Skip to main content

Data Processing pursuant to Art. 28 GDPR

Translation

We have translated this document into English for your convenience. This translation is for informational purposes only, and the definitive version of this page is the German version.

As of: 11 May 2026

This Data Processing Agreement (hereinafter also "DPA") is entered into between you (hereinafter also "Controller", "Customer", "you", "your") and ScootKit UG (haftungsbeschränkt), registered in the Commercial Register of Munich under registration number HRB 296162 (hereinafter also "Processor", "ScootKit", "we"). The address, further legal information, and contact options can be found in our imprint.

This DPA governs the processing of personal data of your end users by ScootKit on your behalf within the framework of the SCNX platform functions used by you. It forms an integral part of our Terms of Service and supplements them with the provisions required under Art. 28 GDPR.

§ 1 Scope and Status of the Processor

(1) These provisions on processing on behalf (hereinafter also "DPA") apply to the processing of personal data of your end users by ScootKit on your behalf within the framework of the SCNX platform functions activated by you, including the SCNX Custom Bot and all associated modules as well as the AI-based functions.

(2) This DPA becomes part of the contract upon acceptance of our Terms of Service. A separate acceptance or signature is not required. Electronic acceptance satisfies the written form requirement under Art. 28 para. 9 GDPR.

(3) This DPA applies irrespective of whether you have acquired your SCNX subscription directly from ScootKit or from an authorized reseller of ScootKit within the meaning of the Terms of Service. The data-protection relationship of processing on behalf always exists directly between you as Controller and ScootKit as Processor; it is independent of the respective sales relationship.

(4) ScootKit is a micro-enterprise within the meaning of the Annex to Commission Recommendation 2003/361/EC. Insofar as applicable law or an assessment of proportionality takes account of the size and resources of a processor, this characteristic shall be taken into account, in particular when assessing the technical and organizational measures appropriate under Art. 32 GDPR and the scope of the duties to assist under Art. 28 para. 3 lit. e and f GDPR.

(5) Inquiries, communications, and instructions on your part in connection with this DPA shall be addressed via the form provided for this purpose in the dashboard at https://scootk.it/dpa-request-form or by e-mail to [email protected]. Both channels are documented in our case management system and are equally binding. Communications and notifications from ScootKit regarding this DPA will be sent to you by e-mail to the primary contact e-mail address stored in your account or in the dashboard.

(6) The identity of the submitter shall be deemed sufficiently established by an authenticated dashboard session or by submission from a contact e-mail address stored in your account. In all other cases, we are entitled to carry out an appropriate identity check before substantive processing. Requests whose submitters cannot be verified within a reasonable period may be rejected without substantive processing, with a reference to an authenticated submission channel.

§ 2 Relationship to Consumer Rights

(1) Insofar as you are a consumer within the meaning of § 13 BGB, the following provisions apply only to the extent permitted by law.

(2) Your mandatory consumer rights remain unaffected by this agreement.

(3) The consumer information regulated in our Terms of Service, in particular regarding the right of withdrawal in distance contracts, applies in addition.

§ 3 Roles and Responsibilities

(1) Insofar as ScootKit processes personal data of your end users on your behalf, you are the Controller within the meaning of Art. 4 No. 7 GDPR and ScootKit is the Processor within the meaning of Art. 4 No. 8 GDPR.

(2) This applies irrespective of whether you use the SCNX platform privately or in the context of a commercial or professional activity. You are responsible for assessing your role under Art. 4 No. 7 GDPR, and in particular the applicability of the household exemption under Art. 2 para. 2 lit. c GDPR, on your own responsibility.

(3) You bear sole responsibility for the lawfulness of the processing initiated by you, in particular

  • a) for the existence of a legal basis under Art. 6 and, where applicable, Art. 9 and Art. 22 GDPR,
  • b) for fulfilling information obligations vis-à-vis your end users, and
  • c) for safeguarding the rights of the data subjects.

(4) With regard to the processing of personal data for ScootKit's own purposes, in particular for contract execution, invoicing, platform security, abuse prevention, the operation of the platform-internal advertising system, and the fulfillment of statutory obligations, ScootKit remains an independent controller; in this respect, the provisions of our privacy policy apply exclusively.

