Terms of Service

Terms of Service

Terms of Service

Terms of Service

Last Modified: 7 April 2022

These terms of service (“Terms of Service”) apply to all agreements between steadybit GmbH, with its registered seat in Solingen, Germany, and its domestic business address at Hochstraße 11, 42697 Solingen, Germany, registered with the commercial register of the local court of Wuppertal under HRB 30206, or companies affiliated with steadybit (collectively “steadybit”), and steadybit’s clients (“Clients”; steadybit and Client together the “Parties”). These Terms of Service (including any Annexes thereto), together with the Order Form, constitute the entire agreement between steadybit and Client regarding the provision of Software and Services by steadybit (the "Agreement"). Client's general terms and conditions shall not apply, even if steadybit does not explicitly object to them or if Client refers to them in a confirmation letter. Any deviation from these Terms of Service shall only be binding if expressly agreed between the Parties in the Order Form.

1.          Defined Terms

Any terms not defined in these Terms of Service but defined or described in the Order Form shall have those definitions and/or shall be construed to have the same meaning.

1.1       Software

means steadybit’s IT analyzing and disrupting software for creating and running resilience experiments. It consists of the Platform and Agents.

1.2       Platform

means the control center of the Software. The Platform contains a user interface and API for creating and running chaos experiments. The Client may either use the Platform via Internet (Software as a Service/SaaS) or operate it via its own servers (On Premise).

1.3       Agent or Agents

mean the local agent software, deployed in Client’s IT system. Agents execute attacks in the context of resilience experiments controlled by the Platform. Further, Agents discover system metadata and submit them to the Platform. Agents must be installed on Client’s servers and application environment(s) by Client and at Client's expense.

1.4       SaaS Option

means that the Parties agree in an Order Form that Client may use the Platform via the Internet with a standard internet browser (subject to the system requirements as set forth in the Documentation) for a limited period of time (Software as a Service/SaaS). Access to the Platform is granted by steadybit solely by way of providing Client with log-in data consisting of a username-password-combination.

1.5       On Premise Option

means that the Parties agree in an Order Form that Client may host and operate the Platform on its own servers (On Premise) for a limited period of time. The Platform will be provided to Client via download or other feasible way and must be installed on Client’s servers by Client and at Client's expense.

1.6       Services

means any services relating to the Software, including cloud services (if SaaS Option is agreed), and technical Support Services as described below.

1.7       Order Form

means the document signed by both Parties, setting forth prices, quantities, and/or term of use. The Order Form may be amended, altered, or replaced with a new Order Form, by mutual agreement between the Parties from time to time.

1.8       Effective Date

means the date on which the earlier of the following occurred: (i) the Order Form as signed by Client was accepted by steadybit, either by declaration in text form or orally, or (ii) steadybit commenced with the provision of the Software and/or the Services. Client may request in the Order Form a Desired Effective Date; in this case the Desired Effective Date shall only become binding if expressly confirmed by steadybit.

1.9       Team

describes a license model provided by steadybit and means an unlimited number of employees of Client which are assigned to the same Project. A “Project” is the testing of a specific software development by performing specific experiments. The Software may be licensed for a dedicated number of Teams.

2.          Service Description

2.1       Software and Services

The Software is described in steadybit’s documentation (“Documentation”). The respective up to date Documentation is made available at https://docs.steadybit.io/.

2.2       Use of the Software

The Parties agree that the Software is explicitly designed to perform certain stress tests and create circumstances that may cause disruptions within Client’s IT environment. The Software’s use may thus result in malfunctions, failures and damages, such as (but not limited to), loss of data, system breakdowns, loss of availability, software malfunctions and defects, hardware malfunctions and defects, etc. ("Disruptions"). The Software is specifically designed for the purpose of causing Disruptions, with a view to identifying potential sources of error in software and hardware systems. For this reason, Disruptions are inherent to the contractual use of the Software. Client accepts the possibility of Disruptions, and solely Client shall be responsible for implementing appropriate measures, e.g. such as test environments and back-up systems, to ensure that Disruptions may be recovered from and do not affect the performance of Clients live and/or productive systems. Any mechanism of the Software that may lead to a Disruption shall under no circumstances be considered malicious code (e.g. as virus or any other contaminant, or disabling device). The Software must only be used in live and/or productive IT environments after the thorough conducting of the desired experiments within test environments closely similar to the live and/or productive IT environments. However, even following such thorough measures, unforeseen Disruptions may still occur. Using the Software is therefore entirely at Client’s own risk. The Software must never be used in critical infrastructures, in particular such infrastructure relating to public health, military, defense, or public utilities (e.g. gas, water, energy).

