Embedded Wizard Data Processing Agreement (EWDA)

TARA Systems GmbH
Effective Date: 2025-11-18

This Embedded Wizard Data Processing Agreement ("Agreement" or "EWDA") is entered into between:

(1) The business customer identified in the applicable Order Form or License Certificate ("Customer" or "Controller"), and
(2) TARA Systems GmbH, Gmunder Str. 53, 81379 Munich, Germany ("TARA" or "Processor").

This EWDA forms part of and is subject to the Embedded Wizard Terms and Conditions ("EWTC"), the Embedded Wizard Support Agreement ("EWSA") and the applicable Order Form(s) between Customer and TARA (together, the "Main Agreement"). It governs TARA's processing of personal data on behalf of Customer in connection with support, maintenance, remote access and related services for the Embedded Wizard product family.

In the event of any conflict or inconsistency between this EWDA and the Main Agreement with respect to the subject matter of this EWDA (data processing on behalf of Customer), the terms of this EWDA shall prevail. In all other respects, the EWTC, EWSA and other applicable agreements remain unchanged and in full force.

This EWDA is intended exclusively for entrepreneurs (business customers) within the meaning of Section 14 of the German Civil Code (BGB), including public sector entities acting in a business capacity. It does not apply to consumers within the meaning of Section 13 BGB.

1. Definitions and Interpretation

1.1 Unless defined otherwise in this EWDA, capitalized terms have the meaning given to them in the EWTC and, where applicable, the Embedded Wizard License Agreement ("EWLA").

1.2 For purposes of this EWDA:
  (a) "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Supervisory Authority" and "Personal Data Breach" have the meanings set out in the GDPR.
  (b) "Customer Data" means any Personal Data for which Customer is Controller and which is processed by TARA as Processor under or in connection with the Main Agreement.
  (c) "Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under this EWDA, including the EU General Data Protection Regulation (Regulation (EU) 2016/679 – "GDPR") and any applicable implementing or supplementary legislation.
  (d) "Subprocessor" means any third party engaged by or on behalf of TARA to Process Customer Data on TARA's behalf as part of the services provided under the Main Agreement.
  (e) "TOMs" means the technical and organizational measures described in Appendix 1 to this EWDA, as updated from time to time in accordance with this EWDA.
  (f) "TARA Personnel" means employees of TARA and any other natural persons under TARA's direct authority (including freelancers and individual sub-contractors) who are authorized to Process Customer Data.

1.3 In case of contradiction, the following order of precedence applies for the subject matter of this EWDA: (1) this EWDA, (2) the EWSA (with respect to the scope of support services), (3) the EWTC and other parts of the Main Agreement.

2. Subject Matter, Duration, Nature and Purpose of Processing

2.1 Subject matter. This EWDA governs TARA's Processing of Customer Data as Processor in the context of providing:
  (a) technical support services, including incident handling, troubleshooting and diagnostics in accordance with the EWSA and EWTC;
  (b) remote access and remote session services, where expressly requested by Customer;
  (c) handling of error reports, diagnostic uploads, log files, configuration exports and similar artifacts provided by Customer for analysis; and
  (d) any other Processing of Customer Data as Processor that the parties expressly agree in connection with Embedded Wizard support and maintenance.

2.2 Duration. This EWDA becomes effective upon the earlier of (i) Customer and TARA entering into a Main Agreement that references this EWDA, or (ii) TARA first Processing Customer Data as Processor for Customer. It remains in force for as long as TARA Processes Customer Data on behalf of Customer under the Main Agreement and until all Customer Data has been deleted in accordance with Section 11.

2.3 Nature and purpose of Processing. The Processing operations under this EWDA include, as necessary:
  - collection, receipt and storage of Customer Data (e.g. via ticketing systems, file uploads, remote sessions);
  - organization, analysis and use of Customer Data for error analysis, troubleshooting and reproduction of issues;
  - transmission of Customer Data within TARA, to Subprocessors and back to Customer;
  - deletion and anonymization of Customer Data in line with this EWDA and the Main Agreement.

The purpose of Processing is exclusively to provide the support, maintenance, remote access and related services specified in the Main Agreement and any written instructions from Customer.

