Terms and Conditions

General Terms and Conditions of Birdsview GmbH for business dealings with entrepreneurs within the meaning of Section 14 of the German Civil Code (BGB)


1. General

1.1 The following General Terms and Conditions (“GTC”) apply to all services of Birdsview GmbH, Reudnitzer Str. 1, 04103 Leipzig (hereinafter “Birdsview”) vis-à-vis the respective contractual partner who is an entrepreneur (hereinafter “Customer”). An entrepreneur is a natural or legal person or a partnership with legal capacity that acts in the exercise of its commercial or independent professional activity when concluding a legal transaction. These GTC also apply to future contracts between Birdsview and the Customer in their respective current version, even if the applicability of these GTC is no longer expressly mentioned or agreed.

1.2 Deviating, supplementary or conflicting general terms and conditions of the Customer shall not become part of the contract unless expressly agreed in writing. This also applies if Birdsview does not expressly object to such terms after receipt. The precedence of individual agreements between the parties over these GTC remains unaffected.


2. Offers, conclusion of contract, contract language, technical steps

2.1 Offers from Birdsview — in particular with regard to quantity, price and delivery time — are always non-binding and subject to change, unless Birdsview expressly designates an offer in text form (Section 126b BGB) as binding. Unless otherwise stated in the respective offer, Birdsview shall be bound by a binding offer for two weeks from receipt of the offer by the Customer.

2.2 A contract is only concluded upon Birdsview’s order confirmation in text form or upon the Customer’s acceptance of a binding offer from Birdsview. Only the provisions agreed in the respective contract or in the respective service description in text form shall apply.


3. Provision of services, subcontractors

3.1 Dates are only binding if Birdsview has expressly confirmed them in writing as binding.

3.2 In the event of force majeure or due to unforeseen events for which Birdsview is not responsible, such as war, natural disasters, pandemics, boycotts, operational disruptions, strikes, lockouts, official orders, the subsequent removal of export or import opportunities or similar, Birdsview shall be entitled to postpone the services owed for the duration of the impediment plus a reasonable grace period or, if performance actually or economically becomes impossible, to withdraw from the contract. The Customer is not entitled to withdraw from the contract if it is responsible for the impediment.

3.3 Unless otherwise agreed, Birdsview is entitled to have contractual services performed by subcontractors. The warranty vis-à-vis the Customer remains with Birdsview.


4. Cooperation and contributions

In addition to the provisions contained in the respective contract and the cooperation obligations pursuant to Section 6, the following general rules apply:

4.1 If the Customer names a contact person, the Customer thereby authorizes that person to represent it within the framework of the contractual relationship; in particular, the Customer declares that it accepts all statements made by that person for and against itself insofar as they relate to the cooperation between Birdsview and the Customer.

4.2 Birdsview shall provide the agreed services through suitable employees with sufficient qualifications. The Customer has no entitlement to performance by specific employees. The Customer has no right to give instructions to Birdsview’s employees. The exercise of house rules and instructions for averting danger remain unaffected.

4.3 The Customer’s contributions and cooperation obligations are genuine obligations and not merely duties of care. If the Customer breaches these obligations and the breach affects the services to be provided by Birdsview, Birdsview may — without prejudice to further rights — demand an appropriate adjustment of the contractual arrangements (e.g. changes to the schedule and remuneration). Deadlines to be observed by Birdsview shall be postponed in a manner that is proportionate to the duration of the delay in the contribution and its significance for the performance of services.


5. Rights of use

5.1 The granting of rights of use to the services provided by Birdsview to the Customer shall be subject to the suspensive condition of full payment of the claim arising from the service.

5.2 Birdsview remains the owner of all materials protected by industrial property rights or similar rights of any kind (e.g. patent rights, design rights, trademark rights, utility model rights and copyright), regardless of whether they are registered or not (“intellectual property rights”), regardless of whether these materials are protected or capable of protection (“materials”), which Birdsview owns at the time the contract is concluded or which were developed by Birdsview (or by third parties on Birdsview’s behalf) after conclusion of the contract. The same applies to edits and modifications. Upon delivery of the materials and unless otherwise agreed, Birdsview grants the Customer a non-exclusive, non-transferable, non-sublicensable right limited to the term of the respective individual contract to use the materials delivered under the contract for its own purposes.


