General Terms & Conditions
General Terms and Conditions of Birdsview GmbH for Transactions with Entrepreneurs within the Meaning of Section 14 of the German Civil Code (BGB)
1. General
1.1 The following General Terms and Conditions (“GTC”) apply to all services provided by Birdsview GmbH, Reudnitzer Str. 1, 04103 Leipzig (hereinafter “Birdsview”) to the respective contracting party who is an entrepreneur (hereinafter “Customer”). An entrepreneur is a natural or legal person or a partnership with legal capacity who, when concluding a legal transaction, acts in exercise of their trade or self-employed professional activity. These GTC also apply to future contracts between Birdsview and the Customer in their latest version, even if the applicability of these GTC is no longer expressly mentioned or agreed.
1.2 Deviating, supplementary or conflicting terms and conditions of the Customer shall not become part of a contract without a written agreement to the contrary. This also applies if Birdsview does not expressly object to such terms after receipt. The priority of individual agreements between the parties over these GTC remains unaffected.
2. Offers, Conclusion of Contract, Contract Language, Technical Steps
2.1 Offers by Birdsview—especially with regard to quantity, price, and delivery time—are always non-binding and subject to change unless Birdsview expressly designates an offer in text form (Section 126b BGB) as binding. Unless otherwise stated in the respective offer, Birdsview is bound by a binding offer for two weeks from receipt of the offer by the Customer.
2.2 A contract is concluded only upon Birdsview’s order confirmation in text form or upon the Customer’s acceptance of a binding offer from Birdsview. Exclusively the provisions agreed in text form in the respective contract or statement of work shall apply.
3. Performance of Services, Subcontractors
3.1 Deadlines are only binding if expressly confirmed as binding by Birdsview in writing.
3.2 In the event of force majeure or due to unforeseen events not attributable to Birdsview, such as war, natural disasters, pandemics, boycotts, operational disruptions, strikes, lockouts, official orders, the subsequent elimination of export or import possibilities, or similar, Birdsview is entitled to postpone the owed services for the duration of the impediment plus a reasonable additional period or, if performance is actually or economically impossible or becomes so, to withdraw from the contract. The Customer is not entitled to withdraw from the contract if they are responsible for the impediment.
3.3 In the absence of any agreement to the contrary, Birdsview is entitled to have contractual services performed by subcontractors. The warranty towards the Customer remains with Birdsview.
4. Cooperation and Contributions
In addition to the provisions contained in the respective contract and the cooperation obligations pursuant to Section 6, the following general rules apply:
4.1 If the Customer designates a contact person, the Customer thereby authorizes this person to represent them within the scope of the contractual relationship; in particular, the Customer declares that they will accept all statements by this person for and against themselves insofar as they relate to the cooperation between Birdsview and the Customer.
4.2 Birdsview provides the agreed services through suitable employees with sufficient qualifications. The Customer has no claim to performance by specific employees. The Customer has no right to issue instructions to Birdsview’s employees. The exercise of house rules and instructions to avert danger remain unaffected.
4.3 The contributions and cooperation to be provided by the Customer are genuine obligations and not merely duties of care. If the Customer breaches these obligations and the breach affects the services to be provided by Birdsview, Birdsview may—without prejudice to further rights—demand a corresponding adjustment of the contractual arrangements (e.g., changes to the schedule and remuneration). Deadlines to be met by Birdsview shall be postponed in a manner reasonably proportionate to the duration of the delay of the contribution and its relevance to the service provision.
5. Rights of Use
5.1 The grant of rights of use to the services provided by Birdsview to the Customer is subject to the suspensive condition of full payment of the claim arising from the service.
5.2 Birdsview remains the owner of all materials protected by industrial property rights or similar proprietary rights of any kind (e.g., patent rights, design rights, trademark rights, utility model rights, and copyrights), whether registered or not (“intellectual property rights”), whether such materials are protected or capable of protection (“Materials”), which Birdsview owns at the time of the conclusion of the contract or which are developed by Birdsview (or by third parties on behalf of Birdsview) after the conclusion of the contract. The same applies to edits and modifications. Upon delivery of the Materials, and absent any agreement to the contrary, Birdsview grants the Customer a non-exclusive, non-transferable, non-sublicensable right, limited to the term of the respective individual contract, to use the Materials delivered under the contract for its own purposes.
