SaaS Agreement including Data Processing Agreement
Client: Goodie Tech OG
Date: 26.5.2025
Update: 26.5.2026
1. Preamble
1.1. Goodie Tech OG, Adamsgasse 18/Top 12, 1030 Vienna, Austria, Company Registration Number: 649273 p (hereinafter referred to as "PROVIDER") offers the software application GuestGoodie in the most current version at the time of contract conclusion (hereinafter "APPLICATION") to the CUSTOMER as a Software-as-a-Service variant. The APPLICATION serves the CUSTOMER as a digital booking platform for hotel guests.
1.2. This SaaS Agreement is exclusively directed at persons who intend to use the services for professional purposes, i.e., entrepreneurs within the meaning of § 1 Para 1 No 1 KSchG (hereinafter referred to as "CUSTOMER").
1.3. The General Terms and Conditions of the CUSTOMER are expressly not applicable.
1.4. For reasons of better readability, gender-specific differentiation is omitted. This is done without any intention of discrimination. All genders are equally addressed.
2. Clarification
2.1. Included Services
For clarification, it is noted that the LICENSE FEE includes the following services:
- Provision of the APPLICATION for the duration of the contract term
- Maintenance of the APPLICATION for the duration of the contract term through updates and upgrades
- Service provisions for the duration of the contract term
- Backups
2.2. Excluded Services
Expressly not included in the LICENSE FEE and therefore to be compensated separately are:
- Changes and customizing
- Upgrades
- Other extraordinary expenses
3. Scope of Application
3.1. For all business relationships between the PROVIDER and the CUSTOMER in connection with Software-as-a-Service services regarding the APPLICATION, this SaaS Agreement applies in its version valid at the time of business conclusion.
3.2. The contract, order, and business language is German.
4. Terms of Use
4.1. The CUSTOMER is obligated to provide truthful and complete information within the business relationship and to keep their data up to date at all times. They must treat their data (especially passwords and access data) confidentially. If the CUSTOMER suspects misuse by third parties (including employees attributable to them), they must immediately inform the PROVIDER.
4.2. The CUSTOMER must refrain from all actions that could endanger or impair the technical service provision of the PROVIDER (including cyber attacks).
4.3. The CUSTOMER is fully liable for the behavior of their employees and persons attributable to them regarding the unlawful use of the APPLICATION.
4.4. In case of unlawful use of the APPLICATION, the PROVIDER reserves the right to deny the CUSTOMER use of the APPLICATION.
4.5. It is the responsibility of the CUSTOMER to create the electronic infrastructure necessary for using the services. This also means that the CUSTOMER has the necessary software and hardware equipment to use the APPLICATION. The PROVIDER is not obligated to provide information or advice in this regard.
4.6. It is the sole responsibility of the CUSTOMER to ensure that the APPLICATION does not capture content containing illegal information. The PROVIDER assumes no liability for unlawful use of the APPLICATION.
4.6.1. It is the responsibility of the CUSTOMER that only photos are uploaded to the APPLICATION when the necessary rights have been obtained or exist.
4.7. It is the sole responsibility of the CUSTOMER to verify the results produced and processed by and through the APPLICATION for accuracy and plausibility. The PROVIDER assumes no liability for the accuracy of data created by the APPLICATION.
5. Fees and Payment Terms
5.1. The prices quoted by the PROVIDER are in EUR. In case of doubt, VAT is not yet included (and therefore to be added).
5.2. The LICENSE FEE to be paid results from the package selected by the CUSTOMER on the PROVIDER's website.
5.3. Payments are due upon invoicing. If the claim is not paid within 30 days, the PROVIDER will charge statutory default interest of 9.2% per year above the current base rate of the European Central Bank from the due date.
5.4. In case of default, the CUSTOMER undertakes to reimburse the PROVIDER for reminder and collection costs incurred, insofar as they are necessary for appropriate legal prosecution. Costs of EUR 40.00 can be claimed per reminder letter. The Provider reserves the right to claim damages beyond this amount.
5.5. In case of payment delay of more than 45 days, the PROVIDER is entitled to withhold its services.
5.6. Payment of the flat-rate LICENSE FEE is made in advance for one year or one month, depending on the CUSTOMER's selection.