2.3       Access to the Platform via Internet (SaaS Option)

If Client chooses the SaaS Option, the Platform will be operated by steadybit. In this case, access to the Platform is granted by way of providing to Client for each Team one set of log-in data, each consisting of a username and a password.

2.4       Operation of the Platform on Client’s own servers (On Premise Option)

If Client chooses the On Premise Option, Client must operate the Platform on Client's own servers. In this case, steadybit provides the Platform as object code only in the format of an OCI container image available at https://docker.steadybit.io. Client is solely responsible for downloading, installing and operating the Platform. Client may be required, from time to time, and subject to steadybit’s sole determination, to install updates to the Platform to continue to use the Software and/or receive the Services.

2.5       Operation the Agents on Client’s own servers (SaaS and On Premise Option)

In order to use the Software, it is necessary that Client installs the Agents on its servers. steadybit will provide the Agents as object code only, either at https://docker.steadybit.io for download as an OCI Container Image, or at https://artifacts.steadybit.io for download as an rpm or deb package. Client is solely responsible for downloading, installing and operating the Agents. Client may be required, from time to time, and subject to steadybit’s sole determination, to install updates to the Agents to continue to use the Software and/or receive the Services.

2.6       System Requirements

The use of the Software is subject to the system requirements as set forth in the Documentation.

3.          Industrial Property Rights and Copyrights

3.1       License

Subject to the Agreement and for the term of the Agreement only, steadybit grants to the Client a non-exclusive, revocable, non-sublicensable, non-transferable license to access and use the Software and the Services according the agreed option and limited to the scope of the agreed number of Teams solely for its internal business operations. In the case of the SaaS Option, the contractual use includes the use of the Platform via Internet (SaaS) and installation of the Agents on Client's own servers; in the case of the On Premise Option, the contractual use includes the installation of the entire Software including the Platform and the Agents on Client's own servers. The Client is entitled to load, display and run the Software within the scope of the selected option. steadybit retains the right, in its sole discretion and with no notice to Client, to restrict or terminate access to the Software and the Services by Client if steadybit has a good faith belief that Client has materially breached the terms of the Agreement, any steadybit policies, or is using the Software and Services as not intended (e.g. contrary to Section 2.2), or in a way that violates any applicable federal, state, local or international laws or regulations, or the rights of any third party. For the avoidance of doubt, all rights to the Software and the Services granted by steadybit to the Client under this Agreement shall automatically end upon termination or expiration of the Agreement, for whatever reason. steadybit reserves all rights of use until full payment of the remuneration payable for the respective term; until then, however, the Client is provisionally entitled to use the Software and the Services unless such right has been revoked by steadybit.

3.2       Ownership

Client acknowledges and agrees that steadybit retains all rights, title and interest in and to the Software and the Services, including without limitation copyrights, patent rights, trademarks and trade names, and trade secrets.

3.3       Restrictions on Use

Except as otherwise specifically permitted under the Agreement or under applicable mandatory law which cannot be waived by way of agreement, the Client shall not, nor will the Client permit any third party to, inter alia, (i) copy, modify, distribute, sell, assign, pledge, sublicense, lease, loan, deliver or otherwise transfer or make available the Software or the Services or any of its components to any third party in whole or in part, provided that Client may copy steadybit’s Documentation as needed for internal business use; (ii) derive or attempt to derive the source code of any portion of the Software or the Services or its components by any means; (iii) reverse engineer, decompile, disassemble, or translate the Software or the Services or its components; (iv) upload, post, mail, publish, transmit or distribute in any way the Software or the Services or its components; (v) make available through the Software or the Services any material or information that infringes the intellectual property rights, rights of publicity, or right of privacy of any entity or person, or impersonates another person including without limitation a steadybit employee. The Client is not permitted to grant access to the Software or the Services to more than the amount of Teams agreed upon in the Order Form.

