General Terms and Conditions and Data Processing Agreement for Checkmk Cloud (SaaS) Beta

Last update: June 2024

1 Scope of application 

1.1 These General Terms and Conditions including its appendix (“GTC”) govern the provision and use of the Checkmk beta software-as-a-service offering as described online under: https://docs.checkmk.com/saas/en/, along with any related materials and (if applicable) documentation (collectively, the “Checkmk Cloud (SaaS) Beta”) and the provision of any additional agreed services by Checkmk GmbH, Kellerstraße 27, 81667 München (“Provider”) to its customer, as specified in the given sign-up process as set out in the section “Conclusion of contract” below (“Customer”).

1.2 These GTC, together with the sign-up process and acceptance as described in section “Conclusion of contract”, collectively form the agreement (the "Agreement") between the Provider and the Customer.

2 Purpose

2.1 Customer intends to test Checkmk Cloud (SaaS) Beta in order to evaluate its adoption and provide feedback to Provider. For this purpose, the Provider makes Checkmk Cloud (SaaS) Beta available to Customer for participation in an evaluation and testing program free of charge (the “Purpose of the Agreement”).

2.2 These GTC outline the terms and conditions under which Customer will test and evaluate the Checkmk Cloud (SaaS) Beta, providing valuable feedback to Provider to evaluate whether the functionalities and capabilities of Checkmk Cloud (SaaS) Beta will meet the general business requirements of Customer, as outlined above. 

3 Conclusion of contract

3.1 To access and use the Checkmk Cloud (SaaS) Beta, the Customer must complete the sign-up process through the Provider’s website. During this process, the Customer will be required to provide certain information, including, but not limited to, name, email address, and other relevant details as specified on the sign-up form.

3.2 Access to and use of Checkmk Cloud (SaaS) Beta is offered to natural or legal persons under private and public law or partnerships with legal capacity, who act in exercise of their trade, business or profession (Unternehmer) within the meaning of section 14 of the German Civil Code (Bürgerliches Gesetzbuch). Any information provided by the Customer must be provided completely and truthfully.

3.3 Upon starting the sign-up process, the Customer will be presented with these GTC. The Customer must read and accept these GTC by clicking the “Start free trial” button (or similar, equivalent wording) or a checkbox of equivalent wording provided on the sign-up page. By clicking the “I Agree” button or checkbox, the Customer acknowledges that they have read, understood, and agree to be bound by these GTC.

3.4 The contract between the Provider and the Customer for the use of Checkmk Cloud (SaaS) Beta is concluded at the moment the Customer clicks the “I Agree” button or checkbox, thereby completing the clickwrap process. This action constitutes the Customer’s acceptance of these GTC, creating a legally binding agreement between the Provider and the Customer (“Effective Date”).

4 Access and usage rights

4.1 Customer’s Access and usage right: Subject to Customer’s material compliance with its obligations under the Agreement, the Provider grants Customer, on a limited, non-exclusive and non-transferable basis, the right to access and use Checkmk Cloud (SaaS) Beta and any output solely for the Purpose of the Agreement and in accordance with the obligations set forth in these GTC. Checkmk Cloud (SaaS) Beta may be accessed, tested and evaluated solely by the Customer and its employees.

4.2 Number of licensed services: Checkmk Cloud (SaaS) Beta is licensed for a maximum of five thousand (5.000) Services, with each “Service” consisting of a monitored data point, for example, the CPU load of a specific device. A monitored device may therefore generate many monitored Services in the Checkmk Software.

4.3 Non-production restriction: Customer may only use Checkmk Cloud (SaaS) Beta internally for testing purposes and may not use Checkmk Cloud (SaaS) Beta to provide services to any third party outside of the Purpose of the Agreement, or in any production environment or otherwise make Commercial Use of Checkmk Cloud (SaaS) Beta. For purposes hereof, “Commercial Use” includes, without limitation, (i) using Checkmk Cloud (SaaS) Beta on commercial, production environments; (ii) providing, or offering to provide, any service using Checkmk Cloud (SaaS) Beta; (iii) receiving compensation from any third party with respect to use of Checkmk Cloud (SaaS) Beta; (iv) hosting, or offering to host, Checkmk Cloud (SaaS) Beta, on any basis; and/or (v) receiving compensation for any service that uses Checkmk Cloud (SaaS) Beta, including support services. The Provider shall have the right to determine, in its sole discretion, whether any and all use of Checkmk Cloud (SaaS) Beta by the Customer is to be regarded as a Commercial Use or internal use.

4.4 Acceptable use: The Customer acknowledges and agrees to use Checkmk Cloud (SaaS) Beta in accordance with the following stipulations:

4.4.1 Critical systems monitoring: Checkmk Cloud (SaaS) Beta is not designed to monitor IT systems, devices, and applications whose outage can result in harm to life and limb or exorbitant financial loss. When setting up the monitoring system, the Customer must adopt measures appropriate to the criticality of the systems being monitored to ensure reliable monitoring (e.g., high availability/redundancy) and to minimize the impact of potential outages.

4.4.2 Automated actions: Checkmk Cloud (SaaS) Beta can be used to execute automated actions. Such automated actions can unintentionally cause significant issues, including system outages. Therefore, extreme care must be exercised by the Customer when configuring and/or scripting such actions to limit the possible impact of automated actions.

4.4.3 Confidentiality: Checkmk Cloud (SaaS) Beta contains business secrets of the Provider and its licensors and must be treated confidentially. Any disclosure to third parties is prohibited unless expressly permitted. The Customer may not use Checkmk Cloud (SaaS) Beta to obtain trade secrets of the Provider or its licensors. In addition, the provisions set out in the section "Confidentiality" apply.

