Data Processing Agreement
– hereinafter referred to as "DPA" –
Agreement on the use of CeleroOne,
concluded on the basis of the General Terms and Conditions
– hereinafter referred to as the "Principal Agreement" –
Celero Cloud GmbH
Schöllbronner Straße 23 a, 76275 Ettlingen, Germany
– hereinafter referred to as "Processor" –
and the Customer to the Principal Agreement.
– hereinafter referred to as "Customer" –
– both hereinafter referred to as "the Parties" –
All terms are gender-neutral.
Preamble and Scope of Application
The Processor is commissioned by the Customer to process personal data on behalf of the Customer. The DPA specifies this processing with regard to its object and the rights and obligations between the Contracting Parties arising from the Processing.
1. Terms and Definitions
a. "Processing" - Pursuant to 4 (8) GDPR, "Processing" is understood to mean the processing of personal data as defined in Article 4 (2) GDPR carried out on behalf of the Controller, irrespective of the number of intermediary processors, by the Processor in accordance with the subject-matter of this DPA.
b. "Principal Agreement" - The term " Principal Agreement" covers all types of ongoing business relations between the Customer and the Processor, under which the Processor processes personal data at the instruction of the Customer in accordance with the definition of the subject of the Processing in this DPA. Insofar as the validity of this DPA is otherwise limited (i.e. within this agreement or outside it, in other agreements or regulations) to certain types, categories or specific business relationships, contracts, etc., these are each to be understood as the Principal Agreement. The definition of the Principal Agreement also includes ongoing individual assignments by the Customer to the Processor, which are issued by the Customer within the scope of the Principal Agreement (e.g. in the case of framework contracts).
c. "Controller" - "Controller" is anyone who alone or jointly with others determines the purposes and means of processing (Article 4 (7) GDPR).
d. "Personal Data" - In accordance with Article 4 (1) GDPR, "personal data" (hereinafter also referred to briefly as "data") is all information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
e. "Data subjects" - In accordance with Article 4 (1) GDPR, "data subjects" are defined as Persons who are at least identifiable by means of personal data. The data subjects concerned by this Processing are determined by the subject-matter of the Processing.
f. "Third party" - "Third party" means according to Article 4 (10) GDPR a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
g. "Sub-processing" - When a processor is not directly appointed by the Controller but by a processor who is the first processor appointed by the Controller, a "sub-processing" is present and the processors following the first processor are referred to as "sub-processors".
h. "Electronic format" - declarations are deemed to have been made in "electronic format" in accordance with Article 28 (9) DSGVO if the declaring person is identifiable and the electronic declaration format is suitable as proof of the declaration. Electronic format" means in particular text form, an agreement stored on permanent data carriers (e.g. e-mail), digital signing procedures or the use of dedicated online functions (e.g. in user accounts).
2. Subject-Matter of the Processing
a. The Processing is carried out within the framework of the following legal relationship (Principal Agreement): Agreement on the use of Celero One, concluded on the basis of the General Terms and Conditions https://celero-one.com/terms-and-conditions).
b. The detailed information on the subject-matter of the Processing, Data processed, the data subjects and the nature, scope and purposes of the Processing are governed by the provisions of the Annex "The Subject-Matter of the Processing".
3. Type of Processing
Insofar as the Customer acts as the Controller of the Processing, it shall be responsible within the scope of this DPA for compliance with the provisions of the data protection laws, in particular for the legality of the Data Processing as well as for the legality of the assignment of the Processor. Insofar as the Customer itself acts as a Processor, the Customer shall commission the Processor as a Sub-Processor. The controller of the processing may, on the basis of this DPA, directly invoke the rights to which the Customer is entitled to against the sub-processor.