3.4       No Trademark License

No license, right or interest in the trademarks, trade names or service marks of either Party is granted hereunder, except as either Party may agree in writing.

3.5       New IP

Any intellectual property rights as well as any know-how created by Client during the use of the Software and the Services, which consists or amounts to alterations, amendments or advances in the development of the Software, the Services and other intellectual property licensed under the Agreement, ("New IP") shall belong exclusively to steadybit and Client hereby exclusively transfers to steadybit such New IP in full. Insofar as a full transfer of right is not possible for legal reasons (e.g. in the case of copyrighted works), the Client hereby grants to steadybit the exclusive, fully paid-up, irrevocable, transferable and sublicensable right of use, with regard to all known and unknown types of use, that is unrestricted in terms of time and geography without any further remuneration to be paid by steadybit. This right of use includes, inter alia, the right to copy, distribute and/or make publicly available the New IP in all known and currently unknown types of use, including the right to edit and further develop the New IP and to use the results thereof to the aforementioned extent. The Client will enter into valid and sufficient agreements with its employees (including researchers, representatives, consultants, freelancers and subcontractors) or will take all necessary measures to ensure the transfer of the New IP created by this group of persons to steadybit.

4.          Availability (SaaS option only)

The following provisions shall only apply to the SaaS Option:

The Software can be accessed and used productively by authorized users during steadybit’s normal business hours. Outside steadybit’s normal business hours, steadybit is not obliged to make the Software available for use to the Client. Unless otherwise agreed in the Order Form, steadybit’s normal business hours shall be deemed to be 9am – 6pm CET, Monday through Friday, not including German public holidays.

steadybit undertakes to make best efforts to render the Software available at least 99 % per month during Client’s normal business hours, as defined in the previous paragraph.

Where the Platform is unavailable due to planned maintenance, emergency maintenance, or due to circumstances beyond steadybit’s reasonable control (e.g. modifications to the cloud environment for which steadybit is not responsible, Force Majeure Events, general internet outages, downtimes due to Client’s specifications, interruptions caused by the Client, failure of Client’s infrastructure or connectivity, network intrusions, denial-of-service or other criminal attacks), this shall not be counted against steadybit’s availability commitment. An overachieved of the availability level may be offset against steadybit’s failure to meet the availability level in another given month.

5.          Support Services

steadybit provides technical support for the Software and the Services (“Support Service”) solely via the mail address support@steadybit.com. The Support Service does not include any services to remedy faults resulting from operating errors by Client or use of the Software and Services that is not in accordance with the Agreement.

Client shall provide to its employees an own first level support team with well-qualified employees for the primary support for the Software and the Services. steadybit provides Support Services only to Client’s first level support team (“Second Level Support”). Only members of Client’s first level support team may directly engage with steadybit to initiate a support request.

All issues should be reported to steadybit by opening a ticket on steadybit’s support portal via mail address. steadybit will make best efforts to analyze the respective ticket and to remedy the issue, which may include workarounds. steadybit may provide Second Level Support through its Slack channel or other communication channels as determined by steadybit from time to time at steadybit’s sole discretion.

The Support Services cover the performance and support of the Software for the last major production release only. Client is responsible for having installed, at all times, the most recently updated versions of Agents in order to be eligible for Support Services.

Support Services do not include any of the underlying systems or infrastructures for which the Client is responsible, e.g. (but not limited to) server hardware, server operating systems, database applications, network infrastructure (including Client’s Internet access) and other parts of Client’s IT environment.

steadybit will usually provide Support Services during steadybit’s usual business hours. If any correction to the Software or the Services is required, steadybit will use reasonable efforts to provide the correction in due time.

6.          Client’s Obligations

6.1       Client is solely responsible for installing the Platform (under the On Premise Option) and the Agents on its IT environment and for providing all telecommunications, computer and other equipment necessary for the use of the Software and the Services. steadybit does not owe any installation service. steadybit may, at its own discretion, update, alter or modify the Software and the Services from time to time and as steadybit sees fit. Client will download and apply any updates, patches or other modifications of the Platform (under the On Premise Option) and/or the Agents.

6.2       Client undertakes to immediately change the passwords initially provided by steadybit. Client shall protect log-in data for the Software and the Services from unauthorized access by third parties and keep them safe in accordance with the industrial standards. Client shall ensure that use only occurs to the contractually agreed extent. Client shall notify steadybit immediately of any unauthorized access or use.