4.4.4 Intellectual property: Markings on the Checkmk Cloud (SaaS) Beta, including but not limited to copyright notices, license notices, trademarks, serial numbers, or similar identifiers, must not be removed, altered, or obliterated.

4.4.5 Further prohibited use: The Customer shall not use, or permit third parties to use, Checkmk Cloud (SaaS) Beta (i) to engage in any unlawful or fraudulent activity; (ii) to infringe the rights of any third party; (iii) to incite, threaten, support, or actively promote violence, terrorism, or other serious harm; (iv) for content or activities that promote the sexual exploitation or abuse of any human being, in particular children; (v) to compromise the security, integrity, or functioning of any user, network, computer, or communication systems, software applications, or network or computer devices; or (vi) to disseminate, publish, send or facilitate the sending of unsolicited mass email or other messages, promotions, advertising or solicitations (or "spam").

4.5 Further restrictions: The Customer may not use, directly or indirectly, Checkmk Cloud (SaaS) Beta, materials or Intellectual Property provided or accessed under the Agreement in any manner or for any other purpose than the Purpose of the Agreement. Without limiting the foregoing, the following activities are prohibited (including any attempt to do any of the following): (i) reverse engineering, disassembling, or decompiling Checkmk Cloud (SaaS) Beta, or parts thereof or any underlying code, methodology or intellectual property, or applying any other process or procedure to derive the code of any software included in Checkmk Cloud (SaaS) Beta; (ii) accessing or using Checkmk Cloud (SaaS) Beta in a way intended to avoid incurring any applicable fees or charges or purchasing additional licenses or access rights; (iii) reselling Checkmk Cloud (SaaS) Beta; (iv) performing or disclosing any benchmarking, availability or performance testing of the Checkmk Cloud (SaaS) Beta; (v) probing, scanning, testing or disclosing the performance and/or any vulnerabilities of the Checkmk Cloud (SaaS) Beta; (vi) performing or disclosing network discovery, port and service identification, vulnerability scanning, password cracking, remote access or penetration testing of the Checkmk Cloud (SaaS) Beta; (vii) interfering with the service, monitoring data or traffic on any network or system, or creating an unusual level of load on the service via non-intentional use of Checkmk Cloud (SaaS) Beta; (viii) using scripts or applications to access the APIs of Checkmk Cloud (SaaS) Beta; or (ix) misappropriating, using or disclosing Checkmk Cloud (SaaS) Beta or other intellectual property of the Provider without authorization to do so. The provisions on decompiling pursuant to section 69e of the German Copyright Act (Urheberrechtsgesetz) shall remain unaffected by the above provisions.

4.6 Modifications: The Customer may have access to new versions of Checkmk Cloud (SaaS) Beta which may include functional enhancements or bug and security fixes. The Provider will automatically include such new versions in Checkmk Cloud (SaaS) Beta at its sole discretion and will further notify the Customer of such new versions and any other changes to Checkmk Cloud (SaaS) Beta at its sole discretion.

4.7 Investigation and enforcement: The Provider has the right to investigate any suspected breach of the obligations and provisions set out in this "Access and usage rights" section and to block the Customer's access to Checkmk Cloud (SaaS) Beta, including any related resources, if the Customer is in breach. The Customer agrees to cooperate with the Provider in remedying any such breach, regardless of who is at fault. In determining whether such a breach has occurred, the Provider may take into account the Customer's ability and willingness to comply with the obligations and provisions set out in this section "Access and usage rights", including the policies and other procedures the Customer has in place to prevent or detect and stop prohibited activities.

5 Proprietary rights

5.1 Retention of rights: Save as expressly set out in the Agreement, neither Party shall receive any right, title or interest in or to any intellectual property or proprietary rights, including but not limited to copyright rights (including rights in audiovisual works), moral rights, patent rights (including patent applications and disclosures), know-how, rights of priority, trademark rights, and trade secret rights recognized in any country or jurisdiction in the world (collectively and generally, “Intellectual Property Rights”) owned by the other Party (including any modifications or enhancements made thereto). All rights not expressly granted in the Agreement are reserved by the parties or their respective licensors. For the avoidance of doubt, the Provider (or its suppliers, where applicable) own(s) Intellectual Property Rights in Checkmk Cloud (SaaS) Beta and all modifications, enhancements, improvements, derivative works, upgrades, new releases and other alterations of either of the foregoing (even if requested or directed in any form, by the Customer).

5.2 Feedback license: The Customer grants to the Provider a worldwide, royalty-free, transferable, sublicensable, irrevocable, perpetual license to use and incorporate into Checkmk Cloud (SaaS) Beta, and otherwise to freely exploit without restriction, any recommendations, enhancements, requests, corrections, suggestions or other feedback provided by or on behalf of the Customer relating to the functionality or operation of Checkmk Cloud (SaaS) Beta.

5.3 Third party technology: Checkmk Cloud (SaaS) Beta may contain third party technology (including open-source software) which will be made available to the Customer as part of Checkmk Cloud (SaaS) Beta or during the provision of new versions or updates (“Separately Licensed Third Party Software”) and which are governed by separate license terms (“Separate Terms”). The Customer’s rights to use Separately Licensed Third Party Technology under the Separate Terms are not restricted in any way by the Agreement. Upon the Customer's request, the Provider shall make available to the Customer all relevant Separate Terms.

