General terms and conditions of business and use for cidaas 

Version 2.2 / Status 08.05.2024

The application cidaas (hereinafter referred to as “cidaas”) provided as Software as a Service is provided by Widas ID GmbH, Maybachstraße 2, D-71299 Wimsheim (hereinafter referred to as “Widas”), in accordance with the contract concluded herewith.

1. General Provisions

1.1. These General Terms and Conditions of Business and Use (hereinafter referred to as “GTC”) apply to the provision of cidaas in the respective current version with the functional scope described in the offer or on the website of Widas to companies (§ 14 BGB), corporations or institutions under public law or special funds under public law (hereinafter referred to as “Customers”) with their registered office within the EU/EEA.

1.2. This GTC apply exclusively. With the conclusion of the contract for the services (hereinafter referred to as “contract”), the customer recognises these GTC in the version valid at the time the contract is concluded, if the inclusion of these GTC has been agreed upon in the contract. This GTC shall be provided to the customer free of charge in text form (§ 126b BGB) upon request at any time. Deviating, conflicting, or supplementary terms and conditions of the customer do not become part of the contract even if cidaas has concluded the contract in the knowledge of such terms and conditions. The validity of such terms and conditions is expressly rejected. The precedence of individual agreements between cidaas and the customer (hereinafter individually or jointly “party” or “parties”) over these GTC remains unaffected.  

1.3. The sole contractual language is German. If translations of the contract or other contract-related documents are made into languages other than German, only the German version shall be authoritative. Service language is also German. 

2. Conclusion of contract, registration

2.1. Registration of a user account (“Account”) is required to use cidaas. Access to the ordered services in the web portal is also controlled via this account. The registration leads to the conclusion of a contract with regard to the version or subscription of cidaas selected by the customer. 

2.2. All offers are subject to change without notice and are non-binding, unless a binding assurance is expressly given in writing. They merely represent a request for the customer to submit an offer. An order is only binding if Widas confirms it or fulfils it by providing the service. 

2.3. The contract is concluded either as an individual contract through the customer’s order (=application) and execution or confirmation of the order by Widas (=acceptance) or through the conclusion of a framework contract and at least one individual contract.  

2.4. The content of the contract results from any framework contract, the respective individual contract and these GTC.

2.5. A contract is concluded exclusively between the parties. There is no contractual relationship between Widas and the users admitted by the customer for cidaas or third parties. 

3. Subject of the contract  

3.1. The subject matter of the contract shall depend on the stipulations made therein and may in particular consist of: 

  • cidaas a paid Software as a Service in the respective current version with the agreed functionalities and the agreed scope of use,  
  • “cidaas Free” as a free Software as a Service, and/or 
  • other services related to the aforementioned services, such as initial support with implementation or professional services.  

3.2. Widas is only obliged to provide the services specified in the agreement. The service description can be part of the offer prepared by Widas or can be included in an individual contract. Widas does not owe a quality of the services that goes beyond the service description. The interoperability of the services to be provided by Widas under the contract with IT systems or other hardware, software or services used by the Customer is not an owed quality of the services, insofar as cidaas is not expressly stated in text form to be compatible with this. 

3.3. Where reference is made in the Contract to an Annex, this shall mean the version of the relevant Annex valid at the time of commissioning of the Services. Widas will make amended Annexes available for retrieval free of charge via the Internet at and inform the Customer thereof without delay in text form (§ 126b BGB). Before commissioning new services, the customer is obliged to inform himself about the versions of the annexes valid at that time. The services already commissioned before notification of changes remain unaffected by changes to the systems.  

4. The nature and scope of Widas’s chargeable services

4.1. From the agreed time of provision, Widas makes cidaas available to the customer to the extent agreed in the contract for use in a cloud infrastructure operated by Widas, including the necessary access. In all other respects, the scope of the services shall be as set out in the contract.

4.2. Widas guarantees availability within its own sphere of influence subject to the proviso that minor periods of unavailability or impairment for the purpose of maintenance of cidaas cannot be excluded. Widas will, as far as possible and reasonable, carry out such maintenance measures outside normal business hours. If, due to such maintenance work, there is a foreseeable threat of unavailability lasting more than one hour, Widas will announce this in advance on the website or by e-mail. Widas has no influence on the availability, stability and functionality of the Internet as a whole or the infrastructure required to connect to cidaas at Widas or third parties (access provider, backbones, DNS server or similar) and is therefore not liable for such circumstances.