6.3       Client is obliged not to store any data on the Platform which contains malicious code or which violates applicable law, official orders, third-party rights or agreements with third parties.

6.4       Client shall regularly monitor its data for malicious codes (e.g. virus or any other contaminant, or disabling device) before storing or using them in connection with the Software and the Services, and shall use state of the art measures (e.g. virus protection programs) for this purpose.

6.5       Notwithstanding other rights and remedies, in the event of infringements of Sections 6.3 and/or 6.4, steadybit may delete Client’s data and/or lock Client’s access to the Software and the Services.

6.6       Before using the Software and the Services, Client shall implement appropriate measures, such as test environments and back-up systems, to ensure that Disruptions may not cause damages and do not affect the performance of Client’s live and/or productive systems.

7.          Warranty

7.1       steadybit does not provide any guarantee for the Software and the Services. The non-culpable guarantee liability according to Section 536a (1), 1st variant of the German Civil Code (BGB) for initial defects shall not apply.

7.2       Client is aware that it is technically impossible to create error-free software.

7.3       Client acknowledges that the operability and functionality of the Software and the Services depend to a large extent on the permanent existence of a properly functioning, uninterrupted Internet connection, for which the Client is solely responsible.

7.4       Technical data, specifications and performance specifications in public statements, e.g. in advertising material, shall not be deemed to be quality specifications. The due functionality of the Software is solely determined according to the Documentation and, if any, additional agreements in the Order Form. It is the Client’s sole responsibility to determine whether the Software and the Services are suitable for its pursued purposes. steadybit does not warrant that the Software and the Services will meet Client’s specific or implied purposes if they have not been expressly agreed between the Parties.

7.5       steadybit shall provide and maintain the Software in a condition suitable for contractual use as defined in Section 2 and in the respective Order Form. The obligation to maintain does not include the adaptation of the Software to changed operating conditions or technical and functional developments, such as changes to the IT environment, e.g. changes to Client’s hardware or operating system, adaptation to the functional scope of competing products, or the creation of compatibility with new data formats.

7.6       Upon obtaining the first opportunity to access the Software, Client shall immediately inspect the Software and test it for the essential basic functionalities. Client shall notify steadybit without undue delay in text form of any detected defects. Client shall support steadybit in determining and remedying the defect and shall grant access without undue delay to any system and/or information which steadybit deems relevant for the remediation of the defect. steadybit shall remedy any material defects within a reasonable period of time after notification thereof. For this purpose, steadybit may also refer Client to reasonable workarounds.

7.7       steadybit’s warranty under any circumstances covers errors caused by (i) Client’s failure to follow operating instructions, (ii) modification or extension of the Software and/or Services, or (iii) any other Client or third-party interference with functionality, or (iv) by data transmission errors between Client’s systems and the Platform.

8.          Limitation of Liability

8.1       Client expressly agrees to use the Software and Services only within the defined scope as per Section 2 and the respective Order Form.

8.2       steadybit owes the care customary in the software industry. When determining whether steadybit is at fault, it must be taken into account that software cannot be created totally error-free.

8.3       steadybit shall be liable without limitation for intentional conduct and gross negligence.

8.4       In cases of regular or slight negligence, steadybit shall only be liable in the event of a breach of such obligations which are intended to make the performance of the Agreement possible in the first place and on the observance of which the Client may regularly rely ("Cardinal Obligations"; Kardinalpflichten). In cases of breach of Cardinal Obligations due to regular or slight negligence, steadybit's liability shall be limited to the foreseeable damages, the occurrence of which must typically be expected. 100 % of the annual remuneration shall be deemed the maximum amount of foreseeable damages. The exclusions and limitations in this Section

8.4 shall not apply in case of damage of life, body and health, or for claims under the German Product Liability Act (Produkthaftungsgesetz), or in any other cases where mandatory statutory law prohibits a limitation of liability.

8.5       Claims for damages shall become time-barred within one year, calculated from the event giving rise to liability. This shall not apply to liability under Sec. 8.3, in case of damage of life, body and health, or to claims under the German Product Liability Act (Produkthaftungsgesetz), or in any other cases where mandatory statutory law prohibits a limitation of liability.

