Cozero
Legal

Terms of Service

1. Scope

1.1 Cozero GmbH, Zionskirchstraße 73a, 10119 Berlin (hereinafter referred to as “Cozero”) operates a business-to-business software-as-a-service platform which allows business customers to collect, evaluate & manage emission data in order to optimize their carbon footprint and sustainability communication.

1.2 These Terms of Service (hereinafter referred to as “Terms”) apply to all contracts concluded in the context of the business relationship between Cozero and its business customers in connection with the software-as-a-service solutions offered by Cozero.

1.3 These Terms shall apply exclusively. Differing, conflicting or additional terms and conditions on the part of the Customer shall only become part of the Contract to the extent to which Cozero has expressly agreed to their validity in writing. This requirement for agreement shall apply even if Cozero unreservedly begins providing the services despite being aware of the Customer’s own general terms and conditions.

1.4 In case of contradictions between provisions of the Individual Contract and these Terms, the provisions of the Individual Contract shall prevail.

2. Definitions

The capitalised terms used in these Terms shall have the meanings as defined in this Clause 2:

2.1. “​Additional Services” means the additional services, if any, to be provided by Cozero under the Individual Contract.

2.2. “​Authorised Users​” means the Customer’s employees who are authorised to access the SaaS Services within the scope of the rights of use acquired by the Customer.

2.3. “Co-Creation” means the period of time that is characterized by a project-based collaboration between Cozero and the Customer to set up the SaaS-platform to the preferences and requirements of Customer organization and underlying business processes.

2.4. “​Confidential Information​” means all information disclosed to one party by the other party, whether in writing, electronically or orally, digitally or in any other form, insofar as such information (a) involves the trade secrets protected under Sect. 2(1) of the German Trade Secrets Act (GeschGehG), and/or (b) relates to the business interests and affairs of the respective party or those of affiliated enterprises within the meaning of Sect. 15 of the German Stock Corporation Act (AktG) and is expressly marked as “confidential” or should be considered confidential due to the nature of the information or the circumstances of its disclosure. Confidential Information includes, but is not limited to, information relating to technologies, inventions, software and/or hardware, new products, intellectual property, know-how, marketing plans, financial situations, business strategies, business relationships, business plans, business calculations, pricing policy or personnel matters of one of the parties. Confidential Information also includes the content of the Individual Contract concluded between the Customer and Cozero.

2.5. “Consulting Services” means individually agreed consulting services, which Cozero provides to the Customer on the basis of an Individual Contract.

2.6. “​Contract​” is the Individual Contract including these Terms.

2.7. “​Contractual Services​” are the SaaS Services and/or Additional Services to be provided according to the Individual Contract.

2.8. “​Customer​” means Cozero’s contractual partner named in the Individual Contract.

2.9. “​Customer Data​” means all profile information and data as well as other content and information that the Customer provides to Cozero in connection with the use of the SaaS Services. Customer Data includes Emission Data.

2.10. “Emission Data” means all non-personal information and data provided by users that serve as a basis to calculate and/or analyze the footprint of a Customer, including the information from Logs, which the Customer collects from suppliers and own customers and/or processes by means of the SaaS Services.

2.11. “Feedback” means Customer's opinions, comments or suggestions regarding any possible development, modification, correction, improvement or enhancement of Cozero's software, products and/or services.

2.12. “Force Majeure” means events or circumstances that could not have been foreseen at the time of Contract conclusion despite reasonable care, are beyond Cozero’s sphere of influence, and could not have been avoided or overcome by reasonable measures on the part of Cozero. In particular, these include but are not limited to: a) war and other military conflicts, terrorist attacks, civil war, riots, insurrections; b) currency and trade restrictions, embargoes; c) explosions and fires not caused by Cozero; d) floods, earthquakes, typhoons and other natural disasters or extreme natural events; e) epidemics/pandemics and diseases; f) labour unrest not caused by Cozero, such as industrial action; g) actions, failures to act or measures of a government or official orders; h) faults or failure of operating facilities (or parts thereof) not caused by Cozero, which are necessary for the fulfilment of the Contract.

2.13. “​GDPR​” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

2.14. “​Individual Contract​” means the SaaS contract concluded between the Customer and Cozero for the provision of SaaS Services and/or Consulting Services. An Individual Contract is also a contract that is concluded exclusively online via the Website. In these cases, the Individual Contract comes into effect with the order confirmation from Cozero.

2.15. “Personal Data” means personal identifiable information as defined in Art. 4 Nr. 1 GDPR.

2.16. “​Platform​” means the software-as-a-service platform operated by Cozero and accessible via the Website.

2.17. “​SaaS Services​” means the SaaS-based services provided by Cozero via the Platform by means of a software-as-a-service solution, including customer information and retention services.

2.18. “Support Services” means technical support services where Cozero will handle errors or faults that occur in the SaaS Service and have been reported to Cozero. An error exists in particular if the SaaS Service does not fulfil the functions specified in the Individual Contract or the service description. An error shall not be deemed to exist if the aforementioned malfunctions occur as a result of improper handling of the SaaS Service and/or breaches of obligations by the Customer.

2.19. “Website​” means the website operated by Cozero, which is ​available at: https://cozero.io/.

3. Object of the Contract, Contract conclusion, amendments to the Terms

3.1. The object of the Contract is the provision of the SaaS Services commissioned by the Customer and agreed in the Individual Contract as well as the provision of additional services, if and insofar as these are specified in the Individual Contract.

3.2. Cozero reserves the right to amend or supplement these Terms with effect for the future. Cozero shall inform the Customer about any amendments and supplements by notifying the Customer of the content of the amended or supplemented provisions in text form (e.g. by email or by notification when logging onto the Platform) in advance and with a reasonable period of notice, but at least four weeks before the amendments/supplements are scheduled to take effect. The amendments/supplements shall be deemed accepted by the Customer if it does not object to the amendments/supplements in text form within four weeks of receipt of the notification. If, however, the Customer objects in accordance with the previous sentence, the Contract shall continue to apply unchanged under the previous conditions. In its notice of the change, Cozero shall point out to the Customer separately the Customer’s right of objection and the aforementioned legal consequences of not responding.