6. Defect Liability, Customer’s Cooperation
6.1 The statutory provisions on defect liability apply, taking into account the deviating provisions contained in the “Special Provisions for Lease Agreements” (Section 13) below.
6.2 The Customer shall provide Birdsview with all information and items available to it as required for the performance of the contract and shall create, within its sphere of operations, all prerequisites necessary for the provision of deliveries and services.
6.3 Further obligations of the Customer include, in particular, deploying professionally competent employees and sufficiently training its staff to ensure a secure introduction and operating procedure, as well as preparing and conducting acceptance, in particular ensuring the availability of data transmission facilities and submitting complete, prompt, and sufficiently precise error reports in advance by telephone and in text form.
6.4 The Customer must protect and store access data to Birdsview services against third-party access in accordance with the state of the art. The Customer shall ensure that use only occurs within the contractually agreed scope. Any unauthorized access must be reported to Birdsview without delay.
7. Liability
7.1 Birdsview is liable without limitation for personal injury. The same applies to other damages suffered by the Customer as a result of an intentional or grossly negligent breach of duty by Birdsview, as well as for claims under the Product Liability Act and claims within the scope of the entrepreneur’s right of recourse pursuant to Sections 327u, 478, 479 BGB.
7.2 For typical contractual damages suffered by the Customer as a result of a breach of a material contractual obligation by Birdsview, Birdsview is also liable in cases of simple negligence. However, liability for indirect damages, such as loss of profit, is excluded. A material contractual obligation in the aforementioned sense is one whose fulfillment enables the proper execution of the contract in the first place and on whose fulfillment the contracting partner regularly relies and may rely.
7.3 Otherwise, Birdsview’s liability for simple negligence is excluded.
7.4 The above provisions also apply to Birdsview’s legal representatives and vicarious agents in relation to the Customer.
7.5 The Customer is responsible for the regular backup of its data. Liability for data loss is limited to the restoration effort that would have been required with proper data backups (as a rule, daily backup on the Customer’s side).
8. Limitation
8.1 All claims of the Customer, regardless of the legal basis, become time-barred after 12 months.
8.2 In cases of intentional or fraudulent behavior, as well as for claims under the Product Liability Act, claims arising from entrepreneur’s recourse (Sections 327u, 478, 479 BGB), and personal injury, the statutory limitation periods apply.
9. Third-Party Rights, Indemnification
9.1 The Customer warrants to Birdsview that all templates, data, texts, information, images, and other content provided by the Customer are free of third-party rights or that the Customer holds corresponding rights of use.
9.2 The Customer shall indemnify Birdsview against any claims by third parties asserted against Birdsview due to possible legal violations resulting from the use, including storage, of templates, data, texts, information, images, and other content provided by the Customer. The Customer is obliged to reimburse Birdsview for the necessary costs incurred as a result of such claims. Other claims by Birdsview remain unaffected.
9.3 The Customer further undertakes to provide Birdsview with all necessary information and documents and to perform acts of cooperation in order to be able to defend against asserted third-party claims.
9.4 If claims based on the infringement of intellectual property rights valid in Germany are asserted against the Customer due to items delivered or licensed in accordance with these conditions, the Customer shall enable Birdsview to defend against such claims. The Customer is obliged (1) to inform Birdsview in writing without delay of the assertion of such claims, (2) to provide Birdsview with all information necessary for the legal defense and to fulfill other cooperation obligations, and (3) to leave to Birdsview the decision as to whether and how the claim is defended. In such contexts, Birdsview shall reimburse the Customer for all costs and damages which are undisputed between Birdsview and the Customer or are acknowledged by Birdsview or have been legally established. If it is finally established that further use of the contractual items infringes intellectual property rights valid in Germany, or if, in Birdsview’s opinion, there is a risk of an infringement action, Birdsview may, insofar as liability is not excluded, at its own expense either procure for the Customer the right to continue using the contractual items, or replace or modify them so that no infringement exists any longer, or—at the Customer’s request—take back the contractual item and reimburse its value less a usage fee for the use made up to that point.