6. Liability for defects, Customer cooperation

6.1 The statutory provisions on liability for defects shall apply, taking into account the deviating provisions of the following “Special provisions for rental agreements” (Clause 13).

6.2 The Customer shall make available to Birdsview all information and items at its disposal that are required for the performance of the contract and shall create all prerequisites within its business sphere that are necessary for the provision of deliveries and services.

6.3 The Customer’s further obligations include, in particular, the deployment of professionally competent employees and the adequate training of its personnel to ensure a safe introduction and operational process, as well as the preparation and execution of acceptance. This includes in particular ensuring the availability of data transmission facilities and submitting complete, timely and sufficiently precise fault reports, first by telephone and then in text form.

6.4 The Customer shall protect and store the access data to the Birdsview services against access by third parties in accordance with the state of the art. The Customer shall ensure that use only takes place within the contractually agreed scope. Any unauthorized access must be reported to Birdsview without undue delay.


7. Liability

7.1 Birdsview shall be liable without limitation for personal injury. The same applies to other damages suffered by the Customer as a result of an intentional or grossly negligent breach of duty by Birdsview, as well as to claims under the Product Liability Act and claims within the scope of the entrepreneur’s recourse claim pursuant to Sections 327u, 478, 479 BGB.

7.2 For typical contractual damages incurred by the Customer due to a breach of an essential contractual obligation by Birdsview, Birdsview shall also be liable in cases of simple negligence. However, liability for indirect damages, such as lost profits, is excluded. An essential contractual obligation within the meaning of the foregoing is one whose fulfillment makes the proper performance of the contract possible in the first place and on whose fulfillment the contractual partner regularly relies and may rely.

7.3 Otherwise, Birdsview’s liability for simple negligence is excluded.

7.4 The above provisions also apply to Birdsview’s legal representatives and vicarious agents in relation to the Customer.

7.5 The Customer is responsible for regularly backing up its data. Liability for data loss is limited to the recovery effort that would have been required if data had been properly backed up (as a rule, daily data backup on the Customer’s side).


8. Limitation

8.1 All claims of the Customer, regardless of the legal basis, become time-barred after 12 months.

8.2 In cases of intentional or fraudulent conduct as well as for claims under the Product Liability Act, for claims arising from entrepreneur recourse (Sections 327u, 478, 479 BGB) and for bodily injury, the statutory limitation periods shall apply.


9. Third-party rights, indemnification

9.1 The Customer warrants to Birdsview that all templates, data, texts, information, images and other content provided by the Customer are free of third-party rights or that the Customer holds the corresponding rights of use.

9.2 The Customer shall indemnify Birdsview against all third-party claims asserted against Birdsview due to possible legal infringements arising from the use, including storage, of the templates, data, texts, information, images and other content provided by the Customer. The Customer is obliged to reimburse Birdsview for the necessary costs incurred as a result of such claims. Other claims of Birdsview remain unaffected.

9.3 The Customer also undertakes to provide Birdsview with all necessary information and documents and to carry out acts of cooperation in order to be able to defend against asserted third-party claims.

9.4 If claims are asserted against the Customer for infringement of intellectual property rights valid in Germany due to items delivered or licensed under these terms, the Customer shall enable Birdsview to defend itself against such claims. The Customer is obliged to (1) inform Birdsview immediately in writing of the assertion of such claims, (2) provide Birdsview with all information necessary for legal defense and for the fulfillment of other cooperation obligations, and (3) leave it to Birdsview to decide whether and how the claim is defended. In such a context, Birdsview shall reimburse the Customer for all costs and damages that are undisputed between Birdsview and the Customer or recognized by Birdsview or finally adjudicated. If it is finally determined that continued use of the contractual items infringes intellectual property rights valid in Germany, or if Birdsview considers there to be a risk of an infringement action, Birdsview may, insofar as liability is not excluded, at its own expense either obtain for the Customer the right to continue using the contractual items, or replace or modify them so that no infringement remains, or — at the Customer’s request — take back the contractual item and refund its value less a usage fee for the use up to that point.