4. Scope of service, authority to change

4.1. Cozero shall make the contractual SaaS Services available to the Customer for temporary use by means of remote access via the internet. For this purpose, Cozero stores the Platform on a server which the Customer can access via an internet connection.

4.2. The concrete scope of services and functions of the SaaS Services as well as the scope of the other Contractual Services shall be specified in the Individual Contract. A description of the SaaS services is available at https://wiki.cozero.io/.

4.3. This Contract covers neither the Customer’s connection to the internet and maintenance of the network connection nor the procurement and provision of the hardware required for this on the part of the Customer. The Customer shall be obliged to create and maintain the technical prerequisites for access to the SaaS Services in its own area, at its own expense and risk.

4.4. The SaaS services can be used without additional support from Cozero. If the Customer wishes to make use of onboarding services or other services in connection with configuration, customizing, integration, Co-Creation, training or adaptation of the SaaS Services a separate assignment and a separate remuneration is required.

4.5. Cozero shall take suitable precautions against data loss and to prevent unauthorised access by third parties to Customer Data, as far as this is possible with reasonable financial and technical effort. In particular, Cozero shall make regular backups and install state-of-the-art firewalls and regularly updated virus scanners on the Cozero servers in order to prevent unauthorised access to Customer Data and to prevent the transmission of malicious code (viruses, Trojans, diallers, etc.).

4.6. Cozero continuously develops and enhances the SaaS Services and the Platform. Updates to the core product shall always be provided to the Customer free of charge. However, in the event of extensive updates and extensions of the functional scope (e.g. the addition of modules) of the Platform or the SaaS Services, Cozero shall be entitled to classify these as a new product or upgrade and make them available to the Customer for an additional fee. Insofar as Cozero provides such upgrades and extensions free of charge, the Customer shall have no legal claim to their provision. Cozero shall inform the Customer about any discontinuation of the free services.

4.7. Cozero reserves the right to make changes in order to adapt the Platform and SaaS Services to the state of the art, changes for optimisation purposes (in particular to enhance user-friendliness), as well as changes to content, insofar as the latter are necessary to correct errors, for updating and completing content, for technically optimising programs or for licensing reasons. If such a change leads to a not only insignificant devaluation of the Contractual Services, the Customer shall be entitled to either demand a reduction of the remuneration in line with the devaluation or terminate the Contract without notice. This right of termination may be exercised within a period of eight weeks from the occurrence of the change.

5. User account, access data

5.1. The Customer’s access to the SaaS Services shall be password-protected via the Platform, using the access data assigned to the Customer by Cozero. Cozero shall provide the Customer with access data for the number of users agreed upon in the Individual Contract. For technical reasons, access data for a personal login will only be sent by email with an encrypted link. For this reason, the Customer must inform Cozero of the corresponding email addresses of the Authorised Users. The access data is individualised and may only be used by the Customer concerned or the Authorised Users. The Customer shall instruct the Authorised Users to choose a sufficiently secure password and to keep their access data, including the password, secret and to protect this information against unauthorised access by third parties. For security reasons and to prevent misuse, Cozero recommends that Customers change their passwords at regular intervals.

5.2. The sharing of access data and otherwise permitting or enabling the use of user accounts or the SaaS Services by third parties is strictly prohibited.

5.3. The Customer shall be obliged to inform Cozero without undue delay if it is aware of or suspects misuse of access data or passwords. In the event of misuse or suspected misuse, Cozero shall be entitled to block access to the Platform until the circumstances have been clarified and the misuse has ceased. Cozero also reserves the right to change the Customer’s access data for security reasons; in such cases, Cozero shall inform the Customer without undue delay. This shall not affect the assertion of further rights and claims by Cozero, in particular claims for damages.

6. Availability of the SaaS Services (Service-Level Agreement – SLA)

6.1. During the Contract period, the Cozero shall provide the Customer with the SaaS Services with an availability of 99.5% (per calendar year). This means the availability of the SaaS Services at the handover point where the system interfaces with the internet.

6.2. Availability shall be calculated according to the following formula: Availability = (total time - total downtime) / (total time * 100 %)

6.3. The following times shall not be considered when calculating the total downtime:

A. Periods of unavailability due to scheduled maintenance work on the Platform.

B. Periods of unavailability due to essential unscheduled maintenance work required to eliminate faults; if possible, Cozero shall inform the Customer of this by means of a notice on the Website.

C. Periods of unavailability that are due to internet faults or other circumstances beyond Cozero’s control, in particular Force Majeure.

7. Support Services

7.1. Cozero will provide the Customer with Support Services during the Contract period without additional remuneration. Depending on the Customer’s choice, Support Services shall be provided by the Customer Success Manager assigned to the Customer (by phone or email), or by Cozero’s general email support (which is available at: support@cozero.io). The Customer’s dedicated Customer Success Manager shall be informed about each support case and assist in finding a solution. Support Services shall be available from Monday to Friday from 9am until 6pm (CET). This shall not apply on days that are public holidays in Berlin or on 24 and 31 December of each year. Requests received outside of these support hours shall be deemed to have been received during the next working day. During business hours, the initial response to all support requests shall occur within no more than 24 hours. All support requests shall be processed as quickly as possible and prioritised according to the following disruption severity levels:

A. First severity level: Critical software fault leading to a total failure of the SaaS Services.

B. Second severity level: The use of the SaaS Services is considerably limited, as the main features of the SaaS Services are not available.

C. Third severity level: Minor faults affecting non-essential features of the SaaS Services.

7.2. Support Services shall not include any Consulting Services or other Additional Services, such as, customizing, integration, Co-Creation and training or adaptation of the Platform and/or SaaS Services.