4. Authority to issue instructions
a. The Processor may process Data only within the scope of the Principal Agreement and of the Customer's instructions and only insofar as Processing within the scope of the Principal Agreement is necessary.
b. The instructions are initially set out in the Principal Agreement or this DPA may subsequently be amended, supplemented or replaced by the Customer by issuing further instructions in writing or in an electronic format (text form, e.g. e-mail) to the Processor or to the entity designated by the Processor.
c. Oral instructions may be given if they are required by the circumstances (e.g. urgency) and must be confirmed immediately in writing or in electronical form.
d. If, on the basis of objective circumstances, the Processor considers that an instruction of the Customer is contrary to relevant data protection law, the Processor shall without delay inform the Customer thereof and provide objective reasons for his/her opinion. In this case, the Processor shall be entitled to suspend the execution of the instruction until the Customer expressly confirms the instruction and to refuse to execute the instruction in the case of obviously illegal instructions.
e. The Processor may refuse to carry out instructions if it is impossible or unreasonable to expect the Processor to comply with them (in particular because compliance with them would involve disproportionate effort or lack of technical facilities). The refusal can only be made with due consideration for the protection of the data of the data subjects and entitles the Customer to terminate the contract for good cause if the continuation of the contract cannot reasonably be expected of the Customer.
f. The Processor may be obliged to carry out processing operations or to communicate information by Union or Member State law and by administrative and judicial measures to which the Customer is subject. In such a case, the Processor shall communicate the legal requirements of the overriding legal obligation to the Customer prior to the processing, unless the law or order in question prohibits such communication on the grounds of an important public interest; in the event of a prohibition on communication, the Processor shall take possible and reasonable measures to prevent or restrict the legally overriding Processing.
g. The Processor shall document instructions given to her/him and their implementation.
h. The Processor shall name the designated representatives authorised to receive instructions and shall be obliged to inform the Customer immediately of any changes to the designated representatives or their contact details, as well as representatives in case of non-temporary absence or inability to be available.
5. Technical and Organisational Measures (Safety and Security Concept)
a. The Processor shall structure the internal organisation in his area of responsibility in accordance with the legal requirements and shall in particular implement technical and organisational measures (hereinafter referred to as "TOMs") for appropriate security, in particular the confidentiality, integrity and availability of the Customer's Data, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the Processing as well as the varying probability of occurrence and severity of the risk to the rights and freedoms of the persons concerned, and shall ensure that these measures are maintained, in particular by means of regular evaluation, at least once a year. With regard to the protection of the Data, the TOMs include in particular physical and logical access control, transfer control, input control, order control, integrity and availability control, separation control and the safeguarding of the rights of the Data Subjects.
b. The TOMs declared by the Processor upon conclusion of the contract define the minimum-security level guaranteed by the Processor. The TOMs may and should be further developed in accordance with technical and legal progress and replaced by adequate protective measures, provided that they do not fall below the safety level of the defined measures and that any substantial changes are notified to the Customer. The description of the measures must be so detailed that a competent third party can at all times see beyond doubt that the required legal data protection level and the defined minimum-security level are not undercut.
c. The Processor shall ensure that the employees, agents and other persons acting on behalf of the Processor are prohibited from processing the Data outside the scope of the Instruction. The Processor shall further ensure that the persons authorised to process the Client's Data have been instructed in the data protection provisions of law and of this DPA and have been bound to confidentiality and secrecy or are subject to a corresponding and appropriate legal obligation of secrecy. The Processor shall ensure that the persons employed for the Processing are with regard to the fulfilment of the data protection requirements appropriately instructed and supervised on an ongoing basis.
d. The Processor shall ensure that the persons employed by him/her to process the Data participate in a reasonable frequency of periodic training and awareness raising activities with regard to the protection of personal data and compliance with legal data protection requirements.
e. The processing of the Data outside of the premises of the Processor (e.g. in the home or mobile office or in case of remote access) is permitted, provided that the necessary technical and organisational measures are taken and documented, which take into account the specifics of these processing situations in an appropriate manner and in particular also allow sufficient control of the Data processing (e.g. conclusion of a data protection agreement with employees in the home and mobile office). The Processor shall provide the Principal with documentation of the implemented technical and organizational measures for such home, mobile or other remote processing upon request.
f. The Processing of personal data on the private devices of the employees of the Processor and its contractors is permitted, provided that the necessary technical and organisational measures are taken and documented, which take into account the specifics of these processing situations in an appropriate manner and, in particular, also allow for sufficient control of the Processing (e.g. conclusion of an agreement which allows for an appropriate control of the private devices). On request, the Processor shall provide the Customer with documentation of the implemented technical and organisational measures for these types of Processing upon request.
