Terms of Use / General Terms and Conditions (GTC) of Justima

1. Subject Matter and Validity of the GTC

a) The company OC Projects UG (haftungsbeschränkt), Innere Kanalstraße 15, 50823 Cologne, Germany, registered with the commercial register of the Local Court of Cologne under HRB 125023, represented by its managing director Nicolas Gabrysch (hereinafter referred to as “Justima”, “we” or “us”), operates the online platform “Justima” accessible via justima.app (hereinafter the “Platform”).

b) Justima is an AI-based information and monitoring platform designed to support users in keeping track of legal and regulatory developments relevant to their organisation. After creating an account and providing company- or organisation-related information (e.g. sector, jurisdictions, topics, legal areas), users receive a personalised newsfeed of legal and regulatory information, including:

• legal and regulatory news from European and national sources such as legislators, courts, authorities, institutions and associations,

• references to original sources where available, and

• AI-generated summaries, extractions (such as deadlines or other metadata) and structured information highlighting potential relevance for the user’s organisation

(collectively the “Content”).

c) The Platform and the Content are for informational purposes only and are not intended to constitute legal advice or any other professional advice. The Platform does not replace consultation with qualified legal counsel and does not establish an attorney–client relationship.

d) The Platform is exclusively directed at entrepreneurs within the meaning of § 14 BGB (German Civil Code), i.e. natural or legal persons or partnerships with legal capacity who, when concluding the contract, are acting in the exercise of their commercial or independent professional activity. Consumers within the meaning of § 13 BGB are not permitted to use the Platform. By registering, the user confirms that they are acting as an entrepreneur.

e) These General Terms and Conditions (“GTC”) govern the use of the Platform in the version valid at the time of registration and/or order. Deviating terms and conditions of the user shall not apply unless Justima expressly agrees to their applicability in writing.

f) No separate individual contract text is provided for the use of the Platform. The content of the contract concluded between the user and Justima consists of these GTC and the specific information provided during registration and when ordering a paid subscription, which are stored by Justima and can be accessed in the user account at any time.

g) By registering on the Platform and/or by taking out a paid subscription, the user accepts the validity and applicability of these GTC.

2. Services and Rights of Justima

a) Justima provides users with a personalised newsfeed with current legal and regulatory information from European and national sources, such as legislators, courts, authorities, institutions and associations, including an indication of original sources where available (“Newsfeed”).

b) Based on the information provided by the user regarding its organisation (e.g. company data, business activities, legal areas, jurisdictions), Justima uses generative AI and other automated methods to:

• identify and select potentially relevant legal and regulatory developments,

• generate summaries, overviews and briefings,

• highlight possible relevance for the user’s organisation, and

• extract additional information (such as deadlines or other procedural or metadata fields)

(collectively, the “AI-Generated Output”).

c) The user acknowledges that the Content and AI-Generated Output are created wholly or predominantly by automated systems and generative AI based on publicly available sources. Justima does not validate the correctness, completeness or currentness of such underlying sources. The user further acknowledges that AI-generated output is subject to inherent technological limitations and may, by its nature, contain inaccuracies

• incomplete identification or coverage of legal or regulatory developments relevant to a specific organisation;

• incorrect or incomplete extraction of information, such as deadlines, classifications of relevance or other metadata;

• the Content may contain errors, omissions, outdated information or misclassifications.

The user acknowledges these inherent limitations and remains solely responsible for verifying all information (e.g. by reviewing the references or sources as set out in connection with the AI-Generated Output) provided through the Platform and for obtaining independent legal advice where necessary.

d) The scope of the Content and the usage options (the “License”) depend on the subscription plan chosen by the user. Different subscription plans (currently: Starter, Professional, Enterprise) may include varying numbers of user accounts, legal areas, countries and additional features. The License is limited in time to the term of the respective free trial (if any) or paid subscription.

e) The rights to the Platform and the Content distributed via it are and remain with Justima and/or its licensors. The Platform software applications and Content are licensed to the user within the scope of the contractual use. Justima grants the user a non-exclusive, non-transferable, non-sublicensable, time-limited right to use the Platform and the Content for internal purposes of the user’s organisation and/or own professional information needs, subject to these GTC. To the extent that AI-Generated Output is protectable under applicable laws and Justima holds any rights therein, Justima hereby grants the user a non-exclusive, transferable, sublicensable, perpetual, irrevocable and worldwide licence to use, reproduce, modify and otherwise exploit such AI-Generated Output without further restrictions.

f) All Justima and Justima trademarks, trade names, logos, domain names and other brand features are the sole property of Justima. The License does not grant the user any rights to use these marks, names or logos, whether for commercial or non-commercial purposes, except as strictly necessary for the intended use of the Platform.

g) Justima reserves the right to modify, expand, restrict or discontinue parts of the Platform or specific functionalities, provided this is reasonable for the user. In the case of material changes that go beyond design adjustments or minor functional modifications, Justima shall notify the user in writing (email sufficient) at least two (2) weeks prior to the effective date of the change. The user shall be entitled to object to such material changes in writing within this notice period. If the user objects, Justima may, at its sole discretion, either continue to provide the services without the planned change or terminate the contract by giving one (1) month's written notice.