9.5 If the Customer itself modifies the Materials delivered by Birdsview under the contract or has them modified by third parties, the claims under this Section 9 shall lapse unless the Customer proves that the changes made by it or a third party did not cause any infringement of third-party rights.
9.6 The above provisions of this Section 9 shall apply mutatis mutandis in the reverse case where Birdsview is held liable for infringement of third-party rights by Customer materials or materials provided by third parties on behalf of the Customer.
10. References
Birdsview has the right to use the services performed for the Customer, naming the Customer’s name and industry, as references for self-promotion. This also applies to self-promotion by Birdsview on the internet. Insofar as the Customer’s name is identical, in whole or in part, with a trademark or a designation protected by another right, such right shall not be affected by the foregoing.
11. Term and Termination of Continuing Obligations
11.1 If Birdsview’s performance obligations are not exhausted by a one-off, time-limited provision of services (“continuing obligation”), the contract term is at least twelve (12) months, subject to a deviating agreement in the contract, and is extended by a further twelve (12) months respectively if the contract is not terminated in text form by Birdsview or the Customer with a notice period of three (3) months to the end of the respective contract term.
11.2 Statutory termination rights (e.g., Sections 643, 649 BGB) and the right to extraordinary termination of the contract for good cause remain unaffected by an agreed deviating minimum term in the contract or under Section 11.1.
12. Remuneration, Payment Terms
12.1 Remuneration for Birdsview’s services may be in the form of monthly flat fees, usage-based fees (“pay-as-you-go”), or effort-based fees (e.g., based on time spent). Details are governed by the individual contracts.
12.2 Remuneration for software-as-a-service services is due monthly in advance before performance and must be paid without deduction to Birdsview’s account immediately after the invoice date.
12.3 All prices stated are exclusive of statutory VAT unless otherwise stated. If no prices are agreed, Birdsview’s price list in the current version applies. Any cash discount requires a separate written agreement.
12.4 In cross-border transactions, the agreed remuneration and/or usage fee is the net remuneration, i.e., the net amount payable by the Customer after deduction of any foreign taxes. “Foreign taxes” include in particular taxes, duties or other surcharges and costs as well as other fees and charges levied by a foreign state or a foreign regional authority. The Customer shall assume and pay all foreign taxes. The Customer undertakes to provide Birdsview with all necessary tax certificates, tax assessments, and any other documents required by Birdsview in order to comply with tax obligations abroad and in the Federal Republic of Germany.
12.5 Birdsview is entitled to change prices agreed with Customers under a continuing obligation as a result of proven cost increases by third parties (such as energy suppliers, licensors, telecommunications providers, etc.) by the actual cost increase incurred by Birdsview, subject to one month’s prior written notice to the Customer, but not earlier than four months after the start of the contract. If this results in an increase of more than 15% for the same IT service(s) over a reference period of 12 calendar months, the Customer shall have a special right to terminate the affected individual contract(s).
13. Special Provisions for Lease Agreements (SaaS)
In addition to the above provisions, the following rules also apply:
13.1 Where the subject matter of the contract is the provision of software without physical transfer by way of software-as-a-service (“SaaS”), Birdsview is not obliged to deliver user documentation for the software unless otherwise expressly agreed.
13.2 The fault-independent liability of Birdsview pursuant to Section 536a (1) BGB for defects already existing at the time of conclusion of the contract is excluded for claims under tenancy law.
13.3 Unless otherwise agreed in the individual contract, the following service levels apply:
13.3.1 Adjustments, changes, and additions to the SaaS services subject to the contract, as well as measures to detect and correct functional faults, shall only lead to temporary interruption or impairment of availability where this is technically unavoidable.
13.3.2 The basic functions of the SaaS services are monitored daily. Birdsview will inform the Customer prior to maintenance work and will carry it out as promptly as the technical conditions allow.
13.3.3 The availability of the respective agreed services of a SaaS contract is 98.5% on an annual average, excluding maintenance work; however, availability may not be impaired or interrupted for longer than five (5) consecutive business days. Business days are Monday to Friday, excluding public holidays applicable throughout Germany.