5. The nature and scope of the free services provided by Widas  

In derogation of Clause 4, the following: 

5.1.  “cidaas Free” is limited in functionality and scope compared to the paid version of cidaas. The customer has no claim to specific functionalities and usage options. “cidaas Free” is provided “as is”. The possibilities of use and functionalities can be adapted by Widas at any time without notice as well as completely or partially discontinued. 

5.2. No specific availability is promised for “cidaas Free”.

6. Subcontractors of Widas

6.1. Widas is entitled to provide its services in whole or in part through subcontractors. In doing so, Widas will structure the contract with the subcontractor in such a way that it corresponds to the obligations of Widas towards the customer with regard to the services to be provided by the subcontractor in each case. 

6.2. Widas is responsible for the fault of its subcontractors to the same extent as for its own fault. Services provided by a subcontractor are services provided by Widas in relation to the customer.

6.3. Widas will inform the customer in text form (§ 126b BGB) about the commissioning of subcontractors at his request by naming the subcontractor and the services to be provided by him. The stipulations for subcontractors made in the commissioned processing agreement in accordance with Art. 28 Para. 3 GDPR remain unaffected by this clause 6. 

7. Customer’s rights of use to cidaas 

7.1. Upon provision, the customer receives the non-exclusive, non-transferable, and revocable right, limited to the term of the contract, to use cidaas taking into account any quantitative metrics provided for in the contract, such as number of users, volume, etc., i.e., also to temporarily store and load, display and run cidaas, as far as this is necessary for the intended use of cidaas. This also applies insofar as duplications of cidaas become necessary for this purpose.  

7.2. The right of use exists worldwide except for those countries in which Widas does not generally offer cidaas in whole or in part due to state legal acts (for example export restrictions) and access to which is not possible as intended. As intended, access is not possible if access is blocked for all customers in the country concerned due to government legislation in the event of correct geolocation. Upon request, Widas will inform the customer of the countries in which cidaas is not available in whole or in part due to the aforementioned regulation. 

7.3. The use of cidaas is permitted for all business purposes of the customer, as long as they do not contradict the intended use. The use of cidaas for purposes other than those specified in the contract is prohibited. This applies in particular to the processing or economic use of cidaas by passing it on to third parties free of charge or in return for payment, permanently or for a limited period of time; unless otherwise stipulated in the contract, third parties also include companies affiliated with the customer within the meaning of §§ 15 ff. AktG (German Stock Corporation Act). The customer will not use cidaas to directly or indirectly develop or improve a comparable service or product itself or through third parties. 

7.4. Subject to any legal restrictions (e.g., copyright), the provisions of Sections 7.1 to 7.3 also apply to all individual components and parts of cidaas, unless the part in itself does not enjoy copyright or other legal protection (e.g., as an ancillary copyright). 

7.5. Widas reserves the right to block access to cidaas in whole or in part if the customer has acted contrary to clauses 7.1 to 7.3 or otherwise against contractual obligations or has enabled third parties to use or exploit cidaas or parts thereof without authorisation. When making a decision about such a blocking, Widas will take into account the legitimate interests of the customer and, if possible, inform the customer before the blocking and give the customer the opportunity to remedy the situation. The block shall be lifted as soon as the breach of duty has been remedied.  

7.6. There is no entitlement to the publication of the cidaas source code. The decompilation of cidaas is prohibited. Mandatory rights of the customer according to §§ 69d, 69e UrhG remain unaffected. 

7.7. All trademark rights, rights to business designations, rights to names, trademark rights, copyrights, ancillary copyrights, and other rights to cidaas itself, the individual graphic and textual elements and the functionalities and services are the sole property of Widas and may not be used, disseminated, copied, reproduced, made publicly accessible, performed, broadcast or otherwise exploited outside of the authorisation by the contract without the prior consent of Widas in text form. 

8. Obligations, cooperation, and provisions of the customer  

8.1. The registration of the customer is carried out by entering the information required for the execution of the contract and, if applicable, optional information by the customer or the users authorised by the customer. The information provided must be complete and truthful and must be updated immediately in the event of subsequent changes. Widas is entitled to block or delete accounts in accordance with clause 10 if data which is essential for the provision and execution of the services should prove to be untrue or incomplete.   