3. Registration with Justima

a) In order to use the services of Justima, registration on the Platform is required. Only persons with full legal capacity acting as entrepreneurs within the meaning of § 14 BGB are entitled to register. A user registering on behalf of a company, organisation or law firm represents and warrants that they are authorised to do so.

b) For registration, the user must provide an email address and a password of their choice. Additional information, including company or organisation data, may be requested during or after registration.

c) Any information required for registration and, where relevant, configuration of the organisation profile (e.g. legal areas, jurisdictions, sector) must be provided completely and correctly and must be kept up to date at all times. Justima is entitled to store and process the data provided by the user during registration and use of the Platform in accordance with applicable data protection laws and the Justima Privacy Policy.

d) The user must keep their password secret and protect access to their account. The user is solely responsible for all activities occurring under their account, unless they are not responsible for such activities. User accounts must not be shared with unauthorised third parties. Any unauthorised use of the user account, or any suspicion thereof, must be reported to Justima without undue delay at support@justima.app.

e) Users may set up additional user accounts within their organisation’s subscription (e.g. for multiple employees or colleagues) in accordance with the respective subscription plan. The main account holder is responsible for ensuring that all users within their organisation comply with these GTC.

4. Free Trial (Starter Plan)

a) Justima offers new users of the Starter plan a free trial period of 14 days (“Free Trial”). During this period, the user may use the Starter plan features without charge.

b) The user must provide valid payment details upon registration for the Free Trial. Unless the user cancels before the end of the 14-day Free Trial period, the Free Trial will automatically convert into a paid Starter subscription at the then-current price (currently €149 per month). The user will be clearly informed of this before commencing the Free Trial.

c) If the user does not wish the subscription to continue as a paid subscription, they must cancel it in accordance with section 9 before the end of the 14-day Free Trial period.

d) Justima may discontinue, restrict or change Free Trial offers at any time for the future, without prior notice.

5. Conclusion of a Paid Subscription

a) To use the services of Justima, paid subscriptions are available (“Subscription Plans”). The currently available plans are:

• Starter: €149/month – 1 user, 1 legal area, 1 country

• Professional: €479/month – 5 users included (+€89/additional user), all legal areas, all countries

• Enterprise: Custom pricing on request – unlimited users, SSO, custom monitoring, dedicated success manager

The available plans, features, prices and terms are displayed to the user in the order process on the Platform. Justima reserves the right to change plans, features and pricing for new subscriptions.

b) Subscription Plans are offered on a monthly basis unless otherwise agreed (e.g. for Enterprise plans).

c) The user makes a legally binding offer for a paid subscription when they enter the data requested in the online order form and select the corresponding button to complete the order (e.g. “Subscribe” or similar) at the end of the order process.

d) The contract is concluded when Justima issues a declaration of acceptance (order confirmation), which is sent to the user by email within a reasonable period of time, or when Justima first provides access to the paid subscription features, whichever occurs earlier.

e) These GTC are available in English language only. Customer may print or download the Terms at any time from Justima’s website. Justima does not retain a copy of this Agreement.

6. Remuneration and Payment

a) Paid subscriptions are subject to a fee and are payable from the beginning of the subscription period (or, in the case of a Free Trial converting to a paid subscription, from the end of the Free Trial period).

b) The applicable prices are those indicated at the time of the order on the Platform. All prices are exclusive of statutory value added tax (VAT), which will be added where applicable.

c) Payments are processed via a payment service provider. The available payment methods (e.g. credit card, SEPA direct debit) are displayed during the order process. Justima may change the available payment methods for future orders.

d) Within the framework of a paid subscription, the user’s payment obligation towards Justima is automatically renewed at the end of the respective subscription period (monthly) if the user does not cancel the paid subscription in due time in accordance with section 8.

e) The user is not entitled to set off their own claims against claims of Justima unless their counterclaims have been legally established, are undisputed or have been acknowledged by Justima.

f) A right of retention may only be exercised if the counterclaim arises from the same contractual relationship.

7. User Data and Usage

a) All data, information and content entered or uploaded by the user into the Platform (including company profiles, organisation data, feedback and configurations) (“User Data”) remain the exclusive property of the user. The user grants Justima a non-exclusive right to use the User Data to the extent necessary for the purposes of the contract with the user. In particular, Justima shall be entitled to reproduce the User Data for the purpose of operating the Platform and to grant sub-licences to its sub-contractors to the extent necessary for the performance of the contract.

b) Justima shall use User Data solely for the purpose of providing and improving the Platform’s services to the respective user (e.g. personalising the Newsfeed, improving relevance scoring ).

c) Justima does not use User Data for any training of generative AI foundation models. User Data is not shared with third parties except where strictly necessary for the provision of the Platform services (e.g. hosting providers, payment processors) and in accordance with the Privacy Policy.

d) Upon termination of the contract, the user may request export of their User Data within 30 days after the end of the subscription. After this period, User Data will be deleted or anonymised in accordance with applicable data protection laws, unless legal retention obligations require further storage.

8. User Obligations, Acceptable Use

a) The user is responsible for procuring and maintaining, at its own expense, all hardware, software, internet connectivity and other technical infrastructure required to access and use the Platform on the user's end. Justima shall not be liable for any limitations in the use of the Platform resulting from inadequate technical equipment or connectivity on the user's side.

b) The user shall not reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, underlying algorithms or other components of the Platform or any related software, except to the extent expressly permitted by mandatory applicable law.

c) The user shall comply with the Acceptable Use Policy attached as Annex 2 to these GTC ("AUP"), as amended from time to time. The AUP forms an integral part of these GTC. Any violation of the AUP shall be deemed a material breach of these GTC.

d) The user shall regularly and appropriately back up its User Data stored, processed or uploaded to the Platform, to the extent technically feasible. Section 12c)(vii) shall apply accordingly.