9.5 If the Customer modifies the materials supplied by Birdsview under the contract itself or has them modified by third parties, the claims under this Section 9 shall lapse unless the Customer proves that the modifications made by it or by a third party did not cause any infringement of third-party rights.

9.6 The above provisions of this Section 9 apply mutatis mutandis in the reverse case where Birdsview is held liable for infringement of third-party rights by materials of the Customer or materials provided by third parties on the Customer’s behalf.


10. References

Birdsview has the right to use the services provided for the Customer as a reference for self-promotion by naming the Customer and the industry. This also applies to self-promotion by Birdsview on the internet. Insofar as the Customer’s name is wholly or partially identical to a trademark or designation protected by another right, that right remains unaffected by the foregoing.


11. Term and termination of continuing obligations

11.1 If Birdsview’s performance obligations are not exhausted by a one-time, time-limited provision of services (“continuing obligation”), the contract term shall, subject to a deviating agreement in the contract, be at least twelve (12) months and shall be extended by a further twelve (12) months each time unless the contract is terminated by Birdsview or the Customer in text form with three (3) months’ notice to the end of the respective contract term.

11.2 Statutory rights of termination (e.g. Sections 643, 649 BGB) and the right to extraordinary termination of the contract for good cause remain unaffected by any deviating minimum term agreed in the contract or pursuant to Clause 11.1.


12. Remuneration, payment terms

12.1 The remuneration for Birdsview’s services may take the form of monthly flat fees, usage-based fees (“pay-as-you-go”) or effort-based fees (e.g. based on time spent). Details are regulated in the individual contracts.

12.2 The remuneration for software-as-a-service services is due monthly in advance before the start of performance and is payable immediately after the invoice date to Birdsview’s account without deduction.

12.3 All prices stated are exclusive of statutory VAT unless otherwise stated. If no prices have been agreed, Birdsview’s price list in its current version shall apply. Any discount requires a separate written agreement.

12.4 In cross-border transactions, the agreed remuneration and/or usage fee is the net remuneration, i.e. the net amount payable by the Customer after deduction of any foreign taxes. “Foreign taxes” include in particular taxes, duties or other surcharges and costs as well as other fees and levies imposed by a foreign state or a foreign territorial authority. The Customer shall bear and pay all foreign taxes. The Customer undertakes to provide Birdsview with all necessary tax certificates, tax assessments and all other documents Birdsview needs to comply with tax obligations abroad and in the Federal Republic of Germany.

12.5 Birdsview is entitled to adjust the prices agreed with Customers under a continuing obligation on account of proven cost increases by third parties (such as energy suppliers, licensors, telecommunications providers, etc.) by the amount of the actual cost increase. Birdsview shall notify the Customer of such an adjustment in writing one month in advance, and no adjustment may take effect earlier than four months after the start of the contract. If this leads to an increase of more than 15% for the same IT services over a reference period of 12 calendar months, the Customer has a special right to terminate the affected individual contract(s).


13. Special provisions for rental agreements (SaaS)

In addition to the above provisions, the following rules also apply:

13.1 If the subject matter of the contract is the provision of software without physical transfer by means of software-as-a-service (“SaaS”), Birdsview is not obliged to provide user documentation for the software unless expressly agreed otherwise.

13.2 Birdsview’s strict liability under Section 536a(1) BGB for defects already existing at the time of conclusion of the contract is excluded for rental-law claims.

13.3 Unless otherwise agreed in the individual contract, the following service levels shall apply:

13.3.1 Adjustments, changes and additions to the SaaS services covered by the contract as well as measures to detect and remedy malfunctions shall only lead to a temporary interruption or impairment of availability if this is technically unavoidable.

13.3.2 The basic functions of the SaaS services are monitored daily. Birdsview will inform the Customer before maintenance work and carry it out as promptly as the technical conditions allow.

13.3.3 The availability of the respective agreed services of a SaaS contract is 98.5% on average per year, excluding maintenance work; however, availability may not be impaired or interrupted for longer than five (5) consecutive working days. Working days are Monday to Friday, excluding public holidays that apply throughout Germany.