7.3. Support Services will not be provided during the period of Co-Creation.

8. Consulting Services

8.1. If Consulting Services are agreed in an Individual Contract, the Terms of this Contract shall apply. The specific scope of Consulting Services and the remuneration for them shall be regulated in the respective Individual Contract.

8.2. Cozero shall provide the Consulting Services through suitable employees or subcontractors. A right to claim the performance of services by certain persons does not exist. The Customer is not authorized to give instructions to the employees of Cozero.

8.3. Cozero shall determine the manner of service provision itself, unless otherwise agreed. The Customer shall only be entitled to a specific form of presentation of the results if this has been expressly agreed.

9. Duties of cooperation on the part of the Customer

9.1. The Customer shall support the execution of the Contract by actively cooperating in an appropriate manner. In particular, the Customer shall be responsible for ensuring, at no charge, all prerequisites within its sphere of operation that are necessary for the proper provision of Cozero’s services. This shall include, in particular, the conditions set out in the Individual Contract as well as those specified in the following Clauses 9.2 to 9.4.

9.2. The Customer shall be required

A. to create and maintain the technical prerequisites for access to the SaaS Services in its own area, particularly with regard to the hardware and operating system software used, connection to the internet and ensuring that its browser software is up to date;

B. to take the necessary precautions to secure its systems during the entire Contract period, in particular to use the standard browser security settings and to employ up-to-date protection mechanisms to guard against malware;

C. to ensure that the data stored in its user account is always up to date. In the event of changes or inaccuracies in the stored data, the Customer must update or correct this information without undue delay and without being asked​.

9.3. Notwithstanding Cozero’s obligation to back up data according to Clause 4.5 the Customer shall be responsible for maintaining and protecting the Customer Data and undertakes to back these up regularly. Every data backup by the Customer must be carried out in such a way that the recovery of Customer Data is possible at any time. The SaaS Service provides corresponding backup functionalities.

9.4. The Customer shall be required to inform Cozero in text form about any service disruptions (service defects, lack of availability) without undue delay after becoming aware of them, and shall use reasonable efforts to assist Cozero in eliminating the service disruptions.

10. Further obligations on the part of the Customer, prohibited activities, indemnification

10.1. The Customer shall be required to use the SaaS Services provided by Cozero only to the contractually agreed extent and for the contractually intended purpose and within the framework of the applicable legal provisions, and to refrain from all actions that could endanger or disrupt the functioning of the SaaS Services.

10.2. In particular, the Customer shall be obliged

A. not to use the SaaS Services to create, store or send any content that is pornographic, glorifies violence, is discriminatory, prohibited by law, harmful to young people, in violation of moral standards or harmful to public order and safety;

B. not to violate any copyright (e.g. for photos, graphics), trademarks (e.g. logos) and other property rights or other legally protected goods of Cozero or third parties (e.g. personal rights) when using the SaaS Services;

C. when using the SaaS Services, to observe and comply with all existing statutory information obligations (e.g. the obligation to provide a provider identification in accordance with Sect. 5 of the German Telemedia Act (TMG));

D. not to use the SaaS Services to send unsolicited messages that could be considered spam;

E. to access the SaaS Services exclusively via the interfaces provided by Cozero;

F. to ensure that its information and data transmitted via the SaaS Services are not infected with viruses, worms or Trojans;

G. not to use any devices, products or other means that serve to circumvent or overcome technical measures used by Cozero for the prevention of unauthorised use;

H. not to use any web crawlers, robots, spiders, site search/retrieval applications or other automated means or comparable technologies to access the SaaS Services or to retrieve or evaluate content.

10.3. The Customer shall be obliged to inform the Authorised Users of the above provisions and to ensure compliance with them.

10.4. The Customer shall indemnify Cozero against all claims asserted by third parties against Cozero due to violation of their rights or due to rights infringements caused by content created or transmitted by the Customer using the SaaS Services. The Customer shall also bear the necessary costs of Cozero’s legal defence in this regard, including court and lawyer fees. This indemnification shall not apply if the Customer is not responsible for the rights infringement. This shall not affect the assertion of further rights and claims by Cozero, in particular the right of extraordinary termination for good cause and claims for damages.

11. Intellectual property, rights of use, naming of references

11.1. The Platform and the SaaS Services, including the homepage layout, the graphics and images used, the content as a whole as well as individual pieces of content including the system presentation texts, as well as the software code on which the SaaS Services and the Platform are based and any work result of Additional Services by Cozero may be protected in whole or in part by copyright or other intellectual property rights. All rights are exclusively reserved by Cozero or Cozero’s licensors.

11.2. In particular, the Customer shall be prohibited from

A. reproducing, modifying, adapting, translating, decompiling, disassembling or deriving the Platform or the SaaS Services, performing reverse engineering, or otherwise attempting to derive the source code underlying the SaaS Services or the Platform.

B. using, evaluating or displaying the Platform or the SaaS Services in order to construct, modify or otherwise create a network environment, a program, an infrastructure or parts thereof with features comparable to those of the SaaS Services or the Platform.

This shall not affect the mandatory legal regulations on permissible use pursuant to Section 69d para. 2 and 3 and Section 69e of the German Copyright Act.

11.3. In accordance with the Individual Contract and the following provisions, the Customer shall be granted the non-exclusive, non-transferable right, limited to the duration of the Individual Contract, to access the SaaS Services and the Platform and to use work result of Additional Services. This right of use shall be limited to the number of Authorised Users specified in the Individual Contract. Cozero shall be entitled to take technical measures to prevent use beyond the permissible scope, in particular to install access barriers.

11.4. In its relationship with Cozero, the Customer shall be entitled to all rights to the Emission Data. However, the Customer shall grant Cozero the irrevocable right, free of charge, to collect Emission Data in anonymous form to the extent permitted by law, and to use this to create statistical reports and presentations, to provide and enhance the Platform and SaaS Services, and to provide enhanced features. The Customer shall have no rights whatsoever to the aggregated data and results.