2.4 Types of personal data. Depending on how Customer uses the Embedded Wizard products and support services, Customer Data may include in particular:
  (a) Identification and contact data of Customer's employees, contractors and other users (e.g. name, business contact data, role, department, user IDs);
  (b) Technical data and logs relating to Customer's systems and Applications (e.g. device IDs, IP addresses, configuration details, error logs, stack traces);
  (c) Limited data about end users of Customer's products or systems, where such data is contained in logs, screenshots or other artifacts provided to TARA for diagnostic purposes.

Customer shall not intentionally include special categories of personal data within the meaning of Art. 9 GDPR (e.g. health data) or data relating to criminal convictions and offences (Art. 10 GDPR) in Customer Data unless (i) this is strictly necessary for the specific support case, and (ii) Customer has a valid legal basis and informs TARA in advance so that appropriate safeguards can be agreed.

2.5 Categories of data subjects. Customer Data may relate to:
  (a) Customer's employees, contractors and authorized users;
  (b) employees and contractors of Customer's own customers or partners, to the extent their data appears in logs, screenshots or other artifacts; and
  (c) other individuals whose data is included in such materials.

3. Roles and Responsibilities

3.1 Controller responsibilities. Customer is and remains the Controller for Customer Data. Customer is responsible for:
  (a) ensuring that it has a valid legal basis under Data Protection Laws for the Processing of Customer Data by TARA under this EWDA;
  (b) providing all necessary notices to Data Subjects and obtaining any required consents;
  (c) determining the purposes and essential means of Processing Customer Data; and
  (d) ensuring that Customer Data provided to TARA is, to the best of Customer's knowledge, accurate and limited to what is necessary for the support or services requested.

3.2 Processor responsibilities. TARA shall Process Customer Data only in accordance with Customer's documented instructions, as described in Section 4, and in compliance with this EWDA and Data Protection Laws applicable to TARA in its role as Processor.

4. Processing on Documented Instructions

4.1 Documented instructions. TARA shall Process Customer Data only:
  (a) on the documented instructions of Customer (including as set out in the Main Agreement and this EWDA); and
  (b) to the extent required by applicable law; in such case TARA shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

4.2 Changes to instructions. Customer may provide additional reasonable instructions regarding the Processing of Customer Data by written notice. Where Customer's instructions go beyond what is provided for in this EWDA and the Main Agreement, TARA is not obliged to follow them unless and until the parties have agreed on any additional fees and conditions that may apply. If TARA considers an instruction to be unlawful or technically infeasible, TARA shall inform Customer without undue delay; in such case, TARA may suspend the relevant Processing until the instruction has been confirmed, modified or withdrawn.

5. Confidentiality

5.1 TARA shall ensure that TARA Personnel and any other persons authorized to Process Customer Data are subject to an appropriate duty of confidentiality (whether statutory or contractual) and only Process Customer Data as necessary for their relevant duties.

5.2 TARA shall treat Customer Data as confidential and shall not disclose it to third parties except as permitted under this EWDA, the Main Agreement or as required by law.

6. Security of Processing

6.1 TARA shall implement and maintain appropriate technical and organizational measures ("TOMs") designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data, as described in Appendix 1.

6.2 TARA may update the TOMs from time to time, provided that such updates do not materially reduce the overall level of security. Upon reasonable request, TARA will provide Customer with a summary of the then-current TOMs in a manner suitable for Customer's own documentation duties.

7. Subprocessors

7.1 General authorization. Customer hereby grants TARA a general authorization to engage Subprocessors for Processing Customer Data, provided that:
  (a) TARA imposes on each Subprocessor substantially the same data protection obligations as those set out in this EWDA; and
  (b) TARA remains fully responsible to Customer for the Subprocessor's compliance with such obligations.

7.2 Current Subprocessors. As of the Effective Date, TARA uses the Subprocessors listed in Appendix 2 for the Processing of Customer Data under this EWDA. TARA may also maintain a current list of Subprocessors on its website or legal pages and may refer to such list in Appendix 2.