g. If required by law, the processor shall appoint a data protection officer in accordance with the legal requirements. The Processor shall inform the Customer of the contact details of the data protection officer and of any subsequent changes.
h. The processing operations carried out for the Customer shall be separately recorded and documented by the Processor to an appropriate extent, and made available to the Customer on request.
i. The Data and data carriers and all copies made thereof, which are provided within the scope of the DPA, remain the property or ownership of the Customer, are subject to the Customer's control, must be carefully safeguarded by the Processor, protected from access by unauthorized third parties and may only be deleted, erased or disposed with the Customer's consent. Destruction must be carried out in accordance with data protection regulations and in such a way that a recovery of even residual information is no longer possible and cannot be expected with reasonable effort. Copies of data may only be made if they are necessary for the fulfilment of the principal and secondary obligations of the Processor towards the Customer (e.g. backups) and the contractual and statutory data protection level is guaranteed.
j. The processor shall be obliged to ensure the immediate return or deletion of the Data and data carriers, including those of sub-processors, in accordance with this DPA.
k. The Processor shall keep evidence of the destruction or deletion of Data and files properly performed within the scope of this DPA and shall make it available to the Customer upon request.
l. The right of retention is excluded with regard to the Data processed and the associated data carriers.
m. The Processor shall provide regular proof, to an appropriate extent, of the fulfilment of his/her obligations, in particular the full implementation of the agreed technical and organisational measures and their effectiveness (e.g. by regular checks, inspections, etc.). The proof is to be provided to the Customer upon request. The proof can be provided by approved rules of conduct or an approved certification procedure.
n. If the security measures taken do not or no longer meet the requirements of the Customer or the statutory requirements, the Processor shall notify the Customer immediately.
o. The sub-processing relationships already existing at the time of conclusion of this DPA are listed by the Processor in the Annex "Technical and Organisational Measures" and accepted by the Customer.
6. Information and cooperation obligations of the processor
a. The Processor may only provide information to third parties or the data subjects with the prior approval of the Customer. If a data subject contacts the Processor and asserts his or her rights as data subject (in particular rights of access or rectification or deletion of personal data), the Processor shall refer the data subject to the Customer, provided that, according to the data subject, an attribution to the Customer is possible. The Processor shall immediately forward the request of the data subject to the Customer and shall support the Customer within the scope of reasonableness and possibility. The Processor shall not be liable if the request of the data subject is not, not correctly or not timely answered by the principal, unless the Processor is responsible for this shortcoming.
b. The Processor shall immediately and fully inform the Customer if, with regard to the Processing, the Processor discovers errors or irregularities in the compliance with the requirements of this DPA and/or relevant data protection provisions. The Processor shall take the necessary measures to secure the Data and to mitigate any adverse consequences for the data subjects and shall consult with the Customer without delay.
c. The Processor shall inform the Customer without delay if a supervisory authority takes action against the Processor and whose activities may affect the Data processed for the Customer. The processor shall support the Customer in the fulfilment of his/her obligations (in particular to provide information and allow inspections) with regard to supervisory authorities.
d. Should the security of the Data be endangered (seizure, confiscation, insolvency proceedings, etc.) by measures taken by third parties (e.g. creditors, authorities, courts, etc.), the Processor shall inform the third parties without delay that the sovereignty and ownership of the Data lies exclusively with the Customer and, after consultation with the Customer, shall take appropriate protective measures (e.g. lodge objections, applications, etc.) if necessary.
e. The Processor shall provide the Customer with information relating to the Processing which is necessary for the fulfilment of the Customer's legal obligations (which may include, in particular, requests from data subjects or authorities and compliance with the Customer's accountability obligations of a data protection impact assessment).
f. The obligations of the Processor to provide certain information shall initially extend to information available to the Processor, his/her employees and agents. The information need not be obtained from third sources if the procurement by the Customer could be carried out within reasonable limits and no other agreement has been made.
g. The Processor must at all times be able to demonstrate, by any appropriate means, compliance with his contractual and legal obligations resulting from the Processing.