11.5. Cozero shall be entitled to include the Customer in Cozero’s reference list and to name the Customer in a suitable manner as a reference on the Website and in printed and digital marketing and advertising materials. For this purpose, the Customer shall grant Cozero free of charge a non-exclusive, worldwide, non-transferable right to use the Customer’s company name and logo. If using the company name and/or logo is subject to particular requirements, the Customer shall inform Cozero of these without request. The Customer shall be entitled to withdraw the granted right of use at any time, with effect for the future, by submitting a notification to that effect in text form.

12. Remuneration and payment, payment terms

12.1. The remuneration owed by the Customer for the Contractual Services shall be specified in the Individual Contract.

12.2. The remuneration for the Contractual Services shall be paid in advance for the service or billing period specified in the Individual Contract and the subsequent extension periods.

12.3. Unless otherwise expressly agreed in the Individual Contract, invoices issued by Cozero shall be due for payment in full within 7 days after receipt by the Customer. Cozero shall be entitled to send invoices to the Customer by email or to make them available to the Customer online.

12.4. Any set-off of claims by the Customer against claims of Cozero shall only be possible to the extent to which the Customer’s claims are legally established or not disputed.

12.5. All prices are in euros and – unless they are expressly referred to as gross prices – do not include the statutory turnover tax applicable at the relevant time. Unless expressly stated otherwise, the Customer shall be responsible for all other taxes and duties that apply to the sale and use of the SaaS Services and Additional Services. The Customer shall pay Cozero for the SaaS Services and Additional Services without any deductions for such taxes and duties. If Cozero is obligated to levy or pay such taxes and duties, Cozero shall invoice the Customer for these taxes and duties, unless the Customer submits to Cozero a valid exemption certificate issued by the competent tax office which states that no tax needs to be levied.

13. Restriction/blocking of the user account

13.1. Cozero reserves the right to temporarily or permanently restrict the Customer’s use of the SaaS Services or to temporarily or permanently block the Customer’s access to the SaaS Services if

A. there is concrete evidence that the Customer has allowed or in any other way deliberately enabled an unauthorised third party to use the user account or the access data;

B. there is concrete evidence that a breach of one of the obligations under Clauses 10.1 and 10.2 has occurred;

C. there is concrete evidence of misuse, unauthorised or fraudulent use of the user account or such use is to be feared on the basis of concrete evidence;

D. the Customer fails to pay the remuneration owed within 30 days of the due date, despite a reminder;

E. the Customer repeatedly violates other provisions of these Terms despite a warning;

F. other circumstances exist that would entitle Cozero to terminate the Contract for good cause.

13.2. When selecting measures according to Clause 13.1, Cozero shall take into account its own operational requirements and liability risks as well as the legitimate interests of any claimants and the Customer (e.g. fault, weight of the breach of duty, risks, statement by the Customer) in an appropriate manner.

13.3. Cozero shall inform the Customer without undue delay of any temporary or permanent restriction or blocking of its user account, stating the reasons.

14. Limitations of Liability

14.1. Cozero shall only be liable without limitation for damages in case of intent and gross negligence on the part of Cozero, its vicarious agents and/or legal representatives. With regard to damages caused by slight negligence, Cozero shall only be liable in case of a breach of an essential contractual obligation. Essential contractual obligations are those obligations whose fulfilment make possible the correct execution of the Contract in the first place and on whose compliance the Customer may regularly rely. In the event of a breach of such an essential contractual obligation, the liability of Cozero shall be limited to the damages typical for this type of contract which Cozero could have foreseen at the time when the Contract was concluded based on the circumstances known at that time. For an individual case of damage, liability is limited to the amount of remuneration per contract year, but not less than EUR 10,000.

14.2. Cozero shall be liable for the loss of data in accordance with the preceding paragraph only if and insofar as such a loss could not have been avoided by the Customer through appropriate data backup measures.

14.3. The aforementioned limitations of liability as well as all other limitations of liability contained in these Terms shall not apply in the event of the assumption of express guarantees, in the event of claims due to a lack of warranted characteristics, or to damages resulting from injury to life, limb or health. In these cases, Cozero shall also be liable without limitation for slight negligence. The liability of Cozero under the German Product Liability Act also remains unaffected.

15. Force Majeure

15.1. If Cozero is completely or partially prevented from fulfilling the Contractual Services due to Force Majeure, Cozero shall be released from these obligations for the period and to the extent that Force Majeure prevents its performance.

15.2. As soon as Cozero becomes aware of a situation involving Force Majeure that completely or partially prevents Cozero from fulfilling the Contractual Services, Cozero shall be required to notify the Customer without undue delay (“notification”) and, as far as reasonably possible, to provide the Customer with an estimate of the extent and the expected duration of its inability to perform within 10 working days. If the notification is not issued without undue delay, Cozero shall only be released from its obligation to perform from the point in time when the notification is issued.

15.3. If Cozero invokes Force Majeure, Cozero shall make every economically reasonable effort to minimise the extent of the consequences caused by the Force Majeure for the Contractual Services. Cozero shall regularly inform the Customer in an appropriate manner about the current status as well as the extent and the expected duration of the impediment to performance.

15.4. The Customer shall be released from its payment obligation to the extent that and for as long as Cozero is prevented from fulfilling the Contractual Services due to Force Majeure. Cozero shall refund the Customer any relevant amounts already paid.

15.5. As soon as it becomes clear that the Contractual Services cannot be fulfilled, or cannot be fulfilled in full, for more than 3 months due to Force Majeure, each party shall be entitled to terminate the Contract with immediate effect.