8.2. In order to use cidaas, the customer may be required to use the Web API of cidaas, in addition to a suitable Internet connection and a standard browser. The customer is solely responsible for use. The customer is responsible for the actions of any users he has authorized as for his own actions. The customer ensures that the users make use of cidaas exclusively in the contractually agreed scope.    

8.3. When using cidaas, the customer must observe the applicable law and protect the rights of third parties. The customer himself is responsible for the compliance with the legal regulations because of the contents posted or transmitted by the customer or his users via cidaas as well as the services provided.

8.4. The customer is obliged to prevent unauthorised access of third parties to cidaas by suitable precautions as well as to check his data and information for viruses or other harmful components before entering them and to use state-of-the-art programs for protection against malicious software for this purpose.  

8.5. The customer and its users are obliged to keep the “User ID” secret and not to make it accessible to third parties. The customer shall choose a secure password in accordance with the state of the art, keep this secret from third parties, protect it from misuse and change it if necessary. In the event of misuse or suspicion thereof, the customer must inform Widas immediately in text form. In the event of misuse, the customer is exclusively liable; this does not apply if Widas is solely or predominantly responsible for the misuse.  

8.6. The customer is obligated to notify Widas immediately of recognizable defects. 

8.7. The customer must take appropriate precautions against the loss of its content, including the information processed using cidaas. If the creation of backups by Widas is not part of the agreed services, this also includes the creation of regular backups of the contents placed in cidaas by the customer, corresponding to the importance of the customer’s contents. 

8.8. With cidaas, Widas only provides the technical and organizational platform for the content posted by the customer, its users or third parties, including the information processed using cidaas. These contents are foreign to Widas. Third-party content is only stored by Widas and, if necessary, processed automatically in connection with the use of cidaas. Widas has no knowledge of this third-party content. A selection of this third-party content or any other control by Widas does not take place. Nor does Widas supervise the customers and users of cidaas or give them instructions. Widas does not adopt such third-party content as its own by providing cidaas. 

9. Rights of the customer in case of defects 

Widas must provide the customer with the agreed service in accordance with the contract during the term of the contract. For the period in which the usability of the performance is reduced due to a defect or poor performance, the customer shall only pay an appropriately reduced remuneration for the performance, insofar as no other compensation (such as non-performance credits) has been agreed for this poor performance. Other legal claims of the customer due to defects or poor performance remain unaffected. Strict liability for defects already existing at the time of provision of cidaas is excluded. 

10. Blocking or deletion of access by Widas

10.1. Widas is entitled to temporarily block access by the customer or his users in whole or in part if there is reasonable suspicion that the processed content including the information processed by means of cidaas is illegal or infringes the rights of third parties. Reasonable suspicion of illegality or infringement exists in particular if courts, authorities or other third parties inform Widas thereof. When deciding on such a blocking, Widas will take into account the legitimate interests of the customer and, if possible, inform the customer of this before the blocking and give the customer the opportunity to remedy the situation. The block shall be lifted as soon as the breach of duty has been remedied.  

10.2. Widas may delete the affected access if the customer or his users do not immediately remedy the breach of duty or do not cooperate in clarifying the facts despite being requested to do so. In the previously required request for a statement, Widas will point out to the customer that deletion of the affected access is imminent if the customer does not cooperate in clarifying the facts or does not immediately eliminate the breach of duty or rights.  

10.3. Notwithstanding the entitlement to block or delete access, Widas remains entitled to terminate the contract with the customer as a whole or to assert further claims, in particular claims for damages. 

11. Liability

11.1. Subject to the following provisions, the liability of Widas and its legal representatives, vicarious agents or subcontractors is governed by the statutory provisions. 

11.1.1. In the case of services provided free of charge, Widas’ liability for simple negligence is excluded. Otherwise, the liability of Widas in the case of simple negligence in the breach of essential contractual obligations is limited to the foreseeable damage to the customer that is typical for the contract. Apart from the breach of essential contractual obligations by Widas, liability towards the customer for compensation for indirect damage, in particular lost profit, is completely excluded in the case of simple negligence. The parties agree that the sum of the contract-typical and foreseeable damage to the customer does not regularly exceed the amount of the remuneration for the past 12 calendar months, but at least EUR 250,000.00, and treat this as a liability upper limit by mutual agreement. The customer shall inform Widas prior to the conclusion of the agreement if he deems this upper liability limit to be unsuitable.  