(5) Insofar as you provide your end users via the SCNX platform with their own tenant-isolated accesses or interfaces (in particular to view statistics, tickets, or comparable server- or member-related information), you also remain controller within the meaning of Art. 4 No. 7 GDPR for the configuration, content, and design of these interfaces. ScootKit provides the underlying infrastructure in a tenant-isolated manner, but has no influence on your individual configuration and design decisions within your tenant and does not perform content moderation of tenant-specific configurations.

(6) Insofar as you publish publicly accessible content via the SCNX platform, in particular websites designed by you or comparable public presentations, you remain controller within the meaning of Art. 4 No. 7 GDPR for all personal data contained in the published content. This applies irrespective of whether the affected persons are your end users or not.

(7) You represent that you maintain a suitable legal basis for the publication of personal data under Art. 6 and, where applicable, Art. 9 GDPR, that you inform data subjects in accordance with Art. 13 and 14 GDPR, and that you do not publish content that infringes third-party rights.

(8) ScootKit provides the hosting infrastructure on a tenant-isolated basis, but has no influence on the content published by you and does not carry out any upstream content review. ScootKit is entitled and obliged, in accordance with applicable law, to react to notices of unlawful content; the procedure provided for this is governed by our Terms of Service or a separate policy.

(9) The fulfillment of requests for deletion, rectification, or restriction of processing under Art. 16 to 18 GDPR with regard to publicly published content is your sole responsibility. The removal of individual content on your instruction or on the instruction of a competent authority remains unaffected.

§ 4 Subject Matter, Duration, Nature, and Purpose of the Processing

(1) Subject matter: Provision and operation of the bots configured by you and all functional modules of the SCNX platform activated by you, including moderation, logging, member management, leveling, economy system, ticket and support functions, custom commands, AI-based functions, interfaces to third-party systems, import functions for user-generated configuration content, and other current and future modules.

(2) Duration: The processing begins with the entry into force of this DPA and ends with the termination of the service contract between you and ScootKit, including termination due to inactivity in accordance with the Terms of Service.

(3) Nature of the processing: All processing operations within the meaning of Art. 4 No. 2 GDPR that are necessary for the provision of the functions activated by you, including real-time collection from Discord events, permanent storage in our databases, and provision to the respective functional modules.

(4) Purpose: Provision of the SCNX service in accordance with your configuration settings and the functionality of the modules activated by you.

§ 5 Categories of Data Subjects and Personal Data

(1) Categories of data subjects: Members of your Discord servers who interact with your bot hosted on SCNX or with the functional modules activated by you, or whose data is processed by them, as well as, where applicable, your employees, moderators, and Trusted Admins.

(2) Categories of personal data (depending on the modules activated and configurations made by you):

  • a) Discord user IDs, server IDs, and publicly accessible profile data (in particular usernames, display names, avatars);
  • b) message content insofar as required for activated modules (in particular auto moderation, AI functions, custom commands, logging);
  • c) activity data in voice and text channels (in particular join and leave timestamps, voice channel dwell time, reactions);
  • d) moderation data, including warnings, bans, mute actions, quarantines, role assignments, and ban histories, each with reasons, timestamps, and moderator identifiers;
  • e) evidence and documentation files for moderation measures provided by you or your moderators;
  • f) behavioral and profile data from leveling, XP, economy, and game modules (in particular experience points, virtual currency balances, transaction histories, game states);
  • g) verification data from welcome and CAPTCHA modules;
  • h) audit logs on user, message, role, channel, and configuration changes;
  • i) content and form input from tickets, applications, surveys, and forum functions;
  • j) input to custom commands and the results of their processing;
  • k) content of server backups insofar as you activate and create this function in accordance with the Terms of Service;
  • l) where AI functions are activated: input transmitted to AI service providers and their output;
  • m) data processed within interfaces to third-party systems or import functions, including content received from or transmitted to such sources, as well as associated activity and log data.

(3) Special categories of personal data within the meaning of Art. 9 GDPR are not the subject of the processing on behalf. Should the processing of such data nevertheless arise due to your configuration, the content of evidence files, or the behavior of your end users, this takes place without the knowledge and intent of ScootKit and exclusively under your responsibility.