13.4 Birdsview may update and further develop the software at any time and, in particular, adapt it due to changes in legal requirements, technical developments, or to improve IT security. In doing so, Birdsview will reasonably consider the Customer’s legitimate interests and inform the Customer in good time about necessary updates. In the event of a material impairment of the Customer’s legitimate interests, the Customer has a special right of termination if Birdsview cannot operate the software in the state that existed before the notice to the Customer.
14. Data Protection
14.1 The parties shall each independently comply with the data protection provisions applicable to them.
14.2 In the course of providing services, Birdsview may have access to the Customer’s personal data, so the parties additionally conclude the Data Processing Agreement (“DPA”) attached as Annex 1 to these GTC. In the event of any conflict, the provisions of the DPA take precedence over these GTC or the individual contract.
15. Right to Amend
Birdsview reserves the right to make changes to these GTC or other contractual conditions referring to them at any time outside a specific exchange of performance. During an ongoing contract, such changes shall only become effective if the Customer does not object to the change within one month after receipt of a change notice in text form and Birdsview has pointed out the right to object and the deadline in the change notice in text form. If the Customer objects to the change, the contract continues without the changes. However, Birdsview is entitled to terminate the contract in writing (Section 126 (1) BGB) with one month’s notice to the end of a quarter within one month after receipt of the objection. Excluded from this right to amend are all changes that relate to essential contractual obligations of a party; this does not apply if the change is necessary to adapt the contract, the GTC, or further contractual conditions referring to them to mandatory legal changes.
16. Miscellaneous
16.1 The law of the Federal Republic of Germany applies, excluding the UN Convention on Contracts for the International Sale of Goods (CISG) and conflict-of-laws rules; Article 3 (3), (4) of Regulation (EC) 593/2008 remains unaffected.
16.2 Amendments or supplements to these GTC and the respective contracts must be in writing. This also applies to any amendment to the written form requirement.
16.3 The place of jurisdiction for all disputes arising from or in connection with the contractual relationship is Birdsview’s registered office if the Customer is a merchant, a legal entity under public law, or a special fund under public law. However, Birdsview is entitled to bring an action at the Customer’s registered office.
16.4 The rights and obligations of Birdsview and the Customer are determined first by what is contractually agreed, then by these GTC.
16.5 Should one or more of the foregoing provisions or of the contract be or become invalid, the validity of the remaining provisions shall not be affected. The application of Section 139 BGB is excluded.
Annex 1 — Data Processing Agreement (DPA)
§ 1 Commission and Specifications for Processing
1.1 This Data Processing Agreement (“DPA”) specifies, for all processing activities, the data protection rights and obligations of Birdsview (“Provider”) and the Customer (“Controller”) (together “the Parties”) arising from the contracts already existing or to be concluded between the Parties in the future (the “Main Contract”), under which personal data is processed by the Provider on behalf of the Controller.
1.2 This DPA applies with all its components when the Controller commissions the Provider to process personal data (“Data”) on behalf pursuant to Article 28 GDPR. This DPA forms the framework for a variety of different commissioned processing operations.
1.3 In the event of any conflicts, the provisions of this DPA with all its components take precedence over the provisions of the associated Main Contract.
1.4 The specific data protection provisions applicable to individual processing operations (“Specifications”) are set out in the Specifications Annex, insofar as these do not result from the respective Main Contract. These include, in particular, the subject matter and duration as well as the nature and purpose of processing, the categories of data, and the categories of data subjects.
1.5 The annexes form part of the DPA. In the event of any conflict, the annexes take precedence over the more general provisions of the DPA. References to the DPA in the following or in the annexes mean the DPA with all its components.
§ 2 Responsibility and Processing on Instructions, Protective Measures
2.1 The Customer (“Controller”) is solely responsible, within the scope of this DPA, for compliance with applicable legal provisions, in particular for the lawfulness of disclosure to the Provider and for the lawfulness of processing (“Controller” within the meaning of Art. 4(7) GDPR).
2.2 Birdsview (“Provider”) processes the Data exclusively in accordance with the Controller’s instructions, unless an exception under Art. 28(3)(a) GDPR applies (other statutory processing obligation). Oral instructions must be confirmed by the Controller without delay in text form. If the Controller acts as a processor for a third party, the Controller’s obligations from such processing for the third party shall, upon knowledge, be deemed direct instructions from the Controller to the Provider insofar as such obligations are stricter than those of this DPA. The Controller shall inform the Provider in writing of such third-party requirements.
