NovaStor GmbH

General Terms and Conditions of NovaStor GmbH

++ Machine translation ++

The original text at www.novastor.de/agb is legally binding.
General Terms and Conditions (GTC) of NovaStor GmbH

General Terms and Conditions (GTC) of NovaStor GmbH
Effective Date: May 2026 · Version: 2.1

++ Machine translation ++

The original text at www.novastor.de/agb is legally binding.

 

§ 1 Scope of Application

(1) The offers, services, and deliveries of NovaStor GmbH, Lübeckertordamm 1-3, 20099 Hamburg, Germany (hereinafter referred to as “NovaStor”) shall be provided exclusively on the basis of these General Terms and Conditions (hereinafter referred to as the “GTC”). These GTC shall form an integral part of all agreements concluded with NovaStor.

In commercial transactions within the meaning of Section 310 (1) of the German Civil Code (BGB), an explicit reference to these GTC shall be sufficient. In consumer transactions, the customer shall be provided with these GTC in a reasonable manner at the time of contract conclusion.

(2) Any terms and conditions of the customer that conflict with or deviate from these GTC are hereby expressly rejected. Such terms shall not become part of the contract, even if NovaStor does not expressly object to them or performs services without reservation while being aware of such conflicting terms.

(3) Any oral side agreements or representations made by employees that go beyond the content of these GTC shall only be binding if confirmed by a duly authorized representative of NovaStor.

(4) In commercial transactions, the current version of NovaStor’s GTC shall also apply to future business relationships, even if no separate reference is made to them in individual cases.

Revised versions of these GTC shall be communicated to existing contractual partners and shall be deemed incorporated into the contractual relationship unless the customer objects in text form within thirty (30) days of notification. In the event of an objection, NovaStor shall be entitled to terminate the contract with three (3) months’ notice effective at the end of a calendar month.

(5) For third-party software and other third-party products or services supplied by NovaStor as independent commercial goods and separately identified and priced in the respective offer, the contractual and licensing terms of the respective manufacturer or supplier shall take precedence unless otherwise agreed.

Such third-party terms may contain provisions deviating from these GTC, particularly regarding the granting of usage rights, warranties, and liability. NovaStor shall inform the customer of the applicable third-party terms upon conclusion of the contract. Any gaps shall be supplemented by these GTC.


 

§ 2 Subject Matter of the Contract and Scope

(1) The subject matter of these GTC is the provision of standard software in object-code form, including the associated user documentation (hereinafter referred to as the “Licensed Software”), as well as the granting of the usage rights described in Section 3.

The permitted hardware and software environment shall be specified in the respective quotation and/or license certificate.

(2) The Licensed Software shall be provided by way of download. NovaStor shall make the Licensed Software and the user documentation available to the customer in an appropriate downloadable format.

(3) The characteristics and functionality of the Licensed Software shall be conclusively determined by the product description valid at the time of contract conclusion, as specified in the quotation or made available via the NovaStor website.

Such descriptions constitute service specifications and not guarantees. A guarantee shall only exist where expressly designated as such.

(4) Where individual customizations or enhancements are provided, the customer shall examine and formally accept the deliverables within a reasonable period, but no later than one (1) month after delivery, in text form.

The deliverables shall also be deemed accepted if the customer puts them into productive use and does not submit a justified rejection based on material defects within the aforementioned period.

(5) In the case of subscription or rental agreements, NovaStor shall be entitled to modify the Licensed Software where such modifications are necessary to maintain functionality, remedy security vulnerabilities, or comply with legal requirements, provided such modifications are reasonable for the customer.

NovaStor shall inform the customer of such measures in advance and within a reasonable period.

(6) The following services are expressly excluded from the scope of these GTC:

  1. Managed Backup Services;

  2. Cloud services, including the SaaS operation of NovaStor DataCenter Evolve;

  3. Professional Services (including installation, configuration, training, and consulting).

(7) Such services shall be governed by separate contractual documents, including but not limited to the EULA, SLA, Data Processing Agreement (DPA), and individual service descriptions.

These GTC shall apply on a supplementary basis insofar as those documents do not contain deviating provisions.


 

§ 3 License and Usage Rights

(1) The customer shall receive a non-exclusive right to use the Licensed Software.

In the case of a purchase, the right of use shall be perpetual. In the case of rental or subscription agreements, the right of use shall be limited to the duration of the respective contract.

Permitted use includes installation, loading into memory, and use of the Licensed Software for its intended purpose by the customer.

The number of licenses as well as the type and scope of permitted use shall be determined by the applicable license certificate.

Upon termination of a rental or subscription agreement, the Licensed Software shall cease to provide contractual functionality. In particular, backup and recovery operations relying on access-controlled features may no longer be available.

(2) The customer may create one backup copy of the Licensed Software to the extent necessary to ensure future use.

The backup copy must visibly contain the designation “Backup Copy” as well as the manufacturer’s copyright notice.

(3) The interoperability rights granted under Section 69e of the German Copyright Act (UrhG) shall apply unless NovaStor has made the information necessary for interoperability available to the customer within a reasonable period following a request.

(4) After purchase or during a valid rental term, the customer may permanently transfer the acquired copy of the Licensed Software to a third party together with the license certificate and documentation, provided that:

  • the customer completely ceases use of the software;
  • all installed copies are removed; and
  • all backup copies are deleted or transferred to NovaStor.

Upon request, the customer shall confirm compliance in text form.

The customer shall expressly obligate the third party to comply with the scope of rights granted under this Section 3.

(5) If the customer exceeds the granted scope of use quantitatively or qualitatively, the customer shall immediately acquire the additional rights required for lawful use.

In the event of a continuing license violation, NovaStor shall be entitled to suspend the affected usage rights and technically deactivate the license. Any further legal claims shall remain unaffected.

(6) Copyright notices, serial numbers, and any other identifiers used for program identification may not be removed, altered, or obscured.


 

§ 4 Prices, Payment, Due Dates and Default

(1) The prices specified in the quotation shall apply, plus the applicable statutory value-added tax (VAT).

Unless otherwise agreed, all prices are stated in Euro (EUR).

(2) For recurring agreements (including rental, subscription, and maintenance agreements), NovaStor may adjust prices once per calendar year, but not earlier than twelve (12) months after commencement of the contract.

The adjustment shall be limited to either:

  1. a maximum of six percent (6%) per annum; or

  2. if lower, the percentage increase of the German Consumer Price Index (CPI) published by the Federal Statistical Office for the preceding calendar year.

The customer shall be notified of any adjustment in text form at least sixty (60) days before it becomes effective.

If the adjustment exceeds ten percent (10%) compared to the previously applicable price, the customer shall be entitled to terminate the affected agreement with extraordinary effect as of the effective date of the adjustment, provided such termination is declared in text form within thirty (30) days after notification.

 

(3) Unless otherwise expressly agreed, payments shall become due upon delivery or provision for download and communication of the access credentials.

Invoices shall be payable within ten (10) days from the invoice date without deduction.

NovaStor reserves the right to require advance payment or security in individual cases.

 

(4) In the event of late payment, commercial customers shall owe default interest at a rate of nine (9) percentage points above the applicable base interest rate pursuant to Section 288 (2) BGB.

For consumers, the default interest rate shall be five (5) percentage points above the applicable base interest rate.

NovaStor’s right to claim additional damages shall remain unaffected.

 

(5) If the customer fails to meet its payment obligations, suspends payments, or if circumstances become known that call the customer’s creditworthiness into question, NovaStor may, at its discretion:

  • declare all outstanding amounts immediately due and payable;
  • require advance payments or security;
  • suspend performance without prior notice; or
  • terminate the contract for cause.

In the event of termination, the customer shall immediately return delivered goods and software to the extent corresponding to the outstanding payment obligations.


§ 5 Term of Subscription, Rental and Maintenance Agreements

(1) Subscription and rental agreements shall be concluded for an indefinite period unless a fixed minimum term is specified in the respective quotation.

Either party may terminate such agreements by giving three (3) months’ notice effective at the end of the applicable billing period, but not earlier than twelve (12) months after the commencement of the contract.

Unless terminated in due time, the agreement shall automatically renew for the duration of the preceding billing period, but for no less than twelve (12) additional months.