5.7. The PROVIDER reserves the right to adjust the agreed fees once a year to inflation. The monthly consumer price index published by Statistics Austria (base CPI 2020) serves as a reference value. The fees increase according to the average change in the index numbers published in the last 12 months. Additionally, the PROVIDER reserves the right to adjust fees when introducing major new versions or upgrades of the APPLICATION to account for the expanded functionality and increased development efforts.
6. Use of the APPLICATION
6.1. The CUSTOMER may only use the APPLICATION offered by the PROVIDER for its intended purposes.
6.2. Upon complete payment of all LICENSE FEES, the PROVIDER grants the CUSTOMER a non-exclusive license (in the sense of § 24 Para 1 first sentence UrhG "work usage permit") to use the APPLICATION, which is temporally limited to the duration of the contractual relationship and spatially and substantively limited to the purposes of the business relationship. Otherwise, all (work) usage rights in all types of exploitation remain with the PROVIDER.
6.2.1. License Calculation
The LICENSE FEE is to be paid per location/hotel operation and is based on the number of rooms used for guests. A location is defined as follows: A fixed physical place where the CUSTOMER regularly or permanently conducts economic activities and accommodates guests.
6.3. Sub-licensing or further licensing is only permitted with the express consent of the PROVIDER.
6.4. The right to decompile and reverse engineer the APPLICATION is excluded, unless this is mandatorily provided. The CUSTOMER is not entitled to modify the APPLICATION without the consent of the PROVIDER.
6.5. Markings of the APPLICATION, particularly copyright notices, trademarks, serial numbers, or similar may not be removed, changed, or made unrecognizable.
6.7. The source code of the APPLICATION is expressly not owed.
6.8. A user manual is not owed.
7. Backups and Data Storage
7.1. The PROVIDER creates backup copies of the data generated and/or stored in the APPLICATION at regular intervals during its use. The backup copies are not stored for longer than seven days.
7.2. Notwithstanding Section 7.1, the CUSTOMER is responsible for securing and performing backups themselves.
7.3. It is noted that data captured with the APPLICATION may be deleted one year after the end of the contractual relationship. It is therefore exclusively up to the CUSTOMER to secure and, if necessary, extract the data in time.
8. Service Levels
8.1. The PROVIDER endeavors to respond to inquiries on working days (Republic of Austria; Federal State of Vienna) within 48 hours. Times outside working hours are excluded from the running of the stated period.
8.2. The PROVIDER endeavors to process inquiries on working days at the following times: Monday to Thursday: 09:00 to 17:00; Friday: 09:00 to 12:00. Processing outside working hours is not owed.
8.3. Inquiries should generally be submitted via the designated ticket system or via email.
8.4. The PROVIDER strives for an availability of the APPLICATION of 99.5% per year. Announced maintenance work and failures due to force majeure are not deducted when calculating availability.
9. Cooperation Obligations
9.1. The CUSTOMER is obligated to continuously support the PROVIDER in providing the APPLICATION to a reasonable extent and, if necessary, to enable (remote) access to the APPLICATION. In particular, the CUSTOMER must provide the PROVIDER with the necessary information, data, and descriptions and communicate their wishes and ideas for service provision in a timely and clear manner.
9.2. In case of necessary (security) updates to the APPLICATION, the CUSTOMER is obligated to tolerate their installation by the PROVIDER.
10. Changes, Customizing
10.1. The CUSTOMER has the right to propose changes to the APPLICATION (Change Request or Customizing), whereby the PROVIDER is not obligated to implement these change proposals.
10.2. The desired changes must be described as precisely as possible by the CUSTOMER in the form of a requirements specification and, if necessary, compensated separately.
10.3. The work usage right (in the sense of § 24 Para 1 second sentence UrhG) to implemented customer requests remains with the PROVIDER.
11. Updates and Upgrades
11.1. Updates, i.e., maintenance of the APPLICATION, are covered by the ongoing LICENSE FEE. These include, for example, regular bug fixes or improvements.
11.2. Upgrades, i.e., improvements to the APPLICATION, are not covered by the ongoing LICENSE FEE and therefore must be compensated separately. An upgrade means, for example, adding a new feature.
12. Warranty, Liability Exclusion and Indemnification
12.1. The quality of the APPLICATION to be provided by the PROVIDER is determined by the service description existing at the time of contract conclusion.