16. Confidentiality

16.1. With regard to Confidential Information of the other party, each party shall be obliged to

A. keep such information strictly confidential and only use it in connection with the contractual purposes;

B. take appropriate confidentiality measures to secure such information against unauthorised access by third parties. This also includes technical security measures that take into account the state of the art (Art. 32 GDPR);

C. only disclose or pass on such information to those employees and bodies as well as commissioned service providers who or which need to know this information for the execution of the Contract, and who or which are subject to an obligation to maintain confidentiality that guarantees at least the same level of protection as this agreement;

D. not disclose or pass on such information to third parties, unless the third party is a consultant or potential investor of the receiving party and the respective consultant or investor is subject to an obligation to maintain confidentiality that guarantees at least the same level of protection as this agreement or is already professionally bound to secrecy.

16.2. The confidentiality obligations under Clause 16.1 shall not apply to Confidential Information that can be proven to

A. have been known or generally accessible to the public before its communication or transfer or becomes known or generally accessible to the public at a later date, as long as there is no breach of a confidentiality obligation;

B. have been already known to the receiving party prior to disclosure by the disclosing party, as long as there is no breach of a confidentiality obligation;

C. have been developed independently by the receiving party without using or referring to the Confidential Information of the disclosing party;

D. have been handed over or made available to the receiving party by an authorised third party, as long as there is no breach of a confidentiality obligation; or

E. be required to be disclosed due to mandatory legal provisions or a decision of a court and/or an authority.

16.3. The confidentiality obligations under this Clause 16 shall remain in force for a period of 2 years after termination of the Contract.

17. Data protection

17.1. Cozero shall process Personal Data only in accordance with the documented instructions of the Customer and only for the contractually agreed purposes in accordance with Art. 28(3) GDPR and in accordance with the Data Processing Agreement attached as Attachment DPA. The Data Processing Agreement becomes an integral part of the Contract even without a separate signature. In case of discrepancies between this contract and the Data Processing Agreement, the Data Processing Agreement shall prevail.

17.2. The Customer, as the controller in the sense of Art. 4(7) GDPR, shall be responsible for the legality of the collection, processing and use of Personal Data and for safeguarding the rights of its employees, customers and suppliers. Feedback

17.3. The Customer may submit Feedback to Cozero regarding Cozero's products and services at any time. There is no obligation to transmit Feedback.

17.4. The Customer grants to Cozero a non-exclusive, perpetual, irrevocable, worldwide, transferable, royalty-free license, with the right to grant sublicenses through multiple tiers under Customer's respective intellectual property rights, to use, publish and disclose Feedback, and to present, perform, copy, make, have made, use, sell and otherwise make available, in any manner and through any medium Cozero chooses, Cozero's and its sublicensees' products or services containing such Feedback. Cozero may use the Feedback, without any restriction or obligation to pay compensation to Customer, for any purpose whatsoever.

18. Contract term, consequences of termination

18.1. The beginning of the Contract, its duration and any ordinary rights of termination shall be regulated in the Individual Contract. This shall not affect the right of extraordinary termination.

18.2. If the Individual Contract does not contain any provision on termination rights, the contract may be terminated with six months' notice.

18.3. Cozero shall block the Customer’s access to the Platform immediately after termination of the contractual relationship and, at the choice of the Customer, permanently erase or return all of the Customer Data and other content no later than one month after termination of the Contract. This shall not affect any statutory retention periods and it shall not affect Cozero’s right to use Emission Data in an anonymized form. Once erased, the content cannot be restored. It shall be the responsibility of the Customer to ensure that it has backed up or copied all data it requires, in particular Customer Data, before termination of the contractual relationship. At the Customer’s written request, Cozero shall support the Customer in this process in return for appropriate remuneration and make the data available to the Customer on a standard data medium or by way of remote data transmission. The Customer must declare its request at the latest at the time of termination or, in the case of termination by Cozero, immediately after receipt of the notice of termination.

19. Transfer of rights and obligations

19.1. With the exception of the provisions in Clause 19.2, neither party may transfer its rights and obligations arising from the Contract to a third party without the consent of the other party.

19.2. Cozero shall be entitled to transfer the Contract in its entirety to an enterprise affiliated with Cozero within the meaning of Sect. 15 of the German Stock Corporation Act (AktG) as well as to any other third party, provided that this other third party acquires Cozero’s entire business or a substantial part thereof. Cozero shall notify the Customer of a planned transfer at least four weeks in advance in text form. In the event of such notice of transfer, the Customer shall have an extraordinary right of termination at the time when the planned transfer takes effect. In the notice of transfer, Cozero shall point out this right separately to the Customer. Notice of termination must be received by Cozero in text form within 14 days after the Customer receives the notice of transfer.

20. Severability Clause

If any provision of the Contract is found to be invalid, ineffective, or unenforceable, this shall not affect the validity, effectiveness and enforceability of the other provisions of the Contract. The parties undertake to replace the ineffective provision with a legally permissible provision that comes as close as possible to the purpose of the ineffective provision.

21. Applicable law and place of jurisdiction

21.1. The Contract shall be subject to German law.

21.2. The courts in Berlin shall have exclusive jurisdiction for all disputes arising from or in connection with this Contract.

Data Processing Agreement (DPA)

1. Preamble, Subject-Matter and Order of Precedence

1.1. General. This agreement (the "Data Processing Agreement") forms part of the master agreement between you and Cozero relating to the provision of our Services (the "Agreement").

1.2. Subject matter of the Data Processing Agreement. This Data Processing Agreement describes how Cozero will Process Personal Data that you provide to us in connection with your use of our Services, in accordance with the requirements of Data Protection Laws.

1.3. Conflicts. In case of any conflict, the provisions of this Data Processing Agreement shall take precedence over the provisions of the Agreement.

2. Definitions

Throughout this Data Processing Agreement, we may use certain words or phrases, and it is important that you understand the meaning of them. The list is not all-encompassing and no definition should be considered binding to the point that it renders this Data Processing Agreement nonsensical:

2.1. "Agreement" means the agreement between you and Cozero relating to the provision of our Services, as set forth in our Terms of Service.