8.6       The provisions of Section 8 shall also apply in favour of the steadybit's board of directors, members of other corporate bodies, employees and vicarious agents.

9.          Confidential Information

9.1       The Parties undertake during the term of this Agreement and thereafter, to maintain secrecy regarding all information of which they gain knowledge in connection with the Agreement, whether such information is described as confidential, or is identifiable as confidential or as company or business secrets for other reasons (“Confidential Information”). In particular the following shall be deemed steadybit’s Confidential Information: the Software and any other proprietary software, whether in source or in object code, financial information, documentation, data, benchmark tests, specifications, marketing strategies, business practices as well as any other proprietary information and trade secrets according to Section 2 (1) of the German Trade Secrets Act (Geschäftsgeheimnisgesetz). Each Party undertakes neither to record such information nor to forward it to third parties nor to use it in any other way not in accordance with the Agreement, except where necessary for the performance of this Agreement or where disclosure is made to a professional advisor under a duty of confidentiality (e.g. to lawyers). Each Party shall protect the other Party’s Confidential Information against unauthorized access with at least the same level of care that it exercises with regard to its own confidential information, however, at least in accordance with industry standards. Upon learning of any unauthorized use or disclosure of the other Party’s Confidential Information, the respective Party shall immediately notify the other Party.

The following information shall not be deemed Confidential Information:

●           information that a Party was already aware of prior to the start of the business relationship, or that was forwarded by third parties without breach of a confidentiality obligation; or

●           information that is in the public domain, or is placed in the public domain, without liability or actions by the Parties; or

●           information that is to be disclosed due to official or court rulings; (in this case, the disclosing Party shall inform the respective other Party without delay prior to disclosure and shall restrict such disclosure to the minimum.)

●           information developed independently by either Party without reference to the Confidential Information.

Reverse engineering of the Software and the Services is strictly prohibited. The provisions in this Section 9 do not affect or diminish statutory obligations in respect of confidentiality (e.g. under the German Trade Secrets Act (Geschäftsgeheimnisgesetz).

9.2       Upon written request of the Party disclosing the Confidential Information (“Disclosing Party”), the other Party shall promptly return to the Disclosing Party all documents and other tangible materials representing the disclosing Party’s Confidential Information, together with all copies thereof; at Disclosing Party’s expense. For the avoidance of doubt, all Confidential Information shall remain the property of the Disclosing Party.

10.       Fees

The fees and amounts due to steadybit shall usually be set forth in one or more Order Forms. All fees are non-refundable, and do not include VAT or other applicable taxes. Fees are usually invoiced at the beginning of a contract year for the full contract year. All payments are due within 30 days from the date of invoice. All payments not made within the above period shall be deemed in default. In case of default, steadybit shall be entitled to demand interest at a rate of 9  percentage points above the base rate of the European Central Bank, notwithstanding steadybit’s other statutory rights and remedies in case of default. In case of default, steadybit is also entitled to temporarily suspend Client’s access to the Software and the Services until the default has been remedied.

11.       Term and Termination

11.1    Term of the Agreement

Unless expressly agreed otherwise in the Order Form, the Agreement has an initial term of one (1) year, commencing on the Effective Date. Upon expiry of the initial or any subsequent term the Agreement shall, in each case, automatically extend by a further 12 months, provided the Agreement has not been terminated pursuant to the following provisions.

11.2    Termination for Convenience

Each Party is entitled to terminate the Agreement towards the end of a Term by observing a two (2) months' written notice period.

11.3    Termination for Cause

Both Parties’ right to terminate for good cause shall remain unaffected. A good cause for termination by steadybit shall in particular be deemed to exist if Client remains in default for longer than 30 days, or if the Client’s account remains inactive for 180 consecutive days or longer.

11.4    Effect of Termination

Upon termination of the Agreement, Client must uninstall the Software and delete any remaining recognizable remnants of the Software from its IT environment. At the request of steadybit, Client must confirm in writing that the aforementioned obligations have been fulfilled.

Where the Agreement was terminated due to Client’s breach, Client shall pay any outstanding amounts for the remainder of the agreed Terms to steadybit, and shall not be entitled to a refund.

12.       Miscellaneous

12.1    Insofar as the use of the Software and the Services also include or require the processing of personal data for which the Client is responsible, or the possibility of steadybit having access to such personal data cannot be excluded (“Client Data”), such data processing shall be based on the data processing agreement provided in the Annex DPA to these Terms of Service.