9. Term and Termination

a) The subscriptions run on a monthly basis and are automatically renewed for successive monthly periods unless cancelled by the user.

b) Either party may cancel the paid subscription at any time with effect at the end of the current billing month. The user may cancel via the account settings on the Platform or by contacting Justima at support@justima.app. Cancellation by Justima shall be made in writing (email sufficient) to the email address associated with the main account holder. Until the effective date of cancellation, the user retains full access to the features included in the subscription.

c) After the end of the subscription, the user’s access will be disabled.

d) If the user wishes to delete their account completely, they may do so via the settings on the Platform or by contacting Justima (support@justima.app). All personal data will then be deleted or anonymised in accordance with applicable data protection laws, unless legal retention obligations require further storage. The user may request export of their data in accordance with section 7d prior to deletion.

e) The right of both parties to terminate the contract for good cause (wichtiger Grund) remains unaffected. Good cause for Justima shall in particular be deemed to exist if:

• the user is in default with payments for more than 14 days despite reminder;

• the user violates material contractual obligations, including these GTC; or

• the user misuses the Platform, e.g. for unlawful purposes, systematic scraping, or redistribution of Content.

In such cases, Justima may also temporarily block access to the Platform.

10. Availability and Maintenance

a) Justima endeavours an availability of the Platform of 98 % per calendar year, excluding planned maintenance . Temporary restrictions may arise due to maintenance, updates, or circumstances beyond Justima's control.

b) Justima will endeavour to carry out planned maintenance outside usual business hours and to notify users in advance where reasonably possible.

c) The availability as set our in Section 10 a) does not include disruptions or unavailability of the Platform caused by events of force majeure, i.e. extraordinary, unforeseeable events beyond Justima's reasonable control, including but not limited to natural disasters, pandemics, large-scale internet outages not attributable to Justima's infrastructure, or governmental actions. Cyberattacks shall be deemed events of force majeure if Justima has implemented and maintained appropriate technical and organisational security measures in accordance with the current industry standard and the attack has nevertheless overcome such measures.

11. Warranty

a) Justima provides warranty for features and developments provided free of charge (e.g. during any trial or testing period or for the period of use under any voucher) in accordance with statutory German law.

b) Justima provides warranty for other defects in the provision of the Platform and the Content in accordance with the following provisions.

Defects are significant deviations from the services as agreed in the respective Subscription Plan.

c) If the user detects defects in the Platform (including any related documentation), the user shall notify Justima of such defects in writing (email to support@justima.app sufficient) without undue delay. The notice of defects shall contain all information reasonably available to the user that is necessary for Justima to identify, reproduce, analyse and remedy the defect. The user shall provide Justima with reasonable assistance in remedying defects free of charge.

d) If the Platform is defective, Justima shall, at its discretion, either rectify the defect or provide the affected services again (if possible) within a reasonable period of time. Where third-party software is used, the defect may be remedied by procuring and installing generally available upgrades, updates, patches or other suitable third-party software. Rectification shall also be deemed to include the provision of instructions with which the user can reasonably circumvent any defects that have occurred in order to use the Platform in accordance with the contract. Justima shall bear the costs of remedying the defect.

e) If Justima does not provide a remedy for a defect for reasons for which Justima is responsible, even within a reasonable period set by the user in writing, the user may reduce the agreed subscription fee by a reasonable amount until the defect has been remedied. The right to reduce the fee is limited to the amount of the monthly fee attributable to the defective part of the Platform.

f) If the user reduces the agreed subscription fee pursuant to section 11e) in two (2) consecutive months or in two (2) months of a quarter, the user may terminate the contract in writing without notice.

g) For claims for damages by the user, the limitations of liability set out in section 12 shall apply.

h) Further warranty claims are excluded.

i) The limitation period for warranty claims is one (1) year. For claims for damages, the provisions of section 12 shall apply.

12. No Legal Advice and Limitation of Liability

a) No Legal Advice / No Attorney–Client Relationship

i) The Platform, the Content and the AI-Generated Output are for general information purposes only. They do not constitute legal advice or any other professional advice and must not be used as a substitute for legal advice from a qualified lawyer.

ii) Justima does not provide legal representation or legal services and does not enter into an attorney–client relationship with users. This also applies where users are lawyers, in-house counsel or law firms using Justima for their own information and monitoring purposes.

iii) Users remain solely responsible for:

• assessing the legal relevance and implications of any Content;

• verifying the accuracy, completeness and timeliness of information; and

• obtaining appropriate legal advice from qualified professionals before taking decisions or actions based on the Content.

b) AI and Information Limitations

The Platform relies on generative AI and other automated processes as well as external data sources. Therefore, the Content and AI-Generated Output may be incorrect, incomplete, outdated, misleading or not suitable for the user’s specific circumstances.

The user must independently check and verify all information before relying on it.

c) General Limitation of Liability

i) Justima is liable for damages without limitation in cases of intent and gross negligence, as well as for injury to life, body or health.

ii) In the event of a slightly negligent breach of essential contractual obligations (cardinal obligations), Justima’ liability is limited to the foreseeable damage typical for the contract. Essential contractual obligations are those obligations whose fulfilment enables the proper performance of the contract and on whose fulfilment the user may regularly rely.

iv) Any further liability of Justima for slight negligence beyond the cases set out in section 12c(i) and (ii) is excluded.

v) The above limitations of liability also apply to breaches of duty by legal representatives, employees and vicarious agents of Justima.

vi) Liability under mandatory statutory provisions (e.g. under the German Product Liability Act) remains unaffected.

vii) Liability for data loss is limited to the typical recovery cost that would have arisen if the user had made regular and appropriate backup copies of its data.