(2) For purchase agreements relating to NovaStor DataCenter, a maintenance agreement (“NovaCare”) shall additionally be concluded unless otherwise agreed.

NovaCare includes updates and upgrades (“Update/Upgrade Protection”) as well as technical support provided by NovaStor support engineers based in Hamburg, Germany.

NovaCare shall automatically renew for successive one-year periods unless terminated in text form at least three (3) months prior to the end of the current term.

 

(3) Without a valid NovaCare agreement, the functionality of the Licensed Software may be impaired because security updates and functional updates will no longer be available.

NovaStor shall not be obliged to analyze or remedy such impairments without additional compensation.

 

(4) Section 4 (2) shall apply accordingly to price adjustments upon contract renewal.

 

(5) Any termination notice must be provided in text form pursuant to Section 126b BGB.

An email sent by an authorized representative to the address specified in the contract or in the legal notice (Imprint) shall satisfy this requirement.


 

§ 6 Data Processing Agreement (DPA) pursuant to Article 28(3) GDPR

 

(1) Data Processing Agreement (DPA) pursuant to Article 28 GDPR

The details of the Data Processing Agreement (“DPA”) are set forth in Part D of the legal documentation.

The DPA forms an integral part of these GTC and does not require separate execution.

 

(2) Subject Matter and Duration of Processing

This agreement governs the rights and obligations of the parties in connection with the provision of services under the applicable service description and these GTC (hereinafter the “Main Agreement”), insofar as NovaStor processes personal data on behalf of the customer pursuant to Article 28 GDPR.

For purposes of the DPA, NovaStor shall act as the Processor (“Processor”), while the customer shall act as the Controller (“Controller”).

The DPA covers all activities performed by the Processor in fulfillment of the contractual services that constitute processing of personal data on behalf of the Controller.

The DPA shall apply regardless of whether the underlying agreement expressly refers to it.

The duration of processing shall correspond to the period during which personal data of the Controller is actually processed by the Processor.

Further details are set forth in Part D of the legal documentation.


 

§ 7 Extraordinary Termination

(1) The right of either party to terminate the contract for cause shall remain unaffected.

The assertion of claims for damages shall likewise remain unaffected.

 

(2) Material reasons entitling NovaStor to terminate the contract for cause include, in particular:

  1. the filing or commencement of insolvency proceedings concerning the customer’s assets;

  2. financial collapse of the customer or suspension of payments;

  3. repeated or serious breaches of material contractual obligations by the customer, including violations of the usage rights granted under Section 3;

  4. payment default exceeding ten percent (10%) of the fees due for a billing period for a period of more than one month following a reminder notice.

 

(3) Termination for breach of a material contractual obligation shall only be permissible after NovaStor has granted the customer an opportunity, in text form, to remedy the breach within a reasonable period of at least two (2) calendar weeks.

This requirement shall not apply where the breach is so severe that NovaStor cannot reasonably be expected to continue the contractual relationship until expiration of the cure period.

 

(4) Any termination must be made in text form.

Upon termination of the contract, NovaStor shall be entitled to the agreed remuneration on a pro rata basis until the effective termination date.

For incomplete work results, NovaStor shall receive compensation corresponding to the degree of completion achieved at the time of termination.

Customer data shall be handled in accordance with the provisions of the EULA and the DPA.

Unless otherwise specified in the EULA or SLA, the standard data export period shall be thirty (30) days following termination of the contract.


 

§ 8 Warranty

 

(1) NovaStor warrants that the Licensed Software, when used in accordance with the contract and the applicable documentation, will substantially perform the functions described in the relevant product description in accordance with the generally recognized state of the art.

NovaStor does not warrant that the Licensed Software is suitable for any specific purpose not expressly agreed between the parties.

 

(2) Any defects in the Licensed Software must be reported to NovaStor in text form without undue delay after discovery.

NovaStor shall remedy such defects within a reasonable period either by repair or replacement, at NovaStor’s sole discretion.

 

(3) If subsequent performance finally fails, is unreasonable for the customer, or is unjustifiably refused by NovaStor, the customer may, subject to applicable law, withdraw from the contract or demand an appropriate reduction of the agreed remuneration.

 

(4) Withdrawal from the contract due to an insignificant defect shall be excluded.

 

(5) The parties acknowledge that, according to the current state of technology, it is not possible to develop software that is entirely free from defects under all operating conditions.

 

(6) Where a NovaCare maintenance agreement exists between the parties, defect resolution periods and response times shall be governed by the terms of that agreement.

In all other respects, NovaStor’s Support Guidelines, as amended from time to time, shall apply.

 

(7) The warranty period shall be twelve (12) months from delivery in commercial transactions.

For consumer transactions, the statutory warranty periods shall apply.

 

(8) Warranty claims require that the Licensed Software has been used in accordance with the contract.

Warranty claims shall be excluded to the extent that defects result from the customer’s failure to comply with cooperation obligations or configuration requirements as set forth in the EULA and SLA.


 

§ 9 Liability

 

(1) NovaStor shall be liable without limitation:

  • in cases of willful misconduct (Vorsatz) and gross negligence;
  • for damages resulting from injury to life, body, or health;
  • under the provisions of the German Product Liability Act (Produkthaftungsgesetz); and
  • to the extent of any expressly assumed guarantee.

 

(2) In the event of a slightly negligent breach of a material contractual obligation (Kardinalpflicht), i.e., an obligation whose fulfillment is essential for the proper performance of the contract and on whose compliance the customer regularly relies and may reasonably rely, NovaStor’s liability shall be limited to the foreseeable damage typical for the contract at the time of contract conclusion.

In any event, NovaStor’s aggregate liability shall not exceed one hundred percent (100%) of the fees actually paid by the customer to NovaStor for the affected contractual subject matter during the twelve (12) months preceding the event giving rise to the claim.

 

(3) To the extent permitted by applicable law, any further liability of NovaStor is excluded, including liability for:

  • indirect damages;
  • consequential damages;
  • loss of profit;
  • production downtime; and
  • loss of use.

 

(4) NovaStor shall be liable for the loss of data and programs, and for their restoration, only to the extent that such loss could not have been avoided through proper and risk-appropriate backup procedures implemented by the customer.

If the customer fails to perform reasonable backup measures, NovaStor’s liability shall be limited to the restoration effort that would have been required had proper backups been maintained.

The customer’s obligation to perform regular data backups arises from the nature of the contractual subject matter and from the provisions of the EULA.

 

(5) The limitations of liability set forth in this Section 9 shall also apply in favor of NovaStor’s employees, representatives, officers, and agents.

 

(6) For rental agreements concluded in the course of business, NovaStor’s strict liability pursuant to Section 536a of the German Civil Code (BGB) for defects already existing at the time of contract conclusion shall be excluded.


 

§ 10 Security Obligations and Audit Rights

 

(1) The customer shall protect the Licensed Software and, where applicable, access credentials for online access against unauthorized access by third parties through appropriate technical and organizational measures.

In particular, all copies of the Licensed Software and all access credentials shall be stored in a secure location and protected against loss, theft, and misuse.

 

(2) NovaStor shall be entitled, once per calendar year and upon at least thirty (30) days’ prior notice, to verify the customer’s proper use of the Licensed Software, including compliance with the applicable licensing terms.

For this purpose, the customer shall:

  • provide NovaStor with relevant information;
  • grant access to relevant records and documentation; and
  • where necessary, permit verification of the applicable hardware and software environment.

Any audit shall be conducted during normal business hours and in a manner that minimizes disruption to the customer’s business operations.

NovaStor may engage independent third parties, such as certified public accountants or auditors bound by confidentiality obligations, to perform such audits.

 

(3) If an audit reveals that the customer has used the Licensed Software beyond the licensed scope, the customer shall bear the costs of the audit and shall pay the applicable license fees retroactively from the beginning of the unauthorized use, but for a period not exceeding three (3) years.


 

§ 11 Confidentiality

 

(1) “Confidential Information” means all information and documents of the respective other party that are designated as confidential or that, by their nature or circumstances of disclosure, should reasonably be regarded as confidential.

Confidential Information includes, without limitation:

  • business processes;
  • business relationships;
  • know-how;
  • source code;
  • product roadmaps;
  • pricing calculations; and
  • personal data.