7.3 Changes to Subprocessors. TARA shall inform Customer of any intended addition or replacement of Subprocessors in a timely manner (e.g., by email, a support portal notification, or an update on the legal pages referenced in the Main Agreement). Customer may object to the change on reasonable data protection grounds within thirty (30) days after receiving notice. If Customer reasonably objects, the parties will discuss in good faith a commercially reasonable solution. If no solution can be found, Customer may, as its sole and exclusive remedy, terminate the affected services in writing with thirty (30) days' notice; any prepaid fees for periods after the termination date will be refunded in accordance with the EWTC.

7.4 International transfers by Subprocessors. Where a Subprocessor is located outside the EU/EEA in a country without an adequacy decision, TARA shall ensure that appropriate safeguards are implemented (for example, Standard Contractual Clauses, the EU-U.S. Data Privacy Framework, or other mechanisms permitted under Chapter V GDPR) and shall ensure that any additional measures required by Data Protection Laws are taken.

8. Assistance to Customer

8.1 Data subject rights. Taking into account the nature of the Processing, TARA shall, to the extent reasonably possible, assist Customer by appropriate technical and organizational measures in fulfilling Customer's obligations to respond to requests for exercising Data Subjects' rights under Chapter III GDPR (e.g. rights of access, rectification, erasure, restriction, portability and objection) in relation to Customer Data. If a Data Subject submits a request directly to TARA that relates to Customer Data, TARA will, where reasonably identifiable, forward the request to Customer without undue delay and will not respond to the request except on the documented instructions of Customer or where required by law.

8.2 Data protection impact assessments. Taking into account the nature of Processing and the information available to TARA, TARA shall provide reasonable assistance to Customer in fulfilling its obligations under Articles 35 and 36 GDPR (data protection impact assessments and prior consultations) to the extent that the Processing under this EWDA is relevant for such assessments or consultations. Such assistance may be subject to reasonable fees where the effort goes beyond what can be expected from a standard processor relationship.

9. Personal Data Breaches

9.1 Notification. In the event of a Personal Data Breach affecting Customer Data, TARA shall notify Customer without undue delay after becoming aware of the breach. Such notification shall include, where reasonably available:
  (a) a description of the nature of the Personal Data Breach, including, as far as possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of data records concerned;
  (b) the likely consequences of the Personal Data Breach; and
  (c) the measures taken or proposed to be taken by TARA to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

9.2 Further information. Where it is not possible to provide all information at the same time, the information may be provided in phases without undue further delay. TARA will cooperate with Customer and provide reasonable assistance in investigating and remedying the Personal Data Breach, including providing information required for Customer's notifications to Supervisory Authorities and Data Subjects, to the extent such notifications are required under Data Protection Laws.

9.3 No admission of fault. Any notification by TARA under this Section 9 shall not be construed as an acknowledgment of fault or liability.

10. Records, Information and Limited Audit Mechanism

10.1 Records. TARA shall maintain records of Processing activities carried out on behalf of Customer in accordance with Article 30(2) GDPR.

10.2 Information and documentation. At Customer's written request and subject to reasonable prior notice, TARA shall make available to Customer such information as is reasonably necessary to demonstrate TARA's compliance with this EWDA and Article 28 GDPR, including summaries of relevant policies, TOMs and, where available, third-party certifications or audit reports.

10.3 Primary reliance on documentation. The Parties agree that TARA may satisfy its obligations under Article 28(3)(h) GDPR primarily by providing the information, documentation and independent third-party reports referred to in Section 10.2. Customer shall rely on such information as the primary means to verify TARA's compliance with this EWDA.

10.4 On-site inspections as last resort. Only where (i) Data Protection Laws require Customer to conduct or commission an on-site or system-level inspection of TARA as processor, and (ii) the information and documentation made available under Sections 10.2 and 10.3 are objectively insufficient to meet such legal requirement, shall Customer be entitled to carry out such an inspection. In that case, any on-site inspection shall:
  (a) be conducted during regular business hours and in a manner that minimizes disruption to TARA's business and other customers;
  (b) comply with TARA's reasonable security and confidentiality policies;
  (c) not involve access to systems or data of other customers; and
  (d) not take place more than once in any twelve (12) month period, unless there is a reasonable suspicion of material non-compliance or a Personal Data Breach affecting Customer Data.