§ 6 Instructions

(1) ScootKit processes personal data of end users exclusively on your documented instructions. The following alone shall constitute documented instructions:

  • a) the configuration of your bot and of the individual modules via the SCNX dashboard within the configuration options provided there;
  • b) the activation or deactivation of individual modules and functions via the SCNX dashboard;
  • c) the content of custom commands, AI system prompts, welcome texts, and comparable configurable content composed by you;
  • d) the configuration and activation of interfaces to third-party systems (in particular API integrations, webhooks, and OAuth connections) via the dashboard;
  • e) the activation of configurations, custom commands, or comparable content which you have adopted from other sources via import functions provided by ScootKit, including content shared by other Customers;
  • f) actions performed by Trusted Admins within the meaning of the Terms of Service in the dashboard; these are deemed, pursuant to the Terms of Service, to be made in your name and thus to constitute your instructions;
  • g) this agreement, our Terms of Service, and our privacy policy in their respective valid versions.

(2) Instructions outside the configuration scope of the dashboard, in particular individual instructions submitted via the form at https://scootk.it/dpa-request-form or by e-mail to [email protected], are only effective insofar as ScootKit expressly confirms their implementation.

(3) ScootKit is not obliged to implement individual instructions that go beyond the configuration scope of the dashboard. The implementation of individual instructions may be made dependent on a separate remuneration based on effort. The confirmation of receipt of an instruction in our case management system does not constitute a commitment to implementation.

(4) Where we are of the opinion that an instruction violates applicable data protection law, we are entitled to suspend implementation until the instruction is clarified or confirmed by you.

(5) Processing outside your instructions takes place only insofar as required by law (Art. 28 para. 3 lit. a GDPR).

§ 7 Confidentiality

(1) We oblige persons authorized to process personal data to confidentiality, insofar as they are not already subject to an appropriate statutory duty of secrecy.

§ 8 Technical and Organizational Measures

(1) We take the technical and organizational measures legally required under Art. 32 GDPR to ensure a level of protection appropriate to the risk. When assessing the appropriate level of protection, the characteristic of ScootKit as a micro-enterprise mentioned in § 1 para. 4 shall be taken into account.

(2) The specific design of the measures is at our discretion and may evolve in accordance with the state of the art, as long as the legally required level of protection is maintained.

(3) Upon substantiated request, we will provide a summary overview of the measures taken at the relevant point in time.

§ 9 Sub-Processors

(1) You consent generally to the involvement of sub-processors pursuant to Art. 28 para. 2 sentence 2 GDPR. A current list of our sub-processors, including registered office, processing purpose, and data transfer mechanism, can be found in our privacy policy at https://scootk.it/scnx-privacy.

(2) We will inform you of the addition or replacement of a sub-processor with a lead time of at least thirty (30) days, as a rule by publication in the list linked above and, at our choice, by e-mail or in the dashboard.

(3) You may object to the change within this period for an important data-protection reason. An objection for commercial or other non-data-protection reasons is excluded.

(4) If we cannot remedy your justified objection, you are entitled to extraordinarily terminate the service contract with effect as of the time at which the new sub-processor would, for the first time, process personal data of your end users. We will refund to you the fees paid in advance pro rata for the billing period remaining after the termination takes effect. Further claims, in particular for damages, are excluded to the extent permitted by law.

(5) We oblige our sub-processors, to the extent required, to obligations that are substantially equivalent to those set out in this DPA.

§ 10 International Data Transfers

(1) Insofar as personal data are transferred to sub-processors outside the European Economic Area, we ensure that an appropriate safeguard under Chapter V GDPR is in place, in particular

  • a) an adequacy decision (including the EU-US Data Privacy Framework, insofar as the respective sub-processor is certified), or
  • b) standard contractual clauses pursuant to Implementing Decision (EU) 2021/914.

(2) The respective applicable mechanism is listed in the list available at https://scootk.it/scnx-privacy.