12.2. The PROVIDER is entitled to remedy any defects through economically and technically reasonable workarounds.
12.3. The liability of the PROVIDER for damages caused by slight negligence is completely excluded.
12.4. The liability of the PROVIDER is, in cases of gross negligence, limited to twice the amount of the (net) LICENSE FEE paid or to be paid by the CUSTOMER in the last year of the contractual relationship. In the first year, twice the contractually payable LICENSE FEE (net) is decisive.
12.5. Damage claims of the CUSTOMER expire one year after their occurrence.
12.6. The PROVIDER is not liable for lost profits.
12.7. The PROVIDER strives for trouble-free operation of the APPLICATION. This is naturally limited to services over which the PROVIDER has influence. The PROVIDER reserves the right to temporarily restrict access to the APPLICATION due to maintenance work, capacity concerns, and due to other events beyond its control. The PROVIDER is also entitled to discontinue or change individual functions.
12.8. The PROVIDER is not liable for content published by the CUSTOMER in the APPLICATION. The CUSTOMER indemnifies the PROVIDER in case of claims due to alleged or actual legal violations and/or violations of third-party rights from all third-party claims arising from actions attributable to the CUSTOMER in connection with the use of the APPLICATION.
12.9. The PROVIDER assumes no liability and provides no warranty that the APPLICATION runs error-free. The PROVIDER proceeds according to the current state of technology but does not guarantee absolute security of the APPLICATION.
12.10. During the free trial period, all warranty claims are excluded.
13. Data Protection and Preservation of Business and Trade Secrets
13.1. The transfer of data and information to the respectively required business partners is permitted insofar as this is necessary for the fulfillment of the contractual relationship, legitimate interests, and legal obligations (Art 6 Para 1 lit b, c, e and lit f GDPR). Otherwise, the PROVIDER is obligated to maintain confidentiality about the circumstances, data, or business and trade secrets of the other party that become known from the present business relationship and, in particular, to maintain data secrecy. These obligations to data and business secrecy also apply beyond the contractual relationship.
13.2. The source code of the APPLICATION is to be qualified as a trade secret within the meaning of § 26b UWG and as such is subject to appropriate confidentiality measures. The CUSTOMER is not entitled to pass on calculation methods, programs, expressions of the software, offers, rankings, prices, service descriptions, requirements specifications (hereinafter "WORK RESULTS") and similar, in whole or in part, for payment or free of charge, without written consent of the PROVIDER. The created WORK RESULTS are exclusively in the intellectual property of the PROVIDER (or a third party) and constitute trade secrets.
13.3. The PROVIDER points out that personal data of the CUSTOMER may be processed for advertising purposes based on legitimate interests (Art 6 Para 1 lit f GDPR). The CUSTOMER can object to this form of data processing at any time (Art 21 Para 2 GDPR).
13.4. Since the PROVIDER processes personal data on behalf of the CUSTOMER, the parties conclude the Data Processing Agreement according to Art 28 GDPR shown in Annex I.
14. Use of Open Source Components
14.1. The APPLICATION contains proprietary software components and open-source software components (hereinafter "OSS Components"). With regard to the OSS Components, the respective license conditions of the OSS licensor apply. The PROVIDER is not a contracting party of the CUSTOMER with regard to the OSS Components and cannot be held liable for them. This SaaS Agreement therefore refers exclusively to the proprietary software components. "Proprietary software" means those elements developed by the PROVIDER or third-party manufacturer whose source code is to be qualified as confidential.
14.2. The OSS Components may only be used under the respective OSS license conditions. The list of OSS Components (software bill of materials) will be made available to the CUSTOMER upon request. Note: The contracting party of the CUSTOMER with regard to the OSS Components used is not the PROVIDER, but the respective open-source licensor.
15. Audit Clause
15.1. The PROVIDER has the possibility to verify compliance with the license-compliant and lawful use of the APPLICATION. Regardless of this, the PROVIDER can request proof from the CUSTOMER that the APPLICATION is being used in compliance with the license and law. Requests in connection with the license-compliant and lawful use of the APPLICATION must be answered truthfully.