13. Confidentiality

a) "Confidential Information" means all information and data disclosed by one party ("Disclosing Party") to the other party ("Receiving Party"), which is either labelled as confidential or whose confidentiality derives from the nature of the information or the circumstances of the disclosure. Subject to section 13c), Justima shall treat all business-related and personal information entered by the user into the Platform as Confidential Information. Any feedback in relation to the Platform provided by the user to Justima shall not be considered Confidential Information.

b) Confidential Information may only be disclosed to employees or agents of the Receiving Party who need to know such information for the purposes of performing the contract and who are bound by obligations of confidentiality.

The Receiving Party may disclose Confidential Information to the following authorised third parties ("Authorised Third Parties"):

• its own employees or employees of affiliated companies within the meaning of §§ 15 et seq. of the German Stock Corporation Act (AktG);

• subcontractors, in particular sub-processors within the meaning of Art. 28 GDPR (as defined in Annex 1); and

• advisors,

provided that such Authorised Third Parties are bound by either (i) contractual confidentiality obligations no less protective than the obligations under this contract or (ii) confidentiality obligations by law or by applicable professional conduct rules (e.g. attorneys or tax advisors).

c) The confidentiality obligations under this section 13 shall not apply to Confidential Information which:

• was already known to the Receiving Party at the time of disclosure;

• was developed independently by the Receiving Party without using any Confidential Information of the Disclosing Party;

• was or will be disclosed to the Receiving Party by a third party without breach of any non-disclosure agreement or other confidentiality obligation;

• is or becomes publicly known during the contractual relationship without the Receiving Party or an Authorised Third Party being at fault; or

• is required to be published or disclosed pursuant to a binding decision of a court or public authority.

If a court or public authority requests disclosure of Confidential Information from the Receiving Party, the Receiving Party shall – to the extent permitted by law – notify the Disclosing Party without undue delay and shall, in coordination with the Disclosing Party, take adequate legal measures to prevent disclosure of the Confidential Information.

d) The obligations under this section shall survive the termination of the contract for a period of two (2) years.

14. Data Protection

For details on data processing, Justima refers to its privacy policy. With regard to personal data that Justima processes on behalf of the user under this contract, the parties enter into the Data Processing Agreement attached as Annex 1 to these GTC ("DPA"). In the event of contradictions between these GTC and the DPA, the provisions of the DPA shall prevail.

15. Amendment of the GTC

a) Justima reserves the right to modify these GTC with effect for the futurethere is a valid reason for the modification and the changes are reasonable considering the mutual interests of both contracting parties. A valid reason exists, in particular, in the event of a significant and unforeseeable disruption of the equivalence relationship (Äquivalenzverhältnis) existing at the time of contract conclusion, in the case of regulatory, technical, or legal developments requiring adaptation, or to incorporate newly introduced features of the Platform that require contractual regulation. Any modification that alters the core contractual obligations (Hauptleistungspflichten) of the parties is explicitly excluded from this right of modification.

b) Justima will inform the user about any changes and/or amendments of the GTC at least four (4) weeks before the amended GTC come into force by sending the new version to the email address provided by the user or by notification on the Platform. In the notification of changes, Justima will specifically and inform the user at the beginning of the notice period of the right to object, the applicable objection period, and the legal consequence that a failure to object within the given timeframe will be legally deemed as an explicit consent to the amended GTC.

c) The amended GTC shall be deemed accepted and effectively incorporated into the contractual relationship if the user does not expressly object to the modifications in text form prior to the specified effective date.

d) If the user objects in due time as set out herein, the contractual relationship continues under the previously agreed GTC. In this case, however, Justima shall be entitled to extraordinarily terminate the contractual relationship (including any paid subscription) with a notice period of two (2) weeks to the end of the current billing month.

16. Vouchers and Special Offers

a) If the user holds a Justima voucher or a similar code that grants the use of a certain subscription plan for a specified period, this entitles the user to use the Platform during that period, subject to these GTC and any additional conditions stated on the voucher or in the respective offer.

b) To redeem a voucher or code, the user must register with Justima (if not already done) and select either the “Starter” or the “Professional” as the Follow-on-Subscription and then activate the code on the page provided for this purpose on the Platform.

c) Vouchers and other codes cannot be redeemed for cash and cannot be refunded, exchanged or used to purchase other codes, unless otherwise required by mandatory law.

d) After the expiry of the respective voucher period, the Subscription will automatically end. The user will be clearly informed of this before commencing the end of the gift/voucher period.

17. References

The user agrees that during the term of the contract, Justima is authorised to identify the user and its organisation in social media channels, commercial advertisements, promotional materials, sales presentations and press releases for the purpose of indicating that the user is a customer of Justima. This authorisation includes the use of the user's word and image trademarks on the Justima website. The user may revoke this authorisation at any time by written notice to support@justima.app.