7. Measures in the Event of a threat to Data Protection or Data Breach
a. In the event that the Processor becomes aware of facts which give rise to the assumption that the protection of the processed Data may have been breached within the meaning of Article 4 (12) GDPR, the Processor shall inform the Customer without delay and in full, take the necessary protective measures without delay, and assist the Customer in the performance of the Customer's obligations, in particular in relation to the notification of competent authorities or data subjects.
b. Information about a (possible) violation of the protection of the Data must be provided without undue delay, in general within 24 hours from the time of obtaining knowledge.
c. The notification from the Processor must according to Article 33 (3) GDPR contain at least the following information:
--> description of the nature of the data breach or threat, specifying, where possible, the categories of data concerned and the approximate number of persons and personal data sets concerned;
--> the name and contact details of the data protection officer or any other known contact point for further information;
--> a description of the likely consequences of the data breach or threat (e.g. with further details: identity theft, financial loss, etc.);
--> a description of the measures taken or proposed by the Processor to remedy the data breach and, where appropriate, measures to mitigate its possible adverse effects
d. Also, to be reported immediately are significant disruptions, failures or troubles in the Processing as well as violations of data protection regulations or of this DPA by the Processor or the Processor's employees or agents.
8. Audits and Inspections
a. The Client has the right to control compliance with the legal requirements and the provisions of this DPA, in particular the TOMs at the Processor's premises at any time to the necessary extent, either himself or through third parties, and to carry out the necessary audits, including inspections.
b. The Processor shall support the Customer in the audits and inspections to the extent necessary (e.g. by providing personnel and granting access and access rights).
c. The audits are limited to the necessary scope and must take into account the business and trade secrets of the Processor and the protection of personal data of third parties (e.g. other customers or employees of the Processor). Any interruptions to operations that are preventable must be avoided. Insofar as sufficient for the reason and purpose of the audit, an audit shall be limited to spot checks.
d. Only qualified personnel who are able to prove their identity and who are obliged to maintain confidentiality and secrecy with regard to the company and business secrets, other personal data and internal processes of the Processor are permitted to carry out the audit. The Processor may request proof of an appropriate commitment of the auditors. If the auditor appointed by the Customer is in a competitive relationship with the Processor or if there is any other justified reason for his/her refusal, the Processor shall have the right to object the appointment of the auditor.
e. Instead of audits and on-site inspections, the Processor may refer the Customer to an equivalent audit by independent third parties (e.g. neutral data protection auditors), compliance with approved rules of conduct (Article 40 GDPR) or appropriate data protection or IT security certifications pursuant to Article 42 GDPR. This shall only apply if the reference is reasonable for the client and the nature and scope of the audit and references correspond to the nature and scope of the client's legitimate audit and inspection intentions. The Processor shall immediately notify the Client of the exclusion of approved rules of conduct pursuant to Article 41(4) GDPR, the revocation of a certification pursuant to Article 42(7) GDPR and any other form of revocation or substantial modification of the above-mentioned proofs.
f. As a rule, the client does not exercise his right of audit more frequently than every 12 months, unless a specific reason (in particular a violation of data protection, a security incident or the result of another audit) makes it necessary to carry out audits before the end of this period.
a. Without prejudice to any restrictions imposed by the Principal Agreement, the Customer expressly agrees that the Processor may use sub-processors in the context of the Processing. The Processor shall inform the Customer of any new sub-processors within a reasonable period of time, which shall normally be 14 working days, and shall give the Customer the opportunity to reasonably inspect the sub-processors before using them and to object to the use of sub-processors if the Customer has a legitimate interest. If the Customer does not raise an objection within the preliminary period, the authorisation shall be deemed to have been granted. The Customer shall exercise the right to object to the changes only in accordance with the principles of good faith and of reasonableness and fairness.
b. If the processor uses the services of a sub-processor (e.g. a subcontractor) in order to carry out certain Processing activities on behalf of the Customer, it must impose on the sub-processor, by means of a contract or any other legal instrument permitted by law, the same data protection obligations as those to which the Processor has committed him/herself in this DPA (in particular as regards following instructions, complying with the TOMs, providing information and allowing audits).
c. The sub-processor shall be carefully selected by the Processor, having particular regard to the suitability and reliability of the sub-processor to comply with the obligations under this DPA for Processing and the adequacy of the TOMs implemented by the sub-processor.
d. The Processor shall be required to document the verification of the reliability of sub-processors and the legality of their assignment and to submit it to the Customer on request.
