Last updated: 16.11.2023
"Hosted Services" means dytab as a software-as-a-service offering with its solutions and features, e.g. meddevo eTD. "Platform" means the platform managed by Provider and used by Provider to provide the Hosted Services, including the application and database software for the Hosted Services, the system and server software used to provide the Hosted Services, and the computer hardware on which such application, database, system and server software is installed.
The Provider shall provide or ensure that the Platform provides the Customer with the necessary access credentials to enable the Customer to access and use the Hosted Services.
Provider hereby grants to Customer a worldwide, non-exclusive license to use the Hosted Services through the User Interface and the API for Customer's business purposes during the Term in accordance with the Documentation.
The license granted by Provider to Customer under Section 3 is subject to the following limitations:
(a) The User Interface may only be used through a supported web browser or mobile application;
(b) the User Interface may only be used by Customer's officers, employees or affiliates.
Provider acknowledges and agrees that Customer may act as the service entity for its affiliates and therefore provide certain services across entities and/or borders, including but not limited to regulatory, legal, tax, finance, supply chain and procurement services.
(c) The User Interface may only be used by the named users identified in the user management within the Platform;
(d) the User Interface may not be used by more than the number of users specified in the Cloud User Management at any one time, provided that Customer may add or remove user licenses in accordance with the license change procedure defined in the Hosted Services (fair use procedure: Customer will notify Provider if additional users will use the system on a regular basis); and
(e) The API may only be used by one or more applications approved in writing by the Provider and controlled by the Customer.
(a) Customer may not sublicense its right to access and use the Hosted Services;
(b) Customer shall not permit any unauthorized person or application under its control to access or use the Hosted Services;
(d) Customer shall not make any changes to the Platform except as permitted in the Documentation; and
(e) Customer shall not, without the prior written consent of Provider, perform any load testing or penetration testing of the Platform or the Hosted Services, nor shall Customer cause any other person to perform such testing.
Customer shall implement and maintain reasonable security measures with respect to the Access Credentials to ensure that no unauthorized person or application can gain access to the Hosted Services using the Access Credentials.
The Provider will use reasonable efforts to maintain the availability of the Hosted Services to the Customer at the gateway between the public Internet and the network of the hosting service provider for the Hosted Services, but does not guarantee 100% availability; the availability commitments that apply are those set out in the SLA.
For the avoidance of doubt, downtime caused directly or indirectly by any of the following shall not be considered a breach of this Terms:
(a) an event of force majeure;
(b) a fault or failure of the Internet or any public telecommunications network;
(c) any fault or failure of Customer's computer systems or networks;
(d) any breach by Customer of this Terms; or
(e) scheduled maintenance carried out in accordance with this Terms.
The Customer shall comply with the Acceptable Use Policy and shall ensure that all persons using the Hosted Services under the authority of the Customer or using the Access Credentials comply with the Acceptable Use Policy.
Customer shall not use the Hosted Services in any manner that causes or is likely to cause damage to the Hosted Services or the Platform or impair the availability or accessibility of the Hosted Services.
Customer shall not use the Hosted Services:
(a) in any way that is unlawful, illegal, fraudulent or harmful; or
(b) in connection with any unlawful, illegal, fraudulent or harmful purpose or activity.
For the avoidance of doubt, Customer shall have no right to access the software code (including object code, intermediate code and source code) of the Platform during or after the Term.
The Provider may suspend the provision of the Hosted Services if any amount payable by the Customer to the Provider under this Terms is overdue and the Provider has given the Customer at least 15 days written notice of its intention to suspend the Hosted Services on that basis.
Provider may from time to time suspend the Hosted Services for the purpose of scheduled maintenance of the Platform, provided that such scheduled maintenance must be performed in accordance with this paragraph.
The Provider shall always give the Customer at least 5 Business Days' prior written notice of any scheduled maintenance that will or is likely to affect the availability of the Hosted Services or have a material adverse effect on the Hosted Services.
The Provider shall ensure that any scheduled maintenance is carried out outside Business Hours (07:00 to 20:00 CET).
The Provider shall ensure that the total time during which the Hosted Services are unavailable as a result of scheduled maintenance does not exceed 8 hours in any calendar month.