2.3 The Provider shall rectify or erase the Data subject to the contract, or restrict its processing (“blocking”), if instructed by the Controller and within the scope of the instruction framework.
2.4 The Provider shall inform the Controller without delay if it is of the opinion that an instruction violates applicable data protection provisions or this DPA. The Provider may suspend implementation of the instruction until it is confirmed or amended by the Controller in text form. The Provider may refuse to execute instructions that are clearly in breach of data protection law.
2.5 The Parties shall each appoint one or more contacts in data protection matters in text form, including the designated data protection officers. If there are changes to the contacts, the Parties shall inform each other in text form.
2.6 The Provider ensures that persons authorized to process the Data (a) are aware of the Controller’s instructions and comply with them and (b) are bound to confidentiality or are subject to an appropriate statutory duty of secrecy. The duty of confidentiality and secrecy continues after processing has ended.
2.7 If the Controller acts as a processor for a third party, the Provider’s obligations under this DPA shall also apply directly in the relationship between the third party and the Provider. This applies to all services of the Provider rendered on behalf of the Controller towards the third party. In particular, the third party has the control and information rights under § 7 directly against the Provider.
2.8 The Provider is obliged to observe statutory data protection provisions and not to disclose information obtained from the Controller’s domain to third parties or to expose it to third-party access. Documents and data must be safeguarded against unauthorized access, taking into account the state of the art.
2.9 The Provider shall obligate all persons entrusted with processing and fulfilling this agreement (“employees”) in writing to confidentiality (confidentiality undertaking, Art. 28(3)(b) GDPR) and shall ensure compliance with this obligation with due care. Upon request, the Provider shall provide the Controller with written or electronic proof of such obligations.
2.10 The Processor shall design its internal organization such that it meets the special requirements of data protection. It undertakes to implement all appropriate technical and organizational measures to adequately protect the Controller’s data pursuant to Art. 32 GDPR, in particular those listed in Annex 2 to this DPA, and to maintain them for the duration of the processing.
2.11 The Provider reserves the right to change the technical and organizational measures, ensuring that the agreed level of protection is not undermined.
§ 3 Notification of Data Breaches and Processing Errors
3.1 The Provider shall notify the Controller without delay if it becomes aware, within its organization, of any personal data breach within the meaning of Art. 4(12) GDPR concerning the Data entrusted by the Controller, or if there is a concrete suspicion of such a data breach at the Provider.
3.2 If the Controller detects errors in processing, it shall inform the Provider without delay.
3.3 The Provider shall promptly take the measures necessary to remedy the data breach under § 3.1 or the errors under § 3.2 and to mitigate any possible adverse effects, in particular for the data subjects. The Provider shall coordinate with the Controller on this. Oral notifications under § 3.1 or § 3.2 shall be promptly followed up in text form.
§ 4 Data Transfers to a Recipient in a Third Country or an International Organization
Transfers of Data to a recipient in a third country outside the EU and EEA are permissible subject to compliance with the conditions set out in Articles 44 et seq. GDPR. Details may be set out in one or more annexes where necessary.
§ 5 Sub-processing by Further Processors
5.1 The Provider may perform the processing of personal data, in whole or in part, through further processors (“Sub-processors”).
5.2 The Provider shall inform the Controller in text form in good time in advance about the engagement of Sub-processors or changes in sub-processing. The Controller may object to the sub-processing in text form within four weeks of becoming aware thereof for good cause. Good cause exists in particular where there are justified grounds for doubt that the Sub-processor will perform the agreed service in accordance with applicable data protection law or this DPA. In the event of a justified objection, the Controller shall grant the Provider a reasonable period to replace the affected Sub-processor with another. If the Provider is unable to do so or this is unreasonable for the Controller, either party is entitled to extraordinarily terminate the Main Contract for good cause.
5.3 The Provider shall agree with the Sub-processor provisions identical in substance to those of this DPA.
5.4 Services which the Provider uses as purely ancillary services to support its business activities outside commissioned processing do not constitute sub-processing within the meaning of this provision. However, to ensure the protection of Data, the Provider is obliged to take appropriate precautions for such ancillary services as well.