e. The Processor shall audit compliance with the obligations of the sub-processors, in particular the TOMs, on a regular basis and at least every 12 months, to an appropriate extent. The inspection and its results shall be documented in a comprehensible manner so that they are comprehensible to a competent third party. The documentation shall be presented to the Customer on request. Instead of his own audit, the Customer may refer to an audit by independent third parties (e.g. neutral data protection auditors), compliance with approved rules of conduct (Article 40 GDPR) or suitable data protection or IT security certifications in accordance with Article 42 GDPR. The Customer shall immediately notify the Customer of the exclusion of approved rules of conduct pursuant to Art. 41 (4) GDPR, the revocation of a certification pursuant to Art. 42 (7) GDPR and any other form of revocation or substantial modification of the above-mentioned proofs.
f. The responsibilities for performing the obligations under this DPA and under the law must be clearly defined and allocated between the processor and the sub-processor.
g. The Customer must be able to exercise effectively his/her rights towards the Processor, also towards the sub-processor. In particular, the Customer must be entitled to carry out audits on sub-processors at any time to the extent laid down in this DPA.
h. The Processor shall be liable to the Customer in the event that the sub-processor fails to comply with his/her data protection duties.
i. Processing of personal data which is not directly related to the provision of the main contractual obligation and where the Processor uses the assistance of third parties as a mere ancillary service in order to carry out its business activity (e.g. cleaning, security, maintenance, telecommunications or transport services) does not constitute sub-processing within the meaning of the above provisions of this DPA. Nevertheless, the processor shall ensure, e.g. by contractual agreements or notices and instructions, that the security of the data is not endangered and that the provisions of this processing contract and the data protection regulations are observed.
j. Sub-processing relationships of which the Customer was notified at the time of the conclusion of this DPA shall be deemed approved to the extent of the notification and subject to the provisions of this DPA on sub-processing.
k. The sub-processing relationships already in existence at the time of the conclusion of this DPA are listed by the Processor in the Annex "Sub-Processors" and updated by the Processor.
l. The current list of sub-processors is available at the end of this page.
10. Spatial Area of the Processing
a. The Data is processed within the scope of the DPA in a member state of the European Union (EU) or in another member state of the Agreement on the European Economic Area (EEA) or in Switzerland.
b. Processing may take place in third countries provided that the special conditions laid down in Article 44 et seq. GDPR are fulfilled, i.e. in particular a) the EU Commission has established an adequate level of data protection; or b) on the basis of so-called Standard Contractual Clauses (SCC); or c) on the basis of binding corporate rules.
c. The authorisation of sub-contracting relationships by the Customer within the scope of this DPA, shall also extend to the spatial area of the Processing.
d. Processing in a country other than those referred to in the preceding paragraphs, including by sub-processors, shall be subject to the prior consent of the Customer.
11. Obligations of the Customer
a. The Customer must inform the Processor without delay and in full if he/she discovers errors or irregularities in the Processing results, instructions or processing procedures with regard to data protection regulations.
b. In the event of a claim against the Processor by data subjects, third parties, bodies or authorities with regard to possible entitlements arising from the processing of the Data within the scope of this DPA, the Customer undertakes to support the Processor in the defense of the claim within the scope of its possibilities and taking into account the degree of fault of the Contracting Parties.
The statutory liability provisions apply, in particular Article 82 GDPR and, in the case of the use of a sub-processor, Article 28 (4) S. 2 GDPR.
13. Term, Continuation after Termination of the DPA and Deletion of Data
a. This DPA becomes effective upon its signature or conclusion in an electronic format.
b. The effective term and termination of this DPA shall be determined by the erm and termination of the Principal Agreement.
c. The right of extraordinary termination is reserved to the Contractual Parties, in particular in the event of a serious breach of the obligations and specifications of this DPA and the applicable data protection law. A serious breach shall be deemed to have occurred in particular if the Processor fails or has failed to perform to a considerable extent the duties specified in the DPA and the agreed technical and organisational measures.
d. In the case of non-material breaches of duty, the termination for good cause must be preceded by a warning notice of the breaches with a reasonable period of notice to remedy them, whereby the warning notice is not required if it is not to be expected that the breaches complained of will be remedied or if they are so substantial that the terminating Contractual Party cannot reasonably be expected to adhere to the DPA.