11.1.2. Widas is not liable for the loss of data insofar as the damage is due to the fact that the customer failed to carry out data backups and thereby ensure that lost data can be restored with reasonable effort.  

11.2. The limitations of liability do not apply to claims based on intent and gross negligence, injury to life, limb or health, fraudulent intent, claims under the Product Liability Act and promises of guarantee. Warranties are only assumed by Widas where they are expressly designated as “warranty” or “guarantee” by Widas itself. All other formulations, such as “assure” or “ensure”, do not constitute guarantees, but merely describe Widas’ general obligation to perform. 

12. Compensation, Terms of Payment 

12.1. The remuneration for the agreed services results from the contract, otherwise according to the Widas price list applicable at the time the service is provided, insofar as no stipulation has been made in the contract. All prices are exclusive of value added tax at the statutory rate.  

12.2. If the customer does not use cidaas, the obligation to pay remains unchanged (lump sum payments, minimum purchases if applicable). Credits for non-use or less use of cidaas are not given.

12.3. Widas is entitled to adjust the remuneration in text form, subject to a prior notice period of four weeks, to the extent that the purchase price of upstream suppliers changes for Widas itself. In all other respects, Widas is entitled to increase the remuneration by up to five percent per annum, subject to eight weeks’ advance notice in text form, but for the first time after the expiry of 12 months of the contract term. If the price increase exceeds ten percent within a period of three years, the customer is entitled to terminate the contract for cause. The termination will take effect at the time the price increase was to take effect. If Widas withdraws the price increase in response to the customer’s termination, the contract will continue without the price increase. In this case, the parties shall treat the termination as if it had never been declared.

12.4. The remuneration shall become due upon receipt of the invoice and shall be paid within 14 days. Invoices are issued and transmitted electronically. In the case of recurring payments, Widas is entitled to issue a one-time permanent invoice as long as the payment does not change. Payment is made via one of the means of payment offered by Widas in each case (e.g., bank transfer, credit card, SEPA direct debit, payment service provider). For the use of payment service providers (e.g., PayPal), their terms and conditions apply exclusively. 

12.5. Objections to the invoice must be raised by the Customer with Widas in text form within eight (8) weeks of receipt of the invoice. After expiry of the aforementioned period, the invoice is deemed to have been approved by the Customer. Widas will inform the customer of this when sending the invoice. For any objections raised after the expiry of the deadline, the customer is obliged to present and prove his case.  

12.6. If the customer does not fulfil his payment obligations or does not fulfil them in due time, Widas is entitled to block the access of the customer and his users to cidaas in accordance with clause 10, if the customer does not comply with a renewed request for performance with the granting of a reasonable grace period. 

13. Term, Termination, Deletion of Access 

13.1. The contract for cidaas Free runs for an indefinite period and can be terminated at any time without giving reasons. For the rest, the term results from the contract. Unless otherwise specified in the contract, the contract can be terminated with a notice period of three months to the end of a calendar month, but not before the end of any minimum contract term. 

13.2. The contract may be terminated in whole or in part by either party for good cause without notice within a reasonable time from knowledge of the cause for termination. Good cause shall be deemed to exist if facts are given on the basis of which the terminating party, taking into account all circumstances of the individual case and weighing the interests of the other party, can no longer reasonably be expected to continue the contract. If the good cause consists in the breach of a contractual obligation, the termination is only permissible after the unsuccessful expiry of a deadline set for remedial action or after an unsuccessful warning, unless a deadline is dispensable pursuant to section 314 in conjunction with section 323 paragraph 2 BGB. § Section 323 (2) of the German Civil Code (BGB). An important reason for termination exists for Widas in particular if the customer is more than one month in arrears with the payment of the remuneration despite the setting of a grace period. In the event of termination for good cause, Widas is entitled to remuneration for the services provided under the contract until the termination takes effect. However, the remuneration shall not apply to those services for which the customer demonstrates that they are of no interest to him due to the termination.  

13.3. Upon termination of the agreement, Widas will initially block the access of the customer and his users and delete them after one month. 

14. Data privacy

14.1. Both parties shall process personal data exclusively in accordance with the requirements of the applicable data protection law. Upon conclusion of the contract, the contract for commissioned processing attached as Annex 1 becomes effective in accordance with Art. 28 DSGVO; this does not apply to cidaas Free. 