The Provider shall provide the Customer with technical support services during the Usage Period through a help desk integrated into the Application. The Provider shall provide the Support Services with reasonable skill and care. Customer may use the Helpdesk to request and, if applicable, receive the Support Services. The Provider shall respond promptly to all requests for Support Services made by the Customer through the Helpdesk. Regulatory consulting is not part of the included Support Services and can be booked separately as an optional service.
The Provider shall create a backup copy of the Cloud System at least every 24 hours. The Provider shall keep and securely store each such copy for 30 days.
The Provider shall issue invoices for the Fees to the Customer in advance of the period to which they relate.
The Customer shall pay the fees to the Provider within the number of days specified in the invoice.
The Provider shall:
(a) keep the Customer Confidential Information strictly confidential;
(b) not disclose the Customer Confidential Information to any person without the prior written consent of the Customer and then only on terms of confidentiality approved in writing by the Customer;
(c) use the same degree of care to protect the confidentiality of the Customer Confidential Information as the Provider uses to protect the Provider's own confidential information of a similar nature, which shall be at least a reasonable degree of care;
(d) act in good faith at all times with respect to the Customer Confidential Information; and
(e) not use the Customer Confidential Information for any purpose other than the provision of the Support Services.
Notwithstanding this paragraph, Provider may disclose the Customer Confidential Information to those of Provider's officers and employees who need access to the Customer Confidential Information to perform their work with respect to this Terms and who are bound by a written agreement or professional duty to maintain the confidentiality of the Customer Confidential Information.
This paragraph shall not impose any obligations on Provider with respect to Customer Confidential Information that:
(a) is known to Provider prior to disclosure under this Terms and is not subject to any other obligation of confidentiality; or
(b) is or becomes publicly known through no act or omission of Provider; or
(c) is received by Provider from a third party in circumstances where Provider has no reason to believe that there has been a breach of confidentiality.
The restrictions in this paragraph shall not apply to the extent that Customer Confidential Information is required to be disclosed by law or regulation, by judicial or governmental order or request, or pursuant to disclosure requirements relating to the listing of the Provider's shares on a recognized stock exchange.
The provisions of this paragraph shall survive any termination of this Terms.
Each party shall comply with applicable data protection laws. By using the Service, the parties enter into a data processing agreement pursuant to Art. 28 GDPR. (LINK)
Provider warrants to Customer that
(a) Provider has the legal right and authority to enter into this Terms and to perform its obligations under this Terms;
(b) the Provider will comply with all applicable legal and regulatory requirements applicable to the exercise of the Provider's rights and the performance of the Provider's obligations under this Terms; and
(c) the Provider has or has access to all necessary know-how, expertise and experience to perform its obligations under this Terms.
Provider warrants to Customer that
(a) the Platform and the Hosted Services will comply in all respects with the Hosted Services Specification;
(b) the Hosted Services will be free from Hosted Services Defects;
(c) the Platform will be free of viruses, worms, Trojan horses, ransomware, spyware, adware and other malicious software; and
(d) the Platform will incorporate security features that meet the requirements of good industry practice, including but not limited to regular security audits.
Provider warrants to Customer that the Hosted Services, if used by Customer in accordance with this Terms, will not violate any laws, statutes or regulations applicable under German law.
The Provider warrants to the Customer that the Hosted Services, when used by the Customer in accordance with this Terms, will not infringe the Intellectual Property Rights of any person in any jurisdiction and under any applicable law.
If Provider reasonably believes, or a third party claims, that Customer's use of the Hosted Services in accordance with this Terms infringes the Intellectual Property Rights of any person, Provider may, at its sole cost and expense:
(a) modify the Hosted Services so that they no longer infringe the relevant Intellectual Property Rights; or
(b) procure for Customer the right to use the Hosted Services in accordance with this Terms.
Customer warrants to Provider that it has the legal right and authority to enter into this Terms and to perform its obligations hereunder.
All warranties and representations of the parties with respect to the subject matter of this Terms are expressly set forth in this Terms. To the fullest extent permitted by applicable law, no other warranties or representations regarding the subject matter of this Terms are implied into this Terms or any related agreement.
Customer acknowledges that complex software is never entirely free from defects, errors and bugs; and subject to the other provisions of this Agreement, Provider makes no warranty or representation that the Hosted Services will be entirely free from defects, errors and bugs.