e. The termination of the Agreement, as well as the termination of this clause must be made at least in electronic format.
f. Upon completion of the Processing under this DPA, the Processor shall, at the Customer's discretion, either destroy or return all Data and copies thereof (as well as all documents, processing and usage results and data files coming into its possession in connection with the contractual relationship), unless there is a legal obligation to store the Data, in which case the Processor shall inform the Customer of the obligation and its scope, unless the Customer can be expected to be aware of the obligation. The destruction or deletion must be carried out in accordance with data protection regulations and in such a way that a recovery of even residual information is no longer possible or cannot be expected with reasonable effort. The objection of a right of retention is excluded with regard to the processed Data and the associated data carriers. With regard to the deletion or return, the rights of the Customer to information, proof and audit apply in accordance with this DPA.
g. The obligations to protect confidential information arising from the DPA shall continue to apply after the end of the DPA, provided that the Processor continues to process the Personal Data covered by the DPA and that compliance with the obligations can reasonably be expected of the Processor even after the end of the DPA.
h. Documentation which serves as proof of proper data processing and safeguarding of the TOMs shall be kept by the Processor in accordance with the Customer's respective retention and deletion periods, at least three years also beyond the end of the contract. The Processor may hand over the documentation to the Customer at the end of the contract in order to discharge the Processor from the duty to archive documents.
14. Reimbursement of expenses
a. Additional expenses incurred in supporting the Customer in the fulfilment of its obligations under data protection law or other obligations shall be appropriately remunerated at the hourly rates specified in the Principal Agreement.
b. The reimbursement of expenses or remuneration agreed under the DPA shall also include an allowance for the working hours of the personnel used by the Processor as well as necessary expenses (e.g. travel or material costs). To the extent possible, foreseeable and reasonable, the Processor shall notify the Customer of the amount of the reimbursement or remuneration by way of a proper estimate before it is incurred.
c. To the extent that an act or omission of the Processor leads to a failure, breach of data protection or irregularity in the Processing, the Customer shall not bear any costs for the support acts of the Processor necessarily resulting therefrom.
d. The amount of the reimbursement of expenses shall be determined according to the usual rates of the Processor or, if these cannot be determined, according to the rates usual in the industry.
e. If the expenditure for the Processor with the Customer's instructions exceeds the scope agreed upon in the Principal Agreement or otherwise expected to be customary in the industry, and the Processor is not at fault, the Customer shall compensate the Processor separately for the additional expenditure incurred.
f. If the expenditure for the Processor in connection with the provision of information and/or the necessary cooperation of the Processor exceeds the scope agreed upon in the Principal Agreement or otherwise expected to be customary in the industry, and the Processor is not at fault, the Customer shall compensate the Processor separately for the additional expenditure incurred.
g. If the expenditure for the Processor with participation in the audits or adequate alternative measures exceeds the scope agreed upon in the Principal Agreement or otherwise expected to be customary in the industry, and the Processor is not at fault, the Customer shall compensate the Processor separately for the additional expenditure incurred.
h. If the expenditure for the Processor with the deletion or the return of the data exceeds the scope agreed upon in the Principal Agreement or otherwise expected to be customary in the industry, and the Processor is not at fault, the Customer shall compensate the Processor separately for the additional expenditure incurred.
15. Final Provisions
a. The applicable law is determined by the Principal Agreement.
b. Place of jurisdiction is determined by the Principal Agreement.
c. The DPA constitutes the entire agreement concluded between the Contractual Parties. There are no additional agreements.
d. Amendments and additions to this DPA, as well as the termination of this clause must be made at least in electronic format.
e. In the event of a conflict with the Principal Agreement, the DPA shall take precedence.
f. Should one or more provisions of this DPA be invalid or unenforceable, this shall not affect the validity of the remaining provisions. Rather, the invalid provisions shall be replaced by way of a supplementary interpretation by such a provision which comes as close as possible to the economic purpose visibly pursued by the parties with the invalid provision(s). If the above-mentioned supplementary interpretation is not possible due to legally binding requirements, the Contracting Parties shall agree on a corresponding provision.
The DPA is concluded in electronic format and is effective without the signatures of the parties.