11. Return and Deletion of Data

11.1 Deletion during the term. During the term of the Main Agreement, Customer may instruct TARA to delete specific Customer Data where technically feasible and not in conflict with statutory retention obligations or legitimate interests (such as documentation of support activities). TARA shall follow such instructions within a reasonable time frame, taking into account the nature and scope of the data.

11.2 Deletion after termination. After the end of the Processing of Customer Data on behalf of Customer, TARA shall delete all Customer Data and existing copies, unless applicable law requires storage of the Personal Data. If Customer requires a copy or export of Customer Data, the Parties may agree separately on a data export service subject to technical feasibility and additional fees; such export, if any, shall not affect TARA's deletion obligations under this Section 11.

11.3 Backups and logs. Deletion obligations may extend to backups and logs only to the extent reasonably practicable. Where deletion of Customer Data from backups is not practicable without undue effort, TARA may continue to store such data in backups, provided that (i) such backups are subject to appropriate TOMs, (ii) they are only accessible to authorized personnel with a genuine need to access them, and (iii) the Customer Data contained in backups is not actively used for any purpose other than backup and recovery.

12. International Data Transfers

12.1 TARA will not intentionally transfer Customer Data to a third country outside the EU/EEA unless:
  (a) such transfer is necessary for the provision of the services under the Main Agreement (e.g. where a Subprocessor is located in such third country); and
  (b) an appropriate safeguard or derogation under Chapter V GDPR applies.

12.2 In particular, where Customer Data is transferred to a country without an adequacy decision, TARA shall ensure that the transfer is subject to appropriate safeguards, such as:
  (a) Standard Contractual Clauses adopted by the European Commission, including any supplementary measures required by the European Data Protection Board's recommendations; or
  (b) participation of the relevant recipient in an approved certification or adequacy scheme.

13. Liability and Limitation of Liability

13.1 The liability provisions in the EWTC (including any caps and exclusions) apply to this EWDA and to any claims arising out of or in connection with the Processing of Customer Data under this EWDA, unless expressly stated otherwise in this Section 13.

13.2 For the avoidance of doubt, nothing in this EWDA shall limit:
  (a) either party's liability to the extent such limitation is not permitted under applicable law; or
  (b) the Customer's rights against TARA under the EWTC with respect to any breach of this EWDA.

13.3 This EWDA does not grant any additional warranties or indemnities beyond those expressly set out in the EWTC and the Main Agreement.

14. Miscellaneous

14.1 Amendments. TARA may update this EWDA as described in the change mechanisms of the EWTC, with effect for the future. Material changes that adversely affect Customer's legitimate interests will be notified in text form with reasonable advance notice. If Customer does not agree with a material change, Customer may exercise any special termination rights granted in the EWTC with respect to the affected services.

14.2 Severability. If any provision of this EWDA is held invalid or unenforceable, the remaining provisions shall remain in full force and effect. The invalid or unenforceable provision shall be deemed replaced by a valid provision that comes closest to its economic intent.

14.3 Governing law and jurisdiction. The governing law and jurisdiction provisions of the EWTC apply correspondingly to this EWDA.

14.4 Order of documentation. This EWDA is concluded in electronic form (including by reference and acceptance through the Subscription Portal or Order Forms). No separate handwritten signature is required unless expressly requested by Customer and accepted by TARA.

APPENDIX 1 – Technical and Organisational Measures (TOMs)

TARA maintains technical and organisational measures appropriate to the risk to ensure an appropriate level of security for Customer Data, including, as appropriate:

1. Organisation of Information Security
  - Information security policies and procedures defining roles, responsibilities and escalation paths.
  - Regular review of security policies and TOMs, including risk assessments relevant to support and remote access services.

2. Access Control and Authentication
  - Role-based access control for systems Processing Customer Data; access is granted on a need-to-know and least-privilege basis.
  - Strong authentication mechanisms (including multi-factor authentication where reasonable) for administrative access and remote support tools.
  - Regular review and revocation of user accounts and permissions upon role changes or termination.