15.2. The PROVIDER is entitled to verify compliance with the license-compliant and lawful use of the APPLICATION by the CUSTOMER at any time after at least 14 days' notice on-site or remotely (license audit). The PROVIDER may use an auditor or lawyer bound to confidentiality. The PROVIDER will protect business and trade secrets as well as data protection interests of the CUSTOMER as best as possible. The audit will be conducted during the CUSTOMER's regular business hours while protecting operational activities. The costs arising in this connection shall be borne by each party itself. The CUSTOMER is obligated to provide the PROVIDER with the information necessary for the audit and to cooperate with the PROVIDER during the license audit. Otherwise, the PROVIDER is entitled to withhold its services. This occurs without prejudice to any further legal claims.
16. Reference Clause
16.1. The PROVIDER is entitled to refer to the fact of the business relationship with the CUSTOMER by means of a reference on its website or in other marketing/business documents. It is entitled to use the logo/brand of the CUSTOMER in this context. This right also exists beyond this contractual relationship.
17. Subcontractors
17.1. The PROVIDER is entitled to use subcontractors (vicarious agents) for the fulfillment of its services. The mentioned liability limitations also apply to them.
18. Contract Duration and Termination Rights
18.1. The contractual relationship is concluded for an indefinite period.
18.1.1. Annual termination variant: It can be terminated by both parties with a notice period of three months to the last day of each contract year.
18.1.2. Monthly termination variant: It can be terminated by both parties with a notice period of seven days to the last day of each month.
18.2. The contract year and contractual relationship begin, in case of doubt, at the time when the CUSTOMER signs this contract. For illustration, an example: The CUSTOMER signs the contract on June 12, 2025. The contract year ends in this case on June 12, 2026.
18.3. Termination must be made in writing, whereby an email is sufficient.
18.4. The right to extraordinary termination remains reserved for the parties.
19. Jurisdiction and Applicable Law
19.1. Austrian law shall apply to this contractual relationship and is agreed upon. The application of the UN Sales Law is excluded.
19.2. Exclusive jurisdiction is the competent court in Vienna (3rd District), Austria.
19.3. Place of performance is the headquarters of the PROVIDER.
20. Changes to the SaaS Agreement
20.1. The PROVIDER is entitled to change this SaaS Agreement at any time. The PROVIDER will inform the CUSTOMER about such changes by sending the changed conditions to the last known email address. The CUSTOMER has the right to object to changes. If no objection from the CUSTOMER is made within 14 days of dispatch, this shall be deemed as implied consent to the change in conditions. Factually unjustified changes to the conditions cannot be implemented in this way.
21. Miscellaneous
21.1. Invalid provisions do not affect the validity of the remaining provisions. In place of invalid provisions, appropriate substitute provisions apply which, in light of the purpose of the contract, come closest to what the contracting parties would have wanted had they known of the invalidity. The same applies to contractual gaps.
21.2. The CUSTOMER undertakes not to export, re-export, or pass on the delivered APPLICATION either directly or indirectly to countries or to persons, companies, or organizations if this would violate applicable export control regulations. Before any export, re-export, or transfer, the CUSTOMER must independently verify whether approval is required and, if necessary, obtain it from the competent authorities. The PROVIDER assumes no liability for violations of export regulations by the CUSTOMER.
21.3. The agreement made hereby supersedes any previously concluded oral or written contracts.
21.4. The attached annex forms an integral part of this contract and is deemed effectively agreed upon acceptance of the SaaS Agreement.
Annex I: Data Processing Agreement according to Art 28 GDPR
1. Introductory Provisions
1.1. Contracting Parties
This agreement is concluded between CUSTOMER hereinafter referred to as "Controller" on the one hand and the PROVIDER hereinafter referred to as "Processor" on the other hand.
1.2. Definitions
PROCESSOR means a processor within the meaning of Art 4 No 8 General Data Protection Regulation.
DATA means personal data within the meaning of Art 4 No 1 of the General Data Protection Regulation.
GDPR means the General Data Protection Regulation in its currently valid version.
CONTROLLER means a controller within the meaning of Art 4 No 7 General Data Protection Regulation.
The CONTRACTING PARTIES comprise the processor and the controller.
SUB-PROCESSOR means another processor whose services the PROCESSOR uses to carry out certain processing activities.
1.3. Gender Neutrality
For the purpose of better readability, gender-specific differentiation is omitted. This is done without any discriminatory intent. All genders are equally addressed.