 

(2) The parties undertake to:

  • keep Confidential Information strictly confidential;
  • use Confidential Information solely for the purpose of performing the contract; and
  • disclose Confidential Information only to those employees, contractors, and agents who require access for the performance of the contract and who are subject to corresponding confidentiality obligations.

 

(3) The confidentiality obligation shall not apply to information that:

  1. was demonstrably known to the receiving party prior to disclosure;

  2. is or becomes publicly known without breach of this agreement;

  3. is lawfully obtained from a third party without any confidentiality obligation; or

  4. must be disclosed pursuant to statutory, regulatory, or governmental requirements.

In the case of mandatory disclosure under item (d), the receiving party shall, to the extent legally permissible, inform the other party in advance.

 

(4) The confidentiality obligations shall survive termination or expiration of the contract for a period of three (3) years.

Trade secrets within the meaning of the German Trade Secrets Act (GeschGehG) shall remain protected without limitation in time.


 

§ 12 Final Provisions

 

(1) The customer may assign claims against NovaStor to third parties only with NovaStor’s prior consent in text form.

Assignment of claims to affiliated companies within the meaning of Sections 15 et seq. of the German Stock Corporation Act (AktG) shall not require such consent.

 

(2) The customer may only set off claims or exercise rights of retention against undisputed claims or claims that have been finally determined by a court of competent jurisdiction.

 

(3) Any amendments or supplements to this agreement must be made in text form pursuant to Section 126b BGB.

This requirement shall also apply to any amendment or waiver of this clause itself.

Individual agreements negotiated between the parties shall take precedence in all cases pursuant to Section 305b BGB.

 

(4) Any general terms and conditions of the customer shall not apply, even if NovaStor performs services without reservation while being aware of such terms.

 

(5)  The Licensed Software may be subject to export or re-export restrictions, including restrictions imposed by the United States of America or the European Union.

The customer shall comply with all applicable export control regulations in connection with any resale, transfer, or export of the Licensed Software.

 

(6) This agreement shall be governed by and construed in accordance with the laws of the Federal Republic of Germany, excluding the United Nations Convention on Contracts for the International Sale of Goods (CISG).

 

(7) The place of performance shall be Hamburg, Germany.

Exclusive jurisdiction shall lie with the courts of Hamburg, Germany, provided that each party is a merchant, a legal entity under public law, a special fund under public law, or does not have a general place of jurisdiction in Germany.

NovaStor shall additionally be entitled to bring legal action against the customer at the customer’s general place of jurisdiction.

 

(8) Should any provision of this agreement be or become invalid, unenforceable, or void, the validity of the remaining provisions shall remain unaffected.

The invalid provision shall be replaced by a valid provision that most closely reflects the economic purpose of the invalid provision.

The same shall apply in the event of a contractual gap.

 

(9) For the purposes of these GTC, “Customer” means any person, company, organization, or other entity acquiring goods, products, or services from NovaStor.

This includes both commercial end customers and channel partners, including distributors, system integrators, and managed service providers (MSPs).

End User License Agreement (EULA)

End User License Agreement (EULA)

Effective Date: May 2026 · Version: 2.1

 

++ Machine translation ++

The original text at www.novastor.de/agb is legally binding.

§ 1 Scope, Contracting Parties

(1) This End User License Agreement (hereinafter referred to as the “EULA”) governs the relationship between NovaStor GmbH, Lübeckertordamm 1-3, 20099 Hamburg, Germany (hereinafter referred to as “NovaStor”), and the customer with respect to the use of the products listed below and the associated client and/or agent software provided for such products (collectively referred to as the “Licensed Software” or the “Service”).

 

(2) This EULA applies to the following products:

  1. NovaStor DataCenter – backup and data protection software operated on-premises within the customer’s own infrastructure;

  2. NovaStor DataCenter MSP – NovaStor DataCenter including MSP-specific components for multi-tenant administration, operated within the Managed Service Provider’s infrastructure;

  3. NovaStor DataCenter Evolve – a SaaS backup service operated by NovaStor in German data centers using a cloud-first architecture.

 

(3) The Service is intended exclusively for businesses within the meaning of Section 14 BGB, legal entities under public law, and special funds under public law.

Use by consumers within the meaning of Section 13 BGB is expressly excluded.

(4) The following documents shall additionally apply:

  1. NovaStor’s General Terms and Conditions (GTC);

  2. the Service Level Agreement (SLA) governing availability and support services;

  3. the Data Processing Agreement (DPA) pursuant to Article 28 GDPR; and

  4. any product-specific or customer-specific supplementary terms.

In the event of a conflict, the following order of precedence shall apply:

DPA → EULA → SLA → GTC

 

§ 2 Definitions

For purposes of this EULA, the following terms shall have the meanings set forth below:

Customer means NovaStor’s contractual partner, including end customers, system integrators, distributors, and Managed Service Providers (MSPs).

Authorized User means any natural person authorized by the Customer to use the Service, including employees, administrators, and, where applicable, customers of an MSP.

Customer Data means all data uploaded, stored, protected, backed up, transmitted for backup purposes, or otherwise processed within the Service by the Customer or an Authorized User, including personal data.

Availability means the monthly service availability level defined in the SLA for both the control plane and the data plane.

Scheduled Maintenance means planned maintenance and update activities announced at least seventy-two (72) hours in advance.

Emergency Maintenance means unplanned maintenance measures required to prevent or remediate security-critical incidents or to maintain system stability.

Incident Priority (P1–P4) means the classification of incidents according to severity as defined in the SLA.

RTO / RPO mean Recovery Time Objective and Recovery Point Objective, respectively.

Service Credit means a predefined compensation mechanism under the SLA in the event of failure to achieve the agreed service availability.

Immutability means the technically enforced non-modifiability of stored backups (WORM principle) during a defined retention period.

 

§ 3 Scope of Services

3.1 NovaStor DataCenter (On-Premises)

(1) NovaStor DataCenter is a backup and data protection software solution installed and operated by the Customer within its own infrastructure.

NovaStor provides the software, grants the corresponding usage rights, and supplies updates, upgrades, and support services during the term of a valid Subscription agreement or NovaCare maintenance agreement.

(2) The functionality and characteristics of NovaStor DataCenter are governed by the current product documentation available on NovaStor’s website or provided upon request.

3.2 NovaStor DataCenter MSP

(1) NovaStor DataCenter MSP is an enhanced version of NovaStor DataCenter that includes additional components for multi-tenant administration.

It is installed and operated within the MSP’s infrastructure and enables the MSP to provide backup and data protection services to its own customers.

(2) The MSP shall remain solely responsible toward its customers from both a contractual and data protection perspective.

Where personal data is processed, NovaStor shall act as a Processor on behalf of the MSP.

The MSP shall generally act as a Processor vis-à-vis its own customers or, depending on the specific arrangement, as a Controller.

3.3 NovaStor DataCenter Evolve

(1) NovaStor DataCenter Evolve is a SaaS backup service operated entirely within German data centers.

The standard hosting providers are currently:

  • IONOS SE
  • Impossible Cloud GmbH

NovaStor operates the command server, performs maintenance and updates, and manages licensing.

The Customer installs the backup client on the systems to be protected and independently configures its backup strategy.

(2) Key product features include, among others:

  • centralized management of cloud and local backups, including Microsoft 365 backups, through a unified interface;
  • support for immutable backups;
  • multi-tenancy capabilities;
  • pay-per-use billing based on storage consumption;
  • optional local backup functionality; and
  • additional features as described in the applicable product documentation.

(3) NovaStor DataCenter Evolve is designed to support GDPR- and NIS2-compliant operation.

Responsibility for the legality, configuration, classification, and protection of the backed-up data remains with the Customer under a Shared Responsibility Model.

(4) NovaStor offers a thirty (30) day trial period including access to all features of the standard package.

If no subsequent agreement is concluded, all data stored within the trial environment shall be securely deleted following expiration of the trial period.

§ 4 License Rights and Permitted Use

(1) NovaStor grants the Customer a non-exclusive, non-transferable (subject to any transfer rights expressly permitted under the GTC) right to use the Licensed Software and, where applicable, the Service.

Such right shall be limited to the agreed contractual term and license scope.