2.2. "Customer" or "you" refers to you, the person who is entering into the Agreement (including this Data Processing Agreement) with Cozero; If you use our Services on behalf of an organization, you agree to these terms on behalf of that organization and you represent that you have the authority to do so. In such case, "Customer" or "you" will refer to that organization.

2.3. "Data Protection Laws" means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, applicable to the processing of personal data (including in connection with providing telecommunication services and conducting email marketing), and including, without limitation, the GDPR, the German Telecommunications and Telemedia Data Protection Act (TTDSG).

2.4. "GDPR" means the General Data Protection Regulation (EU) 2016/679.

2.5. "Process" or "Processing" means any operation or set of operations which is performed by Cozero as part of the Services upon /or Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

2.6. "Services" means the services that we provide through our Site, including our emission communication and engagement services.

2.7. "Site" means our website, https://cozero.io/, as well as the associated platform.

2.8. "Subprocessor" means a third-party subcontractor engaged by Cozero which, as part of the subcontractor's role of delivering the Services, will Process /or Personal Data.

2.9. "Data Contributor" means any identified or identifiable natural person who is an employee, supplier representative, customer representative or business contact of yours and who has been or will be contacted and/or engaged in the carbon management process by you through our Site.

2.10. "Spectator" means any identified or identifiable natural person who is an employee, supplier representative, customer representative or business contact of yours and who has been or will be contacted and/or informed in your organization’s sustainability communication by you through our Site.

2.11. “Personal Data” means personal identifiable information as defined in Art. 4 Nr. 1 GDPR. Personal Data can be included in Customer Data. Other terms have the definitions provided for them in the Agreement or in the GDPR or as otherwise specified below.

3. Scope, Duration, Type of Data Contributor Data and Spectator Data and Categories of Data Subjects

3.1. General Scope. Under the terms of this Data Processing Agreement, Cozero will Process Personal Data on behalf of Customer in accordance with article 28 GDPR.

3.2. Duration. This Data Processing Agreement shall be effective for the duration of Cozero's Services under the Agreement, and shall terminate automatically upon expiration or termination of the Agreement for any reason.

3.3. Scope, Nature and Purpose of Processing. The scope, nature and purpose of the Processing of Personal Data hereunder shall be as defined in the Agreement and in our Privacy Policy.

3.4. Types of Data. Processing may include the following types/categories of Personal Data: personal information including name or email address, job description, business location affiliation, provided personal pictures, IP address, usage data, device data, referral data, information from cookie and page tags.

3.5. Categories of Data Subjects. The persons concerned by the Processing hereunder are assigned to the following categories: (i) employees of Customer; (ii) suppliers of Customer and (iii) business contacts of Customer.

3.6. Exception. During the term of the Co-Creation Phase, this Data Processing Agreement has only limited applicability since the Service of Cozero is under early-stage development. Latest by the end of the Co-Creation Phase, the Data Processing Agreement shall enter into full force and effect.

4. Customer Instructions

4.1. Processing Instructions. During our Services, you may provide instructions to us in addition to those specified in this Data Processing Agreement with regard to the processing of Personal Data (each such instruction hereinafter, a "Processing Instruction") in connection with our Services. Any Processing Instruction must be in writing or in electronic form. We will process your Personal Data according to your instructions.

4.2. Change requests. Any Processing Instruction that amends or deviates from the terms of this Data Processing Agreement will constitute a change request and will be subject to the requirements set forth in section 14. We will negotiate in good faith with you with respect to any change in the Services and/or fees resulting from any Processing Instructions.

4.3. Compliance of Processing Instructions with Data Protection Laws. You are responsible for ensuring that your Processing Instructions comply with Data Protection Laws.

4.4. Notification. If we believe that a Processing Instruction infringes or violates the GDPR or other Data Protection Laws, we will immediately inform you thereof.

5. Obligations and Rights of the Customer

5.1. Customer as Controller. You will be the controller as defined in article 4 paragraph 7 GDPR. You shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which you have acquired Personal Data.

5.2. Record of Processing Activities. You will maintain a record of processing activities under your responsibility in accordance with article 30 GDPR.

5.3. Notification obligation. You will, without undue delay, inform us of any defect you may detect in our Services, and of any irregularity in the implementation of statutory regulations on data privacy.

6. Cozero Obligations

6.1. Processing solely for provision of Services. We will Process your Personal Data only on documented instructions from you and solely for the provision of the Services in accordance with article 28 paragraph 3 a) to h) GDPR and will not otherwise (i) Process or use your Personal Data for purposes other than those set forth in the Agreement or this Data Processing Agreement or (ii) disclose your Personal Data to third parties other than Subprocessors for the aforementioned purposes or as required to do so by Union or Member State law to which we are subject. In such a case, we will inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

6.2. Processing within and outside the EU/EEA. We will generally Process Personal Data within the territory of the Federal Republic of Germany, a Member State of the European Union or another signatory to the Agreement on the European Economic Area. In some instances, we may also transfer Personal Data to our third-party service providers located in the United States of America; please see our List of Subprocessors (available at https://cozero.io/subprocessors) for details on the third-party service providers we use. If, from the Customer's point of view, the performance of a transfer impact assessment should be necessary in the event of processing of Personal Data in a third country, Cozero will support the Customer in this to a reasonable extent and to the best of its knowledge. However, there is no obligation for the Customer to carry out a transfer impact assessment.

6.3. Personnel of Cozero. We will ensure that our personnel engaged in and authorized for the Processing of Personal Data are informed of the confidential nature of the Personal Data and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6.4. Our data protection officer. We have appointed a data protection officer: Fabian Schwarzer, Cozero GmbH, Zionskirchstraße 73a, 10119 Berlin. The person may be reached by email via dpo@cozero.io.​

7. Technical and Organizational Measures

7.1. Cozero TOM. When we process Personal Data on your behalf, we will take all measures required pursuant to Article 32 GDPR, and have implemented and will maintain certain technical and organizational security measures for the Processing of such data, as such measures are specified in Annex 1. These measures are intended to protect Personal Data against accidental or unauthorized loss, destruction, alteration, disclosure or access, and against all other unlawful forms of processing.

