Terms and Conditions

Version: 22.12.2023 • AGB-2023-02

Preamble

The fundingport GmbH (hereinafter "fundingport") brokers financings through a platform operated at https://app.fundingport.com/re (hereinafter the "Platform") in the form of non-participatory and non-qualified subordinated loans, financial investments within the meaning of § 1 paragraph 2 VermAnlG, and other financing agreements for commercial purposes (hereinafter each the "Contract Product") in the field of Renewable Energies, Commercial Real Estate, and Corporate Financings.

The Platform is intended for businesses, project companies (i.e., Special Purpose Vehicles), and investors (hereinafter "Customers") registered on the Platform, as well as advisors registered on the Platform and persons commissioned by them (such advisors and commissioned persons hereinafter "Sub-agents") who submit financing requests on the Platform. It is also intended for banks, debt funds, insurance companies, factoring or leasing providers, and other capital providers (hereinafter "Providers") registered on the Platform, and possibly additional registered intermediaries of contract products commissioned by them (hereinafter "Distribution Coordinators"). Customers can also submit their own financing requests directly on the Platform without using fundingport's sub-agent services (hereinafter "Direct Customers"; fundingport, Direct Customers, Providers, Sub-agents, and Distribution Coordinators hereinafter collectively referred to as the "Parties"; Direct Customers, Providers, Sub-agents, and Distribution Coordinators hereinafter also referred to as "Platform Users").

On the Platform, Direct Customers and Sub-agents can submit financing requests. Fundingport forwards the requests to selected Providers registered on the Platform or, if applicable, their Distribution Coordinators. The Providers then have the opportunity to submit free and non-binding offers (hereinafter "Term Sheets"). The Sub-agent can view the Term Sheets on the Platform, compare them, and initiate a contract with selected Providers on behalf of the Customer through the Platform. Direct Customers choose suitable Term Sheets themselves and, if necessary, contact the respective Providers. In this regard, fundingport acts as a messenger for the respective involved Direct Customers, Sub-agents, and Providers.

§1 General

1) These General Terms and Conditions (including the Data Processing Agreement in Appendix A and the Declaration in Appendix B, hereinafter referred to as the "Conditions") govern the rights and obligations of the parties with regard to the use of the platform.

2) Other general terms and conditions apply only if the parties have expressly agreed to this in writing or in text form.

3) Only companies (entrepreneurs according to § 14 BGB) are allowed to register as platform users on the platform. The use is not permitted for other persons, especially consumers (according to § 13 BGB).

§2 Scope of Services and Remuneration

1) fundingport provides the platform under the URL https://app.fundingport.com/re (hereinafter "Platform Website") where customers can request financing for their respective commercial purposes in the form of contract products, either as direct customers or through authorized sub-intermediaries.

2) With the request, the direct customer or sub-intermediary asks the providers to submit non-binding term sheets. Only complete requests (all mandatory fields are filled in) can be processed. fundingport presents the direct customers or sub-intermediaries with a selection of providers that match their request. fundingport makes the selection based on the tender criteria that fundingport has previously determined with the providers or distribution coordinators. Providers and distribution coordinators, for example, define the types of contract products, customer groups, or the amount of investment volume for which they exclusively want to receive inquiries. Direct customers or sub-intermediaries select the providers and distribution coordinators from the selection presented by fundingport to whom their request should be forwarded.

3) The providers selected by the direct customer or sub-intermediary then have the opportunity to submit non-binding term sheets within a pre-defined period set by the direct customer or sub-intermediary for the request. If applicable, authorized distribution coordinators forward the request to submit a suitable term sheet to their clients (providers).

4) fundingport selects term sheets submitted at its sole discretion for forwarding to the direct customer or sub-intermediary. The selected term sheets are immediately and continuously displayed to the direct customer or sub-intermediary in a personal login area on the platform. In individual cases, the direct customer or sub-intermediary may receive the term sheets from fundingport via a separate means, such as email. If the direct customer or sub-intermediary wishes to contact a provider or distribution coordinator, they must use the corresponding platform function, provided this function is available for the respective provider. In addition, if necessary, fundingport forwards the contact details provided by the direct customer or sub-intermediary to the provider or distribution coordinator.

5) The term sheets of the providers are non-binding. Therefore, the financing terms and conditions may still change. The result of due diligence by the provider may lead to changed conditions or even the rejection of a contract.

6) The provider or, if applicable, the distribution coordinator commissioned by the provider provides contract documents to the direct customer or sub-intermediary after successful due diligence. The mere selection of a provider by a direct customer or sub-intermediary does not yet constitute a contract.

7) fundingport checks financing requests for completeness. Unless there are different individual agreements with platform users, fundingport is not obligated to verify the data provided by the direct customer or sub-intermediary on the platform, especially regarding the company and/or the project or financing project. fundingport is not obligated to review the term sheets submitted by the providers but conducts a case-by-case review of the conditions for market conformity. fundingport assumes no liability for the content of term sheets, contract documents, and all other information from the (direct) customer, sub-intermediary, provider, or distribution coordinator.