14.2. As the responsible party, in the event of commissioned processing by Widas, the Customer shall check on his own responsibility whether the information disclosed by him to Widas in connection with the use of cidaas is personal data and whether the processing of this personal data is lawful. 

15. Confidentiality

The parties undertake to maintain secrecy about all confidential processes, in particular business secrets of the respective other party, which come to their knowledge in the course of the preparation, execution and fulfilment of the contract, and to neither disclose nor exploit them in any other way except for the fulfilment of the contract. If required, the parties shall enter into a priority non-disclosure agreement. 

16. Final Provisions

16.1. The exclusive place of jurisdiction, including international jurisdiction, for all disputes arising directly or indirectly in connection with the agreement or the use of cidaas is the registered office of Widas. Widas is also entitled to sue the customer at his general place of jurisdiction. This clause does not apply if the dispute relates to claims other than pecuniary claims or if an exclusive place of jurisdiction is established for this by law.   

16.2. The contract shall be governed by the law of the Federal Republic of Germany to the exclusion of the UN Convention on Contracts for the International Sale of Goods and the conflict of laws; Art. 3 para. 3, para. 4 Rome I Regulation shall remain unaffected. 

16.3. No verbal ancillary agreements have been made. Amendments and supplements to the contract must be made in text form. This also applies to a waiver of this formal clause.    

16.4. Should one or more provisions of the contract be invalid in whole or in part, this shall not affect the remaining provisions. The parties undertake to replace invalid provisions with provisions that come as close as possible to what the parties intended when the contract was concluded. The same shall apply in the event of a loophole in the contract not considered by the parties. Until then, the law shall apply if the invalid or incomplete provision cannot be replaced or supplemented by a supplementary interpretation of the contract (§§ 133, 157 BGB). 

16.5. The Customer is only entitled to assign claims with the prior consent of Widas in text form. Widas will only refuse consent for important reasons.  

16.6. The transfer of the contract by Widas to an affiliated company according to §§ 15 ff. AktG is permitted. Widas will inform the customer of this in good time in advance. Otherwise, the transfer of the contract by one party requires the prior consent of the other party in text form. 

Annex 1: Commissioned Processing Agreement for cidaas 

1. Order and specifications for processing

1.1. This Commissioned Processing Agreement (hereinafter referred to as the “CPA”) specifies the rights and obligations of the parties under data protection law for all processing operations resulting from the agreements (hereinafter referred to as the “Main Agreement”) already existing between the parties or to be concluded in the future under which personal data are processed by Widas for the customer.  

1.2. This CPA with all its components applies if the customer has obliged Widas to process personal data (hereinafter “data”) on behalf of the customer in accordance with Art. 28 of the GDPR. In the event of any contradictions, the provisions of this CPA with all its components shall take precedence over the provisions of the main contract and any other agreements of the parties. 

1.3. The specific data protection provisions applicable to individual processing operations (hereinafter referred to as “provisions”) shall be regulated in annexes to the CPA (hereinafter referred to as “annexes”) prior to the start of processing. These are in particular the subject and duration as well as the type and purpose of the processing, the categories of data and the categories of data subjects as well as, if applicable, the technical and organisational measures (hereinafter “TOM”). 

1.4. The Annexes are part of the CPA. In the event of any contradictions, the annexes shall take precedence over the more general provisions of the CPA. Where reference is made to the GCU in the following or in the Annexes, the CPA with all its components is meant. The Agreement contains the following Annex: “Annex Specifications.

2. Responsibility and processing under instructions 

2.1. The Customer is solely responsible under this CPA for compliance with the applicable legal provisions, in particular for the lawfulness of the disclosure to Widas as well as for the lawfulness of the processing (“Controller” within the meaning of Art. 4 No. 7 GDPR). He/she makes the sole decision on the purposes and essential means of the processing. 

2.2. Widas acts exclusively in accordance with instructions for the processing of data, unless there is an exceptional case pursuant to Art. 28 Paragraph 3 lit. a GDPR (other legal processing obligation). Verbal instructions must be confirmed immediately in text form. The instructions already given by the customer result from the main contract. If the customer acts as a processor for a third party, the customer’s obligations arising from this commissioned processing shall apply to the third party directly as the customer’s instructions in relation to Widas, insofar as these obligations are stricter than those from this CPA. The customer shall inform Widas in good time in advance of any such third-party requirements. 