§ 11 Automated Decision-Making

(1) You are aware that individual modules of the SCNX platform that you may activate (in particular modules for auto moderation, anti-raid, ping protection, anti-grief, join-gate, welcome verification, status roles, and comparable rule-based modules) may, without human intervention, take measures against your end users on the basis of your configuration, including the imposition of mutes, quarantines, bans, warnings, or role revocations.

(2) Insofar as such measures have a legal effect on your end users or significantly affect them in a similar way, a processing within the meaning of Art. 22 GDPR may be present.

(3) It is your sole responsibility,

  • a) to assess whether the modules activated by you, in the specific use case, constitute solely automated decision-making within the meaning of Art. 22 GDPR,
  • b) to ensure a required legal basis under Art. 22 para. 2 GDPR,
  • c) to provide for the safeguards required under Art. 22 para. 3 GDPR, in particular the possibility for the data subject to express their point of view, to contest the decision, and to obtain human intervention on your part,
  • d) to inform your end users about the automated decision-making in a transparent manner pursuant to Art. 13 para. 2 lit. f and Art. 14 para. 2 lit. g GDPR.

(4) ScootKit provides the technical functionality; the decision on its activation, configuration, thresholds, and consequences is taken exclusively by the Controller.

§ 12 Support for Data Subject Rights

(1) We support you, insofar as is possible and reasonable taking into account the nature of the processing, with the technical and organizational tools provided on the SCNX platform, in fulfilling your obligation to respond to requests of your end users under Art. 15 to 22 GDPR. Support is limited to the data covered by the standard export, information, and deletion tools of the SCNX platform.

(2) Any support beyond this, in particular

  • a) the individual preparation, research, or transmission of data,
  • b) the identification, handling, or deletion of data arising from custom commands created by you, individual modules, or other structures configured by you,
  • c) the evaluation or preparation of evidence and documentation files as well as other content provided by you,

is only provided on the basis of a separate remuneration agreement based on effort.

(3) You are obliged to know at any time which personal data is processed and stored by custom commands created by you or by other individual configurations, and to provide us in good time with the information necessary for handling data subject requests.

(4) We reserve the right to demand an appropriate fee for the handling of manifestly unfounded or excessive requests or to refuse the handling.

(5) Should an end user contact us directly to exercise their rights, we will forward the request to you without undue delay; the substantive handling lies with you.

(6) Insofar as end users, via a tenant-isolated interface configured by you within the meaning of § 3 para. 5, may directly access the data concerning them or submit requests under Art. 15 to 22 GDPR there, the substantive handling of these requests remains your task as Controller. In this respect, ScootKit only provides the technical functionality and has no influence on the content, form, and handling of the end-user processes you configure.

§ 13 Support for Further Data Protection Duties

(1) We support you, to the extent legally required and taking into account the information available to us as well as our characteristic as a micro-enterprise, in complying with your obligations under Art. 32 to 36 GDPR.

(2) Support going beyond the provision of generally accessible information, in particular for carrying out a data protection impact assessment, is only provided on the basis of a separate remuneration agreement based on effort.

§ 14 Notification of Personal Data Breaches

(1) We inform you without undue delay after a personal data breach concerning personal data of your end users has become known to us with sufficient certainty.

(2) The notification contains the information referred to in Art. 33 para. 3 GDPR insofar as it is known to us at the time of the notification; missing information will be provided subsequently as soon as it becomes available to us.

(3) The notification is sent by e-mail to the primary contact e-mail address stored in your account. It is your responsibility to keep this address up to date and to check it regularly.

(4) Any further notification obligation, in particular vis-à-vis your end users or the competent supervisory authority, lies solely with you.

§ 15 Deletion or Return after Termination

(1) After termination of the service contract, we delete the personal data of your end users processed on your behalf in our productive systems within a reasonable period. Where statutory retention obligations exist, storage to the extent and for the duration required for that purpose remains unaffected.

(2) Return of the data takes place only upon your express request, which must reach us no later than within thirty (30) days after the end of the contract, and only in a standard format determined by us at our reasonable discretion. Return in a special format requested by you or with individual preparation is only provided on the basis of a separate remuneration agreement. After expiry of the deadline, we are no longer obliged to return.