8) fundingport provides a data room on the platform, through which the parties can provide and access documents necessary or useful for financing and use a question-and-answer function (Q&A). The platform users decide autonomously which data to upload or delete and which of this data to make available for viewing only or for download. To the extent that personal data is processed or uploaded in this data room, fundingport acts as a data processor with the provision of the technical infrastructure of the data room on behalf of the platform user uploading the data. Personal data is processed by fundingport only according to the instructions of the respective controller. The data processing agreement in Appendix A to these conditions becomes part of this contract with the consent of the respective platform user. If a registered distribution coordinator on the platform uses the data room on the platform for a provider, fundingport acts as a data processor for the distribution coordinator.

9) fundingport does not guarantee the continuous availability of the platform website. Maintenance work, software updates, and events beyond the control of fundingport (e.g., force majeure, third-party fault) may lead to temporary unavailability of the platform website. If fundingport can foresee that downtime for maintenance and software updates will last longer than 24 hours, fundingport will inform about this by email, taking into account all mutual, also economic, interests.

10) Insofar as something different is not agreed in the terms or individually with a platform user, there is no entitlement to a specific design or equipment of the platform. In this regard, fundingport has the right, taking into account the legitimate interests of platform users, to change the platform (including the URL) or individual functions, services, or areas at its own reasonable discretion with effect for the future or to entirely or partially, permanently or temporarily discontinue them.

11) Compensation

The use of the platform is free of charge for platform users.

Compensation to fundingport occurs in the case of success (meaning in the event of a contract conclusion between the provider and the customer) and is made by the provider, possibly through their sales coordinator, by paying a commission based on a separately concluded agreement between fundingport and the provider or sales coordinator. The commission paid to fundingport may be partially or entirely included in the offer conditions of the providers. fundingport reserves the right to offer certain areas, functions, or services for platform users on a fee basis in the future. In such a case, an agreement on the costs will be concluded in accordance with § 12 paragraph (2) Alternative 1 (button/check option).

§3 Registration

1) The use of the platform and the associated services provided by fundingport require registration by the respective platform user. This involves capturing both the relevant commercial data of customers and platform users, as well as the contact details of the natural persons conducting the registration on behalf of the platform user (hereinafter "User"). All relevant data must be provided completely and truthfully. Mandatory information must be filled out for registration. The user provides their business email address for registration and selects a password. After confirming the selected password and clicking the checkbox to agree to these terms, the platform user completes the registration by clicking the "Register" button. Additional authentication measures may need to be performed during and after registration for security reasons.

2) Registration as a platform user is allowed for legal entities or partnerships within the scope of their commercial activities. Any natural person with full legal capacity who is authorized by the respective platform user is allowed to perform the registration as a user. fundingport may request proof of the user's authorization at any time. However, fundingport is not obligated to verify this, notwithstanding any legal obligations. Furthermore, fundingport may contact a user at any time in connection with the operation of the platform. Contact may be made via email, telephone, or post. It is not permissible to create multiple registrations for the same platform user.

3) There is no entitlement to registration. fundingport is entitled to reject registration without stating reasons. fundingport is also entitled not to activate the account of a platform user or to block the registration of a user if necessary evidence is missing. Moreover, if there are indications of platform use that conflict with the legitimate interests of other platform users, fundingport may reject or terminate the processing of a financing request at any time without stating reasons and delete the request. In the case of false information or other discrepancies, fundingport has the right to permanently exclude the relevant platform user from using the platform and to reject and delete inquiries (even retrospectively).

§4 Use of the Platform by Third-Party Users

1) A sub-agent may submit financing requests for customers on the platform if and to the extent that they are authorized to do so by the respective customer. The connection between the customer and the sub-agent is established no later than when the sub-agent creates a financing request for the customer on the platform.

2) Sub-agents are prohibited from publishing financing requests on the platform for individuals and associations of individuals who are sanctioned parties. Sanctioned parties, for the purposes of this regulation, include:

a. Natural persons, legal entities, and other associations of individuals who reside or are located in a state or region against which the USA, the European Union, or the Federal Republic of Germany have taken measures that are considered comprehensive sanctions.

b. Natural persons, legal entities, and other associations of individuals against whom the USA, the European Union, or the Federal Republic of Germany have imposed economic sanction measures.

c. Persons or associations of persons in which a sanctioned party mentioned in a.) or b.) holds at least 50% of the shares or voting rights; where a sanctioned party mentioned in a.) or b.) is entitled to determine the majority of the members of the management, the board, or a comparable executive body; or which is otherwise under the control of a party mentioned in a.) or b.).

3) For business policy reasons and to protect the general reputation of the platform, individuals and associations of individuals based in a high-risk country are also excluded from using the platform. For the same reasons, loans may not be brokered to individuals and associations of individuals based in a high-risk country. In this context, a high-risk country refers to all third countries with a high-risk designation determined by the Commission in the currently valid delegated act according to Article 9 of Directive (EU) 2015/849 (or a corresponding successor regulation), as well as the following countries: Democratic People's Republic of Korea (North Korea), Iran, Crimea, Cuba, Sudan/South Sudan, Syria, Lebanon, Belarus.