 

(2) The following activities are prohibited in particular:

  1. reverse engineering, disassembly, or decompilation of the Licensed Software, except where expressly permitted by mandatory law, including Section 69e of the German Copyright Act (UrhG);

  2. circumvention, manipulation, or disabling of technical protection measures, licensing mechanisms, or security controls;

  3. rental, leasing, timesharing, or service bureau use outside the expressly agreed MSP business model;

  4. unauthorized load testing, security testing, penetration testing, or benchmark testing;

  5. use outside the agreed system environment or beyond the licensed scope;

  6. storage, processing, or transmission of unlawful content in violation of Section 5.4 (Acceptable Use Policy).

(3) Open-source components contained within the Licensed Software are subject to the respective license terms of the applicable open-source licensors.

NovaStor shall provide relevant notices and license texts within the product documentation and/or customer portal.

§ 5 Customer Responsibilities and Shared Responsibility Model

5.1 Configuration and Operation by the Customer

(1) The Customer is solely responsible for:

  • selecting the systems and datasets to be protected;
  • configuring backup frequencies (RPO);
  • defining retention periods;
  • performing regular test restores to verify recoverability;
  • providing adequate network connectivity; and
  • securing credentials, encryption keys, and access mechanisms.

Loss of an encryption key will inevitably result in the loss of recoverability of the affected backups.

NovaStor is unable to recover lost encryption keys.

5.2 Content and Legality

(1) The Customer bears sole responsibility for Customer Data and its legality.

The Customer represents and warrants that Customer Data does not violate:

  • applicable law;
  • rights of third parties; or
  • the restrictions set forth in Section 5.4 of this EULA.

For purposes of data protection law, the Customer acts as the Controller within the meaning of Article 4(7) GDPR, while NovaStor acts as a Processor.

Further details are set forth in the Data Processing Agreement (DPA).

5.3 Cooperation and Support Obligations

(1) The Customer shall designate:

  • a technical contact person; and
  • an escalation contact.

The Customer shall:

  • report incidents promptly in accordance with the SLA;
  • reasonably cooperate in troubleshooting activities;
  • provide logs, configuration information, and access to test environments where required; and
  • ensure the availability of qualified technical personnel during agreed support hours.


5.4 Acceptable Use Policy

(1) The Customer shall not use the Service to store, process, distribute, or transmit:


  1. content that violates applicable criminal laws, including child sexual abuse material, hate speech, or terrorist propaganda;

  2. content that infringes third-party rights, including intellectual property rights, trademark rights, copyrights, or personality rights, without appropriate authorization;

  3. malware, viruses, trojans, ransomware, or other malicious software intended for distribution or harmful use;

  4. data whose storage or processing would violate applicable data protection laws, including unlawful international data transfers without a valid legal basis.

(2) Where NovaStor has a reasonable basis to suspect a violation of this Acceptable Use Policy, NovaStor may temporarily restrict access to the affected content and request a statement from the Customer.


In the event of serious or repeated violations, NovaStor shall be entitled to terminate the agreement for cause with immediate effect.

§ 6 Data Protection and Data Processing Agreement

(1) To the extent that NovaStor processes the Customer’s personal data in connection with the performance of this Agreement, such processing shall be carried out in NovaStor’s capacity as a processor within the meaning of Article 28 GDPR. The details are governed by the Data Processing Agreement (“DPA”) concluded between the Parties, which forms an integral part of this contractual framework.

(2) The standard sub-processor is IONOS SE as the hosting provider operating data centers in Germany. NovaStor maintains a list of engaged sub-processors as Annex 3 to the DPA. Changes to the list shall be communicated to Customers in text form in due time in accordance with the provisions of the DPA.

(3) Data Location: Unless otherwise agreed in writing, Customer Data shall be stored and processed exclusively in data centers located in Germany. NovaStor is not subject to the United States CLOUD Act.

(4) The Customer shall be required to conclude the DPA before commencing productive use of the Service. Use of the Service without a valid DPA is not permissible under applicable data protection laws and may be refused by NovaStor.

§ 7 Service Levels, Maintenance and Support

Service levels, availability targets, response and recovery times, scheduled and unscheduled maintenance windows, service credits, and escalation procedures are governed by the Service Level Agreement (“SLA”), which forms an integral part of this EULA. In the event of any conflict between this EULA and the SLA, this EULA shall prevail unless the SLA contains more specific provisions.

§ 8 Fees and Billing

(1) The fees for the Licensed Software and/or the Service shall be determined in accordance with the pricing model specified in the applicable quotation or order. NovaStor DataCenter and NovaStor DataCenter MSP are generally licensed based on a BAU (Backend Administration Unit) licensing model. NovaStor DataCenter Evolve is provided under a pay-per-use model based on the amount of cloud storage consumed, potentially supplemented by charges for local backup components.

(2) The Evolve base package may already include a certain amount of cloud storage. Any storage consumption exceeding the included quota shall be billed in accordance with the applicable price list. Fees for data restoration, outbound data transfer (egress), or special services, if any, shall be determined by the quotation, order confirmation, or applicable price list.

(3) Unless otherwise agreed, the billing period shall be monthly in arrears. Payment terms are governed by Section 4 of the General Terms and Conditions (GTC).

(4) Price adjustments shall be governed by Section 4 (2) of the GTC.

§ 9 Updates and Changes to the Service

(1) NovaStor shall be entitled to implement updates and upgrades to the Licensed Software and/or the Service where necessary to maintain security, functionality, compliance, or performance, or where such measures are customary within the industry. Such measures shall be announced with reasonable prior notice where they affect the Customer, unless they constitute security-critical emergency patches.

(2) Functional restrictions that have a material adverse effect on the Customer shall be announced at least thirty (30) days prior to becoming effective. In such case, the Customer shall have a special right of extraordinary termination, which must be exercised in text form within fourteen (14) days after notification.

§ 10 Warranty 

(1) NovaStor shall provide the Service and the Licensed Software in accordance with the state of the art and the contractual specifications.

(2) NovaStor does not warrant uninterrupted availability or complete freedom from defects of the Service. Warranties shall only be granted if expressly designated as a “warranty”.

(3) In all other respects, the warranty provisions set forth in Section 7 of the General Terms and Conditions (GTC) shall apply.

§ 11 Liability

(1) NovaStor shall be liable without limitation in cases of intent, gross negligence, injury to life, body, or health, under the provisions of the German Product Liability Act (Produkthaftungsgesetz), and to the extent of any expressly assumed warranty.

(2) In cases of ordinary negligence, NovaStor shall be liable only for the breach of a material contractual obligation (cardinal obligation) and, even in such cases, only for damages that were foreseeable and typical for the contract at the time of its conclusion. In any event, liability shall be limited to a maximum of 100% of the fees actually paid by the Customer for the affected contractual subject matter during the twelve (12) months preceding the event giving rise to the claim.

(3) To the extent permitted by applicable law, liability for indirect damages, consequential damages, loss of profit, production downtime, or loss of use shall be excluded.

(4) In the event of loss of or damage to Customer Data, NovaStor shall be liable only to the extent of the typical recovery effort that would have been required if the Customer had maintained proper backup and restore procedures in accordance with Section 5.1. If the Customer has failed to perform reasonable restore tests, liability shall be further limited to the effort that would have been required had appropriate recovery precautions been taken.

(5) This liability provision is consistent with Section 8 of the General Terms and Conditions (GTC). In the event of any conflict, this EULA shall prevail.

§ 12 Term and Termination

(1) The Agreement shall commence upon provision of the Service or Licensed Software (for SaaS offerings: onboarding and activation of the tenant) or, where a trial period precedes the Agreement, upon execution of the Agreement following the end of the trial period. Minimum contract terms and renewal provisions shall be specified in the applicable quotation.

(2) Ordinary termination may be effected with three (3) months’ notice to the end of the respective contract term, unless otherwise agreed in the quotation. Notice of termination must be given in text form.

(3) The right of either Party to terminate the Agreement for cause without notice shall remain unaffected. Section 6 of the General Terms and Conditions (GTC) shall apply accordingly.

(4) The thirty (30)-day trial period for NovaStor DataCenter Evolve shall end automatically without requiring termination. If no subsequent contract is concluded, all data stored within the trial environment shall be securely deleted.