(3) Personal data remaining in operational data backups (disaster recovery backups) are deleted within the regular rotation of the backup systems within a maximum of ninety (90) days. A targeted early deletion from such backups, including on the basis of requests for deletion under Art. 17 GDPR, is not owed; as long as data remain in backups, they are kept exclusively for the purposes of restoration in the event of damage and are otherwise excluded from any further processing.

(4) The "Server backups" function regulated in the Terms of Service (customer-controlled backups of your Discord server for restoration purposes) constitutes a separate data set to be managed by you. The provisions of the Terms of Service apply exclusively to its creation, retention, deletion, and security. This DPA does not regulate retention and deletion periods in this respect.

(5) For Discord API data, the deletion obligations laid down in the preceding section "Service Provider" under Discord Developer Policy also apply.

§ 16 Evidence and Audit

(1) We make available to you the information required to demonstrate compliance with our obligations under Art. 28 GDPR in summary form. This is primarily done by providing current audit reports of independent third parties, certifications, or comparable documents.

(2) Insofar as mandatorily required by law, we enable you or an auditor commissioned by you to carry out an inspection. Such an inspection requires that

  • a) it is announced in writing with a notice period of at least sixty (60) days,
  • b) a concrete, data-protection-related cause is set out,
  • c) no more than one inspection takes place per calendar year, unless a competent supervisory authority orders an additional inspection,
  • d) the auditor is not a direct competitor of ScootKit and concludes an appropriate confidentiality agreement prior to the start of the audit,
  • e) the audit does not unreasonably affect the orderly business operations of ScootKit and is limited to the areas necessary for the audit subject matter.

(2a) The notice period mentioned in para. 2 lit. a and the limitation to one inspection per calendar year mentioned in para. 2 lit. c do not apply where there is a concrete and sufficiently substantiated suspicion of a breach of the protection of personal data of your end users or a comparable security incident. In such cases, the inspection shall be announced with a shorter notice period appropriate to the circumstances; the remaining requirements of para. 2 remain unaffected.

(3) All costs associated with inspections, including the effort of ScootKit, shall be borne by you, unless the audit reveals a material violation attributable to ScootKit.

(4) When determining the scope of the information and audit obligations, the characteristic of ScootKit as a micro-enterprise mentioned in § 1 para. 4 shall be taken into account.

§ 17 Future Functions, Updates, and Beta Functions

(1) This DPA automatically applies to all future functions, modules, and extensions of the SCNX platform insofar as they process personal data of your end users on behalf. A separate acceptance of this DPA for individual new functions is not required.

(2) We reserve the right to further develop, restrict, or discontinue the functionality and behavior of existing modules insofar as this is necessary for operational, economic, security-related, legal, or regulatory reasons.

(3) Material changes affecting the nature or scope of the processing of personal data will be communicated to you in good time before they take effect. You are obliged to regularly review the information you provide to your end users and to adapt it to changes in functionality and scope of processing.

(4) Functions expressly marked as beta, alpha, preview, experimental, test, or comparable functions ("beta functions") may be changed, restricted, or discontinued by us at any time without prior notice.

(5) Beta functions are provided in their respective current state and subject to availability. There is no warranty as to function, availability, data persistence, freedom from defects, or fitness for a particular purpose. Any service-level agreement does not apply to beta functions.

(6) You are responsible for assessing, prior to activating a beta function, whether its use is suitable for your end users, and, where appropriate, for providing increased due diligence measures. The processing of personal data in beta functions takes place at your sole responsibility; ScootKit is liable for this only within the scope of mandatory statutory liability.

(7) We reserve the right to adapt this DPA insofar as changes in the legal situation, requirements of supervisory authorities, or of our platform make this necessary. The amendment procedure regulated in the Terms of Service applies accordingly to such adaptations: amendments are deemed approved where you either expressly consent to them in the dashboard or do not object to them in Text Form within six (6) weeks of receipt of the amendment notice. The amendment notice is generally given by e-mail or in the dashboard. We will inform you separately about the right of objection and the legal consequence of silence in the amendment notice. In the event of a timely objection, § 9 para. 4 applies accordingly.