§5 Declarations and Obligations of the Direct Customer, Sub-Agent, and Provider / Release from Banking Secrecy / Indemnification Claim

1) Direct customers, sub-agents, and providers each bear sole responsibility for the accuracy and completeness of all information, content (e.g., documents, files), links, and other data they submit to the platform, upload on the platform, or have transmitted by a distribution coordinator (hereinafter collectively referred to as "Data").

2) Platform users expressly ensure that they have the right to transmit the Data to fundingport and that fundingport is authorized to further transmit the Data to other platform users as necessary.

3) If the customer has engaged a sub-agent, the sub-agent obtains a declaration from the customer essentially corresponding to Annex B and informs the customer about the current data protection policy of fundingport. By submitting a financing request on the platform, the customer's sub-agent indicates that the customer (i) has commissioned the sub-agent to broker the corresponding contract product and has authorized them to the extent necessary for the respective platform usage and (ii) has made the declaration described in clause 1 and authorized the sub-agent as a messenger to convey the statement to the affected platform users. Upon request from fundingport, the sub-agent substantiates the customer's engagement or promptly presents the customer's declaration described in clause 1. However, fundingport is not obliged to verify this, without prejudice to any legal obligations or conflicting individual contractual agreements. The sub-agent indemnifies fundingport from all claims, especially those of the customer, arising from (i) the non-existence or exceeding of the authorization mentioned above or (ii) the absence of a declaration essentially corresponding to Annex B.

4) Upon request from a provider, fundingport will only forward financing requests submitted by a sub-agent to the respective provider if fundingport has already received a declaration to lift banking secrecy from the customer in accordance with clause 3 or if fundingport has already obtained a corresponding declaration from a direct customer. In this case, fundingport will provide the relevant provider with a copy of the declaration to lift banking secrecy along with the forwarded financing request, unless the provider has already been presented with the declaration on another occasion.

5) Platform users are also obligated to structure their data in a way that does not violate legal or regulatory provisions or good morals.

6) Platform users ensure that they review all stored data for compliance with the requirements of clauses 1 to 3 before each new financing request and, if necessary, correct or provide the data again in accordance with these terms or have it provided by a distribution coordinator.

7) Fundingport is entitled to request evidence regarding the provided data.

8) Platform users are obliged to keep the access data to the platform (especially the password) confidential and protect it from third-party access. They ensure that the access data cannot be spied on by third parties during entry. If they become aware of or suspect that a third party has gained knowledge of the access data, the respective platform user is obliged to change their access data immediately. If this is not possible, fundingport must be informed immediately, and further action must be coordinated with fundingport.

9) Additional notification obligations of the provider towards fundingport are regulated in the service contract between fundingport and the provider.

10) Fundingport is at all times entitled to contact the platform user for inquiries regarding the contract status.

11) Platform users indemnify fundingport from all claims by third parties and/or other parties that arise due to inaccurate, incomplete, and/or unlawful data and/or unauthorized data disclosure by the respective platform user.

12) Each sub-agent assures that, during their brokerage activities, they will comply with all applicable legal requirements. They will particularly adhere to all applicable (potentially foreign or international) regulations on combating corruption (e.g., regarding bribery and corruption) and observe the following principles of conduct:

• It is impermissible to offer, promise, or grant any services of a material or immaterial nature to an employee of fundingport or to a third party acting on behalf of fundingport within the contractual relationship that directly or indirectly (e.g., through spouses/life partners or children) provides benefits to fundingport/its employees/or third parties acting on behalf of fundingport without a legally justified claim and in return for obtaining impermissible advantages in the awarding of contracts or the execution of financing agreements.

• Services of a material or immaterial nature that the sub-agent has offered, promised, or granted directly or indirectly to employees of fundingport or to a third party acting on behalf of fundingport in connection with the conclusion of the contract must be disclosed to fundingport without delay.

The sub-agent will promptly inform fundingport of any indications of a violation of anti-corruption regulations or the aforementioned code of conduct, to the extent legally permissible. Upon request from fundingport, the sub-agent will, in this case, provide an account to fundingport in accordance with §§ 259 ff. of the German Civil Code (BGB) regarding the relevant offered, promised, or granted services and provide any other information necessary to clarify the matter.

§6 Security / Communication / Platform Website

1) Subject to the liability provisions in § 7, fundingport ensures, with customary care, that all data on the platform and communication via the platform are protected against unauthorized access by third parties.

2) fundingport undertakes to comply with all data protection regulations concerning fundingport in their respective valid versions. In the processing of personal data, fundingport will exclusively use personnel or third parties who are bound to confidentiality in handling personal data and who have been adequately familiarized with data protection requirements. fundingport undertakes to obligate any third parties involved to comply with all data protection regulations.