Customer acknowledges that complex software is never entirely free from security vulnerabilities; and subject to the other provisions of this Agreement, Provider makes no warranty or representation that the Hosted Services will be entirely secure.
The Customer acknowledges that the Hosted Services are designed to be compatible only with the software and systems specified as compatible in the Hosted Services Specification and the Provider does not warrant or represent that the Hosted Services will be compatible with any other software or systems.
Customer acknowledges that Provider is not providing any legal, financial, accounting or tax advice under this Agreement or in connection with the Hosted Services; and except as expressly provided in this Agreement, Provider does not warrant or represent that the Hosted Services or Customer's use of the Hosted Services will not give rise to any legal liability on the part of Customer or any other person.
Nothing in this Agreement shall:
(a) limit or exclude any liability for death or personal injury resulting from negligence;
(b) limit or exclude liability for fraud or fraudulent misrepresentation;
(c) limit any liability in any way not permitted by applicable law; or
(d) exclude any liability which may not be excluded under applicable law.
The limitations and exclusions of liability set forth in this Section and elsewhere in this Agreement:
(a) are subject to this paragraph; and
(b) apply to all liabilities arising out of or in connection with this Agreement, including liabilities in contract, tort (including negligence) and for breach of statutory duty, except as otherwise expressly provided in this Agreement.
Neither party shall be liable to the other for:
(a) any loss arising from an event of force majeure;
(b) any loss of (i) profits or anticipated savings, (ii) revenue or income, (iii) use or production, or (iv) business, contracts or opportunities; or
(c) any special, indirect or consequential loss or damage.
If a Force Majeure Event results in a failure or delay in the performance by either party of any obligation under this Agreement (other than an obligation to make a payment), such obligation shall be suspended for the duration of the Force Majeure Event.
A party that becomes aware of a Force Majeure Event that causes or is likely to cause a failure or delay in that party's performance of any obligation under this Agreement shall:
(a) promptly notify the other; and
(b) inform the other of the period of time for which such failure or delay is expected to continue.
A party whose performance of its obligations under this Agreement is affected by a Force Majeure Event shall take reasonable steps to mitigate the effects of the Force Majeure Event.
If any provision of this Terms is determined by any court or other competent authority to be unlawful and/or unenforceable, the other provisions of this Agreement will continue in effect. If any unlawful and/or unenforceable provision would be lawful or enforceable if part of it were deleted, that part will be deemed to be deleted, and the rest of the provision will continue in effect (unless that would contradict the clear intention of the parties, in which case the entirety of the relevant provision will be deemed to be deleted). Section 139 of the German Civil Code (BGB) is excluded.
dytab GmbH may display the Customer as a reference customer on its websites by displaying the Customer's logo.
dytab offers a management system (data, documents and processes) for the regulatory needs of medical device and IVD manufacturers. dytab provides a system validation and keeps it up to date. Pre-validation is performed according to ISO/TR 80002-2:2017 "Validation of software for medical device quality systems" and ISO 13485:2016 (Section 4.1.6, validation of systems), including digital approval of documents and data entries in accordance with 21 CFR Part 11.
In order to fulfil the retention periods for all resulting records under all applicable regulatory requirements (resulting from the MDD, the MDR, ISO 13485:2016 and FDA 21 CFR part 820-170), all records (data, records and documents) are kept and archived for at least 20 years when using dytab - meddevo.
Applicable server security standards are: ISO/IEC 27001:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2019 and ISO 9001:2015.
This Acceptable Use Policy (the "Policy") sets out the rules that apply to:
(a) your use of the website at app.meddevo-cloud.com, any successor website and the services available on this website or any successor website (the "Services"); and
(b) the transmission, storage and processing of content by you or anyone on your behalf using the Services ("Content").
References in this policy to "you" are to any customer of the Services and any individual user of the Services (and "your" should be construed accordingly); and references in this policy to "us" are to meddevo (and "we" and "our" should be construed accordingly).
By using the Services you agree to be bound by the rules set out in this Policy.
We will ask you to expressly agree to the terms of this Policy before you upload or submit any Content or otherwise use the Services.
General Rules of Use
You must not use the Services in any way that causes or is likely to cause damage to the Services or impair the availability or accessibility of the Services.