§ 18 Obligations and Assurances of the Controller

(1) You represent and warrant that

  • a) you meet the minimum age regulated in the Terms of Service and, if you are a minor, the required consent of your legal representatives is given both to the Terms of Service and to this DPA;
  • b) you have assessed your role under Art. 4 No. 7 GDPR and the applicability of the household exemption under Art. 2 para. 2 lit. c GDPR on your own responsibility, and ScootKit may rely on this assessment;
  • c) for all processing initiated by you, a valid legal basis under Art. 6 and, where applicable, Art. 9 and Art. 22 GDPR exists;
  • d) you inform your end users comprehensively and in good time pursuant to Art. 13 and 14 GDPR and to Art. 50 AI Act, including information about the involvement of ScootKit and the respective sub-processors as well as about any automated decision-making;
  • e) your bot and module configuration as well as the purposes pursued with the bot are compatible with applicable law, including the provisions on youth, consumer, and competition protection;
  • f) you do not process any data via the SCNX platform that exposes ScootKit or its sub-processors to legal or regulatory risks, in particular no illegal, defamatory, glorifying-of-violence, youth-endangering content, or content that infringes personality rights of third parties;
  • g) evidence and documentation files provided by you for moderation purposes have been lawfully obtained and contain no special categories of personal data, insofar as no own legal basis for them exists;
  • h) you design custom commands and comparable individual configurations in such a way that they comply with applicable law, and you can at any time provide information about which personal data are processed by them;
  • i) interfaces to third-party systems that you configure or activate via the SCNX platform are not sub-processors of ScootKit. You are responsible for concluding independent data-protection agreements with the respective third-party providers where required, for maintaining a suitable legal basis for the respective data transfer, and for ensuring appropriate safeguards under Chapter V GDPR;
  • j) you carefully review configurations, custom commands, or comparable content which you adopt from other sources via import functions provided by ScootKit, prior to activation, with regard to legal compliance and suitability. Upon activation, you assume sole responsibility for the imported content and its effect in your environment, as if you had created it yourself;
  • k) all Trusted Admins authorized by you within the meaning of the Terms of Service comply with the provisions of this DPA; you are liable for their actions and omissions as for your own;
  • l) for tenant-isolated interfaces within the meaning of § 3 para. 5 which you provide to your end users, you are responsible for the legally compliant design, in particular for informing your end users pursuant to Art. 13 and 14 GDPR about the access, the data processed there, and the underlying legal basis;
  • m) for publicly accessible content within the meaning of § 3 para. 6 which you publish via the SCNX platform, you are responsible for the legally compliant design, including the legal basis for the publication of personal data, the observance of personality, copyright, trademark, and competition rights of third parties, as well as compliance with youth-protection and media-law requirements;
  • n) you primarily receive and handle requests of data subjects for the exercise of their rights yourself.

(2) If you breach any of these assurances, we are entitled to restrict or suspend affected functions or the entire access without prior notice.

§ 19 AI-Specific Provisions

(1) These provisions apply in addition insofar as you activate or configure AI-based functions.

(2) Roles under the AI Act. Insofar as you activate an AI function for your end users, you act as deployer within the meaning of Art. 3 No. 4 AI Act. ScootKit acts as provider or as downstream provider insofar as ScootKit integrates, adapts, and makes available for use via the platform the underlying AI models of third parties. The responsibilities between deployer and provider are governed by the AI Act.

(3) Transparency obligations. You are solely responsible for informing your end users about the use of AI pursuant to Art. 50 AI Act and for the data-protection information obligations under Art. 13 GDPR. ScootKit provides general standard notices for this purpose; their suitability for your specific use case and the legally compliant implementation lie solely with you.

(4) Configuration and use prohibitions. You undertake not to configure or use AI functions in a manner that

  • a) violates Art. 5 AI Act,
  • b) violates Art. 50 AI Act, in particular for the impersonation of natural persons without their express consent,
  • c) violates applicable law on the protection of minors,
  • d) violates our Terms of Service or applicable use policies of the underlying AI providers (in particular OpenAI, Anthropic, Google, ElevenLabs).