3) Each party that processes third-party personal data in connection with its respective activities in the context of mediation via the platform must take suitable measures to protect the processed personal data. This includes, in particular, appropriate measures:

• for secure data storage, including effective access protection, encrypted data storage, appropriate password requirements (secure password and regular password changes), end-to-end encrypted data transmission;

• to ensure data protection law-compliant deletion of personal data; and

• to ensure exclusively purpose-bound processing of personal data.

In case of suspected data protection violations or other significant irregularities in data processing, each party will promptly inform all potentially affected other parties.

4) fundingport processes the data provided by the platform user in accordance with legal requirements and the data processing agreement in Appendix A. Regardless, platform users are obligated to secure the data they provide outside the platform in an appropriate manner.

5) fundingport reserves the right to modify the platform website. In doing so, fundingport will take into account the legitimate interests of platform users and inform them in advance of any impending changes if and to the extent that the modification may visibly affect their legitimate interests.

§7 Liability / Limitation of Liability

1) fundingport is liable for simple negligence only in case of a breach of essential contractual obligations. Essential contractual obligations are all obligations whose fulfillment is necessary for the proper execution of the contract and on whose compliance a platform user may regularly rely. Otherwise, the pre-contractual, contractual, and non-contractual liability of fundingport is limited to willful intent and gross negligence. This limitation of liability also applies in the case of culpability by a vicarious agent of fundingport.

2) If the violation of an essential contractual obligation is not grossly negligent or intentional, the liability of fundingport is limited to such typical damages or such a typical scope of damages that were reasonably foreseeable at the time of contract conclusion.

3) The exclusions/limitations of liability under paragraphs (1) and (2) do not apply to liability for damages resulting from injury to life, body, or health, liability arising from the assumption of guarantees, or liability under the Product Liability Act.

§8 Setoff

Platform users can only set off against claims of fundingport with counterclaims that have been legally established, undisputed, or acknowledged by fundingport. Retention rights can only be asserted by platform users to the extent that they have been legally established, undisputed, or acknowledged by fundingport.

§9 Confidentiality Agreement

1) Direct customers and sub-brokers shall treat confidential information provided by the providers or their authorized distribution coordinators confidentially. Fundingport will treat the confidential information provided by platform users confidentially.

"Confidential information," regardless of the medium in which it is contained, includes, in particular, all financial, technical, technological, economic, strategic, legal, tax-related, business activities, and business process-related information or any other information (including products, manufacturing processes, know-how, trade secrets, business relationships, business strategies, business plans, financial planning, personnel matters) related to customers, sub-brokers, or providers or their affiliated companies within the meaning of §§ 15 ff. AktG. This also includes other information within the meaning of § 2 GeschGehG that is neither generally known nor easily accessible, of economic value, and the subject of confidentiality measures.

2) The parties remain the owners (within the meaning of § 2 No. 2 GeschGehG) of the confidential information exchanged between them in the course of using the platform and retain (subject to other agreements) all rights to use and exploit this confidential information.

3) The parties will not disclose or make available to unauthorized third parties the confidential information received from each other through the platform and will each take appropriate confidentiality measures to protect the confidential information from access by third parties.

§10 Industrial Property Rights

1) The platform (including the underlying software and databases, as well as the texts, images, logos, and design elements used) is protected by copyright. The provision of the platform for use by platform users does not constitute a waiver of fundingport's copyright and other protective rights.

2) Platform users are not entitled to register or have registered designations that are confusingly similar to the trademarks, names, and other rights of fundingport in terms of meaning, sound, or image. This also applies to internet domains.

3) Platform users must refrain from using logos, trademarks, or trade names of fundingport, companies associated with fundingport within the meaning of §§ 15 ff. AktG, or other platform users unless fundingport has provided written consent. Furthermore, platform users are only authorized to refer to fundingport or the cooperating platform users in communication measures with the written consent of fundingport. Fundingport is entitled to revoke any consent granted at any time.

§11 Applicable Law

These terms and conditions are subject to the laws of the Federal Republic of Germany.

§12 Severability Clause / Amendments / Supplements

1) Should any provision of these terms be wholly or partially invalid or void, the validity of the remaining provisions shall not be affected thereby. The parties shall instead commit to cooperating on an agreement that, from an economic perspective, corresponds as closely as possible to the original intention of the parties. The same applies to gaps in the regulations.

2) Amendments to these terms can be made through an offer by fundingport via the platform website and acceptance by a platform user through the activation of a corresponding button or checkbox on the platform website during login. Furthermore, changes to these terms can also be agreed upon by fundingport presenting the amended terms to the platform users no later than six weeks before the proposed effective date in written form; the consent of a platform user is then deemed to be granted if the user has not indicated their rejection before the proposed effective date of the changes. Fundingport will expressly draw attention to this approval effect in the offer.

Annex A to the Terms and Conditions of fundingport

Data Processing Agreement pursuant to Article 28 of the General Data Protection Regulation (GDPR) between the User, Third-Party User, or Provider, hereinafter referred to as the "Controller," and fundingport GmbH, Millerntorplatz 1, 20359 Hamburg, Germany, hereinafter referred to as the "Data Processor."