12.2    The laws of the Federal Republic of Germany shall govern all legal relationships arising out of or in connection with the Agreement, without reference to its conflict of law principles and without recourse to the CISG. Solingen, Germany, is agreed as the exclusive place of jurisdiction for all disputes regarding the legal relationship between the Parties.

12.3    All notices must be in written form or electronic form with digital signature (regardless of whether such signature is qualified) if a stricter form is not required by applicable law. Unless instructed otherwise in writing, Client’s address as indicated in the Order Form shall be deemed sufficient for serving any notices or other communication to Client.

12.4    Except for Client’s obligations to make payments as set forth in the Agreement, each party shall be excused from performance for any period during which, and to the extent that, it or its subcontractor(s) is prevented from performing any obligation or service under the Agreement, in whole or in part, as a result of causes beyond its reasonable control and without its fault or negligence. Such acts shall include without limitation acts of God, strikes, lockouts, riots, acts of war, epidemics, governmental laws and regulations imposed after the fact, fire, communication line failures, power failures, earthquakes, floods or other natural disasters (a “Force Majeure Event”). Delays in delivery or in meeting completion dates due to Force Majeure Events shall automatically extend the Term of the Agreement accordingly.

Annex DPA


Data Processing Agreement


Insofar as the use of the Software and the Services also include or require the processing of personal data for which the Client is responsible, or the possibility of steadybit having access to such personal data cannot be excluded (“Client Data”), such data processing shall be based on the following data processing agreement (“Data Processing Agreement” or “DPA”). The DPA is hereby incorporated into the Agreement by way of reference and does not require a separate signature. In case of conflicts between this DPA and the remaining provisions of the Agreement, this DPA shall prevail.

1.          Description

The object of the commissioned processing is the provision of the Software and the Services.

2.          Subject Matter, Term, Nature, Purpose, Data Subjects, Personal Data, DPO

2.1       Subject Matter and Term

Provision of the Software and the Services according to, and for the term of, the Agreement.

2.2       Nature and Purpose

The purpose of the Agreement is not to process personal data, but to provide Software and Services. Processing only occurs as a side-effect if Client chooses to provide steadybit with personal data. As the information processed by steadybit is mainly technical information, such data will usually only include meta data on the use of the Platform (in the SaaS Option).

2.3       Categories of Data Subjects

Usually only Client’s employees.

2.4       Types of Personal Data

Name, login data including e-mail address and password, meta data on the use of the Platform.

2.5       Places of Processing

The processing takes place exclusively via servers hosted in the EU/EEA area.

3.          Responsibility and Instructions

Client remains the sole controller within the meaning of Art. 4. no. 7 GDPR. steadybit shall only process the personal data on Client’s documented instruction (also with regard to the transfer of personal data to a third country or an international organization), unless steadybit is obliged to do so by the law of the EU or the member states to which steadybit is subject. Limited to the scope of the agreed services, Client my issue instructions, which shall be given in text form. In urgent cases, instructions may exceptionally be issued verbally. Verbal instructions shall be confirmed by in text form without delay. steadybit shall process Client Data for its own purposes (e.g. for developing, troubleshooting and/or improving the Software and the Services) only in anonymized form, which no longer has any reference to individuals, for which Client hereby gives steadybit the appropriate instruction. If steadybit is legally obliged to process, steadybit shall notify Client of such legal requirements prior to processing, unless the relevant law prohibits such notification due to an important public interest. steadybit shall inform Client without undue delay if steadybit is of the opinion that an instruction violates applicable data protection provisions of the European Union or the Federal Republic of Germany, e.g. the GDPR and the German Federal Data Protection Act (Bundesdatenschutzgesetz). In this case, steadybit is entitled to suspend the implementation of the corresponding instruction until Client confirms or changes the instruction.

4.          Confidentiality Obligation

steadybit warrants to deploy in the performance of the work only employees who have committed themselves in writing to confidentiality, e.g. to maintaining data secrecy and compliance with the obligations under this DPA, or who are subject to an appropriate statutory duty of confidentiality. steadybit shall make their employees familiar with the relevant data protection provisions.