You may not use the Services
(a) in any way that is unlawful, illegal, fraudulent, deceptive or harmful; or
(b) in connection with any unlawful, illegal, fraudulent, deceptive or harmful purpose or activity.
You must ensure that all Content complies with this Policy.
Content must not be illegal or unlawful, violate the rights of any person or give rise to any legal action against any person (in each case in any jurisdiction and under any applicable law).
The Content, and our use of the Content in any manner licensed or otherwise authorized by you, must not:
(a) be defamatory or maliciously false;
(b) be obscene or indecent;
(c) infringe any copyright, moral right, database right, trade mark right, right of publicity, right of passing off or any other intellectual property right;
(d) be in breach of any right of confidence, right of privacy or right under data protection legislation;
(e) constitute negligent advice or contain negligent statements; or
(f) constitute an incitement to commit a criminal offence, instructions for the commission of a criminal offence or the promotion of such an offence.
You must ensure that the Content is not and has not been the subject of any threatened or actual legal proceedings or similar complaints.
You shall not engage in any systematic or automated data scraping, data mining, data extraction or data harvesting or any other systematic or automated data gathering activity through or in connection with the Services.
You must not link to any material on or through the Services that, if made available through the Services, would violate the provisions of this Policy.
The Content must not contain or consist of, and you must not promote, distribute or run through the Services, any viruses, worms, spyware, adware or other harmful or malicious software, programs, routines, applications or technologies.
The Content shall not contain or consist of, and you shall not promote, distribute or execute through the Services, any software, program, routine, application or technology that will or is likely to have a material adverse effect on the performance of a computer or introduce a material security risk to a computer.
This agreement on data processing on behalf of the Controller ("DPA") is concluded between the Customer (Controller) and the Provider (Processor).
The Controller and the Processor are individually referred to as the "Party", and jointly the "Parties"
This DPA sets out the obligations of the Parties under data protection legislation and covers all activities during which the Processor or, if admissible, persons acting on the Processor's behalf process personal data of the Controller, as defined in Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"), in particular, where applicable, in connection with activities under the Agreement (as defined below). Unless the Parties agree otherwise, the terms of the GDPR shall apply to this DPA.
The Processor shall provide services on behalf of the Controller in accordance with the Agreement on the Software as a Service meddevo Cloud (the "Agreement"; the services provided under it are jointly referred to as the "Services").
The Processor shall process the types of personal data of the categories of data subjects referred to in the following. This concerns all relevant information that is required to provide the Services, including the following:
Categories of personal data
Except where agreed otherwise, the processing of data shall exclusively take place in Germany, in a Member State of the EU or in the EEA. Any (full or partial) outsourcing of the processing to a third country requires the prior notification to the Controller and may only be performed by the Processor, if the conditions pursuant to Art. 44 et seqq. GDPR have been fulfilled. Thus, in this event the Processor must ensure compliance with these conditions. The Processor must ensure that the data is transferred on a lawful basis, e.g.
Responsibility and Instructions
Pursuant to Art. 4 No. 7 GDPR, the Controller is responsible for the lawfulness of the data processing, including the specification of its scope, purpose and means. If necessary, it may, inter alia, request the rectification, blocking, erasure or disclosure of personal data. Personal data shall be processed exclusively in accordance with the agreements concluded and the documented instructions of the Controller.
The Controller is entitled to modify, supplement or replace its instructions at any time. This will generally be done in writing or in a documented electronic format. The Controller shall at least confirm verbal instructions in writing.
Changes in the subject matter of processing and changes in procedures must be mutually agreed upon and documented.
If the Processor believes that an instruction given by the Controller violates the law, including data protection laws, it shall notify the Controller thereof without undue delay. The Processor shall be entitled to suspend the execution of the relevant instruction until the Controller has examined and confirmed or amended the instruction.
The following persons are authorized to give instructions to the Processor on behalf of the Controller: Users with the Role "Administrator"
The following persons are authorized to receive instructions from the Controller on behalf of the Processor:
Michael M. Kania/ CEO/ firstname.lastname@example.org
Matthias Risto/ CTO/ email@example.com
In the event of a change or prolonged absence of the contact persons, the other party shall be notified of the relevant representatives, at least in electronic form.