18. Final Provisions

a) Should any provision of these GTC be or become invalid or unenforceable, the remaining provisions shall remain unaffected. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision that most closely reflects the economic intent of the invalid provision. The same shall apply in case of a gap in these GTC.

b) These GTC and the contractual relationship between the user and Justima shall be governed by the laws of the Federal Republic of Germany, excluding the provisions of the UN Convention on Contracts for the International Sale of Goods (CISG).

c) The exclusive place of jurisdiction for all disputes arising from or in connection with the contractual relationship shall be Cologne, Germany.

d) Justima may transfer its rights and obligations under this contract to a third party, provided this does not result in any material disadvantage for the user. The user will be notified of any such transfer.

Annex 1 - Data Processing Agreement
Standard contractual clauses

SECTION I
Clause 1
Purpose and scope

1. The purpose of these Standard Contractual Clauses (the Clauses) is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
2. The controllers and processors listed in Annex I have agreed to these Clauses in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 and/or Article 29(3) and (4) of Regulation (EU) 2018/1725.
3. These Clauses apply to the processing of personal data as specified in Annex II.
4. Annexes I to IV are an integral part of the Clauses.
5. These Clauses are without prejudice to obligations to which the controller is subject by virtue of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
6. These Clauses do not by themselves ensure compliance with obligations related to international transfers in accordance with Chapter V of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.

Clause 2
Invariability of the Clauses

1. The Parties undertake not to modify the Clauses, except for adding information to the Annexes or updating information in them.
2. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a broader contract, or from adding other clauses or additional safeguards provided that they do not directly or indirectly contradict the Clauses or detract from the fundamental rights or freedoms of data subjects.

Clause 3
Interpretation

1. Where these Clauses use the terms defined in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively, those terms shall have the same meaning as in that Regulation.
2. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively.
3. These Clauses shall not be interpreted in a way that runs counter to the rights and obligations provided for in Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or in a way that prejudices the fundamental rights or freedoms of the data subjects.

Clause 4
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 5
Docking clause

1. Any entity that is not a Party to these Clauses may, with the agreement of all the Parties, accede to these Clauses at any time as a controller or a processor by completing the Annexes and signing Annex I.
2. Once the Annexes in (a) are completed and signed, the acceding entity shall be treated as a Party to these Clauses and have the rights and obligations of a controller or a processor, in accordance with its designation in Annex I.
3. The acceding entity shall have no rights or obligations resulting from these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES
Clause 6
Description of processing(s)
The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex II.
Clause 7
Obligations of the Parties
7.1. Instructions

1. The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented.
2. The processor shall immediately inform the controller if, in the processor’s opinion, instructions given by the controller infringe Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or the applicable Union or Member State data protection provisions.

7.2. Purpose limitation
The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from the controller.
7.3. Duration of the processing of personal data
Processing by the processor shall only take place for the duration specified in Annex II.
7.4. Security of processing

1. The processor shall at least implement the technical and organisational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosureor access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
2. The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.5. Sensitive data
If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), the processor shall apply specific restrictions and/or additional safeguards.
7.6 Documentation and compliance

3. The Parties shall be able to demonstrate compliance with these Clauses.
4. The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with these Clauses.
5. The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725. At the controller’s request, the processor shall also permit and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the controller may take into account relevant certifications held by the processor.
6. The controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the processor and shall, where appropriate, be carried out with reasonable notice.
7. The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.

7.7. Use of sub-processors

1. The processor has the controller’s general authorisation for the engagement of sub-processors from an agreed list. The processor shall specifically inform in writing the controller of any intended changes of that list through the addition or replacement of sub-processors at least 60 days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The processor shall provide the controller with the information necessary to enable the controller to exercise the right to object.
2. Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with these Clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to these Clauses and to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
3. At the controller’s request, the processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secret or other confidential information, including personal data, the processor may redact the text of the agreement prior to sharing the copy.
4. The processor shall remain fully responsible to the controller for the performance of the sub-processor’s obligations in accordance with its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfil its contractual obligations.
5. The processor shall agree a third party beneficiary clause with the sub-processor whereby - in the event the processor has factually disappeared, ceased to exist in law or has become insolvent - the controller shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

7.8. International transfers

1. Any transfer of data to a third country or an international organisation by the processor shall be done only on the basis of documented instructions from the controller or in order to fulfil a specific requirement under Union or Member State law to which the processor is subject and shall take place in compliance with Chapter V of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725.
2. The controller agrees that where the processor engages a sub-processor in accordance with Clause 7.7. for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with of Article 46(2) of Regulation (EU) 2016/679, provided the conditions for the use of those standard contractual clauses are met.

Clause 8
Assistance to the controller

1. The processor shall promptly notify the controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorised to do so by the controller.
2. The processor shall assist the controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), the processor shall comply with the controller’s instructions
3. In addition to the processor’s obligation to assist the controller pursuant to Clause 8(b), the processor shall furthermore assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor:
4. the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
5. the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;
6. the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated;
7. the obligations in Article 32 Regulation (EU) 2016/679.
8. The Parties shall set out in Annex III the appropriate technical and organisational measures by which the processor is required to assist the controller in the application of this Clause as well as the scope and the extent of the assistance required.