(5) For your own system prompts, personalities, or comparable configuration elements, you bear sole responsibility for their legal compliance. ScootKit is entitled, at any time without prior notice, to deactivate or restrict configurations that violate the foregoing obligations or our Terms of Service, or to remove content.

(6) No warranty for AI outputs. AI-generated content may be incorrect, incomplete, biased, or misleading. ScootKit gives no warranty as to the substantive accuracy, completeness, or suitability of AI-generated outputs for a particular purpose. ScootKit is not liable for damages arising from the use of AI-generated outputs or from failures, delays, or changes of the services of the respective AI providers, to the extent permitted by law.

§ 20 Indemnification

(1) Insofar as you are an entrepreneur within the meaning of § 14 BGB, you indemnify ScootKit, its affiliated companies, legal representatives, employees, and vicarious agents against all claims of third parties arising out of or in connection with

  • a) a breach by you of this agreement, our Terms of Service, or applicable law,
  • b) a breach of your assurances or obligations under § 18,
  • c) the configuration or use of AI functions contrary to the requirements of this agreement,
  • d) the configuration or use of custom commands or modules with automated decision-making contrary to applicable law or the requirements of this agreement,
  • e) evidence and documentation files as well as other content provided by you,
  • f) actions or omissions of Trusted Admins authorized by you,
  • g) the use of beta functions contrary to § 17,
  • h) the configuration or use of interfaces to third-party systems or the activation of imported configurations contrary to the requirements of this agreement,
  • i) publicly published content within the meaning of § 3 para. 6, including claims arising from personality, copyright, trademark, or competition rights of third parties.

(2) The indemnification also covers reasonable costs of legal defense and fines, insofar as indemnification therefrom is permitted by law. We inform you of corresponding claims without undue delay.

(3) Insofar as you are a consumer within the meaning of § 13 BGB, the statutory liability applies in place of the foregoing indemnification.

§ 21 Liability

(1) The parties' liability under or in connection with this DPA is governed by the provisions of our Terms of Service. The following applies in addition:

  • a) Liability for indirect damages, consequential damages, lost profits, data loss (insofar as such loss could have been avoided by reasonable own backup measures), and reputational damages is excluded, to the extent permitted by law.
  • b) Insofar as liability is not already limited in amount under the Terms of Service, the liability of ScootKit for damages arising out of or in connection with this DPA is limited in amount to the fees paid by you to ScootKit in the twelve (12) months preceding the occurrence of damage, to the extent permitted by law.
  • c) Mandatory liability cases regulated in the Terms of Service remain unaffected, in particular liability for intent and gross negligence, for damages arising from injury to life, body, or health, and liability under mandatory statutory provisions, including the Product Liability Act.

(2) Responsibility under Art. 82 GDPR in the external relationship vis-à-vis data subjects remains unaffected by this agreement. In the internal relationship, the party responsible for the breach causing the damage is liable; in this respect, the foregoing liability framework applies accordingly.

§ 22 Final Provisions

(1) Precedence. In relation to other provisions of our Terms of Service and other agreements, the provisions of this DPA prevail insofar as the processing of personal data on behalf is concerned. Otherwise, the Terms of Service apply in addition.

(2) Form. This DPA is concluded upon your acceptance of our Terms of Service. Electronic acceptance satisfies the written form requirement under Art. 28 para. 9 GDPR.

(2a) Upon request, we will provide you with a signed copy of this DPA for your internal purposes. The provision of a signed copy serves solely your documentation and is not required for the validity of this DPA; validity follows exclusively from para. 2.

(3) Severability clause. Should individual provisions of this DPA be or become invalid or unenforceable, the validity of the remaining provisions shall remain unaffected. In place of the invalid or unenforceable provision, the valid and enforceable provision that comes closest to the purposes of this DPA in legal and economic terms shall apply.

(4) Applicable law and jurisdiction. The law and the place of jurisdiction agreed in the Terms of Service apply.

(5) Contact. Inquiries and communications on your part in connection with this DPA shall be addressed via the form at https://scootk.it/dpa-request-form or by e-mail to [email protected]. Communications and notifications from us are sent by e-mail to the primary contact e-mail address stored in your account or in the dashboard.