3. Physical Security
  - Secured office and data center facilities with access control mechanisms (e.g. badges, locks).
  - Measures to prevent unauthorized physical access to servers, storage systems and workstations used for Processing Customer Data.

4. Data Protection in Transit and at Rest
  - Encryption of data in transit over untrusted networks (e.g. TLS for web-based access, VPN for remote access sessions where appropriate).
  - Encryption at rest for key systems and storage locations where Customer Data is stored, where technically reasonable and proportionate to the risk.
  - Use of secure transfer mechanisms (e.g. secure upload portals) for diagnostic files and artifacts.

5. System and Application Security
  - Hardening of servers and applications used for ticketing, support and remote access (e.g. regular patching, secure configuration).
  - Separation of environments (e.g. development, test, production) where appropriate.
  - Logging and monitoring of access to systems Processing Customer Data, with alerts for suspicious activities where reasonable.

6. Business Continuity and Backup
  - Regular backups of relevant systems and data to enable recovery in case of incidents.
  - Testing of backup and recovery procedures on a periodic basis.
  - Business continuity planning for critical support systems.

7. Incident and Breach Management
  - Defined incident response procedures for security incidents and Personal Data Breaches.
  - Logging, investigation and documentation of security incidents, including root cause analysis and remediation.
  - Processes to ensure timely notification to Customer in case of Personal Data Breaches in accordance with Section 9 of this EWDA.

8. Data Minimisation, Retention and Deletion
  - Collection and Processing of Customer Data limited to what is necessary for the specific support or remote access case.
  - Retention of diagnostic artifacts, logs and other Customer Data only for as long as necessary for the support case and any follow-up verification, subject to legal retention obligations.
  - Scheduled deletion or anonymisation of Customer Data after closure of support cases and expiry of relevant retention periods.

9. Personnel Awareness and Training
  - Employment contracts or policies with confidentiality obligations for TARA Personnel, including sub-contractors and freelancers where applicable.
  - Regular awareness measures on data protection and information security topics relevant to support and remote access services.

10. Subprocessor Management
  - Selection of Subprocessors based on their ability to provide appropriate security and data protection guarantees.
  - Conclusion of data processing terms with Subprocessors in line with Article 28 GDPR and regular review of their compliance where appropriate.

TARA may adapt and enhance these TOMs over time to reflect technological progress, new security risks or regulatory requirements, provided that such changes do not materially reduce the overall level of protection for Customer Data.

APPENDIX 2 – Subprocessors for Support and Remote Services

As of the Effective Date, TARA engages the following categories of Subprocessors for Processing Customer Data in connection with support and remote services under this EWDA:

1. Ticketing and Support Platform
  - Zammad GmbH (Germany/EU) – Support and ticketing system used to manage support requests, conversations and related artefacts. Hosting location: EU. Data processing governed by data processing terms compliant with Article 28 GDPR.

2. Hosting and Infrastructure for Support Systems
  - Hetzner Online GmbH (Germany/EU) – Hosting provider for support portals, ticketing systems and storage of diagnostic artefacts (e.g. uploaded logs, configuration files, reproducer projects). Hosting location: EU. Data processing governed by data processing terms compliant with Article 28 GDPR.

3. Remote Access and Collaboration Tools (where expressly requested by Customer)
  - Selected remote support or screen-sharing tools (e.g. conferencing or remote desktop tools) may be used on Customer's express request to perform remote sessions. Such tools process limited Personal Data (e.g. names, email addresses, session metadata, screen content) as necessary for the remote session. TARA will use providers offering appropriate contractual and technical safeguards (e.g. EU Standard Contractual Clauses or equivalent mechanisms for any transfers to third countries).

TARA may update this Appendix 2 from time to time, for example to add or replace Subprocessors as permitted under Section 7 of this EWDA. The then-current list of Subprocessors may also be made available on Embedded Wizard's legal pages. Where required by law or contract, TARA will inform Customer of material changes to this list in advance and grant Customer an opportunity to object as described in Section 7.3.

END OF AGREEMENT