§ 6 Data Subject Rights and Support of the Controller
If a data subject asserts claims under Chapter III of the GDPR against one of the Parties, that Party shall inform the other without delay. The Provider shall support the Controller, within its possibilities, in handling such requests and in complying with the obligations set out in Articles 33 to 36 GDPR.
§ 7 Control and Information Rights of the Controller
7.1 The Provider shall demonstrate compliance with its obligations to the Controller by appropriate means. The Controller shall review their adequacy.
7.2 For compliance with the agreed protective measures and their verified effectiveness, the Provider may refer to appropriate certifications or other suitable audit evidence. Appropriate certifications include, in particular, certifications under Art. 42 GDPR or evidence under Art. 40 GDPR. In addition, the following are possible: certification under ISO 27001 or ISO 27017, an ISO 27001 certification based on IT-Grundschutz, certification according to recognized and suitable industry standards, or an audit report in accordance with SOC / PS 951, each in the valid version. The certification and audit procedures must be carried out by a recognized independent third party. The Provider shall provide its certificates or audit evidence. Other suitable means (e.g., activity reports by the data protection officer or excerpts from auditors’ reports) may be provided to evidence compliance with the agreed protective measures. The Controller’s inspection right under § 7.3 remains unaffected.
7.3 The Controller is entitled, during normal business hours and without disrupting operations, and generally after prior notice with reasonable lead time, to conduct inspections at the Provider to verify compliance with data protection provisions. The Provider may make the inspection contingent upon signing a confidentiality agreement with respect to other customers’ data. The Provider is obliged to enable and contribute to the Controller’s audits and inspections.
7.4 The Parties shall agree on measures to remedy findings identified during an inspection.
7.5 If a supervisory authority exercises powers under Article 58 GDPR, the Parties shall inform each other thereof without delay. They shall support each other within their respective responsibilities in fulfilling obligations to the supervisory authority.
§ 8 Liability and Damages
8.1 If a data subject asserts claims for damages against one Party due to a violation of data protection provisions, the Party receiving the claim shall inform the other Party without delay.
8.2 The Controller and the Provider shall be liable to data subjects in accordance with Article 82 GDPR.
8.3 The Parties shall mutually support each other in defending against claims for damages by data subjects, unless this would jeopardize the legal position of one Party vis-à-vis the other Party, the supervisory authority, or third parties.
§ 9 Costs
Costs incurred by the Provider due to measures by the Controller at the Provider shall be borne by the Controller, insofar as these are not covered by the remuneration under the Main Contract. This applies in particular to necessary costs incurred by the Provider due to the Controller’s audits and inspections under § 7.
§ 10 Term
10.1 The DPA is concluded for an indefinite term.
10.2 The DPA ends upon termination of the associated Main Contract without requiring a separate termination of the DPA. In this case, the Provider shall, at the Controller’s choice, without delay either hand over the Data processed according to the Annex or delete it in compliance with data protection requirements and confirm this to the Controller in text form. If the Provider is subject to a statutory obligation to retain such data, it shall notify the Controller in text form.
§ 11 Final Provisions
Annex 1 — Data Processing Agreement (DPA)
§ 1 Subject Matter of the Commission
The subject matter of the commission is the optimization of customer retention through automated marketing measures with messages in text form (Section 126b BGB) by the Controller to its (end) customers (customer retention automation).
§ 2 Duration of the Commission
The duration of the commission results from the Main Contract.
§ 3 Purpose of Processing
Support with marketing measures and communication processes with the Controller’s customers.