Preamble

There exists a contractual relationship between the Controller and the Data Processor as defined in Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, "GDPR").

This Data Processing Agreement, including all annexes (hereinafter collectively referred to as the "Agreement"), regulates the data protection obligations arising from the terms and conditions, in particular in accordance with §§ 3(8), 6(4)(5) of the General Terms and Conditions (hereinafter referred to as "General Terms and Conditions"). Where reference is made to the provisions of the Federal Data Protection Act ("BDSG"), this refers to the Law Adapting Data Protection Regulations to the Regulation (EU) 2016/679 and Implementing the Directive (EU) 2016/680, in the version applicable from 25 May 2018. The Data Processor undertakes towards the Data Controller to fulfill the General Terms and Conditions and this Agreement in accordance with the following provisions:

§ 1 Scope and Definitions

1) The following regulations apply to all data processing services within the meaning of Art. 28 GDPR that the data processor provides to the data controller based on the terms and conditions.

2) Wherever the term "data processing" or "processing" of data is used in this agreement, it generally refers to the use of personal data. Data processing means any operation or set of operations performed with or without the aid of automated processes in connection with personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

3) Reference is made to the additional definitions in Art. 4 GDPR.

§ 2 Object and duration of data processing

1) The data processor processes personal data on behalf of and according to the instructions of the data controller.

2) The subject of the contract is the provision of the technical infrastructure of a data room on the platform by the data processor for use by the data controller, in particular by capturing, verifying, exchanging, and storing financial information and/or uploading, downloading, exchanging, and storing financial documents and using the question-and-answer function (Q&A) within the General Terms and Conditions.

3) The term of this agreement corresponds to the term of the terms and conditions.

§ 3 Type and Purpose of Data Processing

The type and purpose of processing personal data by the data processor are specified in the General Terms and Conditions. The General Terms and Conditions cover the following activities and purposes:

• The data processor operates a platform through which data controllers can initiate the conclusion of financing agreements and acts as a technical service provider to facilitate communication between the affected data controllers.

• By providing the technical infrastructure of a data room on the platform, the data processor enables the data controller to independently capture, organize, store, and provide documents necessary or useful for the conclusion of the financing agreement for inspection or download by other affected data controllers. The data processor allows data controllers to delete such documents, collect, view, use, and, if necessary, store such documents of other affected data controllers, and provides a question-and-answer function (Q&A) for data controllers.

§ 4 Categories of Data Subjects

Within the scope of this agreement, personal data of the following categories of data subjects are processed:

• Employees of a data controller

• Individuals or other contacts of a data controller

• Other natural persons related to the financing project and/or whose data is necessary or useful for the conclusion of the financing agreement and/or whose data is collected by a data controller

§ 5 Types of Personal Data

The data processing involves the following types of data:

• Personal master data (Name, salutation)

• Contact details (Email address, phone number, address)

• Contract data (Contract details, services, customer number)

• Other data recorded by a data controller

§ 6 Rights and Obligations of the Data Controller

1) The assessment of the admissibility of data processing and the safeguarding of the rights of the data subjects are the sole responsibility of the data controller, who is thus the controller within the meaning of Article 4(7) of the GDPR.

2) The data controller is entitled to issue instructions on the nature, scope, and procedures of data processing. Oral instructions are to be confirmed in writing or in text form (e.g., by email) by the data controller at the request of the data processor.

3) If deemed necessary by the data controller, authorized persons with the power to issue instructions may be appointed. The data controller communicates this information to the data processor in writing or in text form. In the event of a change in these authorized persons at the data controller, this information is communicated to the data processor in writing or in text form, specifying the new person.

4) The data controller promptly informs the data processor if errors or irregularities related to the processing of personal data by the data processor are identified.

§ 7 Duties of the Data Processor

1) Data Processing

The data processor shall process personal data exclusively in accordance with this Agreement and/or the underlying General Terms and Conditions and in accordance with the instructions of the data controller.

2) Rights of the Data Subjects

A. The data processor supports the data controller, to the extent possible, in fulfilling the rights of the data subjects, particularly with regard to correction, restriction of processing, deletion, notification, and access to information. If the data processor processes the personal data mentioned in Section 5 of this Agreement on behalf of the data controller, and if these data are the subject of a request for data portability under Article 20 of the GDPR, the data processor shall make the relevant dataset available to the data controller within a reasonable period, but no later than seven working days, in a structured, commonly used, and machine-readable format.

B. On the instruction of the data controller, the data processor shall correct, delete, or restrict the processing of the personal data mentioned in Section 5 of this Agreement, which is processed on behalf of the data controller. The same applies if this Agreement provides for the correction, deletion, or restriction of the processing of data.

C. If a data subject directly contacts the data processor to correct, delete, or restrict the processing of the personal data mentioned in Section 5 of this Agreement, the data processor shall promptly transmit this request to the data controller upon receipt.

3) Monitoring Obligations

A. The data processor ensures through appropriate controls that the personal data processed within the scope of this Agreement is processed exclusively in accordance with this Agreement and/or the terms and conditions and/or the respective instructions.