Clause 9
Notification of personal data breach
In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 Regulation (EU) 2016/679 or under Articles 34 and 35 Regulation (EU) 2018/1725, where applicable, taking into account the nature of processing and the information available to the processor.
9.1 Data breach concerning data processed by the controller
In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:

1. in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the controller has become aware of it, where relevant/(unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
2. in obtaining the following information which, pursuant to Article 33(3) Regulation (EU) 2016/679, shall be stated in the controller’s notification, and must at least include:
3. the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
4. the likely consequences of the personal data breach;
5. the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

3. in complying, pursuant to Article 34 Regulation (EU) 2016/679, with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

9.2 Data breach concerning data processed by the processor
In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay after the processor having become aware of the breach. Such notification shall contain, at least:

1. a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
2. the details of a contact point where more information concerning the personal data breach can be obtained;
3. its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
The Parties shall set out in Annex III all other elements to be provided by the processor when assisting the controller in the compliance with the controller’s obligations under Articles 33 and 34 of Regulation (EU) 2016/679.
SECTION III – FINAL PROVISIONS
Clause 10
Non-compliance with the Clauses and termination

1. Without prejudice to any provisions of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725, in the event that the processor is in breach of its obligations under these Clauses, the controller may instruct the processor to suspend the processing of personal data until the latter complies with these Clauses or the contract is terminated. The processor shall promptly inform the controller in case it is unable to comply with these Clauses, for whatever reason.
2. The controller shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with these Clauses if:
3. the processing of personal data by the processor has been suspended by the controller pursuant to point (a) and if compliance with these Clauses is not restored within a reasonable time and in any event within one month following suspension;
4. the processor is in substantial or persistent breach of these Clauses or its obligations under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725;
5. the processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to these Clauses or to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
6. The processor shall be entitled to terminate the contract insofar as it concerns processing of personal data under these Clauses where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with Clause 7.1 (b), the controller insists on compliance with the instructions.
7. Following termination of the contract, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or, return all the personal data to the controller and delete existing copies unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, the processor shall continue to ensure compliance with these Clauses.

ANNEX I (DPA): LIST OF PARTIES

Controller(s): Customer as set out in the subscription confirmation
Processor(s): Justima as set out in the r subscription confirmation.

ANNEX II (DPA): DESCRIPTION OF THE PROCESSING
Categories of data subjects whose personal data is processed
Customer employees
Categories of personal data processed
Names, contact details, titles, pay & transactional data and access credentials of Customer employees
Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Justima restricts access to sensitive data to certain roles within the company and uses multiple controls (e.g. encryption, auditing, pen test, safe deletion) to ensure secure processing of sensitive data. Transferring sensitive data of any customer requires active allowance of such customer. This can be done by the data owner or the general management of the affected company.
Nature of the processing
Providing access to the Software and providing the Services (incl. Billing process, CRM and error analysis) as set out in the Agreement. If permission has been granted, data may be used for analyzing trends, statistics, or reach measurements.
Purpose(s) for which the personal data is processed on behalf of the controller
Justima processes personal data for the purpose of fulfilling its obligations under the agreement
Duration of the processing
Term of the agreement plus the contractually agreed backup retention time
For processing by (sub-) processors, also specify subject matter, nature and duration of the processing

ANNEX III (DPA): TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
This Annex describes the technical and organisational measures implemented by Justima to ensure an appropriate level of security for the processing of personal and confidential data.

1. General Information Security Principles

Justima is committed to protecting its information and IT assets, including but not limited to computers, mobile devices, network equipment, software, and sensitive data, against all internal and external, intentional or accidental threats.
The objective is to mitigate risks associated with theft, loss, misuse, damage, or impairment of such assets.

The information security framework is based on the following core principles:

• Confidentiality: Protection of information against unauthorised disclosure.
• Integrity: Protection of information against unauthorised alteration.
• Availability: Ensuring that authorised parties have access to information when required.
• Compliance: Compliance with, and where possible exceeding, applicable national legal and regulatory requirements, standards, and recognised best practices.
• Continuous Improvement: Ongoing enhancement of the information security management system through corrective and improvement measures.
• Business Continuity: Development, maintenance, and testing of business continuity plans to ensure operational resilience.
• Security Awareness: Continuous security awareness and training for all employees, with security responsibilities reflected in job descriptions and embedded in the organisational culture.
• Whistleblower Protection: Protection of employees who report information security issues or contact the Head of Information Security Management directly, unless the disclosure clearly indicates illegal activity, gross negligence, or repeated intentional non-compliance.

2. Technical and Organisational Measures
3. Access Control

Purpose: Prevention of unauthorised access to confidential data.
Measures implemented:

• Access to confidential data is strictly limited to authorised personnel who require such access to perform their assigned duties.
• Robust authentication mechanisms are implemented to ensure that only individuals with appropriate authorisation can access data.
• Allocation of access rights and privileges is strictly controlled and reviewed on a regular basis.
• Users may only access information assets for which they have been explicitly authorised.

2. Encryption

Purpose: Protection of data confidentiality during storage and transmission.
Measures implemented:

• Strong encryption is used for the storage of confidential data.
• Strong encryption is used for the transmission of confidential data within internal networks.
• Strong encryption is also applied when transmitting data over public networks.

3. Data Classification and Labelling

Purpose: Ensuring appropriate handling and protection of confidential data.
Measures implemented:

• Confidential data is clearly labelled and classified in a way that makes it readily identifiable.
• Data classification enables the application of appropriate technical and organisational protection measures based on the sensitivity of the data.

4. Secure Storage

Purpose: Protection of confidential data against unauthorised access and loss.

Measures implemented:

• Confidential data is stored in secure, access‑controlled environments.
• Physical documents containing confidential data are stored in locked cabinets or equivalent secure storage.
• Digital confidential data is stored on encrypted, password‑protected servers or databases with restricted access.

5. Data Minimisation, Retention and Deletion

Purpose: Reduction of data processing risks.