§ 13 Consequences of Termination

(1) Upon termination of the Agreement, the Customer’s right to use the Licensed Software and/or the Service shall expire. The Customer shall uninstall all copies of the Licensed Software and delete any remaining copies unless statutory retention obligations require otherwise.

(2) For SaaS Services (in particular NovaStor DataCenter Evolve), NovaStor shall provide reasonable options for exporting Customer Data and/or performing restores during the term of the Agreement and for a period of thirty (30) days following its termination. Any additional effort required for data migration shall be charged separately where contractually agreed.

(3) Following the expiration of the thirty (30)-day transition period, NovaStor shall delete any remaining Customer Data from its production systems. Deletion from backup systems shall occur in accordance with the applicable backup and retention periods, generally within an additional thirty (30) days. Confirmation of deletion shall be provided upon request in text form.

(4) Any payment obligations accrued up to the effective date of termination shall remain unaffected.


§ 14 Confidentiality, Security and Compliance

(1) The Parties shall maintain mutual confidentiality at a level equivalent to a non-disclosure agreement (NDA) in accordance with Section 10 of the General Terms and Conditions (GTC).

(2) NovaStor implements appropriate technical and organizational measures to protect Customer Data in accordance with the state of the art (see Annex 2 to the DPA). The hosting provider engaged by NovaStor is subject to established industry control frameworks. Further information is available on the hosting provider’s website.

(3) Both Parties shall reasonably support one another in complying with applicable regulatory requirements. This includes, in particular, information and cooperation obligations relating to the GDPR, the NIS2 Directive and, where applicable to the Customer, the DORA Regulation.

(4) Both Parties shall comply with all applicable export control, sanctions, and embargo regulations. Use of the Licensed Software or the Service by or for the benefit of sanctioned persons, organizations, or governments is prohibited.


§ 15 Final Provisions

(1) Any assignment of rights or obligations under this Agreement shall require the prior consent of the other Party in text form. This shall not apply to assignments made in connection with an intra-group restructuring or the sale of a business (asset deal or share deal), in which case notification in text form shall be sufficient.

(2) Any amendments or supplements to this Agreement must be made in text form (Section 126b German Civil Code – BGB). No oral side agreements exist.

(3) This Agreement shall be governed exclusively by the laws of the Federal Republic of Germany, excluding the United Nations Convention on Contracts for the International Sale of Goods (CISG).

(4) The exclusive place of jurisdiction shall be Hamburg, Germany, to the extent permitted by applicable law. NovaStor shall also be entitled to bring legal action against the Customer at the Customer’s general place of jurisdiction.

(5) Should any provision of this Agreement be or become invalid or unenforceable, the validity of the remaining provisions shall remain unaffected. The severability clause set forth in Section 11 (8) of the General Terms and Conditions (GTC) shall apply accordingly.

Service Level Agreement (SLA) NovaStor GmbH

Service Level Agreement (SLA) NovaStor GmbH

Effective as of: May 2026 · Version 2.1

 

++ Machine translation ++

The original text at www.novastor.de/agb is legally binding.

1. Purpose, Scope and Components

This Service Level Agreement (SLA) describes the service objectives, measurement methods, response times, scheduled and unscheduled maintenance activities, and service credits applicable to NovaStor DataCenter, NovaStor DataCenter MSP, and the operation of NovaStor DataCenter Evolve. For NovaStor DataCenter Evolve, the Control Plane (Portal, API, Command Server) and the Data Plane (Backup Ingest and Restore) are considered separately.

NovaStor DataCenter Evolve is operated in German data centers.

This SLA forms an integral part of the End User License Agreement (EULA). In the event of any conflict between this SLA and the EULA or the Data Processing Agreement (DPA), the order of precedence specified in the EULA shall apply (DPA takes precedence over EULA, EULA over SLA, SLA over General Terms and Conditions).

 

2. Service Description (Overview)

  • Operation and maintenance of the platform by NovaStor, including patches, updates, and license management (applicable to SaaS components).

  • Centralized management of cloud and local backups through a unified interface; Microsoft 365 is supported.

  • Optional features include Immutable Backups (WORM), multi-tenancy, and pay-per-use billing.

  • The Evolve base package includes cloud storage (details are governed by the applicable quotation, order, engagement, or price list).

  • Support languages: German and English.


 

3. Service Availability

Monthly Uptime Target (MUT): 99.90%.

Scope of applicability:

Control Plane (Portal and API)
  • Data Plane functions:
    • Receipt of backup data
    • Initiation of restore operations

The following are excluded from availability measurements:

  1. Scheduled maintenance announced at least seventy-two (72) hours in advance;

  2. Emergency maintenance required to prevent or remedy critical security or stability issues;

  3. Events beyond NovaStor’s reasonable control, including force majeure events, DDoS attacks exceeding customary protection measures, disruptions in customer networks or systems, Internet backbone failures, or actions by third parties;

  4. Availability impacts caused by customer configurations, including insufficient bandwidth, restrictive firewall rules, outdated agent versions, or misconfigurations;

  5. Breaches of customer obligations pursuant to Section 5 of the EULA.

Scheduled maintenance will preferably be performed outside normal business hours in the Europe/Berlin time zone (CET/CEST).

Maintenance notifications will be provided through the Portal and/or by email to designated contacts who have consented to receiving communications via email.

 

4. Backup and Restore Objectives (RPO / RTO)

  1. RPO (Recovery Point Objective)
    The RPO corresponds to the backup interval configured by the Customer for each data source and job.
    The Customer is solely responsible for configuring appropriate backup intervals and retention periods. Production-appropriate intervals and retention periods are recommended.

  2. RTO – Restore Support Start SLO
    NovaStor will commence technical restore support following ticket creation in accordance with the following response objectives:

Incident Class

Commencement of Restore Support

 

P1 (Critical / Restore Emergency)
Within 1 hour after ticket creation (24x7 where Premium Support has been purchased; otherwise within standard support hours)
P2 (Major Impairment)
Within 4 hours during standard support hours

 

P3 (Functional Limitation)

 

Within 1 business day
P4 (Request / How-To)
Within 2 business days

 

The time required to complete a restore depends on data volume, the target system, and available network and I/O capacity, and is therefore not covered by this SLA.

Immutable Backups are subject to active WORM and retention policies. Any reduction of retention periods or deletion during the applicable lock period is technically impossible and cannot be performed by NovaStor.

 

5. Support Hours and Response Times

  1. Standard Support (Included)
    Monday through Friday, 09:00–17:00 Europe/Berlin time, in German and English, excluding German nationwide public holidays.

  2. 24x7 Support for P1 Incidents
    Available as an optional service. Terms and conditions are set forth in the Premium Support package.

Target response times calculated from ticket creation (Portal, email, or telephone):

Incident Class

Response Time

P1 (Critical Outage / Restore Emergency)

30 minutes (24x7 if Premium Support has been purchased; otherwise during standard support hours)

P2 (Major Impairment)

2 hours during standard support hours

P3 (Functional Limitation)

8 hours during standard support hours

P4 (Request / How-To)

2 business days

 

6. Service Credits for Failure to Meet the MUT

If the Monthly Uptime Target (MUT) is not achieved during a calendar month, the Customer shall be entitled to service credits against the monthly fee for the affected service as follows:

Availability During Calendar Month

Service Credit

≥ 99,0 % und < 99,90 %

5% of the monthly fee for the affected service

≥ 98,0 % und < 99,0 %

10 % of the monthly fee

< 98,0 %

25 % of the monthly fee

 

Conditions for Claiming Service Credits:

  • Service credits must be requested through the support portal within thirty (30) days after the end of the affected month; credits will not be applied automatically.
  • No service credit shall be available for excluded periods described in Section 3.
  • Service credits are capped at 100% of the monthly fee for the affected service in any calendar month.
  • Service credits constitute the Customer’s sole and exclusive remedy under this SLA for any failure to meet the availability commitment. Any further claims, including claims for damages, shall be governed exclusively by the liability provisions of the EULA and the DPA.

 

7. Incident Reporting and Escalation Process

  1. Incidents shall be reported through the support portal, via email to support@novastor.de, or by telephone using the support hotline published in the Portal or on the website (www.novastor.de). P1 incidents should be reported by telephone.