B. The data processor designs its business and operations in such a way that the data it processes on behalf of the data controller is secured and protected against unauthorized access by third parties to the extent required.

C. The data processor confirms that it has appointed a data protection officer in accordance with Article 37 of the GDPR and, if applicable, in accordance with §38 of the BDSG, and monitors compliance with data protection and data security provisions with the involvement of the data protection officer. The appointed data protection officer for the data processor is currently:

iSiCO Data Protection GmbH

Am Hamburger Bahnhof 4

10557 Berlin

berlin@isico-datenschutz.de

4) Notification Obligations

A. The data processor must promptly inform the data controller if it believes that an instruction from the data controller violates legal regulations. The data processor is entitled to suspend the execution of the corresponding instruction until it is confirmed or modified by the data controller.

B. The data processor supports the controller in fulfilling the obligations mentioned in Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to it.

5) Location of Data Processing

The processing of data takes place in the territory of the Federal Republic of Germany, in a member state of the European Union, or in another contracting state of the Agreement on the European Economic Area. A transfer to a third country may only take place if the special conditions of Art. 44 ff. GDPR are fulfilled.

6) Deletion of Personal Data after Contract Completion

After the termination of the General Terms and Conditions, the data processor will, at the choice of the data controller, either delete or return all personal data processed within the scope of the agreement, provided that the deletion of this data does not conflict with legal retention obligations of the processor. The data protection-compliant deletion is to be documented and confirmed to the controller upon request.

§ 8 Audit Rights of the Controller

1) The data controller is entitled, after prior timely notification during regular business hours, without disrupting the business operations of the data processor or jeopardizing the security measures for other data controllers, and at their own expense, to verify compliance with data protection regulations and contractual agreements to the necessary extent, either by themselves or through third parties. The audits can also be carried out by accessing existing industry-standard certifications of the contracted data processor, current certificates, or reports from an independent entity (e.g., auditors, external data protection officer, or external data protection auditor) or through self-disclosures. The data processor provides the necessary assistance in conducting the audits.

2) The data processor informs the data controller about the implementation of the supervisory authority's control measures, if these measures may affect the processing of data performed by the data processor for the data controller.

§ 9 Subcontracting

1) The data controller authorizes the data processor to engage the services of other processors in accordance with the following paragraphs in § 9 of this Agreement. This authorization constitutes a general written authorization within the meaning of Art. 28 (2) GDPR.

2) In fulfilling the Agreement, the data processor currently collaborates with the subcontractors listed in Appendix 2, whose engagement the data controller agrees to.

3) The data processor is entitled to engage additional subprocessors or replace already engaged subprocessors. The data processor informs the data controller in advance of any intended changes regarding the appointment or replacement of another subprocessor. The data controller may object to an intended change.

4) Objections to the intended change must be made within 2 weeks of receiving the notification of the change from the data processor. In the event of an objection, the data processor may, at its discretion, either provide the service without the intended change or propose an alternative subprocessor and agree on this with the data controller. If providing the service without the intended change is unreasonable for the data processor – for example, due to disproportionate costs for the data processor – or if coordinating an alternative subprocessor fails, the data controller and the data processor may terminate this Agreement and the General Terms and Conditions with one month's notice to the end of the month.

5) When engaging another subprocessor, a level of protection comparable to this Agreement must always be ensured. The data processor is responsible to the data controller for all actions and omissions of the other subprocessors it engages.

§ 10 Confidentiality

1) The data processor is obliged to maintain confidentiality in the processing of data on behalf of the data controller.

2) The data processor undertakes to use only employees or other agents (according to § 278 BGB) in the performance of the contract who are obligated to confidentiality in handling the transmitted personal data and have been familiarized with these requirements of data protection in an appropriate manner. Upon request, the data processor must demonstrate to the data controller that these obligations have been fulfilled.

3) Insofar as different confidentiality provisions apply to the data controller, the data controller informs the data processor accordingly. The data processor obliges its employees to comply with these confidentiality provisions in accordance with the requirements of the data controller.

§ 11 Technical and Organizational Measures

1) The technical and organizational measures described in Annex 1 are agreed upon accordingly. The data processor may update and change these measures, provided that the level of protection is not significantly reduced by such updates and/or changes.

2) The data processor adheres to the principles of proper data processing according to Art. 32 in conjunction with Art. 5 para. 1 GDPR. It ensures the contractually agreed and legally required measures for data security. It takes all necessary measures to secure the data or the security of processing, especially taking into account the state of the art, and to mitigate possible adverse consequences for the data subjects. The measures to be taken include, in particular, measures to protect the confidentiality, integrity, availability, and resilience of the systems, as well as measures to ensure the continuity of processing in the event of incidents. To ensure an adequate level of security of processing at all times, the data processor will regularly assess the measures implemented and, if necessary, make adjustments.