Measures implemented:

• Only the minimum amount of confidential data necessary for legitimate business purposes is collected and retained.
• Confidential data is securely deleted or destroyed once it is no longer required for its intended purpose.

6. Secure Disposal

Purpose: Prevention of unauthorised recovery of data.

Measures implemented:

• Paper-based confidential data is securely destroyed, e.g. by shredding.
• Digital confidential data is securely deleted using appropriate methods to prevent recovery.

7. Regular Audits and Reviews

Purpose: Verification of compliance and effectiveness of measures.

Measures implemented:

• Regular audits and reviews of confidential data and related processing activities are conducted.
• Audits ensure compliance with internal policies as well as applicable legal and regulatory requirements.
• Identified deficiencies are addressed through corrective measures as part of continuous improvement.

8. Training and Awareness

Purpose: Strengthening human security awareness.

Measures implemented:

• Employees receive regular training on the importance of protecting confidential data.
• Employees are trained on applicable procedures for handling confidential data.
• Security awareness is maintained as an ongoing organisational responsibility.

9. Incident Response and Data Breach Management

Purpose: Timely and effective response to security incidents.

Measures implemented:

• Justima applies its internal data breach notification and incident response plan.
• The plan ensures prompt identification, assessment, containment, and remediation of security incidents.
• Incidents involving unauthorised access or data breaches are handled in a structured and documented manner.

10. Third Party Management

Purpose: Protection of data when processed by third parties.

Measures implemented:

• Any third parties granted access to confidential data are subject to protection standards equivalent to those applied by Justima.
• Third‑party access is limited to what is necessary for legitimate purposes.

11. Vulnerability Management and Penetration Testing

Purpose: Identification and mitigation of technical security weaknesses.

Measures implemented:

• Justima operates a structured vulnerability management process.
• Regular vulnerability scans are performed to identify security weaknesses.
• Identified vulnerabilities are assessed and remediated in a timely, risk‑based manner.
• Penetration tests are conducted on a regular basis and on an event‑driven basis.
• Penetration tests simulate realistic attack scenarios, validate the effectiveness of existing security measures, and support continuous improvement of the overall security posture.

3. Review and continuous improvement

The technical and organisational measures described in this Annex are subject to regular review and are continuously improved to ensure an appropriate level of protection in light of technological developments, organisational changes, and evolving threats.

ANNEX IV (DPA): LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors:

1. Name: Google

   Address: ABC-Straße 19, 20354 Hamburg

   Description of the processing: Cloud-Plattform, data storage, Backend-infrastructure, AI modells

2. Name: Stripe

   Address: 510 Townsend Street, San Francisco, CA 94103, United States of America

   Description of the processing: Payment (credit card, other pay methods)

3. Name: Scalingo

   Address: 9 rue de la Krutenau, 67000 Strasbourg, Frankreich

   Description of the processing: Hosting, Website provider

4. Name: Telekom Cloud Hosting

   Address: Landgrabenweg 151, 53227 Bonn

   Description of the processing: Cloud-Plattform, data storage, Backend-infrastructure

5. Amazon Web Services EMEA SARL

   Address: 38, avenue John F. Kennedy, L-1855 Luxembourg

   Description of the processing: Cloud-Plattform, AI models, Backend-infrastructure

6. Name: Outseta

   Address: 230 Freeman Street, 02446 Brookline, MA, USA

   Description of the processing: CRM System

7. Annex 2 - Acceptable Use Policy

Customer may not use any provided Service for the following purposes:

Legal and Ethical Use

• Violates any applicable law, regulation, or binding legal obligation;
• Infringes or misappropriates the intellectual property rights, privacy rights, or other rights of Justima or any third party;
• Involves, promotes, facilitates, or assists illegal, fraudulent, deceptive, or harmful activities, including but not limited to terrorism, child sexual exploitation or abuse, phishing, pyramid schemes, or similar activities;
• Creates or distributes content that enables illegal activities or violations of laws, including instructions for obtaining illegal or regulated substances, goods, or services;
• Creates or distributes content that promotes or encourages self-harming behaviour.

Harmful, Abusive, or Deceptive Content

• Creates, distributes, or facilitates unlawful, invasive, defamatory, fraudulent, or non‑consensual content, including non‑consensual explicit imagery (NCEI);
• Use our Services or services of subprocessors to create, upload, transmit, or otherwise make available content that promotes, incites, or encourages violence, hatred, or discrimination against individuals or groups based on protected characteristics, including but not limited to race, ethnicity, nationality, religion, sex, sexual orientation, disability, or age;
• Creates or distributes sexually explicit content, including content created for pornographic purposes or sexual gratification;
• Impersonates any individual or entity, falsifies identity or contact information, or otherwise misleads others as to the origin or legitimacy of communications or data;
• Impersonates the identity of another person – whether living or deceased – without explicit disclosure and with deceptive intent;
• Makes misleading claims regarding expertise or competency in sensitive areas (e.g. health, finance, governmental services, or law) with the intent to deceive;
• Makes misleading claims in connection with governmental or democratic processes, or health-harmful practices, with the intent to deceive;
• Uses the Services for intentional disinformation or deception;
• Misrepresents the origin of generated content by claiming that such content was created exclusively by a human, with the intent to deceive;
• Harass, threaten, abuse, or intimidate any individual, including Justima's employees, agents, suppliers, subprocessors, or other users, whether through the Services, related communications, or support channels.