§ 4 Categories of Personal Data
Master data (names and addresses), Email addresses, Gender, Age & Contract data (purchase behavior)
§ 5 Categories of Data Subjects
Customers, Prospective customers, Suppliers & service providers
§ 6 Approved Sub-processors
Amazon Web Services EMEA SARL (“AWS”)
Activity: Provision of cloud computing infrastructure, including hosting, data storage, data processing, and communications. In particular, the following services are used:
- Amazon SES (Simple Email Service): sending transactional and marketing email
- Amazon S3 (Simple Storage Service): storage and archiving of data
- Amazon EC2 (Elastic Compute Cloud): operation and scaling of server instances
- Amazon SNS (Simple Notification Service): sending notifications and messages to users or systems
- Amazon DynamoDB: storage and management of structured data in a scalable NoSQL database
Supabase Inc / Incorporating Services, Ltd., 3500 S. DuPont Highway, Dover, Kent 19901, Delaware (“Supabase”)
Activity: Provision of a backend-as-a-service platform for database management, authentication, and serverless functions. In particular, the following services are used:
- PostgreSQL database: storage and management of structured data
- Auth Service: user authentication and management
- Edge Functions: serverless functions for processing business logic
- Storage: storage and delivery of files
- Realtime: provision of real-time database updates
Annex 2 — Technical and Organizational Measures (TOMs)
Introduction
The Provider employs a combination of policies, procedures, guidelines, and technical and physical controls to protect the personal data it processes from accidental loss and unauthorized access, disclosure, or destruction.
Governance and Policies
The Provider:
- assigns staff responsibility for defining, reviewing, and implementing security policies and measures;
- regularly reviews its security measures and policies to ensure they remain suitable for the data to be protected;
- establishes and follows secure configurations for systems and software, ensuring that security measures are considered at project initiation and during the development of new IT systems.
Incident Response
The Provider maintains internal monitoring systems that can alert operations teams to service outages, in some cases even before thresholds are exceeded.
The Provider has a data breach response plan designed to respond to data breaches. The plan is regularly tested and updated.
Access Controls
The Provider restricts access to personal data by implementing appropriate access controls, including:
- Access to infrastructure and internal resources follows the principle of least privilege; privileges are granted only as needed for business tasks and are revoked when no longer needed.
- Access management is centralized with identity providers; where possible, internal services delegate both authentication and authorization to these providers to ensure timely off-boarding and permission revocation.
- Changes to the Provider’s infrastructure require approval by at least one other authorized person. Individuals are authorized based on the relevance of the system to their business tasks.
- User authentication for internal Provider resources is protected by a strict password policy and mandatory 2FA; SMS-based 2FA is prohibited. The Provider never knowingly stores plaintext passwords; where necessary, it stores hashed and salted results of authentication material, as appropriate to the use case.
- Provider devices used to access internal resources enforce strong security measures, including secure passwords, antivirus software, and full-disk encryption.
- Audit logs of user actions within the Provider’s infrastructure are maintained. The Provider logs all interactions with its internal services and all interactions with customer projects. Traffic flow logs are maintained, enabling retrospective analysis of all connections to the infrastructure where necessary.
- Only pre-approved and secure communication channels with Provider services are allowed through Provider firewalls.
- All communications—including transmission of credentials—take place via connections protected by TLS configured with a range of modern cipher suites.
Segmentation
Customer projects and internal Provider control-plane services are deployed in separate networks, with a firewall ensuring that only expected traffic between the two networks is permitted. In addition, metadata about traffic between the networks is stored. Logs and metrics used for observability and troubleshooting are automatically extracted and sent to systems separate from customer projects that contain the customer’s data.
Encryption
Data at rest is encrypted where appropriate, including all data backups. All disks are encrypted at rest using the industry-standard AES-256 algorithm. Regularly scheduled backups are likewise encrypted at rest with AES-256.
Encryption keys are generated per project and are themselves protected by keys stored with FIPS 140-2-compliant HSMs. All network communication is conducted over encrypted connections protected by modern security standards (TLS 1.2, modern cipher suites) to preserve the confidentiality and integrity of data.
Availability and Backup
The Provider creates daily backups of customer projects by default. Additional backups can be scheduled depending on customer requirements and service agreements.
All backups are encrypted in transit and at rest.
Backups are stored on a storage system independent of the customer’s project resources and target availability of 99.99%.
The Provider has staff and service providers distributed strategically around the world, enabling a follow-the-sun model for support and operations monitoring and accelerating the response to any service incidents.
Testing
The Provider uses appropriate and suitable security and compliance monitoring systems across its infrastructure to detect violations of its security policies. The Provider regularly conducts penetration tests of its systems by engaging reputable external security firms and remediates any identified deficiencies where necessary.