Technical and Organisational Measures ("TOM") of the Processor
The Processor shall structure its organization in such a way as to protect personal data against misuse and loss in accordance with the specific data protection requirements and, in particular, to ensure the security of the processing (Art. 28(3) and Art. 32 GDPR in conjunction with Art. 5(1) and (2) GDPR). This means, among other things, ensuring a level of security appropriate to the risk in terms of the ability to ensure the confidentiality, integrity, availability and resilience of the systems. The state of the art, the cost of implementation and the nature, scope and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of data subjects, must be taken into account.
The TOM are set out below, which the Processor shall provide and comply with in order to secure and protect the personal data. The Processor shall provide evidence of these TOM to the Controller and, if necessary, to the competent supervisory authorities at any time upon written request. The Processor shall regularly monitor its internal processes and the TOM in order to ensure that the processing is carried out in compliance with current data protection legislation and to protect the rights of the data subjects. The TOM are subject to technological progress and continuous development. The processor may implement alternative appropriate measures provided that the contractually agreed level of data protection is maintained. Significant changes shall be documented and reported to the Controller.
Cloud Security: ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO 9001
Application Security: Regular Penetration Tests by 3rd party, Information Security Policy
Security Features: 2FA, Password Policy, Security Audits, End-to-End Tests
Further Obligations of the Processor
The Processor must ensure compliance with the legal obligations pursuant to Art. 28 to 33 GDPR. This applies in particular to:
Purpose limitation: The Processor and all persons under its authority, including authorized subcontractors, who process personal data may do so only within the scope of this DPA, unless the applicable law within the EU provides for a different type of processing.
Notification: The Processor shall, without undue delay, fully inform the Controller if, during the course of the control of the processing activities, the Processor identifies errors or irregularities with respect to the data protection provisions or this DPA.
Data Protection Officer(s): The Processor has appointed a Data Protection Officer (Art. 38 GDPR). He or she may be contacted at the following contact information: Michael M. Kania. Additional contact information will be provided to the Controller upon request. The Controller will be informed of any changes without undue delay.
Data Secrecy/Confidentiality: The Processor shall only authorize persons to process personal data who have agreed to maintain confidentiality and who have been previously briefed on the relevant data protection provisions. They must be informed that data confidentiality may continue to apply even after their duties have ceased. This shall not affect the Processor's legal duty of disclosure. The Processor is aware that it is obliged to maintain confidentiality with regard to secrets (e.g. § 203 of the German Criminal Code, or similar provisions in the respective country, including telecommunications secrets) which have been entrusted to it or otherwise made known to it in the course of its activities, and that this obligation shall survive the termination of this Agreement. It shall inform the persons employed by it for the performance of this DPA and, if applicable, subcontractors about the applicable legal content and the consequences of a violation of these obligations, and shall insist on the corresponding confidentiality.
Sub-contractual Relationships and Sub-contracting
Sub-contractual relationships with sub-processors are those services that are directly related to the provision of the Processor's main service, i.e. they are not ancillary services such as postal or logistical services or the mere disposal of data carriers. Even in the case of outsourced ancillary services, the Processor is required to implement legally compliant arrangements, including monitoring measures, to ensure data protection and security.
The Processor shall carefully select subcontractors and may only instruct or replace the subcontractor with the Controller's prior consent (at least in text form). In accordance with Art. 28 GDPR, it shall impose on all sub-processors the same data protection obligations as set out in this Agreement, in particular with regard to confidentiality, TOM and control rights, and shall ensure compliance therewith. Prior to the commencement of data processing by the sub-processor, and on a regular basis thereafter, the Processor shall review the implementation of the measures by the sub-processor, document the result and provide this information to the Controller upon request. The Controller may at any time request the Processor to provide information regarding the obligations of the sub-processors or other service providers in connection with this Agreement or the Policy.
If the Sub-Processor provides its services outside the EU and/or the EEA, the Processor shall ensure compliance with data protection laws.
Provided that the requirements of this paragraph are met, the Controller consents to the instruction of the following Sub-Processors:
Sub-contractors (including business address and place of processing)
Cooperation and Information
The Controller is responsible for upholding the data subjects' rights to information and access and all other rights of the data subjects. The Processor shall cooperate with the Controller in fulfilling these obligations, in particular with respect to ensuring the right to data portability, and shall provide the Controller with the information necessary to fulfill these obligations.