2.3. Widas corrects or deletes the contractual data or restricts its processing (hereinafter “blocking”) if the customer instructs this and this is otherwise covered by the customer’s instructions. Deletion is excluded insofar as Widas is legally obliged to continue storing personal data. 

2.4. Widas shall inform the Customer without delay if Widas is of the opinion that an instruction violates applicable regulations on data protection or this CPA. Widas may suspend the implementation of the instruction until it has been confirmed or amended by the customer in text form. Widas may refuse to carry out instructions that are obviously contrary to data protection law.  

2.5. Widas guarantees that the persons authorized to process the data (a) are aware of the customer’s instructions and comply with them, and (b) have committed themselves to confidentiality or are subject to an appropriate statutory obligation of confidentiality. The obligation of confidentiality and secrecy shall continue to apply even after the processing has ended. 

2.6. If the Customer acts as a processor for a third party, Widas’ obligations under this CPA also apply directly in the relationship between the third party and Widas. This applies to all services provided by Widas to the third party on behalf of the customer. In particular, the third party is entitled to the control and information rights from Section 8 directly towards Widas.  

3. Security of Processing 

3.1. Widas has established TOM in accordance with Art. 32 GDPR for the adequate protection of data, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. Widas will provide the TOM to the customer in text form at any time upon the customer’s request. 

3.2. Widas reserves the right to change the TOM, although it must be ensured that the contractually agreed level of protection is not fallen below. Changes to the detriment of the customer require his prior consent in text form. 

4. Notification in the event of data protection breaches and processing errors 

4.1. Widas shall inform the Customer without delay if it becomes aware of violations of the protection of the data entrusted to it by the Customer within the meaning of Art. 4 No. 12 GDPR in its organisational area or if there is a concrete suspicion of such a data protection violation at Widas. 

4.2. If the customer discovers errors during processing, he must inform Widas immediately. 

4.3. Widas will immediately take the necessary measures to remedy the data protection breach in accordance with 4.1. or the error according to 4.2. as well as to reduce possible adverse consequences, in particular for the persons concerned. Widas shall coordinate this with the customer. Oral notifications are to be submitted immediately in text form.

5. Transmission of data to a recipient in a third country or in an international organization 

The transmission of data to a recipient in a third country outside of the EU and EEA is permitted in compliance with the conditions set out in Art. 44 et seq. GDPR. Details shall be set out in one or more annexes as required. 

6. Subcontracting by Widas  

6.1. Widas may have the processing of personal data carried out in whole or in part by other processors (hereinafter “subcontractors”). 

6.2. Widas shall inform the Customer in text form in good time in advance of the commissioning of subcontractors or changes in subcontracting. If there is an important reason for subcontracting, the customer can object to the subcontracting in text form within four weeks of becoming aware of it. Good cause shall be deemed to exist in particular if there is reasonable cause to doubt whether the subcontractor will provide the agreed service in accordance with the applicable statutory provisions on data protection or in accordance with this CPA. In the event of a justified objection by the customer, the customer shall grant Widas a reasonable period of time to replace the subcontractor affected by the objection with another subcontractor. If this is not possible for Widas or is unreasonable for the customer, the parties will reach a mutual agreement on how to proceed. If an agreement cannot be reached, the customer is entitled to extraordinary termination of the main contract due to the affected services for good cause. 

6.3. Widas will agree with the subcontractor on the content of the provisions set out in this CPA. In particular, the TOM to be agreed with the subcontractor must provide an equivalent level of protection.  

6.4. Subcontracting within the meaning of this provision does not include services which Widas uses purely as an ancillary service to support its business activities outside of commissioned processing. However, Widas is obliged to take reasonable precautions to ensure data protection also for such ancillary services. 

7. Rights of data subjects and support for the customer 

Where a data subject makes a claim under Chapter III of the GDPR against one of the parties, he or she shall inform the other party thereof without undue delay. Widas shall support the customer within the scope of its possibilities in processing such requests and in complying with the obligations set out in Articles 33 to 36 of the GDPR. 

8. Control and information rights of the customer  

8.1. Widas shall use appropriate means to demonstrate to the customer that it has complied with its obligations. The customer checks suitability.  