7.2. Changes to TOM. All technical and organizational security measures are subject to technical progress and development. Accordingly, we may modify our security measures and/or implement alternative security measures, provided, however, that these do not fall short of the level of security as contractually agreed upon in Annex

8. Customer Audit Rights

8.1. Customer Audits. You may, prior to the commencement of our Services and up to once per year during the performance of our Services, audit the technical and organizational measures implemented by Cozero. You may perform more frequent audits to the extent required by Data Protection Laws.

8.2. Details regarding Audits. In the course of such audit, you may, in particular, conduct the following measures: (i) You may obtain all such information from Cozero that is necessary to demonstrate compliance with the obligations laid down in this Data Processing Agreement. (ii) You may request Cozero to submit to you an existing certificate by a qualified third party auditor. (iii) You may, upon reasonable advance agreement, during regular business hours and without interfering with Cozero's business operations, conduct an on-site inspection of those parts of Cozero's business facilities where Personal Data is being processed, subject to Cozero's then-applicable security policies.

8.3. On-Site Inspections. To request an on-site inspection, you must submit an inspection plan to us at least two weeks in advance of the proposed inspection date, describing the proposed scope, duration and start date of the inspection. We will review the inspection plan and provide you with any concerns or questions (for example, any request for information that could compromise Cozero's security, privacy, employment or other relevant policies).

8.4. Report in lieu of audit. If the requested audit scope is addressed in a SSAE 16/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within the prior twelve months, you agree to accept those findings in lieu of requesting an audit of the systems covered by the report.

8.5. Sharing of reports. You will provide us with any audit reports generated under this section, unless prohibited by law. You may use the audit reports only for the purpose of confirming that our technical and organizational measures are in compliance with the requirements of this Data Processing Agreement. The audit reports are confidential information of the parties under the terms of the Agreement.

8.6. Costs of audits. Any audits are at your expense. Any request for Cozero to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required for the provision of the Services. We will seek your written approval and agreement to pay any related fees before performing such audit assistance.

8.7. Third party auditors. If a third party is to conduct the audit, the third party must be mutually agreed to by Customer and Cozero and must execute a written confidentiality agreement acceptable to Cozero before conducting the audit.

9. Subprocessors

9.1. Subprocessors. We may engage Subprocessors to assist in the Processing of your Personal Data. By entering into this Data Processing Agreement with us, you give your prior general written authorization to our use of Subprocessors in accordance with article 28 paragraph 2 GDPR. A list of Subprocessor is provided under https://cozero.io/subprocessors. Where we intend to add or replace a Subprocessor, we will inform you of such intended change, thereby giving you the opportunity to object to such change. If you don’t object within two weeks from our notification regarding the change of a Subprocessor, it has the same effect as a consent.

9.2. Our agreements with Subprocessors. We will ensure that all of our Subprocessors are required to abide by substantially the same obligations as Cozero under this Data Processing Agreement as applicable to their performance of the Services. This shall apply in particular, but not be limited to, the requirements in § 4,§ 7,§ 8, and § 10 to § 13. Cozero remains responsible at all times for compliance with the terms of this Data Processing Agreement by all Subprocessors engaged in the performance of our Services to you.

9.3. As far we work with freelancers, who have access to your personal data, we ensure that we only collaborate with freelancers providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. Processing by a freelancer is governed by a data processing agreement which ensures the same data protection standard you and we agreed on. We will provide a list of the freelancers upon request.

9.4. Copies of relevant terms. You are entitled, upon written request, to receive copies of the relevant terms of Cozero's agreement with each Subprocessor that Processes your Personal Data, unless the agreement contains confidential information, in which case Cozero may provide a redacted version of the agreement.

9.5. Ancillary Services. This § 9 shall not apply where we engage third parties for ancillary services; these include, but are not limited to, telecommunications services, mail and shipping services, building security services, facility management services, and services relating to the cleaning or disposal of data media.

10. Rights of Data Subjects

10.1. Pass-through of Data Subject requests. Where a Data Subject requests us to correct, delete or block Personal Data, we will pass on such request to you. Cozero will not respond to any requests of Data Subjects without your prior written consent.

10.2. Assistance. Where a Data Subject requests you to correct, delete or block Personal Data or to provide information about the collection, processing or use of Personal Data in connection with our Services and you are unable to fulfil the request by yourself through our Site, we will support you in responding to the request and in fulfilling the request by appropriate technical and organisational measures, insofar as this is possible, provided that (i) you instruct us to do so in writing or in text form and (ii) you reimburse us for the cost and expenses incurred in providing such support.

11. Deletion of Data and Return of Data Media

11.1. No copies or duplicates. We will not create copies or duplicates of your Personal Data without your prior knowledge. Notwithstanding the preceding sentence, we may (i) create backup copies, to the extent such backup copies are required to ensure the proper Processing of Personal Data, and (ii) prepare and retain copies of Personal Data where required by us to comply with any statutory retention and storage obligations.

11.2. Deletion of data. Upon cancellation of your account, or at any prior time upon your written request, we will at your choice either delete all copies of your Personal Data from our systems within one month or return such Personal Data to you. We are not liable for any loss or damage following, or as a result of, such deletion or return, and it is your responsibility to ensure that any Personal Data which you require is backed-up or replicated before deletion or return.

11.3. Return of data media. If, in connection with our Services, we have received from you any data media containing /or Personal Data, we will return to you any such data media still in our possession at the time of cancellation of your account or upon your written request.

11.4. Continued use for legal obligations. Notwithstanding the above, we will retain only those Personal Data which are required to comply with our legal obligations, resolve disputes, and enforce our agreements.