§ 12 Liability/Exemption

1) The data processor is liable to the data controller in accordance with legal provisions for all damages resulting from culpable violations by the data processor, its employees, or persons commissioned by it against this agreement and the legal data protection regulations applicable to it in the implementation of the agreement when providing the contractual service. The data processor shall not be liable for damages if it proves that it processed the data provided by the data controller exclusively in accordance with the instructions of the data controller and complied with its obligations under the GDPR explicitly imposed on the data processors.

2) The data controller indemnifies the data processor against all claims by third parties that are asserted against the data processor due to a culpable breach of obligations under this agreement or applicable data protection regulations by the data controller.

§ 13 Miscellaneous

1) In the event of conflicts between the provisions of this agreement and the provisions of the General Terms and Conditions, the provisions of this agreement shall prevail.

2) Amendments and additions to this agreement require the mutual consent of the contracting parties in written form, including electronic form, with specific reference to the provision of this agreement to be amended or supplemented. Oral collateral agreements do not exist and are also excluded for future changes or additions to this agreement.

3) German law applies to this contract.

4) If access to the data transmitted by the data controller to the data processor for data processing is jeopardized by third-party measures (e.g., actions of an insolvency administrator, seizure by tax authorities, etc.), the data processor must immediately report this and inform the data controller.

Appendix Directory

Appendix 1 to Annex A: Technical and Organizational Measures to Ensure Data Processing Security

Appendix 2 to Annex A: Subcontracting Relationships in accordance with § 9 of the Agreement

Appendix 1 to Annex A: Technical and Organizational Measures to Ensure Processing Security

The data processor ensures that it has implemented the following technical and organizational measures:

A. Pseudonymization Measures

Measures that significantly reduce the direct reference to the data subject during processing, allowing identification only through access to additional information. The additional information must be kept separate from the pseudonym through suitable technical and organizational measures.

B. Encryption Measures

Measures or processes in which a readable text/clear information is transformed into an unreadable, non-easily interpretable string (ciphertext) using an encryption method (cryptosystem):

• 256-Bit Advanced Encryption Standard (AES-256)

C. Measures to Ensure Confidentiality

1) Access Control

There is no physical storage or processing of data by the data processor. Measures that physically deny unauthorized access to IT systems and data processing devices for processing personal data, as well as to confidential files and storage media:

• Controlled access via personalized mobile phones or smart cards

• Door security (electronic door opener, etc.)

• Doorman

• Surveillance devices (alarms, video)

• Secure server room

• Visitor control system

Measures to prevent the processing or use of data protected under data protection law by unauthorized persons:

• Only authorized personnel have access to the physical data centers. All employees requiring access to a data center must first submit a request for access and provide a valid business justification. Approval of this request follows the principle of least privilege, meaning employees must specify the level of the data center and the duration of access in the request. The request is reviewed and approved by authorized personnel. Access is revoked upon expiration of the requested period. Employees with access to a data center are restricted to specific areas based on their permissions.

• Third-party access must be requested by authorized employees who must also provide a business justification for access. Approval of this request follows the principle of least privilege, meaning the employee must specify the level of the data center and the duration of access in the request. These requests are approved by authorized personnel. Access is revoked upon expiration of the requested period. Employees with access to a data center are restricted to specific areas based on their permissions. Individuals with a visitor pass must present it upon arrival and are registered and accompanied by authorized personnel.

• Access to data centers is regularly reviewed. Access is automatically revoked once an employee's record is deleted from the personnel system. Additionally, access by employees or temporary workers is revoked upon expiration of the approved period, even if they continue to work as employees.

• At the data level, electronic intrusion detection systems are installed to detect security-related events and automatically alert the responsible personnel. Entrances and exits to server rooms are secured by devices requiring personnel to undergo multi-factor authentication before entering or leaving the room. These devices trigger an alarm if the door is forced open or held open without authorization. Door alarm systems are configured to detect if someone enters or leaves a data layer without multi-factor authorization. In such cases, an alarm is immediately triggered and sent to the Security Operations Center for logging, analysis, and response.

• Password procedures, i.e., personal and individual user login when accessing the system (including special characters, minimum length, regular password changes).

• Automatic locking (e.g., password or break).

• Establishment of a user record for each user.

• Limitation of the number of authorized employees.

• Encapsulation of sensitive systems through separate network segments.

• Authentication procedures.

• Regular deployment of updated antivirus and spyware filters.

Measures ensuring that individuals authorized for data processing can only access personal data within their authorization, preventing unauthorized reading, copying, alteration, or removal of data during processing, use, and storage:

• Authorization concepts (profiles, roles, etc.) and their documentation.

• Evaluation/logging.

• Archiving concept.

• Logging of accesses and attempted misuse

2) Separation Rule

Measures ensuring that data collected for different purposes is processed separately and kept distinct from other data and systems to prevent unintended use of this data for other purposes:

• Personal data is stored in encrypted form (256-Bit Advanced Encryption Standard (AES-256)).

• Test and production systems do not share data.