  2. The following minimum information must be provided:

    • Customer number

    • Affected service

    • Description of the incident

    • Business impact

    • Time of occurrence

    • Reproducibility

    • Relevant logs, where applicable

  3. Escalation path:
    Support → Support Manager → Head of Service
    For P1 incidents, a conference bridge will be established upon request.

  4. Status update frequency:

    • P1: at least every 60 minutes while the incident is being handled
    • P2: at least every 4 hours during standard support hours
    • P3 and P4: as required, but at least once per business day

8. Security and Compliance Framework

NovaStor DataCenter Evolve is operated in German data centers (standard hosting providers: IONOS SE or Impossible Cloud GmbH) in consideration of the BSI control framework. Details are available on the respective websites of the standard hosting providers.


  1. NovaStor implements technical and organizational measures (TOMs) in accordance with Article 32 GDPR. For details, please refer to Annex 2 of the DPA. Security-related changes required to minimize risks shall not constitute a breach of this SLA, even where such changes temporarily affect service availability.

  2. The Customer is responsible for: identity and access management, secure configuration of the backup agent, network and firewall permissions, protection of credentials and encryption keys, and the regular execution of restore tests.

  3. Notifications of security incidents involving personal data shall be made in accordance with the provisions of the DPA. In any event, NovaStor shall inform the Customer without undue delay, generally within twenty-four (24) hours of becoming aware of the incident.


9. Data Location, Subprocessors and Deletion

  1. Data Location: Germany (standard hosting providers: IONOS SE or Impossible Cloud GmbH). Any deviation requires an express contractual agreement.
  2. Subprocessors: IONOS SE or Impossible Cloud GmbH acting as hosting providers. Additional subprocessors shall be maintained and managed in accordance with the provisions of the DPA (Annex 3).
  3. Termination: Data export window of thirty (30) days following termination of the Agreement; subsequent deletion in accordance with Section 13 of the EULA and the DPA.

10. Amendments to this SLA

NovaStor may reasonably amend this SLA to reflect changes in regulatory or technical requirements.

NovaStor shall provide at least thirty (30) days' prior notice in text form of any material deterioration of service levels before such changes become effective.

In such case, the Customer shall be entitled to terminate the Agreement for cause effective as of the date the amendment takes effect, provided such right is exercised in text form within fourteen (14) days following notification.

11. Limitation of Remedies

The service credits described in this SLA constitute the Customer’s sole and exclusive remedy for any failure to achieve the Monthly Uptime Target (MUT). Any further claims, including claims for damages, shall be governed exclusively by the liability provisions of the EULA and the DPA.

Data Processing Agreement (DPA) pursuant to Article 28 GDPR

Data Processing Agreement (DPA) pursuant to Article 28 GDPR

Version: June 2026 · Version 2.2

 

++ Machine translation ++

The original text at www.novastor.de/agb is legally binding.

Contracting Parties

Processor:

NovaStor GmbH, Lübeckertordamm 1-3, 20099 Hamburg, Germany, represented by its Managing Director
(hereinafter referred to as the “Processor” or “NovaStor”)

Controller:

By using NovaStor products, NovaStor as Processor and the Customer as Controller enter into the following Data Processing Agreement (hereinafter referred to as the “Agreement” or “DPA”):

Preambel

  1.  

(1) The Processor provides services to the Controller in connection with which it obtains access to the Controller’s personal data or processes such data within its own systems. Depending on the contractual arrangement, the services covered by this Agreement comprise one or more of the following processing scenarios:

  1. Module A: Remote maintenance of NovaStor software installed by the Controller (in particular NovaStor DataCenter and NovaStor DataCenter MSP) – access by the Processor solely in connection with a specific maintenance or troubleshooting case;

  2. Module B: SaaS backup services (NovaStor DataCenter Evolve) and/or Managed Backup Services – continuous processing of Customer Data within systems operated by the Processor.

(2) The applicable modules and the specific scope of processing are defined in Annex 1 to this Agreement.

(3) When operated properly by the Controller, the Processor does not obtain access to unencrypted data. The Processor is unable to read or decrypt encrypted data.

(4) The terms “personal data”, “data subject”, “processing”, “controller” and “processor” shall have the meanings assigned to them in Article 4 of Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”).


1. Subject Matter and Scope

(1) The purpose of this Agreement is to define the data protection obligations of the Parties with regard to the processing of personal data by the Processor on behalf of the Controller. This Agreement specifies and supplements the requirements of Article 28 GDPR.

(2) The nature, purpose and duration of the processing, as well as the categories of personal data and categories of data subjects, are set out in Annex 1 to this Agreement.

(3) This Agreement applies to all activities in which the Processor comes into contact with the Controller’s personal data while providing the contracted services. In the event of any conflict between this DPA and other agreements (EULA, SLA, GTC), the provisions of this DPA shall prevail.



2. Obligations of the Controller

(1) Responsibility under Data Protection Law: As between the Parties, the Controller remains solely responsible within the meaning of Article 4(7) GDPR. The Controller is responsible for the lawfulness of the processing and for safeguarding the rights of data subjects. In particular, the Controller shall ensure that data is backed up only in encrypted form.

(2) Instructions: The Controller shall issue instructions regarding the handling of data where required. Instructions shall be provided in text form (email or support portal communication shall suffice). Oral instructions must be confirmed without undue delay in text form. An instruction shall only be deemed issued upon receipt by the Processor.

(3) Configuration and Backup Responsibility: Where the Controller operates NovaStor DataCenter or NovaStor DataCenter MSP on-premises or through an MSP (Module A), responsibility for backup configuration, selection of data to be backed up, retention periods and recoverability rests solely with the Controller or the MSP. The Controller shall define clear responsibilities regarding the backup, retention and deletion of data and shall implement appropriate technical and organizational measures to ensure proper data protection.

(4) For SaaS services (Module B – Evolve), the Controller is responsible for configuring backup jobs, defining retention periods, managing access credentials and encryption keys, and regularly verifying recoverability through restore testing.

(5) The Controller shall designate a contact person for data protection matters and provide the relevant contact details to the Processor in text form.




3. Obligations of the Processor

3.1 Processing on Instructions and Purpose Limitation

(1) The Processor shall process personal data exclusively on documented instructions from the Controller and solely for the purposes specified in Annex 1. Any processing beyond this scope shall only take place where the Processor is required to do so under European Union law or the law of a Member State. In such cases, the Processor shall inform the Controller of the legal requirement prior to processing unless such notification is prohibited by law on important grounds of public interest.

3.2 Duty to Notify in Case of Unlawful Instructions

(1) The Processor shall inform the Controller without undue delay if it considers that an instruction violates the GDPR or other applicable data protection laws. The Processor shall be entitled to suspend execution of such instruction until it has been confirmed or amended by the Controller. The Processor is not obligated to perform a comprehensive legal review.

3.3 Assistance with Data Subject Rights

(1) Requests from data subjects regarding access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), data portability (Art. 20 GDPR) or objection (Art. 21 GDPR) shall be handled by the Controller. If a data subject contacts the Processor directly, the Processor shall promptly forward the request to the Controller and shall not respond independently. The Processor shall assist the Controller through appropriate technical and organizational measures in responding to data subject requests to the extent reasonably possible and proportionate.

3.4 Confidentiality

(1) The Processor shall ensure that all persons authorized to process personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality. Such obligation shall survive the termination of the employment relationship or other engagement with the Processor.

3.5 Notification of Personal Data Breaches

(1) If the Processor becomes aware of a personal data breach within the meaning of Article 4(12) GDPR affecting the Controller’s data, the Processor shall notify the Controller without undue delay, generally within twenty-four (24) hours of becoming aware of the incident. Notification shall be made in text form to the contact person designated by the Controller and shall include, where available, information regarding the nature and scope of the breach, the categories of affected data and data subjects, the likely consequences, and any remedial measures already taken. The Processor shall assist the Controller in fulfilling its notification obligations under Articles 33 and 34 GDPR.

3.6 Assistance with Compliance Obligations

(1) Taking into account the nature of the processing and the information available to it, the Processor shall assist the Controller in complying with the obligations set forth in Articles 32 to 36 GDPR, including obligations relating to security of processing, breach notifications, data protection impact assessments and prior consultations with supervisory authorities.

