Declaration on Data Protection

(Pursuant to sections 5, 13 of the German Telemedia Law, TMG, and sections 28, 30 of the German Law on Data Protection, BDSG)

Definitions

EACG means EACG GmbH.

EOS means EACG Operations Solutions GmbH, a fully owned subsidiary of EACG GmbH and the operator of the TrustSource solution.

The two companies can be reached as follows:

EACG GmbH

Registered at the Commercial Register Frankfurt am Main, HRB 84852 with registered office in

Taunustor 1, TaunusTurm 18th floor

60310 Frankfurt am Main

Germany

EACG Operations Services GmbH

Registered at the Commercial Register Frankfurt am Main, HRB 101441 with registered office in

Taunustor 1, TaunusTurm 18th floor

60310 Frankfurt am Main

Germany

TrustSource is a trademark of EACG. It denotes the SaaS solution that accepts the scan results, analyses them and generates reports, and supports the management process of Open Source Risk Management and Governance.

Scanner means the component responsible for transferring the list of identified open source components to TrustSource. The scanners are mostly open source themselves.

Account means the company-specific access to TrustSource, potentially associated with fees, that can be used by one or more legitimate persons to access TrustSource.

I. General

EACG agrees to comply with the existing and applicable legislation of the German and European law on data protection in the design of the platform and the service offer. We are committed to the right to informational self-determination and data protection at the highest possible level as well as to the protection of technical and/or commercial trade secrets. Our protective measures are constantly subject to review and improvement in light of ongoing technological developments in order to protect your personal data processed by EOS against any accidental or intentional manipulation, loss, destruction or access by unauthorized persons (see sections 9, 11 of the German Law on Data Protection, Bundesdatenschutzgesetz – BDSG). We also commit our employees and cooperation partners as well as any other aides to respect the values of secrecy and data protection.

2.1 What is EACG, and who is responsible for EACG?

EACG GmbH is a consulting company as well as the provider of the website www.eacg.de. The trademark EACG is protected under copyright and trademark law. Responsibility under data protection law, and the role of service provider under the German Telemedia Law (TMG), lies with EACG GmbH, Taunustor 1, D-60310 Frankfurt am Main, Phone +49 69 153 22 77 50, Email support@trustsource.io.

2.2 What is TrustSource, and who is responsible for TrustSource?

TrustSource is a software-as-a-service platform. The trademarks TrustSource and EACG are protected under copyright and trademark law. Responsibility under data protection law, and the role of service provider under the German Telemedia Law (TMG), lies with EACG Operations Services GmbH (EOS), Taunustor 1, D-60310 Frankfurt am Main, Phone +49 69 153 22 77 50, Email support@trustsource.io. EACG Operations Services GmbH is also the processor of data for the TrustSource platform https://app.trustsource.io.

3. Which personal data of our customers do we collect and use?

We collect and use two kinds of information. On the one hand, we use customer data for fulfilling contracts and processing payments, as well as data for mandatory inspections upon purchase on account and other transactions subject to VAT.

In relation to TrustSource, we also collect part-list information with the help of the code scanner. This information will only be stored directly within the customer context and will not be passed on to third parties.

4. Which information is compiled, processed, stored and/or transferred, and how?

The information you provide with the order and for managing your account will be stored and processed by us. In particular, this includes the information you enter on our website (for instance upon registration with the platform of TrustSource or the website EACG, or upon the purchase of a particular license). These are data which are required for the conclusion, content-related design or modification of your contract (inventory data). We will use these data only to fulfil our contract with you. They will be used only for communicating with you and the purpose for which you have provided the data. Such data is retained as required by the German law on preservation of business communications.

In addition, by employing the Scanner, you will transfer structural information about your source code composition. This information will be stored in your account and will be visible only to users with corresponding access rights within your account. Each item of component information transferred can be marked as "public" or "private". The components marked as "public" will be reviewed by our analysis services and monitored for known vulnerabilities accordingly. However, all data of this kind will only be accessible and visible to members of your account. Personal data will be removed 90 days after the cancellation of the account.

For further information, please see the data privacy of the respective services.

5. How will license information be collected, and what happens with it?

You may use your individual license data pursuant to our General Terms and Conditions. In addition to this, the data transferred by your Scanners can be injected into a data pool with other data, and be stored, processed and transferred. This will be done only in anonymised form pursuant to section 30 of the German Law on Data Protection, BDSG. TrustSource will hold the exclusive copyright and right of use concerning the structure data transferred to TrustSource in that way and combined in a pool. The data will be transferred exclusively for business purposes of TrustSource and EOS or EACG, as well as for research purposes. Anonymization prevents any tracing and/or personal association of your personal data.

6. How safe is it to communicate with us?

In order to protect your data, data stored by us can be accessed only via an encrypted connection; in addition, a firewall guarantees the highest possible level of protection for your data. Registration via our website, as well as the use of the TrustSource platform solution, is made exclusively in encrypted form via an SSL/TLS (Secure Sockets Layer/Transport Layer Security) connection.

7. Which data will be stored, either in the long term or temporarily, when you visit our website or access us from the internet?

Upon each user access to our webpages, data on this process will be temporarily stored and processed in a log file. The following data will be compiled and stored until they are automatically deleted:

  • IP address of the retrieving computer;
  • Date and time of access;
  • Name and URL of the page retrieved;
  • Notice on whether the retrieval was successful;
  • Identification data of the browser and operating system used;
  • Website from which access was made;
  • Name of your internet access provider.

The data is stored for a specific purpose. The processing of data is carried out for the purpose of enabling use of the website (establishing a connection) and, in addition to this, serves the security of the system, the technical administration of the network infrastructure as well as the optimization of the online services. The data will be evaluated for statistical purposes only, used to improve our services and then subsequently deleted. Information on the address can, as a general rule, be analyzed only in the event of attacks on the network infrastructure of TrustSource, EOS or EACG.

Furthermore, the tracking data (session/IP, pages) are transferred to Google Analytics services for the analysis of your behaviour on our site to allow optimisation and improvement of our offering. We will use such data solely for our own acquisition purposes.

Except in the cases stated in the Declaration on Data Protection, personal data will not be processed unless you explicitly consent to more extensive or further processing.

8. In which cases must or may we transfer your data to third parties?

Where necessary, the data and information stored by us may be used and disclosed to third parties pursuant to the applicable law upon a court order, a legally valid request by an investigative authority or for evidentiary purposes (for instance, upon breach of our General Terms and Conditions).

9. Where can I find information on the data stored?

Of course, we provide registered customers with information on the data stored by us about them. Please direct your request to support@trustsource.io or use the “help” function inside the TrustSource application.

Any questions remaining?

Do not hesitate to contact us!