8.2. For compliance with the agreed protective measures and their effectiveness, Widas may refer to appropriate certifications or other suitable audit evidence. Angemessen sind insbesondere Zertifizierungen nach Art. 40 GDPR oder Nachweise nach Art. 42 GDPR. In addition, the following may also be considered: certification according to ISO 27001 or ISO 27017, ISO 27001 certification based on IT basic protection, certification according to recognized and suitable industry standards or audit evidence according to SOC / PS 951. The certification and testing procedures shall be carried out by a recognised independent third party. Widas shall provide their certificates or audit evidence. Further suitable means (e.g., activity reports of the data protection officer or excerpts from reports of the auditors) may be made available to the customer to prove compliance with the TOM. The Customer’s right of inspection under clause 8.3. shall remain unaffected by this.  

8.3. The Customer is entitled to carry out inspections at Widas during normal business hours without disrupting operations, regularly after prior notification, considering a reasonable lead time, to check compliance with this CPA. Widas may make the inspection dependent on the signing of a non-disclosure agreement regarding the data of other customers and the TOM it has taken.

8.4. In order to remedy the findings made during an inspection, the Parties shall agree on the measures to be implemented. 

8.5. If a supervisory authority makes use of powers pursuant to Art. 58 of the GDPR, the parties shall inform each other thereof without delay. They support each other in their respective areas of responsibility in fulfilling their obligations toward the respective supervisory authority. 

9. Liability and compensation 

9.1. If a data subject asserts a claim for damages against a party due to a breach of data protection provisions, the claimed party shall inform the other party thereof without undue delay. 

9.2. The parties are liable to data subjects in accordance with the regulation set out in Art. 82 GDPR, considering the overriding liability rules set out in the main contract.  

9.3. The parties shall support each other in the defence of claims for damages by affected persons, unless this would jeopardise the legal position of one party in relation to the other party, the supervisory authority or third parties. 

10. Costs

The costs incurred by Widas as a result of measures taken by the customer are to be borne by the customer insofar as these are not covered by the remuneration under the main agreement. This applies in particular to costs incurred by Widas as a result of checks and inspections by the customer in accordance with 8.3.

11. Term

11.1. The CPA shall be concluded for an indefinite period. The term of an installation shall be regulated in the respective installation; in the absence of such a regulation, the installation shall run for an indefinite period. 

11.2. The CPA may be terminated with a notice period of three months to the end of the quarter if all installations have been terminated simultaneously or previously. 

11.3. An Attachment shall terminate upon termination of the related Principal Contract without the need for a separate termination of that Attachment. In this case, Widas must, at the customer’s discretion, immediately surrender the data processed in accordance with the system or delete it in accordance with data protection regulations. If Widas has its own legal obligation to store this data, it must notify the Customer of this in text form.  

12. Endangerment of data at Widas 

Should the customer’s data at Widas be endangered by seizure or confiscation, by insolvency or composition proceedings or by other events or measures by third parties, Widas must inform the customer immediately in text form. Widas will immediately inform all persons responsible in this context that the responsibility for the data lies exclusively with the customer. 

13. Final Provisions

The final provisions in the GTC apply. 

Commissioned Processing Agreement Annex specifications:

The parties make the following stipulations to the Commissioned Processing Agreement with this annex for the provision of cidaas by Widas for the customer: 

1. Subject of the assignment 
The subject of the assignment is the provision of cidaas as software as a service. 

2. Duration of the assignment 
The duration of the assignment corresponds to the duration of the main contract. 

3. Purpose of Processing 
The activity of Widas serves to provide the services agreed in the main contract. 

4. Categories of data
The following categories of data are subject to this order: 

  • Personal master data
  • Communication data 
  • User account data

5. Categories of data subjects 
The following categories of data subjects are covered by the mandate 

  • Customers
  • Interested parties 
  • Employees

6. Subcontractors 

  • WidasConcepts GmbH, Maybachstrasse 2, 71299 Wimsheim, DE 
  • Widas Technologie Services GmbH, Maybachstrasse 2, 71299 Wimsheim, DE
  • Telekom Deutschland GmbH, Landgrabenweg 151, 53227 Bonn, DE
  • S-IT Informationstechnologie GmbH & Co. KG, Marktstraße 7-11, 75365 Calw, DE
  • Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA (with Data Localization Suite – EU)

7. Disclosure of data to recipients in third countries or international organizations  
Widas does not disclose data to Non-EU countries or international organizations.