Security, Integrity, and Availability

• Introduces malware or other harmful components, including viruses, worms, Trojan horses, corrupted files, hoaxes, or similar destructive or deceptive items;
• Gains or attempts to gain unauthorized access to the Services, systems, networks, or data of Justima, its subprocessors, or any third party;
• Circumvents, disables, interferes with, or otherwise undermines security‑related features, safeguards, filtering mechanisms, or access controls of the Services or any related systems;
• Intentionally circumvents safety filters or security features, or manipulates AI/ML models or Services into acting in a manner that violates applicable policies;
• Tests, scans, probes, reverse engineers, decompiles, or otherwise attempts to discover vulnerabilities, limitations, or source code of the Services, except where expressly permitted under the Agreement.

System Misuse and Performance Abuse

• Damages, disrupts, overburdens, or otherwise adversely affects the availability, reliability, stability, or performance of the Services or any connected systems or networks;
• Creates or distributes content that enables the abuse, damage, impairment, or disruption of the infrastructure or services of Justima, its subprocessors, or third parties;
• Uses automated means (including bots, spiders, scrapers, or similar tools) or manual processes to monitor, extract, or copy content or data from the Services or related systems without prior written authorization;
• Bypasses technical restrictions, rate limits, or robot exclusion mechanisms.

Account, Identity, and Access Integrity

• Shares individual user accounts with multiple persons outside permitted delegation features;
• Creates accounts for non‑human users or business functions where accounts are intended for individual natural persons;
• Creates or controls multiple personal accounts without authorization, including through the use of false, temporary, or misleading identity information;
• Use account names, identifiers, or other representations that are offensive, vulgar, obscene, misleading, or not lawfully available for use;
• Provides false, inaccurate, or misleading personal, financial, or identification information.

Data Protection and Privacy

• Collects, harvests, processes, or discloses personal data without a valid legal basis, required consent, or under false or misleading pretenses;
• Uses the Services for unlawful tracking, surveillance, or identification of individuals, or for processing personal or biometric data without legally required consent;
• Uses the Services to reproduce the voice or likeness of a person without their consent or other applicable rights, including for the purpose of identity fraud or non‑consensual sexual depictions;
• Creates or distributes content designed to observe or monitor individuals without their consent;
• Records audio or video communications without legally required consent in the relevant jurisdiction(s);
• Discloses sensitive business or confidential information through publicly accessible or inappropriate channels.

Third‑Party and Subprocessor Compliance

• Uses the Services in a manner that violates the terms, acceptable use policies, or contractual restrictions of Justima's subprocessors or other third‑party service providers;
• Misuses customer support, communication channels, or services of Justima or its subprocessors for purposes outside their intended use;
• Takes any action that may reasonably cause Justima to lose access to infrastructure, hosting, connectivity, payment, or other essential third‑party services.

Commercial Misuse

• Sends or facilitates unsolicited or unauthorized mass communications, advertising, or promotional messages ("spam");
• Resells, sublicenses, or embeds the Services or user accounts into a commercial offering without authorization.

High‑Risk and Safety‑Critical Use

• Uses the Services in hazardous or safety‑critical environments requiring fail‑safe performance, where failure could reasonably result in death, personal injury, or significant physical or environmental damage;
• Uses the Services to execute a lethal function in a weapon without human authorization or control.

Cooperation and Enforcement

• Refuses to cooperate with investigations into suspected violations, including by failing to confirm identity or provide reasonably requested information;
• Fail to promptly report any suspected or actual violation of this Acceptable Use Policy or misuse of the Services, or refuse to cooperate in good faith with investigations, remediation measures, or compliance requests relating to such violations;
• Uses the Services in a manner that exposes Justima or its suppliers to civil, criminal, or regulatory liability.

Artificial Intelligence and Automated Processing

• Uses the Services or any outputs thereof to train, fine‑tune, benchmark, or extract models or algorithms, except where expressly permitted by Justima;
• Represents outputs generated by the Services as legally binding, authoritative, or as a substitute for professional judgment without appropriate human review;
• Uses the Services to make or fully automate high-risk decisions that may adversely affect the rights of individuals – such as in the areas of employment, healthcare, finance, law, housing, insurance, or social benefits – without adequate human oversight;
• Where AI/ML outputs are used for consequential decisions affecting fundamental rights, health, or safety of individuals (e.g. medical diagnoses, legal proceedings, access to housing, employment decisions, or financial or legal advice), Customer must assess the potential risks of the use case and implement appropriate human oversight, testing, and other use-case-specific safeguards to mitigate those risks;
• Relies on AI/ML outputs as definitive without review for accuracy and appropriateness, given that such outputs are probabilistic and may be inaccurate or inappropriate;
• Submits prompts, inputs, or data that the Customer is not legally entitled to use or disclose;
• Uses the Services to harm or abuse minors, including grooming or sexual exploitation of children.

Export Controls and Sanctions

• Uses or accesses the Services in violation of applicable export control, sanctions, or trade compliance laws, including by making the Services available to sanctioned persons, entities, or jurisdictions.

Abuse Monitoring and Incident Response Cooperation

• Interferes with, disables, or attempts to evade logging, monitoring, or abuse‑detection mechanisms used to ensure the security and integrity of the Services;
• Fails to promptly notify Justima of suspected misuse, security incidents, or unauthorized access relating to the Customer’s use of the Services.

Violation of this Acceptable Use Policy may result in suspension or termination of the Services in accordance with the Agreement.