6 Modification and deprecation of Checkmk Cloud (SaaS) Beta

6.1 The Provider may, at its sole discretion, discontinue or modify any feature or functionality of Checkmk Cloud (SaaS) Beta for any reason at any time to Customer. This includes making backward incompatible changes to Checkmk Cloud (SaaS) Beta.

6.2 Customer fully acknowledges that the development, provision and operation of Checkmk Cloud (SaaS) Beta is work in progress, because, in particular, Checkmk Cloud (SaaS) Beta is an offering in an evaluation and testing phase as a beta version as per the Purpose of the Agreement.

6.3 The Provider will in any case take into account the Customer's interests when discontinuing or modifying any feature or functionality of Checkmk Cloud (SaaS) Beta.

7 Customer's obligations

7.1 The Customer shall implement and maintain processes and procedures to prevent unauthorized access to and use of Checkmk Cloud (SaaS) Beta and shall notify the Provider as soon as practicable after the Customer becomes aware of any such unauthorized access and use. The Customer shall at all times use industry standard and up-to-date firewall and virus protection programs designed to ensure that no malicious code, such as viruses, worms, time bombs, Trojan horses, are uploaded to Checkmk Cloud (SaaS) Beta. In particular, access credentials that enable access to Checkmk Cloud (SaaS) Beta or its functionality may not be disclosed to any third party under any circumstances. If such access credentials have been inadvertently compromised, the Provider must be notified immediately.

7.2 The Customer acknowledges that Checkmk Cloud (SaaS) Beta may not produce regular backups of any data of the Customer due to its status as beta software. The Customer further acknowledges that upon the expiration of the Evaluation Period, the Provider will delete all Customer data from the Checkmk Cloud (SaaS) Beta environment. The Customer is therefore solely responsible for producing regular and sufficient backups of all Customer data which are of a certain importance for Customer and for retrieving such Customer data to an environment other than Checkmk Cloud (SaaS) Beta prior to the expiration of the Evaluation Period.

8 Term and termination

8.1 The term of the Agreement with respect to the Checkmk Cloud (SaaS) Beta shall begin on the Effective Date and shall either end automatically after a period of fourteen (14) days after the Effective Date or, if either party terminates the Agreement with the other party according to this section “Term and termination”, whichever occurs first (“Evaluation Period”).

8.2 Should the Customer wish to continue using Checkmk Cloud (SaaS) Beta after the Evaluation Period has ended, the Customer may make the Provider an offer for a renewal of the Evaluation Period by clicking the button labeled "Resume" (or similar, equivalent wording) in the respective administration section in the Customer’s account. The Provider accepts such an offer by continuing to provide access to Checkmk Cloud (SaaS) Beta to the Customer. In such case, the Provider and the Customer renew the existing contractual relationship and the terms and conditions as set forth in these GTC apply anew. For the avoidance of doubt: The Provider reserves the right to either accept or decline the Customer’s offer for a renewal of the Evaluation Period at its sole discretion.

8.3 For the sake of clarification, upon the conclusion of the Evaluation Period, neither Party shall have any obligation to enter into any further agreement regarding the licensing or purchase of Checkmk Cloud (SaaS) Beta.

8.4 Both parties may terminate the Agreement at any time and for any reason with no required notice period. The right to extraordinary termination for good cause remains unaffected (Recht der außerordentlichen Kündigung). 

8.5 All notices of termination must be made in text form (e.g., by postal mail, email or fax).

9 Confidentiality

9.1 Each party will treat as confidential all information that it receives from the other party in connection with the Agreement, its conclusion and/or its execution unless such information is expressly marked as non-confidential or the information is by its nature non-confidential such as, for example,

9.1.1 Information which the receiving party can demonstrate was already lawfully known to it, other than under an obligation of confidentiality, before the disclosing party first disclosed the information to it;

9.1.2 Information which was already in the public domain or readily available at the time of its disclosure or which later enters the public domain or becomes readily available through no breach of the receiving party’s duty of confidentiality;

9.1.3 Information which one party received in good faith from a third party who had lawfully obtained the information and who was under no duty of confidentiality in relation to the information; or

9.1.4 Information which the receiving party independently gained without using confidential information from the disclosing party.

9.2 Confidential information includes but is not limited to components of Checkmk Cloud (SaaS) Beta that are not also licensed under an open-source license, access credentials or license keys, and the prices and contractual conditions individually agreed with the Customer. The duty of confidentiality covers information that one party discloses to an Affiliate of the other party.

9.3 If any information pursuant to this section “Confidentiality” does not meet the statutory requirements for a business secret, it will nonetheless be subject to the confidentiality obligations pursuant to this section “Confidentiality”.

9.4 Each party undertakes to treat the other party’s confidential information confidentially and to only use it for contractual purposes. Except where the disclosure of confidential information is necessary for the purposes of contractual performance, it may only be disclosed to a third party with the prior written consent of the party to whom it belongs. The third party must agree in writing to adhere to the confidentiality obligations contained in this section “Confidentiality” before the confidential information may be disclosed to it.

9.5 Each party undertakes to protect the other party’s confidential information against unauthorized third-party access by taking appropriate protective measures, applying at least the same degree of care as it would apply to protect its own confidential information.

9.6 The parties will also bind their employees to comply with these confidentiality obligations. Each party is only permitted to share the other party’s confidential information with its employees or make the same available to them if they need to know such confidential information for contractual performance.

9.7 The duties of confidentiality will remain in force for the term of the Agreement and for an additional period of five (5) years thereafter.