13.4 Birdsview may update and further develop the software at any time and, in particular, adapt it due to changed legal requirements, technical developments or to improve IT security. In doing so, Birdsview shall reasonably take into account the Customer’s legitimate interests and inform the Customer in good time of any necessary updates. In the event of a material impairment of the Customer’s legitimate interests, the Customer shall have a special right of termination if Birdsview cannot operate the software in the condition that existed before notification to the Customer.


14. Data protection

14.1 The parties shall each independently comply with the data protection provisions applicable to them.

14.2 In the course of providing services, Birdsview may have access to the Customer’s personal data, so the parties additionally conclude the Data Processing Agreement (“DPA”), which is attached to these GTC as Annex 1. In the event of conflict, the provisions of the DPA shall take precedence over these GTC or the individual contract.


15. Right to amend

Birdsview reserves the right to amend these GTC or other contractual terms referred to at any time outside a specific exchange of services. During an ongoing contract, such changes shall only become effective if the Customer does not object to the change within one month of receipt of a notice of change in text form and Birdsview has pointed out the right to object and the deadline in the notice of change in text form. If the Customer objects to the change, the contract shall continue without the changes. However, Birdsview is entitled to terminate the contract in writing (Section 126(1) BGB) within one month of receipt of the objection with one month’s notice to the end of the quarter. Excluded from this right of amendment are all changes relating to essential contractual obligations of a party; this shall not apply if the change is necessary to adapt the contract, the GTC or further contractual conditions referring to it to mandatory statutory changes.


16. Miscellaneous

16.1 The law of the Federal Republic of Germany shall apply, excluding the UN Convention on Contracts for the International Sale of Goods (CISG) and conflict-of-law rules; Article 3(3), (4) of Regulation (EC) 593/2008 remains unaffected.

16.2 Amendments or supplements to these GTC and the respective contracts require written form. This also applies to any amendment of the written form requirement.

16.3 The place of jurisdiction for all disputes arising out of or in connection with the contractual relationship shall be Birdsview’s place of business, provided that the Customer is a merchant, a legal entity under public law or a special fund under public law. However, Birdsview is entitled to sue at the Customer’s place of business.

16.4 The rights and obligations of Birdsview and the Customer shall first be governed by the contractual agreements, then by these GTC.

16.5 Should one or more of the above provisions or the contract be or become invalid, this shall not affect the validity of the remaining provisions. The application of Section 139 BGB is excluded.



Appendix 1 — Data Processing Agreement (DPA)


§ 1 Provision and requirements for processing

1.1 This Data Processing Agreement (“DPA”) sets out the data protection rights and obligations of Birdsview (“Provider”) and the Customer (“Controller”) (together “the Parties”) for all processing activities resulting from the existing or future contracts concluded between the Parties (the “Main Contract”), under which personal data are processed by the Provider on behalf of the Controller.

1.2 This data protection agreement applies with all its components when the Controller commissions the Provider to process personal data (“data”) on its behalf in accordance with Article 28 GDPR. This data protection agreement forms the framework for a large number of different processing operations.

1.3 In the event of conflicts, the provisions of this DPA with all its components shall take precedence over the provisions of the associated Main Contract.

1.4 The specific data protection provisions (“specifications”) applicable to individual processing operations are listed in the specification appendix, insofar as they do not arise from the respective Main Contract. These include in particular the subject matter and duration as well as the nature and purpose of processing, the categories of data and the categories of data subjects.

1.5 The annexes are part of the DPA. In the event of conflict, the annexes shall take precedence over the more general provisions of the DPA. References to the DPA below or in the annexes refer to the DPA with all its components.


§ 2 Responsibility and processing according to instructions, protective measures

2.1 The Customer (“Controller”) is solely responsible under this DPA for compliance with the applicable legal provisions, in particular for the lawfulness of the transfer to the Provider and for the lawfulness of the processing (Controller within the meaning of Art. 4(7) GDPR).

2.2 Birdsview (“Provider”) processes the data exclusively in accordance with the instructions of the Controller, unless an exception pursuant to Art. 28(3)(a) GDPR applies (other statutory processing obligation). Oral instructions must be confirmed by the Controller in text form without undue delay. If the Controller acts as a processor for a third party, the Controller’s obligations arising from such processing for the third party are deemed, to the extent known, to be direct instructions from the Controller to the Provider, insofar as these obligations are stricter than those of this data processing agreement. The Controller shall inform the Provider in writing of such third-party requirements.