2. Main Part
2.1. Subject, Duration, Nature and Purpose of Processing (Art 28 Para 3 GDPR)
This agreement is concluded for an indefinite period. It ends as soon as the Software-as-a-Service agreement between the parties ends. The subject and nature of this DPA can be described as follows: Provision of the GuestGoodie software and provision of services in this context.
2.2. Types of Personal Data and Categories of Data Subjects (Art 28 Para 3 GDPR)
In the course of the present commissioned processing, the following types of DATA are processed:
- Guest name
- Check-in date
- Check-out date
- (if applicable) Guest email
- Room number
- Guest orders
- Availability to obtain services
- Name of Controller's employees and providers
- Email of employees and providers
- (voluntary) Photo of employee and provider
- Order processing time
- Employee log-ins
The DATA of the following data subjects are processed:
- Employees of the Controller
- Customers of the Controller
- Providers of services and goods
2.3. Processing Only on Documented Instructions (Art 28 Para 3 lit a GDPR)
The PROCESSOR will only process DATA on documented instructions from the CONTROLLER within the framework of the agreement made - also with regard to the transfer of DATA to a third country or an international organization - unless required to do so by Union law or Member State law to which the PROCESSOR is subject; in such a case, the PROCESSOR shall inform the CONTROLLER of these legal requirements before processing, unless the relevant law prohibits such notification for an important public interest.
2.4. Obligation to Confidentiality (Art 28 Para 3 lit b GDPR)
The PROCESSOR ensures that persons authorized to process the DATA have committed themselves to confidentiality or are subject to appropriate statutory secrecy. This obligation also applies beyond the contractual relationship.
2.5. Obligation to Implement Required Measures (Art 28 Para 3 lit c GDPR)
The PROCESSOR ensures that all measures required under Article 32 GDPR are taken.
The PROCESSOR has provided the CONTROLLER with a list of specifically implemented or ongoing technical and organizational measures (hereinafter "TOMs") prior to the conclusion of this Data Processing Agreement. This list of TOMs is attached to this agreement as Annex Ib and must be regularly re-evaluated and adjusted if necessary by the PROCESSOR.
2.6. Support Obligations (Art 28 Para 3 lit e GDPR)
The PROCESSOR will assist the CONTROLLER by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the CONTROLLER's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III GDPR. The PROCESSOR provides information to third parties or data subjects exclusively upon instruction of the CONTROLLER.
2.7. Information Obligations (Art 28 Para 3 lit f GDPR)
The PROCESSOR will assist the CONTROLLER in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to the PROCESSOR.
2.8. Return or Deletion of Data (Art 28 Para 3 lit g GDPR)
The PROCESSOR will, after the end of the provision of processing services, delete or return all DATA at the choice of the CONTROLLER, unless there is an obligation to store the DATA under Union or Member State law.
2.9. Possibility of Verification (Art 28 Para 3 lit h GDPR)
The PROCESSOR will make available to the CONTROLLER all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the CONTROLLER or another auditor mandated by the CONTROLLER.
2.10. Duty to Inform in Case of Data Protection Violation (Art 28 Para 3 lit h GDPR)
The PROCESSOR will immediately inform the CONTROLLER if, in its opinion, an instruction violates the GDPR or other data protection provisions of the Union or Member States.
2.11. Engagement of Sub-processors (Art 28 Para 4 GDPR)
Where the PROCESSOR engages another processor (hereinafter: SUB-PROCESSOR) for carrying out specific processing activities on behalf of the CONTROLLER, the same data protection obligations as set out in the contract or other legal instrument between the CONTROLLER and the PROCESSOR shall be imposed on that SUB-PROCESSOR by way of a contract or other legal instrument under Union or Member State law. In particular, sufficient guarantees must be provided to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where that SUB-PROCESSOR fails to fulfill its data protection obligations, the PROCESSOR shall remain fully liable to the CONTROLLER for the performance of that SUB-PROCESSOR's obligations.
Currently, the PROCESSOR uses the following SUB-PROCESSORS:
- See Annex Ia
The CONTROLLER agrees to the engagement of the mentioned SUB-PROCESSORS. The CONTROLLER grants general authorization for the PROCESSOR to engage other SUB-PROCESSORS. However, the PROCESSOR must always inform the CONTROLLER of any intended changes concerning the addition or replacement of other SUB-PROCESSORS. The CONTROLLER has the right to object to such changes within 14 days (Art 28 Para 2 GDPR), otherwise consent is assumed. The PROCESSOR undertakes that the conditions mentioned in Art 28 Para 2 and 4 GDPR for the use of the services of another SUB-PROCESSOR are complied with (Art 28 Para 3 lit d GDPR).