10 Data Protection and data responsibility

10.1 The Provider will process personal data of the Customer and the Customers’ employees only to the extent necessary for contractual performance. For this purpose, the parties agree on the data processing agreement within the meaning of Art. 28 of the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as set forth in Appendix – Data Processing Agreement.

10.2 During and after the term of the Agreement and for the purpose of analyzing the performance of, developing and improving Checkmk Cloud (SaaS) Beta, and any other Checkmk offerings, the Provider may collect, aggregate, reproduce, run, create derivative works of, process, use and analyze Service Generated Data. “Service Generated Data” means telemetry data and information about the operation, delivery, usage, or performance and any other analytics functionality of Checkmk Cloud (SaaS) Beta generated or derived automatically by Checkmk Cloud (SaaS) Beta or manually by or on behalf of Checkmk and conveyed to the Provider by Checkmk Cloud (SaaS) Beta via the internet from time to time. If the Customer actively submits Service Generated Data to the Provider in the context of any additional services or otherwise, e.g. agent dumps or crash dumps, such Service Generated Data may also be used as described above, unless the Customer instructs the Provider otherwise when submitting such Service Generated Data.

11 Warranties

11.1 The Provider delivers Checkmk Cloud (SaaS) Beta on an “as is” basis. With the exception of cases of willful misconduct, gross negligence or where the Provider fraudulently misrepresents functionality of the Checkmk Cloud (SaaS) Beta, the Provider does not provide any warranty rights to the Customer. For the avoidance of doubt: The Provider assumes no warranty for Checkmk Cloud (SaaS) Beta, because it is a beta version that is made available exclusively for testing and evaluation purposes.

11.2 Any statements regarding the features or fields of use of Checkmk Cloud (SaaS) Beta do not constitute guarantees or guaranteed features in a legal sense, unless they are expressly designated as such.

12 Liability

12.1 The Provider is only liable for damages caused intentionally or as a result of gross negligence on the part of the Provider, its legal representatives, agents or employees.

12.2 The Provider shall, in particular, not be liable for any damages arising out of or in connection with a use of Checkmk Cloud (SaaS) Beta in productive systems.

13 Indemnification

The Customer shall indemnify, defend and hold the Provider harmless from and against any and all claims, damages, losses, liabilities, costs and expenses (including reasonable attorneys' fees) arising out of or in connection with any claim by a third party relating to the Customer's use of Checkmk Cloud (SaaS) Beta (each a “Claim”), provided that a Claim is caused by the Customer's fault or negligence, including, in particular, (i) any Commercial Use; (ii) the Customer's use of Checkmk Cloud (SaaS) Beta in violation of any applicable law; (iii) any act or omission by the Customer in connection with the use of Checkmk Cloud (SaaS) Beta that infringes the rights of any third party, including but not limited to unauthorized use of data or use of Checkmk Cloud (SaaS) Beta on third party infrastructure or equipment without proper authorization. 

14 Final Provisions

14.1 The Agreement comprises the entire agreement between the parties concerning the subject matter hereof and supersedes any prior agreements between them. Any provisions in the Customer’s general terms and conditions shall not apply and are hereby explicitly excluded from the Agreement. This requirement of consent will apply in any case, even if the Provider, for example, provides goods and services without reservation despite being aware of the Customer’s general terms and conditions.

14.2 To the extent there is a conflict between different elements of the Agreement, the following precedence will apply: (1) Appendix – Data Processing Agreement; (2) these GTC; and (3) any other referenced documents.

14.3 Amendments or additions will only be effective if the Provider has made the relevant declaration of intent at least in text form (e.g., by postal mail, e-mail or fax). The same applies to any waiver of the text form requirement.

14.4 Should any provision be or become invalid in whole or in part, this shall not affect the validity of the remaining provisions. The parties agree to substitute for any such invalid provision a valid provision that most closely approximates the economic effect and intent of the invalid provision.

14.5 The ongoing development of the Provider's offering may require amending these GTC during the term of the Agreement. The Provider will give the Customer reasonable time in advance for a notice of any amendments in text form (e.g., by postal mail, email or fax). The Customer will be deemed to have consented to the amendments if he has not indicated his refusal in text form (e.g., by postal mail, email or fax) before their proposed entry into force. The Customer is, in this case, entitled to terminate the Agreement for cause. The Provider will specifically alert the Customer in its offer as to the effect of deemed consent.

14.6 German law shall apply, with the exception of those provisions that would result in the application of the laws of a different jurisdiction. The United Nations Convention on Contracts for the International Sale of Goods (CISG) will not apply.

14.7 The courts of Munich, Germany, will have exclusive jurisdiction over any disputes arising out of or in connection with the Agreement, including its validity. The Provider reserves the right to bring action at the place of performance or at the Customer's general place of jurisdiction. Overriding statutory provisions, in particular on exclusive jurisdiction, shall remain unaffected.

Annex to the GTC – Data Processing Agreement

1 Preamble

This Data Processing Agreement including its schedules (hereinafter “DPA”) applies to the offering provided by the Provider to the Customer based on the Agreement effective from the Effective Date regarding the provision of the Checkmk Cloud (SaaS) Beta. This DPA is attached to the underlying GTC.

2 Structure

2.1 The Provider will process Personal Data as Processor on behalf of the Customer as Controller, except where the Provider processes Personal Data carrying out its Business Operations, in which case the Provider acts as Controller.

2.2 The parties agree that it is each party's responsibility to review and adopt requirements imposed on controllers and processors by the GDPR.

