other measures you have implemented or if you would like to provide more specific information on the above items:
(Please use additional sheet if necessary.)

d) If disclosure control is not relevant to the services subject to this Agreement, please briefly state the reasons below:
(Please use additional sheet if necessary.)

5. Input control

Definition: Input control refers to the action taken to ensure that retrospective checks can be carried out to establish whether personal data in data processing systems has been entered, modified, or removed and, if so, by whom.

a) Who holds overall responsibility for implementing and ensuring compliance with input control?
Controller / Processor

b) What action is taken to implement input control and who carries out this action? (Please select appropriate answers and mark with a cross, as applicable)
• Inputs/Changes logged: Co ☐ Pr ☐
• Regular review of logs: Co ☐ Pr ☐
• Inputting responsibilities specified in organizational structure: Co ☐ Pr ☐

c) Please use the following field (free text) for details of additional or other measures you have implemented or if you would like to provide more specific information on the above items:
(Please use additional sheet if necessary.)

d) If input control is not relevant to the services subject to this Agreement, please briefly state the reasons below:
(Please use additional sheet if necessary.)

6. Job control

Definition: Job control means the action taken to ensure that personal data being processed on behalf of Controller can only be processed in accordance with the instructions issued by Controller.

a) Who holds overall responsibility for implementing and ensuring compliance with job control?
Controller / Processor

b) What action is taken to implement job control and who carries out this action? (Please select appropriate answers and mark with a cross, as applicable)
• System implemented for regularly checking the commissioning process
  o Submission of self-assessments: Co ☐ Pr ☐
  o Submission of agreements with subcontractors: Co ☐ Pr ☐
  o Checks on subcontractors by Processor: Co ☐ Pr ☐
c) Please use the following field (free text) for details of additional or other measures you have implemented or if you would like to provide more specific information on the above items:
(Please use additional sheet if necessary.)

d) If job control is not relevant to the services subject to this Agreement, please briefly state the reasons below:
(Please use additional sheet if necessary.)

7. Availability control

Definition: Availability control means the action taken to ensure that personal data is protected against accidental destruction or loss.

a) Who holds overall responsibility for implementing and ensuring compliance with availability control?
Controller Processor

b) What action is taken to implement availability control and who carries out this action? (Please select appropriate answers and mark with a cross, as applicable)
Co Pr
• System condition regularly checked (monitoring) ☐ ☐
• Backup and recovery plan in place (regular data backups) ☐ ☐
• Data archiving strategy implemented ☐ ☐
• Documented contingency plans (business continuity, disaster recovery) ☐ ☐
• Contingency plans regularly tested ☐ ☐
• Presence of redundant IT systems assessed (servers, storage, etc.) ☐ ☐
• Fully operational physical protection systems in place (fire protection, energy, A/C) ☐ ☐
c) Please use the following field (free text) for details of additional or other measures you have implemented or if you would like to provide more specific information on the above items:
(Please use additional sheet if necessary.)

d) If availability control is not relevant to the services subject to this Agreement, please briefly state the reasons below:
(Please use additional sheet if necessary.)

8. Segregation principle

Definition: The segregation principle requires the implementation of measures to ensure that data collected for different purposes can be processed separately.

a) Who holds overall responsibility for implementing and ensuring compliance with the segregation principle?
Controller Processor

b) What action is taken to implement the segregation principle and who carries out this action? (Please select appropriate answers and mark with a cross, as applicable)
Co Pr
• Segregation of functions documented ☐ ☐
• Policies and procedural instructions in place ☐ ☐
• Procedure documentation in place ☐ ☐
• Multi-client capability:
  o Physical separation ☐ ☐
  o Separation at system level ☐ ☐
  o Separation at data level ☐ ☐
• Regular checks carried out to ensure fully compliant use of information and IT systems ☐ ☐

c) Please use the following field (free text) for details of additional or other measures you have implemented or if you would like to provide more specific information on the above items:
(Please use additional sheet if necessary.)

d) If the segregation principle is not relevant to the services subject to this Agreement, please briefly state the reasons below:
(Please use additional sheet if necessary.)

9. Organizational security criteria

Definition: The organizational security criteria are the rules and processes used to protect personal data.

a) Who holds overall responsibility for implementing and ensuring compliance with the organizational security criteria?
Controller Processor

b) What action is taken to implement the organizational security criteria and who carries out this action? (Please select appropriate answers and mark with a cross, as applicable)
Co Pr
• Data protection responsibilities fixed in writing ☐ ☐
• Information security responsibilities fixed in writing ☐ ☐
• Appropriate information security management system in place ☐ ☐
• Appropriate incident management system in place ☐ ☐
• Information classification system implemented ☐ ☐
• Clarification and awareness sessions regularly carried out for employees and managers ☐ ☐

c) Please use the following field (free text) for details of additional or other measures you have implemented or if you would like to provide more specific information on the above items:
(Please use additional sheet if necessary.)

d) If organizational security criteria are not relevant to the services subject to this Agreement, please briefly state the reasons below:
(Please use additional sheet if necessary.)
PART 3: APPROVED SUBCONTRACTORS

Subcontractor name, address (1)
Name
Zip code, town/city
No., street, P.O. box no.
Country
Data protection contact
Information security contact
Brief description of the function carried out by this subcontractor:

Subcontractor name, address (2)
Name
Zip code, town/city
No., street, P.O. box no.
Country
Data protection contact
Information security contact
Brief description of the function carried out by this subcontractor:

(Provide details for any further subcontractors)

Processor shall ensure that the subcontractors listed above are contractually bound by the obligations specified in Part 1 and have implemented the technical and organizational measures in accordance with the specifications in Part 2 or can furnish proof that they have been awarded suitable certification (for example, ISO 2700x).
PART 4: SIGNATURES

Note: This part is only to be filled in, and a signed version attached to the contract, if the legislation applicable to the controller demands hand-written signatures of the parties.

Place, date                                 Place, date
----------------------------------------    ----------------------------------------
Controller signature(s)                     Controller signature(s)

Place, date                                 Place, date
----------------------------------------    ----------------------------------------
Processor signature(s)                      Processor signature(s)
Startup adVANce | Cooperation Agreement - Annex 4.1.2

Annex 4.1.2 (Detailed Description of Phase 2) to the Cooperation Agreement "Startup adVANce Challenge" between Daimler AG and Startup
1. Description of Concept
[to be completed by Startup]

2. Other Work Results (if any)
[to be completed by Startup, if applicable]

3. Daimler Cooperation
The Startup deems the following cooperation by Daimler necessary for the purpose of developing the Concept and the other Work Results:
(a) [to be completed by Startup, if applicable]
(b) [to be completed by Startup, if applicable]
(c) [to be completed by Startup, if applicable]