12. Duties to Notify and Further Support

12.1. Notification of (governmental) searches and seizures. We will, without undue delay, inform you if your Personal Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in our control. In such event, we will inform all pertinent parties in such action, that any data affected thereby is in your sole property and area of responsibility, that data is at your sole disposition, and that you are the responsible body in the sense of the GDPR.

12.2. Notification of incidents and breaches. We will, without undue delay, inform you if we determine that (i) your /or Personal Data has been subject to a security incident (including by a Cozero employee) or (ii) there has been a breach by Cozero (including by a Cozero employee) of Data Protection Laws applicable to the performance of our Services to you or of any or any of the provisions set forth in this Data Processing Agreement. In such event, we will promptly investigate the security incident or breach and take reasonable measures to identify its root cause and prevent a recurrence.

12.3. Assistance. In the event that, due to the security incident or breach, you are required to fulfil any disclosure obligations in accordance with article 33 GDPR, we will support you fulfilling such obligations, provided that (i) you instruct us to do so in writing or in text form and (ii) you reimburse us for our reasonable and documented cost and expenses incurred in providing such support.

12.4. Further Support. In addition to our assistance obligations above, we will assist you in ensuring compliance with your obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to us, provided that (i) you instruct us to do so in writing or in text form and (ii) you reimburse us for our reasonable and documented cost and expenses incurred in providing such support.

13. Changes

Changes to these terms. Cozero may change these terms at any time for a variety of reasons, such as to reflect changes in applicable law, to reflect updates to our Services or the technical and/or organizational measures we employ, and to account for new Services or functionalities.

14. Miscellaneous

14.1. Severability. Where individual provisions of this Data Processing Agreement are invalid or unenforceable, the validity and enforceability of the other provisions of this Data Processing Agreement shall not be affected.

14.2. Governing law and venue. This Data Processing Agreement is subject to German law. Any disputes arising out of or in connection with this Data Processing Agreement shall be exclusively submitted to the courts of Berlin.

** This DPA is bindingly agreed between the Parties without separate signature as follows: In case of a conclusion of contract in paper form by an explicit reference to the Terms of Service; in case of a conclusion of contract online by a link to the Terms of Service. **

Annex - ​Technical and organizational measures to ensure the security of processing

1. Measures to ensure confidentiality

1.1. Physical access control

Measures that physically deny unauthorized persons access to IT systems and data processing equipment used to process personal data, as well as to confidential files and data storage media.

Description of physical access control:

  • Safety locks on doors
  • Careful selection of cleaning staff
  • Admission management: authorized personnel and scope of authorization are pre-defined
  • Careful selection of security staff
  • Further measures by service provider

1.2. Logical access control

Measures to prevent unauthorized persons from processing or using data which is protected by data privacy laws.

Description of logical access control system:

  • Limitation of the number of authorized employees
  • Password procedure, i.e. personal and individual login user credentials when logging on to the system (e.g. special characters, minimum length, regular password change)
  • User rights are granted restrictively
  • All log-ons / log-offs are recorded
  • Use of central password policy

1.3. Data access control

Measures to ensure that persons authorized to use data processing systems can only access personal data according to their access rights, so that data cannot be read, copied, changed or removed without authorization during processing, use and storage.

Description of data access control:

  • Limitation of the number of authorized employees
  • Password procedure, i.e. personal and individual login user credentials when logging on to the system (e.g. special characters, minimum length, regular password change)
  • All data access is logged automatically
  • Small number of system administrators
  • Records and log files are analyzed regularly

1.4. Separation rule

Measures to ensure that data collected for different purposes are processed separately and separated from other data and systems in such a way as to preclude the unplanned use of such data for other purposes.

Description of the separation control process:

  • Systems allow for data segregation (multi-tenancy), data is segregated by software
  • Productive systems and test systems are separated from each other
  • Data sets can be accessed only through those applications which have been pre-defined
  • Database user rights are issued and managed centrally

1.5. Pseudonymization measures

Measures that reduce direct references to persons during processing in such a way that it is only possible to associate data with a specific person if additional information is included. The additional information must be kept separately from the pseudonym by appropriate technical and organizational measures.

Description of the pseudonymization:

  • none due to work on a central server system

2. Measures to ensure integrity

2.1. Transmission and transport control

Measures to ensure that the confidentiality and integrity of data is protected during transmission of personal data and transport of data carriers. Furthermore measures to ensure that it is possible to verify and establish to which bodies personal data may be or have been transmitted or made available using data communication equipment.

Description of the transmission and transport control:

  • HTTPS
  • Unnecessary printouts are terminated
  • No use of physical data carriers
  • Comprehensive logging procedures
  • No use of private data carriers at work

2.2. Input control

Measures to ensure that it can be subsequently verified and ascertained whether and by whom personal data have been entered or modified in data processing systems.

Description of the input control process:

  • Logging of all system activities and keeping of these logs for at least six months
  • Use of central rights management for entering, altering and deleting data

3. Measures to ensure availability and resilience

3.1. Availability control

Measures to ensure that personal data are protected against accidental destruction or loss.

Description of the availability control system:

  • Backups are taken on a regular basis
  • Backup and recovery plan is in place
  • Data backup files are stored at a safe and remote location, diverse additional measures taken by suppliers
  • Localisation
  • Additionally diverse measure of server service providers

3.2. Quick recovery

Measures to ensure the ability to quickly restore the availability of and access to personal data and used systems in the event of a physical or technical incident.

Description of the measures for quick recovery:

  • Data backup procedure

4. Measures for the regular testing and evaluation of the security of data processing

Measures to ensure that the data are processed securely and in compliance with data protection regulation. Measures to ensure that personal data processed on behalf of the Controller can only be processed in accordance with the instructions of the Controller.

Description of the order control measures:

  • Involvement of data protection officers for all data protection-related questions
  • Formalized processes for data privacy incidents