3.7 Security of Processing pursuant to Article 32 GDPR

(1) Within its area of responsibility, the Processor shall implement all technical and organizational measures required under Article 32 GDPR. The measures in place at the commencement of the Agreement are described in Annex 2. The Processor may further develop and improve such measures provided that the overall level of data protection is not reduced. Material changes shall be coordinated with the Controller and documented accordingly.

 

4. Audit Rights of the Controller

(1) The Controller shall be entitled to verify compliance with this Agreement, applicable data protection laws and the instructions issued, in coordination with the Processor. Audits at the Processor’s business premises must be announced at least fourteen (14) days in advance in text form and shall be conducted during normal business hours while minimizing disruption to the Processor’s business operations. One on-site audit per calendar year shall be permitted without specific cause. This limitation shall not apply where there is justified cause, such as a specific data protection incident.

(2) Upon request, the Processor shall provide the Controller with all information necessary to demonstrate compliance with the obligations set forth in Article 28 GDPR.

(3) Evidence of compliance relating to measures that do not exclusively concern this specific engagement may, at the Processor’s discretion, be provided by means of:

  1. Compliance with approved codes of conduct pursuant to Article 40 GDPR;

  2. Certification under an approved certification mechanism pursuant to Article 42 GDPR (e.g., ISO/IEC 27001, BSI C5 certification of the hosting provider);

  3. Provision of current attestations, reports or report extracts issued by independent parties (auditors, data protection officers, external auditors).

(4) To the extent that audits may reveal trade secrets, business secrets, intellectual property or otherwise adversely affect the Processor’s legitimate interests, the Controller shall conduct the audit through a qualified, independent third party bound by confidentiality obligations.

(5) The costs of on-site audits shall be borne by the Controller. Any efforts required from the Processor to support extensive on-site audits may be charged separately on a time and materials basis where such efforts exceed reasonable cooperation obligations.

5. Sub-processors

(1) The Processor may engage additional processors (“Sub-processors”) only after prior notification of the Controller. By entering into this Agreement, the Controller grants the Processor a general written authorization to engage additional processors pursuant to Article 28(2) GDPR. The Sub-processors engaged at the time of execution of this Agreement are listed in Annex 3.

(2) The Processor shall inform the Controller in text form of any intended changes to or additions of Sub-processors at least thirty (30) days before such changes become effective. The Controller may object to the change within fourteen (14) days after notification, provided that there are compelling grounds, particularly legitimate data protection concerns regarding the new Sub-processor. If the Parties are unable to reach an agreement within thirty (30) days, the Controller shall be entitled to terminate the Agreement for cause.

(3) The Processor shall enter into a written agreement with each Sub-processor imposing substantially the same data protection obligations as those set forth in this Agreement. The Processor shall remain liable to the Controller for compliance with such obligations by the Sub-processor.

(4) The standard Sub-processors for hosting services in connection with NovaStor DataCenter Evolve are IONOS SE and Impossible Cloud GmbH, both headquartered in Germany and operating data centers in Germany. IONOS and Impossible Cloud are subject exclusively to German jurisdiction and are not subject to the United States CLOUD Act.

6. Transfers of Data to Third Countries

(1) As a general rule, no processing or transfer of personal data to third countries (outside the EU/EEA) shall take place under this Agreement. The standard storage location is Germany.

(2) Should a transfer to a third country become necessary in an individual case (for example through the engagement of specialized Sub-processors), the Processor shall notify the Controller in advance in accordance with Section 5. Such transfer shall only take place in compliance with Chapter V GDPR, in particular on the basis of an adequacy decision pursuant to Article 45 GDPR or appropriate safeguards pursuant to Article 46 GDPR (including, in particular, the EU Standard Contractual Clauses in their current version, supplemented where necessary by additional measures in accordance with the requirements established by the Court of Justice of the European Union in the Schrems II decision).

(3) Remote access by employees of the Processor within the scope of Module A (remote maintenance) shall be carried out exclusively from devices and locations within the European Union or Switzerland.

7. Special Provisions for Cloud Backup (Module B)

(1) To the extent that backup storage in the cloud operated by the Processor (Module B – NovaStor DataCenter Evolve or Managed Backup Services) forms part of the contractual services, the following additional provisions shall apply:

  • Customer Data shall be transmitted to the cloud in an encrypted, deduplicated and compressed format based on a configuration agreed with the Controller and may subsequently be restored from the cloud.

  • In accordance with the state of the art, neither NovaStor nor the cloud hosting provider (IONOS SE or Impossible Cloud GmbH) can decrypt stored backup data where customer-managed encryption with customer-controlled key management has been configured. Where standard encryption with keys managed by the Processor is used, technical decryption by the Processor is possible but shall only be performed upon the explicit instruction of the Controller or where required by law.

  • Before, during and after the backup process, no processes are initiated on the Controller’s IT systems that open network ports toward the Internet. Data transfers to S3-based storage systems via HTTPS likewise do not permit third-party use of the connection.

  • The storage location of the data is Germany (IONOS or Impossible Cloud data centers). In addition, the respective current data processing terms of IONOS SE and Impossible Cloud shall apply, available at:

  • The Processor reserves the right to change the cloud hosting provider where economic, technical or regulatory circumstances make such change necessary. In such case, the Sub-processor change procedure pursuant to Section 5(2) shall apply.

8. Return and Deletion of Data upon Termination

(1) Module A (Remote Maintenance): As a general rule, the Processor does not create copies of data or store such data within its sphere of responsibility when providing services. Where this exceptionally occurs upon instruction of the Controller, the Processor shall, upon completion of the contracted work or upon request, return all documents, processing results, usage results and datasets that have come into its possession and shall subsequently delete or destroy them in compliance with applicable data protection requirements. Upon request, a written deletion confirmation including the deletion date shall be provided.

(2) Module B (SaaS / Managed Backup): During the term of the Agreement and for up to thirty (30) days following termination, the Processor shall provide the Controller with reasonable options for exporting Customer Data and/or performing restores. Following expiration of the export period, Customer Data shall be deleted from the production systems. Deletion from backup systems shall occur in accordance with the applicable retention periods, generally within an additional thirty (30) days. A deletion confirmation shall be provided upon request in text form.

(3) Statutory retention obligations shall remain unaffected. Data that cannot be deleted due to legal retention requirements shall be restricted and deleted once the applicable retention period has expired.

9. Liability

(1) The liability of the Parties under this Agreement shall be governed by the applicable statutory provisions, in particular Article 82 GDPR. The liability limitations contained in the EULA shall apply additionally to the extent they do not conflict with mandatory data protection laws.

(2) As between the Parties, where both Parties are liable for the same damage, liability shall be allocated in proportion to their respective contributions to the cause of the damage.

10. Term

(1) The term of this Agreement shall commence upon the start of the business relationship or the provision of the Licensed Software or SaaS Service, whichever occurs first, and shall automatically terminate upon termination of all underlying principal agreements.

(2) The right of either Party to terminate the Agreement for cause shall remain unaffected. Good cause for the Controller shall exist in particular where the Processor commits a material breach of its obligations under this Agreement and fails to remedy such breach despite a written request and the granting of a reasonable cure period of at least fourteen (14) days.

11. Final Provisions

(1) This Agreement shall be governed exclusively by the laws of the Federal Republic of Germany, excluding the United Nations Convention on Contracts for the International Sale of Goods (CISG).

(2) The place of jurisdiction shall be Hamburg, Germany, to the extent permitted by applicable law.

(3) Should any provision of this Agreement be or become invalid or unenforceable, the validity of the remaining provisions shall remain unaffected. The invalid provision shall be replaced by a valid provision that most closely reflects the economic purpose of the invalid provision. The same shall apply in the event of any contractual gap.

(4) Any amendments or supplements to this Agreement must be made in text form (Section 126b German Civil Code – BGB).


 

Annex 1 to the DPA | 
Details of the Processing Activities

Version: June 2026 · Version 2.2

 

1.1 Applicable Module

Depending on the contractual scope, the following processing scenarios shall apply between the Parties:

Module A – Remote Maintenance
(NovaStor DataCenter, NovaStor DataCenter MSP on-premises)

Module B – SaaS / Managed Backup Service
(NovaStor DataCenter Evolve or Managed Backup Services)

In certain cases, both modules may apply simultaneously.