5.          Technical and Organizational Data Protection Measures:

steadybit shall take appropriate technical and organizational measures in accordance with Art. 32 GDPR to ensure a level of protection appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Client shall ensure that the measures taken, which steadybit will inform the Client of in documented form at any time upon request, meet its requirements and needs against the background of Client’s data protection responsibilities. In order to adapt to technical progress, steadybit is permitted to alter and improve adequate technical and organisational measures.

6.          Subcontractors

Clients hereby grants steadybit a general authorization to engage subcontractors in the provision of the Software and the Services (whether in whole or in part). Upon request, steadybit shall inform the Client at any time in documented form of the subcontractors engaged upon conclusion of this DPA. steadybit shall also inform Client of any intended change with regard to the further involvement or replacement of subcontractors. Such notice may be given within the Documentation. Client has the option to object to the change in text form within a period of two weeks after receipt of the information about the change for good cause. In the event of such an objection, steadybit may, at its own discretion, (i) provide the Software or the Services without the intended change, or (ii) (if it cannot reasonably be expected to continue to provide the Software or the Services without the intended change and no mutually agreeable solution is reached between the parties within a further period of two weeks – terminate the Agreement for good cause. Any subcontractors shall be carefully selected by steadybit. Before using a subcontractor, steadybit shall satisfy itself that the subcontractor is capable of implementing the technical and organizational measures provided for in this Order Processing Agreement. steadybit shall ensure by means of a written contract that the provisions agreed in this DPA also apply to subcontractors in an equivalent manner. The subcontractor must be obliged to implement suitable technical and organizational measures which correspond to or go beyond the measures provided for in this DPA. If the subcontractor fails to comply with its data protection obligations, steadybit shall – subject to the liability limitations as agreed between the Parties – be liable to Client for subcontractor’s compliance.

7.          Support in Responding to Requests from Data Subjects

Client is responsible for safeguarding the rights of data subjects. If a data subject contacts steadybit directly, steadybit shall forward this request to Client. However, in light of the nature of the processing, steadybit will, where possible, support the Client, at Client's request and expense, with appropriate measures to comply with its obligation to respond to requests for the exercise of the data subject rights referred to in Chapter III of the GDPR. The respective costs and efforts incurred by steadybit shall be reimbursed by Client.

8.          Assistance in Complying with Client's Obligations

Taking into account the type of processing and the information available to steadybit, steadybit shall, at the Client's request and expense, assist Client in complying with its obligations under Articles 32 to 36 GDPR. steadybit undertakes to forward to Client any enquiries from the data protection supervisory authorities. steadybit shall support Client in the preparation of necessary data protection documentation and in responding to enquiries from data protection supervisory authorities. The respective costs and expenses incurred by steadybit are to be reimbursed by the Client.

9.          Deletion or Return

At the end of the term of this DPA, steadybit shall delete or hand over the Client Data to Client, in accordance with Client’s instructions, unless steadybit is under an obligation to store the personal data under EU law or the law of the Member States. The fulfilment of the aforementioned obligation shall be confirmed to the Client in text form upon request. If additional costs are incurred due to the return or deletion of the data, these shall be borne by Client. Insofar as an obligation to store personal data exists under EU law or the law of the Member States, steadybit shall inform the Client thereof, indicating the data or categories of data concerned. Steadybit’s legal storage obligations under German trade and tax laws remain unaffected and are hereby deemed to have been notified to the Client.

10.       Audits

steadybit shall provide Client with all information necessary to demonstrate compliance with the obligations set out in Art. 28 GDPR and shall enable and contribute to audit (including inspections) carried out by Client or another auditor commissioned by Client. Inspections shall be limited to one (1) inspection in a period of twelve months and to a reasonable extent. If, in individual cases, inspections by Client or an auditor commissioned by Client should be necessary, these shall be carried out during steadybit’s normal business hours without disrupting operations, and only subject to prior notification, taking into account a reasonable lead time. steadybit may make the inspection dependent on prior notification with a reasonable lead time and on the signing of a customary confidentiality agreement with regard to the data of other customers, the technical and organisational measures set up and other confidential information of steadybit. If the commissioned auditor is in a competitive relationship with steadybit, steadybit shall have a right of objection. The expenses incurred by steadybit as a result from Client’s audit are to be reimbursed by Client.