D. Measures to Ensure Integrity

1) Data Integrity

Measures to ensure that stored personal data is not damaged due to system malfunctions:

• Importing new releases and patches with release/patch management

• Functional testing during installation and releases/patches by the IT department

• Logging

• Transport processes with individual responsibility

2) Transfer Check

Measures to ensure that it can be verified and determined to which locations personal data has been or can be transmitted or made available using data communication means:

• Logging.

• Transport processes with individual responsibility.

• Checksums.

3) Transport Control

Measures to ensure the confidentiality and integrity of data during the transmission of personal data and the transport of data carriers:

• Transmission of data via encrypted data networks or tunnel connections (VPN).

• Transport processes with individual responsibility.

• Encryption methods that detect data changes during transport.

• Comprehensive logging procedures.

4) Input Control

Measures to ensure that it can be subsequently verified and determined whether and by whom personal data has been entered, modified, or removed from computer systems:

• Logging of all system activities and retention of these logs for at least three years

• Log evaluation systems

E. Measures to Ensure Availability and Resilience

1) Availability Control

Measures to ensure that personal data is protected from accidental destruction or loss. The data is stored in the Amazon Cloud (AWS). Details can be found at: AWS GDPR Data Processing Addendum

• Data backup procedures

• Redundant server systems

• Uninterruptible power supply

• Fire alarm system

• Air conditioning

• Alarm system

• Emergency plans

• No water-carrying pipes above or next to server rooms

2) Rapid Recovery Capability

Measures to ensure the quick restoration of availability and access to personal data in the event of a physical or technical incident:

• Data backup procedures

• Regular tests of data recovery

• Emergency plans

3) Reliability

Measures to ensure that all system functions are available and that occurring disruptions are reported:

• Automatic monitoring

• Emergency plans with responsibilities

• 24/7 IT emergency service

• Regular tests of data recovery

F. Measures for the Regular Assessment of Data Processing Security

1) Review Procedure

Measures to ensure data protection-compliant and secure processing:

• Data protection management

• Regular re-certification

• Formalized processes for data protection incidents

• Instructions from the data controller are documented

2) Order Control

Measures to ensure that personal data processed under the contract may only be processed according to the instructions of the data controller:

• Instructions from the data controller are documented

• Formalized order management

Appendix 2 to Annex A: Subcontractors according to § 9 of the Agreement

In fulfilling the agreement, the data processor currently collaborates with the following other processors, whose engagement is approved by the data controller:

Name/Company: Amazon Web Services Inc.

Function/Activity: Data storage of the data processor on servers of Amazon Web Services Inc.

Registered Office: 410 Terry Avenue North, Seattle, Washington 98109, USA

Name/Company: Hotjar Ltd.

Function/Activity: Web analysis to better understand the needs of our users and improve our services.

Registered Office: Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 3155, Malta

Name/Company: fundingport Sofia EOOD

Function/Activity: Software development and hosting of the fundingport platform.

Registered Office: ul. Galichitsa 22, 1407 Sofia, Bulgaria

Name/Company: 3flows GmbH

Function/Activity: Software development and hosting of the fundingport platform.

Registered Office: Echternacherstr. 23, 50933 Köln, Germany

Name/Company: Loom Inc.

Function/Activity: Provision of video communication software.

Registered Office: 85 2nd Street, Suite 100, San Francisco, CA 94105, USA

Annex B to the Terms and Conditions of fundingport GmbH

Authorization for Financing Inquiry with the Intermediation of fundingport GmbH

We are interested in obtaining financing for commercial use and hereby instruct our financing intermediary ("Intermediary") to arrange financing for us with the intermediation of fundingport GmbH ("fundingport") from a financing provider ("Provider") registered on the fundingport platform, possibly again through the intermediation of another financing intermediary ("Distribution Coordinator") appointed by the Provider.

We inform the Intermediary which Providers should receive a loan request on the fundingport platform. The Intermediary and fundingport commit to sending financing requests exclusively to the Providers we have specified.

Data Protection Notices and Waiver of Bank Secrecy

To assess the financing request and create a financing offer, we authorize the Intermediary to provide fundingport with the information and documents transmitted by us for forwarding to Providers selected by us to receive it. In the event that a Provider selected by us has appointed a Distribution Coordinator, we authorize fundingport to forward the information and documents to the Distribution Coordinator and the Distribution Coordinator to forward them to the Provider selected by us.

The necessary information and documents for this purpose include, in particular, financing and company data (e.g., loan amount, purpose of use, company name, registered office, date of establishment, turnover, main business account, copies of account transactions over a period of 3 months, the last three business assessments (BWA), balance sheets, or other comparable evidence of income and liabilities).

We authorize the Providers, through fundingport – possibly via a Distribution Coordinator – to provide the Intermediary with the following information for forwarding:

i. the financing offer,

ii. any Term Sheets from the Provider for financing requests on the platform;

iii. information on the conclusion, volume, and timing of provision and/or initial disbursement in the event of a contract for a contract product or the extension or refinancing of an existing contract product; and

iv. information about the final failure of a contract for a contract product.

For this purpose, we release the Providers from bank secrecy to the extent that Providers are subject to it. fundingport, the Intermediary, and, if engaged, a Distribution Coordinator