 

1.2 Module A – Remote Maintenance

Subject Matter, Nature and Purpose of the Processing

Remote maintenance of NovaStor software installed by the Controller, in particular NovaStor DataCenter and NovaStor DataCenter MSP. Activities include the installation of updates and patches, configuration and optimization, troubleshooting and error correction, as well as training and consulting services relating to the operation of the software.

Categories of Data Processed

  • As a general rule, no personal data of end users is processed; access is limited to configuration and diagnostic information relating to the NovaStor software.

  • The following information may be visible to a limited extent:

    • System identifiers
    • Host names
    • Backup job names
    • Technical log data

  • Where the Controller exceptionally grants the Processor access to content data (for example for defect analysis purposes), the categories of data involved shall be documented on a case-by-case basis.

Categories of Data Subjects (Typically)

  • Generally none. To a limited extent:

    • Technical administrators of the Controller (Login and session data)

Remote Access Conditions

  • Access shall only take place upon request and in the presence of an authorized representative of the Controller.

  • All transmissions shall be encrypted end-to-end (TLS or equivalent).

  • Remote maintenance access shall be performed using tools controlled by the Processor (e.g., remote support tools or VPN connections).

  • Access shall be performed exclusively by employees and from devices located within the European Union or Switzerland.

  • The Controller shall have the right at any time to interrupt or terminate the access session, particularly where unauthorized access or processing is suspected.

  • Sessions shall be logged through technical audit logs. Such logs may be deleted after three (3) months unless specific circumstances require a longer retention period.

1.3 Module B – SaaS / Managed Backup Service

Subject Matter, Nature and Purpose of the Processing

Provision of a SaaS backup service (NovaStor DataCenter Evolve) and/or Managed Backup Services. Processing activities include the receipt, storage, retention in accordance with the retention policies configured by the Controller, and restoration of backup data.

Categories of Data Processed

The backup data typically contains all data selected by the Controller for backup purposes. The specific categories of personal data included are determined solely by the Controller. Possible categories include, in particular:

  • Master data (name, address, contact information)

  • Contractual and billing data

  • Communication data (emails, chat messages)

  • Employee master data

  • Health data or other special categories of personal data pursuant to Article 9 GDPR, to the extent such data is included in the datasets selected by the Controller for backup

  • Authentication and authorization data

  • File contents, database contents and other content data

Categories of Data Subjects (Typically)

  • Employees of the Controller and its affiliated companies

  • Customers, suppliers and business partners of the Controller

  • Other natural persons whose data is processed by the Controller in the course of its business activities

Duration of Processing

For the duration of the underlying contractual relationship, plus a thirty (30)-day export and transition period following termination of the Agreement. Subsequent deletion shall be carried out in accordance with Section 8 of the DPA.

 

 

Annex 2 to the DPA | 
Technical and Organisational Measures (TOMs) pursuant to Article 32 GDPR

Version: June 2026 · Version 2.2

 

The Processor has implemented the technical and organisational measures described below to ensure the security of processing. These measures are regularly reviewed for effectiveness and updated where necessary to reflect the state of the art. For the SaaS platform (NovaStor DataCenter Evolve), NovaStor additionally benefits from the security measures implemented by the hosting providers IONOS SE and/or Impossible Cloud GmbH.

 

2.1 Confidentiality (Article 32(1)(b) GDPR)

Physical Access Control

  • Business premises are secured and accessible only to authorized personnel through electronic access controls.

  • Visitors are registered, documented and escorted while on-site (further details are governed by the contractual provisions of the hosting providers).

  • Server rooms and data centers operated by IONOS are protected in accordance with the BSI C5 framework, including 24/7 security personnel, multi-factor physical access controls and video surveillance.

System Access Control

  • User identification and authentication are performed through individual user accounts subject to strong password policies.

  • Multi-factor authentication (MFA) is required for administrative access and access to production systems.

  • Sessions are automatically locked or terminated following periods of inactivity.

  • Access rights are centrally managed and reviewed on a regular basis.

Data Access Control

  • Role-based access control (RBAC) is implemented in accordance with the principle of least privilege (“Need-to-Know Principle”).

  • Access to Customer Data is granted only where necessary for the performance of assigned duties and only to appropriately trained personnel.

  • Administrative access to production systems is logged and monitored.

  • Development, testing and production environments are logically separated.

Separation Control

  • The SaaS platform utilizes a multi-tenant architecture with logical separation of customer data on a per-tenant basis.

  • Separate databases and/or database schemas are used where appropriate.

  • Backup data belonging to different customers is segregated at the storage level.

Pseudonymisation and Encryption

  • Data transmitted between clients and backend systems is encrypted using TLS 1.2 or higher.

  • Backup data is encrypted at rest using AES-256 or an equivalent encryption standard.

  • Optional customer-managed encryption keys are available to support end-to-end encryption.

  • Encryption keys and key material are securely managed and protected.


2.2 Integrity (Article 32(1)(b) GDPR)

Transfer Control

  • All backup data is transmitted in encrypted form.

  • Secure communication channels (including TLS, SSH and VPN) are used for administrative access.

  • Customer Data is not stored on mobile devices or removable media.

Input Control

  • All material processing activities within the backup systems are logged.

  • Administrative activities are recorded through comprehensive audit trails.

  • Logs are stored in a tamper-resistant manner.

  • Immutable Backup functionality is available as an optional feature to protect against ransomware attacks.

 

2.3 Availability and Resilience
(Article 32(1)(b) GDPR)

Availability Control

  • Production systems are designed with redundancy across the hosting providers’ data center infrastructure.

  • Uninterruptible power supplies (UPS) and emergency power generators are available at the hosting provider facilities.

  • Data centers are equipped with environmental controls, including climate management and early fire detection systems.

  • Platform metadata and configuration data are backed up separately.

  • DDoS protection and Web Application Firewall (WAF) technologies are implemented.

  • Platform monitoring and alerting are performed on a 24/7 basis.

Rapid Recovery

  • A Disaster Recovery concept is maintained with defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).

  • Recovery procedures are tested regularly.

  • Backup copies are stored at geographically separated locations within Germany.

 

2.4 Procedures for Regular Testing, Assessment and Evaluation (Article 32(1)(d) GDPR)

  • An established Information Security Management framework with documented processes is maintained.

  • Internal audits are conducted on a regular basis.

  • Penetration testing of the SaaS platform is performed at least annually.

  • Employees receive training on data protection and information security at least once per year.

  • A Data Protection Officer (internal or external) has been appointed; contact details are available upon request.

  • An Incident Response Process with defined escalation paths and notification procedures is maintained.

  • Processing activities performed by Sub-processors are governed by written contractual agreements.


2.5 Protection Against Malware and Recoverability

  • Current anti-virus and endpoint protection solutions are deployed on all endpoints and servers.

  • Security-related updates are applied through a structured patch management process.

  • Server configurations are hardened in accordance with recognized security standards (e.g., CIS Benchmarks).

  • Optional Immutable Backup functionality provides additional protection of Customer Data against ransomware attacks.


 

Annex 3 to the DPA
Approved Sub-processors

Version: June 2026 · Version 2.2

 

At the time of execution of this Agreement, the following Sub-processors are approved. The Processor shall maintain and keep this list up to date. Any changes shall be communicated in accordance with Section 5 of the DPA.

 

Subprocessor

Registered Office / Processing Location

Services Provided

Applicable Modul

IONOS SE

Germany (registered office and data centers)

Hosting of the NovaStor DataCenter Evolve SaaS platform, including storage of backup data

Modul B

Impossible Cloud GmbH

Germany (registered office and data centers)

Hosting of the NovaStor DataCenter Evolve SaaS platform, including storage of backup data

Modul B

[Additional Sub-processors, if applicable]

[Location]

[Services]

[Modul]

 

Tools and services used by the Processor for its internal administration purposes (e.g., office applications, internal CRM systems, accounting systems) that do not have access to the Controller’s Customer Data are not considered Sub-processors within the meaning of this DPA and are therefore not listed in this Annex.

 

Back to top