The Parties shall cooperate with respect to requests from data subjects or supervisory authorities. Where data subjects contact the Processor directly, the Processor shall promptly forward such information to the Controller.
The Processor shall assist the Controller in complying with its obligations under data protection law regarding the security of personal data, notification of personal data breaches, data protection impact assessments and prior consultation (Articles 32 to 36 of the GDPR). Within the framework of the legal provisions, this includes, inter alia:
- ensuring an adequate level of security through TOM, including prompt identification of relevant breaches;
- prompt notification of personal data breaches;
- assisting with communication obligations towards data subjects;
- assisting with regulatory matters;
- assisting in providing information to data subjects regarding the collection, processing or use of personal data.
The Processor shall inform the Controller without undue delay upon becoming aware of any breach of data protection on its part or on the part of persons or sub-processors employed by it, regardless of the cause. This includes, in particular, the loss, unlawful disclosure or acquisition of knowledge of personal data, as well as serious operational disruptions that may trigger the obligation to notify pursuant to Art. 33 GDPR. The duty to provide information shall apply mutatis mutandis to any inspections or other measures of the supervisory authority at the premises of the Processor, insofar as these are related to the processing of personal data under this Agreement or to the Controller in general. The Processor shall take all necessary measures to secure the data and to mitigate any possible adverse consequences for the Data Subjects and the Controller, and shall immediately consult with the Controller in this regard.
To the extent that the Controller is subject to supervision by a supervisory authority, an administrative offense or criminal proceeding, a liability claim by a data subject or a third party, or any other claim in connection with the processing under this DPA, the Processor shall provide the Controller with reasonable assistance.
The Processor shall grant the Controller a full right of inspection and access. The Processor shall ensure that the Controller can verify the Processor's compliance with its obligations pursuant to Art. 28 GDPR and shall, in particular upon request, provide the Controller with all information and relevant evidence (e.g. data processing agreement with sub-processors) and verify the implementation of the TOM, e.g. through expert opinions from independent agencies.
The Controller may verify that the Processor complies with this DPA and the applicable data protection regulations by conducting, at its own expense, audits on the premises of the Processor, either itself or through third parties who are bound to secrecy. Except in the event of imminent danger, such audits shall be announced with reasonable notice, shall be conducted during normal business hours and shall not unreasonably interfere with the business operations of the Processor. The Processor shall participate in such inspections as required.
Erasure and Return of Personal Data
The Processor shall, in principle, refrain from making copies or duplicates of the data without the knowledge of the Controller, except for the backup of data or copies necessary for the processing or for other activities pursuant to this DPA. In principle, personal data shall only be modified or deleted by the Processor on the instructions of the Controller or in order to comply with legal obligations.
Upon termination of this DPA, the Processor shall, in accordance with the legal provisions, hand over to the Controller or destroy all records, results of processing and use, and databases related to the processing and this DPA. Upon written request, the Processor shall provide the Controller with confirmation of the destruction.
Notwithstanding the foregoing, the Processor may be required to comply with statutory retention periods or other relevant storage obligations, i.e. documentation and similar records may have to be retained after the termination of this DPA, in particular where they serve to prove that the commissioned processing was carried out properly. At the end of these periods, the documentation must be destroyed in accordance with data protection regulations.
The liability of the Parties is governed by statute, in particular Art. 82 GDPR.
Should individual provisions of this DPA be invalid or unenforceable in whole or in part or become invalid or unenforceable due to changes in the legal situation after the conclusion of the contract, this shall not affect the remaining provisions and the validity of the DPA as a whole. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision that comes closest to the purpose of the invalid or unenforceable provision. In the event of a loophole in the DPA, a provision shall be deemed to have been agreed which corresponds to the purpose of the DPA and which would have been agreed if the parties had been aware of the loophole.
In the event of a conflict between the provisions of this DPA and its appendices, the provisions of this DPA shall prevail. Amendments and supplements to this DPA, including its appendices, must be made in writing, unless otherwise specified. This also applies to any waiver of this formal requirement.
German law shall apply. The place of jurisdiction is the domicile of the Controller.