2.3 Schedules 1 to 3 to this DPA are incorporated into and form part of this DPA. They set out the agreed subject-matter, the nature and purpose of the processing, the type of Personal Data, categories of data subjects, the applicable technical and organizational measures and the Sub-processors.

3 Definitions

3.1 All terms defined in the GTC shall apply mutatis mutandis to this DPA.

3.2 In addition, the following definitions apply:

3.2.1 “Business Operations” means such Personal Data processing activities where the Customer and the Provider agree that the Provider may carry out for its own internal purposes. This includes the processing of Service Generated Data in accordance with Section “Service Generated Data” in the GTC.

3.2.2 “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; for the purposes of this DPA.

3.2.3 “Data Center” means the location where the production instance of Checkmk Cloud (SaaS) Beta is hosted for the Customer in its region.

3.2.4 “Data Protection Law” means the applicable legislation, in multiple jurisdictions worldwide, that relates to (i) protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the processing of Personal Data under the Agreement; or (ii) protecting, securing, processing, transferring, storing, or preventing unauthorized access to Personal Data. Data Protection Law includes, as far as it concerns the relationship between the parties regarding the processing of Personal Data by the Provider, the GDPR as a minimum standard, irrespective of whether the Personal Data is subject to GDPR or not.

3.2.5 “Data Subject” means an identified or identifiable natural person as defined by Data Protection Law.

3.2.6 “EEA” means the European Economic Area, namely the European Union Member States along with Iceland, Liechtenstein and Norway.

3.2.7 “EU Law” means EU Union or Member State law, including the GDPR.

3.2.8 “European Sub-processor” means a Sub-processor that is physically processing Personal Data in the EEA or Switzerland.

3.2.9 “GDPR” means EU General Data Protection Regulation 2016/679.

3.2.10 “Personal Data” means any information relating to a natural person that is subject to Data Protection Law. For the purposes of the DPA, it includes only personal data which is (i) entered by Customer into or derived from their use of Checkmk Cloud (SaaS) Beta, or (ii) supplied to or accessed by the Provider and/or its Sub-processors in order to provide any additional services under the Agreement (as defined under the Agreement).

3.2.11 “Personal Data Breach” means a confirmed (i) accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or unauthorized third-party access to Personal Data or (ii) similar incident involving Personal Data, in each case for which a client is required under Data Protection Law to provide notice to competent data protection authorities or Data Subjects.

3.2.12 “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of its client, be it directly as the processor of a client or indirectly as sub-processor of the processor which processes personal data on behalf of the client.

3.2.13 “Sub-processor” means the Provider’s affiliates and third parties engaged by the Provider in connection with Checkmk Cloud (SaaS) Beta and which process Personal Data in accordance with this DPA.

4 Security of processing

4.1 Appropriate technical and organizational measures: The Provider has implemented and will apply the technical and organizational measures set forth in Schedule 1 – Details of the Data Processing throughout the Evaluation Period.

4.2 Changes: The Provider may change the measures set out in Schedule 1 – Details of the Data Processing at any time without notice, so long as it maintains a comparable or better level of security. Individual measures may be replaced by new measures that serve the same purpose without diminishing the security level protecting Personal Data. Upon the Customer’s request, the Provider shall provide the Customer with an updated copy of Schedule 1 – Details of the Data Processing.

5 Provider's obligations

5.1 Instructions from the Customer: The Provider will process Personal Data only in accordance with documented instructions from the Customer. The Agreement (including this DPA) constitutes such documented initial instructions and each use of Checkmk Cloud (SaaS) Beta by the Customer then constitutes further instructions. The Provider will follow any other instructions of the Customer, as long as they are required by Data Protection Law, technically feasible and do not require changes to Checkmk Cloud (SaaS) Beta, except for standard configurations. If any of the before-mentioned exceptions apply, or the Provider otherwise cannot comply with an instruction or is of the opinion that an instruction infringes Data Protection Law, the Provider will immediately notify the Customer (email permitted). In addition, the Provider will only transfer data to third countries outside the EU/EEA as instructed by the Customer.

5.2 Processing on legal requirement: The Provider may also process Personal Data where required to do so by applicable EU or member state law. In such a case, the Provider shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

5.3 Personnel: To process Personal Data, the Provider and its Sub-processors shall only grant access to authorized personnel who have committed themselves to confidentiality. The Provider and its Sub-processors will regularly train personnel having access to Personal Data in applicable data security and data privacy measures.

5.4 Cooperation: At the Customer's request, the Provider will reasonably cooperate with the Customer in dealing with requests from Data Subjects or regulatory authorities regarding the Provider's processing of Personal Data or any Personal Data Breach. The Provider shall promptly, and in any event not later than reasonably required under applicable Data Protection Law, notify the Customer as soon as reasonably practical about any request it has received from a Data Subject in relation to the Personal Data processing, without itself responding to such request without the Customer's further instructions, if applicable. The Provider shall provide functionality that supports Customer's ability to correct or remove Personal Data from Checkmk Cloud (SaaS) Beta, or block access to or restrict its processing in line with Data Protection Law. Where such functionality is not provided, the Provider will correct, or remove any Personal Data, or block access to or restrict its processing, in accordance with the Customer's instruction and Data Protection Law; apart from this, the Customer may also access its Personal Data at any time during the term of the Agreement. The Provider may upon mutual agreement between the parties, provide other information and reasonable assistance as may be required – beyond sentence 1 of this sub-section “Cooperation” or the purpose of responding to any such Data Subjects or otherwise to comply with duties under applicable Data Protection Law.