2.3 The Provider shall rectify or delete the data covered by the contract or restrict their processing (“blocking”) if requested to do so by the Controller and within the framework of the instructions.

2.4 The Provider shall inform the Controller without undue delay if it considers that an instruction violates applicable data protection provisions or this DPA. The Provider may suspend implementation of the instruction until it is confirmed or changed by the Controller in text form. The Provider may refuse to carry out instructions that clearly violate data protection law.

2.5 The Parties shall each designate one or more contact persons for data protection matters in text form, including the appointed data protection officers. In the event of changes to the contact persons, the contracting parties shall inform each other in text form.

2.6 The Provider shall ensure that persons authorized to process the data (a) are aware of the Controller’s instructions and comply with them and (b) are obliged to confidentiality or are subject to an appropriate statutory duty of confidentiality. The duty of confidentiality and secrecy shall also continue after the processing has ended.

2.7 If the Controller acts as a processor for a third party, the Provider’s obligations under this DPA shall also apply directly in the relationship between the third party and the Provider. This applies to all services of the Provider performed on behalf of the Controller vis-à-vis the third party. In particular, the third party shall have the rights of control and information pursuant to § 7 directly vis-à-vis the Provider.

2.8 The Provider is obliged to comply with the statutory data protection provisions and not to pass on information obtained from the Controller’s domain to third parties or make it accessible to third parties. Documents and data must be protected against unauthorized access taking into account the state of the art.

2.9 The Provider shall oblige all persons involved in the processing and performance of this contract (“employees”) in writing to confidentiality (confidentiality obligation, Art. 28(3)(b) GDPR) and shall ensure that this obligation is complied with with due care. Upon request, the Provider shall provide the Controller with written or electronic proof of these obligations.

2.10 The Provider shall organize its internal structure so that it meets the special requirements of data protection. It undertakes to take all appropriate technical and organizational measures to adequately protect the Controller’s data in accordance with Art. 32 GDPR, in particular those listed in Annex 2 to this data processing agreement, and to maintain them for the duration of the processing.

2.11 The Provider reserves the right to change the technical and organizational measures, provided that the agreed level of protection is not undermined by the change.


§ 3 Reporting data breaches and processing errors

3.1 The Provider shall inform the Controller without undue delay if it becomes aware within its organization of a personal data breach within the meaning of Art. 4(12) GDPR relating to the data processed on behalf of the Controller or if there is a specific suspicion of such a data breach at the Provider.

3.2 If the Controller discovers errors, it shall inform the Provider without undue delay.

3.3 The Provider shall take the necessary measures without undue delay to remedy the data breach pursuant to § 3.1 or the errors pursuant to § 3.2 and to mitigate possible adverse effects, in particular for the data subjects. The Provider shall coordinate this with the Controller. Oral notifications pursuant to § 3.1 or § 3.2 shall be followed up immediately in text form.


§ 4 Data transfers to a recipient in a third country or an international organization

Data transfers to a recipient in a third country outside the EU and the EEA are permitted provided that the conditions set out in Articles 44 et seq. GDPR are met. Details may, if necessary, be set out in one or more annexes.


§ 5 Subprocessing by further processors

5.1 The Provider may have the processing of personal data carried out in whole or in part by other processors (“sub-processors”).

5.2 The Provider shall inform the Controller in text form in good time in advance about the commissioning of sub-processors or changes in subprocessing. The Controller may object to subprocessing in text form within four weeks of becoming aware of it for good cause. Good cause exists in particular if there are reasonable doubts that the sub-processor will provide the agreed service in accordance with applicable data protection law or this DPA. In the event of a justified objection, the Controller shall grant the Provider a reasonable period to replace the affected sub-processor with another one. If the Provider is unable to do so or if this is unreasonable for the Controller, either party shall be entitled to extraordinarily terminate the Main Contract for good cause.

5.3 The Provider shall agree terms with each sub-processor that are identical in content to those of this DPA.

5.4 Services used by the Provider as purely ancillary services to support its business activities outside of processing do not constitute subprocessing within the meaning of this provision. However, to ensure data protection, the Provider is obliged to take appropriate precautions for such ancillary services as well.


