Governing Law; Venue and Jurisdiction
THIS DPA WILL BE GOVERNED BY AND CONSTRUED IN ACCORDANCE WITH THE LAWS OF THE STATE OF THE LEA, WITHOUT REGARD TO CONFLICTS OF LAW PRINCIPLES. EACH PARTY CONSENTS AND SUBMITS TO THE SOLE AND EXCLUSIVE JURISDICTION TO THE STATE AND FEDERAL COURTS FOR THE COUNTY OF THE LEA FOR ANY DISPUTE ARISING OUT OF OR RELATING TO THIS DPA OR THE TRANSACTIONS CONTEMPLATED HEREBY.
APPLICABLE LAW, FORUM, VENUE AND JURISDICTION
(a) This Agreement shall be construed in accordance with and governed by the laws of the State of Delaware, without regard to the principles of conflicts of law.
Place of jurisdiction
The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen.

Signatures , date Gunzenhausen, date 16/12/2019 Client Supplier

Appendix 1 Pursuant to Art. 28 GDPR: List of Personal Data and the Purpose of Their Being Processed

Types of data
The following types and categories of data are the object of this additional agreement:
• Personal master data
• Contractual master data
• Log data

Affected People
Those affected as a result of this additional agreement include:
• The Client's customers and interested parties

I. Confidentiality

Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments

• Physical access control
  • Data center parks in Nürnberg and Xxxxxxxxxxx
    • electronic physical entry control system with log
    • high security perimeter fencing around the entire data center park
    • documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack)
    • policies for accompanying and designating guests in the building
    • data center staff present 24/7
    • video monitoring at entrances and exits; security door interlocking systems and server rooms
    • For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee.
  • Monitoring
    • electronic physical access control system with log
    • video surveillance for all entrances and exits
• Electronic access control
  • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes
    • server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier
    • The Client's password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account.
  • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares
    • Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis.
• Internal access control
  • for the Supplier's internal administration systems
    • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology.
    • a revision-proof, compulsory process for allocating authorization for Supplier employees
  • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes
    • The responsibility for access control is incumbent upon the Client.
  • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares
    • The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology.
    • a revision-proof, compulsory process for allocating authorization for Supplier employees
    • Only the Client is responsible for transferred data/software with regard to security and updates.
• Transfer control
  • Data center parks in Nürnberg and Xxxxxxxxxxx
    • Drives that were in operation on canceled servers will be swiped multiple times (deleted) in accordance with data protection policies upon termination of the contract. After thorough testing, the swiped drives will be reused.
    • Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Xxxxxxxxxxx data center.
• Isolation control
  • for the Supplier's internal administration systems
    • Data shall be physically or logically isolated and saved separately from other data.
    • Backups of data shall also be performed using a similar system of physical or logical isolation.
  • for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes
    • The Client is responsible for isolation control.
  • for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares
    • Data shall be physically or logically isolated and saved separately from other data.
    • Backups of data shall also be performed using a similar system of physical or logical isolation.
• Pseudonymization
  • The Client is responsible for pseudonymization.