5.5 Personal Data Breach notification: The Provider will notify the Customer without undue delay if required by Data Protection Law, after becoming aware of any Personal Data Breach and provide reasonable information in its possession regarding the Personal Data Breach to assist the Customer to report a Personal Data Breach as the Provider is required to under Data Protection Law; other assistance may be provided upon mutual agreement. The Provider may provide such information in phases as it becomes available. Such notification shall not be interpreted or construed as an admission of fault or liability by the Provider. Unless required by Data Protection Law, the Provider shall not inform any third party of any Personal Data Breach without first obtaining the Customer’s prior written consent.

5.6 Data protection impact assessment: If, pursuant to Data Protection Law, the Customer is required to perform a data protection impact assessment or prior consultation with a regulator, at the Customer's request, the Provider will provide such documents as are generally available for Checkmk Cloud (SaaS) Beta (for example, this DPA, the GTC, audit reports or certifications). Any additional assistance shall be mutually agreed between the parties.

6 Data export and deletion

6.1 Export and retrieval by the Customer: During the Evaluation Period and subject to the Agreement, the Customer can access the processed Personal Data at any time. Customer may export and retrieve the Personal Data processed by the Provider in a standard format. Export and retrieval may be subject to technical limitations, in which case the Provider and the Customer will find a reasonable method to allow the Customer access to Personal Data.

6.2 Deletion: Before the Evaluation Period expires, the Customer may use the Provider's self-service export tools (as available) to perform a final export of Personal Data from Checkmk Cloud (SaaS) Beta (which shall constitute a "return" of Personal Data). At the end of the Evaluation Period, the Customer hereby instructs the Provider to securely delete the Personal Data remaining on servers hosting Checkmk Cloud (SaaS) Beta within a reasonable time period in line with Data Protection Law unless applicable EU or member state law requires retention.

7 Audits

7.1 Customer audit: The Customer or its independent third party auditor reasonably acceptable to the Provider (which shall not include any third party auditors who are either a competitor of the Provider or not suitably qualified or independent) may audit the Provider's control environment and security practices relevant to Personal Data processed by the Provider if:

7.1.1 the Provider has not provided sufficient evidence of its compliance with the technical and organizational measures that protect the systems of Checkmk Cloud (SaaS) Beta through providing either: (i) a certification as to compliance with ISO 27001 or other standards (scope as defined in the certificate); or (ii) a valid ISAE3402 and/or ISAE3000 or other SOC1-3 attestation report. Upon the Customer's request audit reports or ISO certifications are available through the third party auditor or the Provider;

7.1.2 a Personal Data Breach has occurred;

7.1.3 an audit is formally requested by the Customer's data protection authority; or

7.1.4 Data Protection Law provides Customer with a direct audit right and provided that Customer shall only audit once in any twelve (12) month period unless Data Protection Law requires more frequent audits.

7.2 Further requirements: Audits of the Provider’s control environment and security practices relevant to the Customer’s Personal Data processed by the Provider under this DPA are subject to the condition that it can be technically ensured that during an audit no access can be gained to data that is not processed within the scope of the Agreement with the Customer, and in particular to data of other customers of the Provider. The Provider may refuse to provide information or access to the Provider’s business premises and IT systems if and to the extent that this could violate confidentiality obligations of the Customer. The Provider makes available to the Customer all information necessary to demonstrate compliance with its obligations which are hereby agreed upon.

7.3 Scope of audit: Except in the event of a Personal Data Breach, the Customer shall provide at least sixty (60) days advance notice of any audit unless mandatory Data Protection Law or a competent data protection authority requires shorter notice (or sooner if mutually agreed upon by the parties). The frequency and scope of any audits shall be mutually agreed between the parties acting reasonably and in good faith. The Customer audits shall be limited in time to a maximum of three (3) business days, unless otherwise agreed to between the parties. Beyond such restrictions, the parties will use current certifications or other audit reports to avoid or minimize repetitive audits. The Customer shall provide the results of any audit to the Provider.

7.4 Cost of audits: The Customer shall bear the costs of any audit unless such audit reveals a material breach by the Provider of this DPA, then the Provider shall bear its own expenses of an audit. If an audit determines that the Provider has breached its obligations under the DPA, the Provider will promptly remedy the breach at its own cost.

8 Sub-processors

8.1 Permitted use: The Provider is granted a general authorization to subcontract the processing of Personal Data to Sub-processors, provided that:

8.1.1 the Provider shall engage Sub-processors under a written (including in electronic form) contract consistent with the terms of this DPA in relation to the Sub-processor's processing of Personal Data and the Provider shall be fully liable for any breaches by, and all acts and omissions of, its Sub-processors in accordance with the Agreement;

8.1.2 the Provider will exercise appropriate due diligence in selecting Sub-processors and will evaluate the security, privacy and confidentiality practices of a Sub-processor prior to selection to establish that it is capable of providing the level of protection of Personal Data required by this DPA and the Provider will regularly evaluate each Sub-processor’s security practices as they relate to data handling; and

8.1.3 the Provider's list of Sub-processors in place on the Effective Date of the Agreement is attached to this DPA as Schedule 3 – List of Sub-processors including the name, location of processing and role of each Sub-processor the Provider uses to provide Checkmk Cloud (SaaS) Beta.