§ 6 Rights of data subjects and support for the Controller

If a data subject asserts claims under Chapter III of the GDPR against one of the Parties, that Party shall inform the other Party without undue delay. The Provider shall support the Controller, within its capabilities, in handling such requests and in complying with the obligations set out in Articles 33 to 36 GDPR.


§ 7 Control and information rights of the Controller

7.1 The Provider shall demonstrate by suitable means that it complies with its obligations towards the Controller. The Controller shall verify the adequacy thereof.

7.2 For compliance with the agreed protective measures and their proven effectiveness, the Provider may rely on relevant certifications or other suitable audit evidence. Suitable certifications include, in particular, certifications pursuant to Art. 42 GDPR or evidence pursuant to Art. 40 GDPR. In addition, the following are possible: certification according to ISO 27001 or ISO 27017, an ISO 27001 certification based on IT baseline protection, a certification according to recognized and appropriate industry standards, or an audit report in accordance with SOC/PS 951, in each case in the currently valid version. The certification and audit procedures must be carried out by a recognized independent third party. The Provider must present its certificates or audit evidence. Other suitable means (e.g. activity reports of the data protection officer or excerpts from auditors’ reports) may be provided to demonstrate compliance with the agreed protective measures. The Controller’s right of control pursuant to § 7.3 remains unaffected.

7.3 The Controller is entitled to carry out inspections at the Provider during normal business hours and without interruption of operations, usually after prior notice with reasonable advance warning, in order to verify compliance with data protection provisions. The Provider may make the inspection dependent on the signing of a confidentiality agreement with regard to the data of other customers. The Provider is obliged to enable and assist the Controller’s audits and inspections.

7.4 The Parties shall agree measures to remedy any findings identified during an inspection.

7.5 If a supervisory authority exercises powers pursuant to Article 58 GDPR, the Parties shall inform each other of this without undue delay. They shall support each other within the scope of their respective tasks in fulfilling their obligations towards the supervisory authority.


§ 8 Liability and damages

8.1 If a data subject asserts claims for damages against a Party due to a breach of data protection provisions, the Party receiving the claim shall inform the other Party without undue delay.

8.2 The Controller and the Provider shall be liable to data subjects pursuant to Article 82 GDPR.

8.3 The Parties shall support each other in defending against claims for damages by data subjects, unless this would endanger the legal position of one Party vis-à-vis the other Party, the supervisory authority or third parties.


§ 9 Costs

Costs incurred by the Provider as a result of measures taken by the Controller at the Provider’s premises shall be borne by the Controller, insofar as these are not covered by the remuneration under the Main Contract. This applies in particular to necessary costs incurred by the Provider as a result of the Controller’s audits and inspections pursuant to § 7.


§ 10 Term

10.1 The DPA is concluded for an indefinite period.

10.2 The DPA ends upon termination of the associated Main Contract without the need for separate termination of the DPA. In this case, the Provider shall, at the Controller’s discretion, either hand over the data processed pursuant to the Annex without delay or delete it in compliance with data protection requirements and confirm this to the Controller in text form. If the Provider is subject to a statutory retention obligation, it shall inform the Controller thereof in text form.


§ 11 Final provisions




Specification appendix to the DPA (pursuant to § 1.4 of the DPA)


§ 1 Subject of the commission

The subject of the commission is the optimization of customer retention through automated marketing measures with messages in text form (Section 126b BGB) by the Controller to its (end) customers (customer retention automation).


§ 2 Duration of the commission

The duration of the commission is determined by the Main Contract.


§ 3 Purpose of processing

Support for marketing measures and communication processes with the Controller’s customers.


