BNITM Code Term of Use

Binding rules for the use of BNITM Code

Effective: May 2026 · Version 1.0

Please read these Terms of Use before using BNITM Code. By using the service, you agree to these Terms of Use.

§ 1 Purpose and Scope

This policy governs the use of the BNITM Code Git repository service code.bnitm.de (hereinafter “Platform”) by employees of the Bernhard Nocht Institute for Tropical Medicine and authorized external partners. The Platform is intended for version control and the collaborative development of software, scripts, and other project-related files. Parts of the content may be publicly accessible (“Public Repositories”).

§ 2 ## Platform Provider and Responsible Contact Point

Organization responsible for operating the Platform:

Bernhard Nocht Institute for Tropical Medicine Bernhard-Nocht-Straße 74 20359 Hamburg bni@bnitm.de

Contact for security and abuse reports: itsecurity@bnitm.de

§ 3 Permitted Use

The platform may be used exclusively for official or project-related purposes. Users agree to upload, store, or publish only content for which they hold the necessary rights.

§ 4 Prohibited Content

The following content is prohibited:

Access tokens, API keys, private keys, passwords, and similar secrets
Content that violates applicable law
Content that infringes copyright
Malware or exploits outside of legitimate purposes
Personal data without a legal basis
Confidential or security-critical information without authorization

Violations may result in the immediate suspension of the account and criminal charges being brought.

§ 5 Public Repositories

Publicly accessible repositories (“Public Repositories”):

are readable by third parties (e.g., anonymous internet users)
must not contain any confidential or sensitive information
are subject to an increased duty of care

The publication of research data, research software, or project-related materials must not violate any contractual, regulatory, or funding-related requirements.

§ 5.1 Additional Requirements for Public Repositories

Repositories may only be made publicly accessible if

a responsible repository owner has been designated
a review for sensitive content has been conducted

Repositories without a clearly designated responsible person may not be made publicly accessible. Unless expressly stipulated otherwise, responsibility for approval lies with the respective repository owner.

§ 6 Reporting Procedure (Notice-and-Action)

There is a procedure for reporting potentially illegal or impermissible content.

Reports should be sent to itsecurity@bnitm.de.

Reports may be submitted for:

Legal violations
Security issues
Publication of sensitive data
Other violations

Reports should include:

Repository URL
Description of the problem
If possible, evidence (evidence should be provided for the above-mentioned serios reports)

§ 7 Procedure Following Receipt of a Report

Upon receipt of a report:

An investigation is conducted
A preliminary restriction is imposed if necessary
Restriction of user accounts

Possible actions:

Removal of content
Blocking of repositories
Restriction of user accounts

Measures are taken proportionately and in compliance with legal requirements.

§ 8 User Responsibility

Each user is responsible for:

the content they post
compliance with the policy
the protection of sensitive data

§ 9 Logging and Traceability

To ensure security and compliance, the following events are logged:

Accesses
Changes to repositories
Administrative measures

The logs are used exclusively to ensure IT security, error analysis, system stability, and to address security-related incidents. Personal data analysis is conducted only on a case-by-case basis and in compliance with applicable legal requirements. The provisions of this section also apply to log data relevant to data protection within the meaning of the GDPR.

§ 10 Liability

The Provider makes the platform available primarily as a technical service. The respective users or repository owners are generally responsible for posted content. Upon becoming aware of potential legal violations, a risk-based review will be conducted and measures will be taken if necessary.

§ 11 Entry into Force

This policy enters into force upon publication and applies to all users of the platform.

§ 12 Data Protection (GDPR)

§ 12.1 Principle

Personal data may only be processed if:

there is a legal basis
the processing is necessary
data minimization is met

§ 12.2 Prohibited Content

In addition to login details such as passwords, API tokens and the like, the storage of special categories of personal data as defined in Article 9(1) of the GDPR is not permitted. These include, in particular

human genetic data
biometric data for the purpose of uniquely identifying a natural person
personal health data

§ 12.3 Public Repositories

Public repositories must not contain any unnecessary personal data.

§ 12.4 Responsibility

A responsible person (“Repository Owner”) must be designated for each repository.
This person is responsible for:

compliance with this policy
review prior to publication
processing of reports

Fallback provision

If no Repository Owner has been designated, the person who created the repository is considered responsible. If this person is unavailable, organizational responsibility passes to the System Owner until a new Repository Owner is designated. The System Owner may restrict, archive, or lock repositories in the event of security, compliance, or operational risks.

The Provider is entitled to restrict or remove repositories without a clearly designated responsible person.

§ 12.5 Incident Handling

In the event of the unintentional publication of personal data:

immediate notification to itsecurity@bnitm.de
Assessment as a data breach
Measures in accordance with the GDPR, if applicable

§ 12.6 Retention and Deletion

Repositories and personal data that are no longer needed must be deleted or archived in accordance with legal, organizational, and security-related requirements. Log data is stored only for as long as necessary for operational, security, or compliance purposes.