8.2 New Sub-processors: If the Provider proposes using any new Sub-processors:

8.2.1 the Provider will inform the Customer in advance (by email through and notifying the Customer of any such updates if Customer of any proposed additions or replacements to the list of Sub-processors including name, location of processing and role of the new Sub-processor; and

8.2.2 Customer may object to such changes as set out in sub-section “Objections to new Sub-Processors” below.

8.3 Objections to new Sub-processors: The Customer may object to any new proposed Sub-processors as follows:

8.3.1 If the Customer has a legitimate reason to object to the new Sub-processors' processing of Personal Data, the Customer may terminate the Agreement for which the new Sub-processor is intended to be used on written notice to the Provider. Such termination shall take effect at the time determined by the Customer which shall be no later than fourteen (14) days from the date of the Provider’s notice to the Customer informing the Customer of the new Sub-processor. If the Customer does not terminate within this fourteen (14) day period, the Customer is deemed to have accepted the new Sub-processor.

8.3.2 Within the fourteen (14) day period from the date of the Provider's notice to the Customer informing the Customer of the new Sub-processor, Customer may request that the parties come together in good faith to discuss a resolution to the objection. Such discussions shall not extend the period for termination and do not affect the Provider's right to use the new Sub-processor(s) after the fourteen (14) day period.

8.3.3 Any termination under this sub-section “Objections to new Sub-Processors” shall be deemed to be without fault by either party and shall be subject to the terms of the Agreement; provided, that no fee or penalty shall be payable by the Customer in connection with such termination.

8.4 Emergency replacement: The Provider may replace a Sub-processor without advance notice where the reason for the change is outside of the Provider's reasonable control and prompt replacement is required for security or other urgent reasons, subject to sub-section “Permitted use” above. In this case, the Provider will inform the Customer of the replacement Sub-processor as soon as possible following its appointment. Section “Objections to new Sub-Processors” applies accordingly.

9 International processing

9.1 Standard: Data processing within the scope of this DPA shall take place exclusively within the EU/EEA.

9.2 Conditions for international processing: The Customer is aware that data storage and processing only takes place in countries inside the European Union (EU) and the European Economic Area (EEA) and no processing in countries outside of the EU/EEA is intended. Where future processing of personal data for the purposes of the contract should take place in countries outside the EU or the EEA, the adequacy of the level of data protection is safeguarded in accordance with the provisions of Art. 44 et seq. GDPR.

10 Documentation; records of processing

Each party is responsible for its compliance with its documentation requirements, in particular maintaining records of processing where required under Data Protection Law. Each party shall reasonably assist the other party in its documentation requirements, including providing the information the other party needs from it in a manner reasonably requested by the other party (such as using an electronic system), in order to enable the other party to comply with any obligations under Data Protection Law relating to maintaining records of processing. The Provider shall make such records available to the Customer or a supervisory authority upon request, both in accordance with Data Protection Law.

Schedules:

Schedule 1 – Details of the Data Processing 

Schedule 2 – Technical and organizational measures

Schedule 3 – List of Sub-processors

Schedule 1 – Details of Data Processing

Description Details
Categories of Data Subject whose Personal Data is transmitted: The data subjects include: (i) users authorized by the Customer to use Checkmk Cloud (SaaS) Beta and (ii) users of monitored systems as determined at the Customer’s sole discretion.
Categories of Personal Data transmitted:
  • The Customer is required to provide certain Personal Data in order to use the Checkmk Cloud (SaaS) Beta, including (i) IP address; (ii) master data such as first and last name, address, and e-mail address; (iii) billing information; and (iv) login credentials.
  • Data required for authorization, such as permission roles of specific administrators and/or end-users.
  • Access and activity logs related to the use of Checkmk Cloud (SaaS) Beta itself.
  • Telemetry data such as (but not limited to) (i) number and types of hosts and services; (ii) ruleset configurations; (iii) user admin panel interactions; (iv) number and type of notifications sent; and (v) login frequency.
  • The Customer may submit additional Personal Data to the Services, the extent of which is determined and controlled by the Customer at its sole discretion.
Sensitive data processed (if any) and any restrictions or safeguards applied that are appropriate to the nature of the data and the risks associated with it, such as strict purpose limitation, access restrictions (including access only for employees who have received special training), records of access to the data, restrictions on further transfers, or additional security measures:

The Provider aims for a protection level for the parties concerned by data processing appropriate to the nature and extent of the risk for rights and liberties.

The Provider is using the principle of least privilege for all its internal access needs, with a focus on limiting any access to the system environment of the Checkmk Cloud (SaaS) Beta. Access to all systems of the Provider is automatically logged within their respective environment, and the log data is also shipped to a designated account that only auditors and security engineers can access. The logs of the Customer are kept separate from the application logs of the Provider, within the region, where they can only be accessed with consent from the Customer during an investigation.

The Provider aims to ensure that the measures taken are suitable and appropriate to limit the risks to the protection objectives in the long term and are state of the art.

Any measures taken by the Provider are subject to technological progress and developments. The Provider may implement alternative measures, if the protective level of the defined measures is not reduced.

Frequency of transmission (e.g., whether transmission is one-time or ongoing):
  • Master data such as first and last name, address, and e-mail address is collected once for user authentication and authorization.
  • IP addresses and activity logs are transmitted on an ongoing basis for each user session.
  • Frequent monitoring of related data with each scan interval (typically once per minute but can be more frequent depending on the scan and configuration).
Purpose(s) of the processing:
  • To enable the Provider to provide services to the Customer based on the Agreement effective from the Effective Date regarding the provision of Checkmk Cloud (SaaS) Beta and exercise its rights and obligations under the Agreement.
  • To enable the Provider to analyze usage patterns during the duration of the beta program of the Checkmk Cloud (SaaS) Beta offering.
  • To enable the Provider to collect and analyze Service Generated Data, in particular telemetry data, for the purpose of performance analysis and improvement of Checkmk Cloud (SaaS) Beta.
Duration for which the Personal Data will be stored or, if this is not possible, the criteria for determining this duration:

The Provider stores Personal Data for the duration of the beta program of the Checkmk Cloud (SaaS) Beta offering.