3. Final Provisions
3.1. Partial Invalidity/Severability Clause
Invalid provisions of individual contractual components of this DPA do not affect the validity of the remaining provisions. In place of the invalid provisions, appropriate substitute provisions apply which, in light of the purpose of the contract, come closest to what the CONTRACTING PARTIES would have wanted had they known of the invalidity. The same applies to contractual gaps. In case of doubt, the rules of Art 28 GDPR apply.
3.2. Costs of Cooperation
The PROCESSOR is entitled to separate cost reimbursement for the cooperation of legally and contractually required cooperation services (particularly in the course of an audit or the exercise of data subject rights). However, no cost reimbursement claim exists if the effort in this context is very low (effort of less than one hour per month).
4. Annex
The listed annexes form an integral part of the DPA and are deemed effectively agreed:
- Annex Ia: Sub-processors
- Annex Ib: TOMs
Annex Ia - Sub-processors
| Sub-processor | Purpose of Data Processing | Location of Sub-processor | Data Transfer to Third Country |
|---|---|---|---|
| Amazon Web Services | Application Hosting | USA | EU-US Data Privacy Framework (only regarding Non-HR Data) |
| HubSpot, Inc | CRM | USA | EU-US Data Privacy Framework (only regarding Non-HR Data) |
Annex Ib – TOMs
Technical Measures:
1. Encryption:
- Data Transmission: Secure protocols such as HTTPS to encrypt the transmission of personal data over networks.
- Data Storage: Encrypted storage of personal data, whether in databases, files, or other storage media.
2. Access Control:
- Authentication: Mechanisms such as passwords to ensure that only authorized users can access data.
- Authorization: Clear access rights for employees based on their roles and tasks, and implementation of appropriate authorization mechanisms.
3. Pseudonymization:
- Separation of personal data from identification features and replacement with pseudonymous identifiers to prevent direct connection to individual persons without unnecessarily affecting the data.
4. Data Minimization:
- Collection and storage of only those data that are necessary for the specific purpose, and reduction of the amount of personal data collected to a minimum.
- Implementation of mechanisms for automatic anonymization or deletion of data once they are no longer needed.
5. Data Backup and Recovery:
- Regular data backups and storage of backups in secure locations to enable quick recovery in case of data loss or data protection breach.
6. Privacy by Design:
- Integration of data protection principles already in the development of systems, products, and services to ensure GDPR compliance from the outset.
7. Multi-Tenancy Isolation:
- Strict data encapsulation between customers to prevent access to third-party data.
8. Infrastructure Security:
- Regular updates of all base images in the container environment to always be at the latest security level.
- Regular rotation of database credentials.
9. DDoS Protection and Traffic Management:
- Automatic DDoS protection at network and transport level against IP flooding, ICMP floods, SYN floods, and UDP floods.
- Monitoring and alerting for unusual traffic patterns.
10. Logging and Monitoring:
- Central logging of all access to the application.
Organizational Measures:
1. Data Protection Policies and Procedures:
- Creation of clear data protection policies and procedures to ensure GDPR compliance and clearly define employee responsibilities.
- Ensuring that data protection policies are regularly reviewed, updated, and understood and followed by all employees.
2. Training and Awareness:
- Regular training and training materials for employees to raise their awareness of data protection regulations and keep them informed about best data protection practices.
3. Data Secrecy:
- Employees are obligated to maintain data secrecy.
4. Data Processing Agreements:
- Conclusion of written agreements with processors that regulate the processing of personal data according to GDPR requirements and ensure that processors implement appropriate security measures.
5. Incident Response Plan:
- Development of a clear plan for responding to data protection breaches, which includes procedures for reporting incidents, investigating data protection breaches, and notifying affected parties.
6. Need-to-Know Principle:
- The need-to-know principle is stringently implemented and technically supported by appropriate authorization concepts.
Status: 26.05.2025
Goodie Tech OG
Adamsgasse 18/Top 12
1030 Vienna, Austria