§ 4 Categories of personal data

Master data (names and addresses), email addresses, gender, age & contract data (purchasing behavior)


§ 5 Categories of data subjects

Customers, prospects, suppliers and service providers


§ 6 Approved sub-processors

Amazon Web Services EMEA SARL (“AWS”)

Activity: Provision of a cloud computing infrastructure, including hosting, data storage, data processing and communication. In particular, the following services are used:

- Amazon SES (Simple Email Service): sending transactional and marketing emails
- Amazon S3 (Simple Storage Service): storage and archiving of data
- Amazon EC2 (Elastic Compute Cloud): operation and scaling of server instances
- Amazon SNS (Simple Notification Service): sending notifications and messages to users or systems
- Amazon DynamoDB: storage and management of structured data in a scalable NoSQL database


Supabase Inc/Incorporating Services, Ltd., 3500 S. DuPont Highway, Dover, Kent 19901, Delaware (“Supabase”)

Activity: Provision of a backend-as-a-service platform for database management, authentication and serverless functions. In particular, the following services are used:

- PostgreSQL database: storage and management of structured data
- Auth Service: user authentication and management
- Edge functions: serverless functions for processing business logic
- Storage: storage and delivery of files
- RealTime: provision of real-time database updates




Appendix 2 — Technical and organizational measures (TOMs)


Introduction

The Provider uses a combination of policies, procedures, guidelines and technical and physical controls to protect the personal data it processes against accidental loss and unauthorized access, disclosure or destruction.


Management and policies

The Provider:

- assigns employees responsibility for defining, reviewing and implementing security policies and measures;
- regularly reviews its security measures and policies to ensure they remain appropriate for the data to be protected;
- creates and maintains secure configurations for systems and software and ensures that security measures are taken into account when projects are initiated and when new IT systems are developed.


Incident response

The Provider maintains internal monitoring systems that can alert operations teams to service outages, in some cases even before thresholds are exceeded.
The Provider has a data breach response plan designed to respond to data breaches. The plan is regularly tested and updated.


Access controls

The Provider restricts access to personal data by implementing appropriate access controls, including:

Access to infrastructure and internal resources follows the principle of least privilege. Privileges are only granted when needed for business tasks and are revoked when they are no longer needed.

Access management is centralized with the identity providers. Where possible, internal services delegate both authentication and authorization to these providers to ensure timely offboarding and revocation of authorizations.

Changes to the Provider’s infrastructure require approval by at least one other authorized person. Individuals are authorized based on the relevance of the system to their business tasks.

User authentication for internal Provider resources is protected by a strict password policy and mandatory 2FA; SMS-based 2FA is prohibited. The Provider never knowingly stores plain-text passwords; where authentication material must be retained, it stores salted hashes of that material, as appropriate to the use case.

Provider devices used to access internal resources enforce strict security measures, including secure passwords, antivirus software and full disk encryption.

Audit logs of user actions within the Provider’s infrastructure are kept. The Provider logs all interactions with its internal services and all interactions with customer projects. Traffic flow logs are kept so that retrospective analysis of all connections to the infrastructure is possible if required.

Only pre-approved and secure communication channels with provider services are permitted via provider firewalls.
The entire communication — including the transmission of credentials — takes place over connections protected by TLS and configured with a set of modern cipher suites.


Segmentation

Customer projects and the Provider’s internal control plane services are deployed in separate networks, with a firewall ensuring that only expected traffic is allowed between the two networks. In addition, metadata about traffic between the networks is stored. Logs and metrics used for observability and troubleshooting are automatically extracted and sent to systems that are kept separate from the customer projects containing customer data.


Encryption

Data at rest is encrypted where appropriate, including all backups. All disks are encrypted at rest using the industry-standard AES-256 algorithm. Regularly scheduled backups are also encrypted at rest using AES-256.

Encryption keys are generated per project and are themselves protected by keys stored in FIPS 140-2-compliant HSMs. All network communication takes place over encrypted connections protected by modern security standards (TLS 1.2, modern cipher suites) to preserve the confidentiality and integrity of the data.


Availability and backup

The Provider creates daily backups of customer projects by default. Additional backups can be scheduled depending on customer requirements and service contracts.

All backups are encrypted during transmission and at rest. Backups are stored on a storage system that is independent of the customer’s project resources. A target availability of 99.99% is pursued.

The Provider has employees and service providers strategically distributed around the world. This enables a follow-the-sun model for support and operations monitoring and speeds up the response to any service incidents.


Testing

The Provider uses appropriate and suitable security and compliance monitoring systems throughout its infrastructure to detect violations of its security policies. The Provider regularly conducts penetration tests of its systems by commissioning reputable external security firms and remedies any deficiencies identified, where appropriate.

© Copyright 2025 BirdsView GmbH. All rights reserved.