The Provider stores site backups (metric and configuration) for a maximum of thirty (30) days. The Customer is able to delete site data (metrics and configuration) directly in the user admin panel.

Schedule 2 – Technical and organizational measures

Technical and organizational measures of

Checkmk GmbH, Kellerstr. 27, 81667 Munich

These technical and organizational measures describe the implementation of measures for secure processing of personal data in accordance with applicable data protection legislation. The requirements of Articles 24, 25 and 32 of the GDPR are taken into account as far as applicable.

The specifications below apply for the following physical locations: Headquarters in Munich; data center location; employee home offices (exception: physical access).

1 Confidentiality

1.1 Physical access: All rooms in which personal data is processed, or processing equipment is stored must be locked in the absence of authorized personnel. A role-based physical access concept is implemented in accordance with the “need to know principle”. Distribution of keys and tokens is documented. All visitors from outside the company are centrally registered and must be attended at all times. 
Main data processing assets are housed in an external data center holding certifications according to relevant industry standards. Access to these facilities is strictly regulated and limited to a minimal group of IT administrators. Appropriate protection and surveillance measures (e.g., CCTV, alarm system, on-site security) are implemented. 
Applications offered as “Software as a Service” are hosted in the data centers of Amazon Web Services (AWS).

1.2 Authentication: Unique user accounts are created for each individual user and must be protected with a password of sufficient length and complexity. Password rules are centrally enforced and login attempts tightly monitored. Key applications require a secure connection and 2-factor authentication. Access to administrative interfaces is limited to a minimal group of IT administrators and requires multi-factor authentication and an encrypted connection. 
All company assets are centrally managed and protected using state-of-the-art tooling. The use of company assets is regulated by an acceptable use policy.

1.3 Data access control: A role-based authorization concept is in place. Access to personal data is restricted to authorized personnel and limited to the extent needed for them to fulfill their task (principle of least privilege). Administrative access is limited to a minimal group of particularly obliged IT administrators. The access to user access logs of our Software as a Service applications is limited to auditors and security engineers. 
The assignment, modification and withdrawal of access privileges follow a documented process.
Privileges are subject to regular review. 
To protect data from unauthorized access, all data at rest is encrypted and increased security measures are implemented for sensitive workplaces. Retention of personal data as well as their deletion or destruction follows documented procedures and recognized industry standards. Removable storage media will generally not be used for personal data.

1.4 Pseudonymization: Personal data is pseudonymized wherever this is possible at early stages of analyses. Third parties are advised to pseudonymize or anonymize data at source if personal information is not required for processing.

1.5 Separation control: Personal data is separated by customer using at least logical separation. In our Software as a Service applications, we implement a multi-tenancy concept with logical separation of data storage. 
Live and test environments are separated to prevent accidental access to personal data.

2 Integrity

2.1 Transfer control: To ensure safe transfer of data, all data in transit is encrypted in accordance with industry standards. All storage media used for personal data are encrypted and must be centrally approved. Removable storage media will generally not be used for personal data. 
Wherever possible, personal data in transfer is pseudonymized or anonymized.

2.2 Input control: Measures are in place to assign the entry, modification and deletion of personal data to the individual performing them. The modification and deletion of data records must be restricted so that accidental modification or deletion is effectively prevented.

2.3 Order control: As part of the order control, all data processing operations carried out on behalf of a customer are carried out exclusively upon written instructions of the customer. All employees involved in data processing activities are regularly trained. 
Sub-processors are only engaged as agreed with the customer. They are diligently selected according to a documented supplier evaluation and management process. All sub-processors are required to sign a Data Processing Agreement in accordance with Article 28 GDPR.

3 Availability and resilience

All systems processing personal data are protected using state-of-the-art tooling. Vulnerabilities are centrally managed and systems are regularly patched following a documented procedure. 
To ensure constant availability of data, a redundant storage concept is implemented. Regular backups are created using geo-redundant storage locations. Measures to effectively prevent downtimes due to physical disruption are implemented in all data centers (e.g., uninterruptible power supply, smoke and fire detection, air conditioning). Documented business continuity and emergency plans are in place.

4 Procedures for regular review, assessment and evaluation

Skilled personnel has been appointed as data protection and information security officers and entrusted with the maintenance, review and regular update of the internal processes and procedures. Documented processes are in place for risk assessment and treatment, as well as incident management and reporting.
All employees are contractually obliged to data secrecy and must participate in regular awareness training sessions.

Schedule 3 – List of Sub-processors

List of all subcontractors known at the time of contract conclusion:

| # | Company | Location | Type of service |
|---|---------|----------|-----------------|
| 1. | Amazon Web Services Inc. | EU-central-1, Frankfurt, Germany; US-east-1, Virginia, USA | Hosting of sites and user admin panel, authentication of users |
| 2. | Algolia, Inc | Europe/Frankfurt | Search in onboarding guide |
| 3. | Checkmk, Inc. | 675 Ponce de Leon Avenue, Suite 8500, Atlanta, GA, 30308, United States of America | Global support |