The uhub.io ag (contractor) processes personal data for the customer (client).
The subject matter of the contract results from the procedural description of the product uhub.io (“performance description”):
uhub.io is online software – also known as cloud software – and is independent of the operating system and platform. The software is operated via an Internet browser. uhub.io is a communication tool that enables the responsible person to record, share and plan his communication strategy in a structured manner. Furthermore, communication teams are collaboratively supported in the implementation of the communication strategy.
The order is placed for an unlimited period and can be terminated by either party at any time at the end of a month by observing a notice period of one month. If the "annual payment" option was selected when the contract was concluded, the contract can be terminated by either party by giving one month's notice to the end of the contract. The possibility of termination without notice remains unaffected.
Concretisation of the order content
1) Nature and purpose of the proposed processing of data
The subject of the order for data handling is the performance of the following tasks by the contractor:
Storage of the data for the provision of the services in accordance with the service description.
The performance of the contractually agreed data processing takes place in Switzerland. An adequate level of data protection was established by the EU Commission in a formal decision for Switzerland: 2000/518/EC.
2) Type of data
The contractor himself does not actively process personal data. Access to the data is only granted for the purpose of rectifying errors in accordance with the General Terms and Conditions. Within the scope of this error correction it is possible for the contractor to gain access to data of the client. Personal data may also be affected by this.
The Client confirms that the following non-exhaustive personal data may be the subject of processing.
The customer shall ensure that no data within the meaning of Art. 9 DS-GVO is stored. This includes the following data categories:
Racial and ethnic origin / political opinions / religious or ideological beliefs / trade union membership / genetic data, biometric data for the unambiguous identification of a natural person, health data or data on sex life or sexual orientation.
When storing such data, the contractor must be informed immediately. The contractor reserves the right in this case to terminate the contract immediately, unilaterally and without cost consequences.
Technical / Organizational Measures
1) The contractor has put the necessary technical and organisational measures into force before the start of processing.
2) The contractor has ensured security in accordance with Art. 28 para. 3 lit. c, 32 DS-GVO, in particular in conjunction with Art. 5 para. 1, para. 2 DS-GVO. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the type, scope and purpose of the processing as well as the different probability of occurrence and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 para. 1 DS-GVO were taken into account.
3) The technical and organisational measures are subject to technical progress and further development. In this respect, the contractor is permitted to implement alternative adequate measures. The safety level of the specified measures may not be undercut. Material changes must be documented.
If interested, the documentation of the technical and organisational measures can be requested by e-mail to email@example.com.
Correction, restriction and deletion of data
1) The contractor may not correct, delete or restrict the processing of the data processed on behalf of the client without authorisation, but only in accordance with the documented instructions of the client. If a person concerned directly contacts the Contractor in this respect, the Contractor shall forward this request to the Customer without delay.
2) Insofar as covered by the scope of services, the deletion concept, right to be forgotten, correction, data portability and information shall be ensured directly by the Customer. The contractor shall support the client in the provision of these services in return for compensation.
Quality Assurance and Other Duties of the Contractor
In addition to compliance with the provisions of this contract, the Contractor shall have statutory obligations pursuant to Articles 28 to 33 DS-GVO; to this extent he shall in particular ensure compliance with the following requirements:
1) The contractor is not obliged to appoint a data protection officer in accordance with the DS-GVO. The contact person is Olivier Fuchs, uhub.io ag, Neuengasse 41, 3011 Bern, Switzerland. He can be reached at firstname.lastname@example.org.
2) Maintaining confidentiality in accordance with Art. 28 para. 3 sentence 2 lit. b, 29, 32 para. 4 DS-GVO. When carrying out the work, the contractor shall only employ employees who are obliged to maintain confidentiality and who have been familiarised beforehand with the data protection provisions relevant to them.
3) The implementation of and compliance with all technical and organisational measures required for this assignment pursuant to Art. 28 para. 3 sentence 2 lit. c, 32 DS-GVO.
4) Insofar as the Client is subject to inspection by the supervisory authority, administrative offence or criminal proceedings, the liability claim of a person concerned or a third party or any other claim in connection with the processing of the order by the Contractor, the Contractor shall support him to the best of his ability. The contractor shall be entitled to expense-based compensation for such assistance.
5) The Contractor shall regularly monitor the internal processes and the technical and organisational measures to ensure that the processing in its area of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the rights of the data subject are protected.
6) Verifiability of the technical and organisational measures taken to the client within the scope of his control powers in accordance with section 8 of this contract.
1) For the purposes of this Regulation, subcontracting shall mean services which relate directly to the provision of the principal service. This does not include ancillary services which the contractor uses, e.g. as telecommunications services, postal/transport services, maintenance and user services or the disposal of data media as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. In order to guarantee the data protection and data security of the Customer’s data, the Contractor shall also take appropriate and legally compliant contractual agreements and control measures in the case of outsourced ancillary services.
2) The following subcontractors are involved in the provision of the services:
a) Google LLC (formerly known as Google Inc.),
1600 Amphitheatre Parkway, Mountain View, California 94043 USA
Data Protection Officer:
Services: Cloud Hosting Provider
Place of processing (address): Zurich (europe-west6), Switzerland
Data protection officer: email@example.com
Services: Marketing Automation
Place of processing (address): 55 weeks, Busswilstrasse 16, 3250 Lyss, Switzerland
Route de Marcolet 39, 1023 Crissier, Switzerland
Data Protection Officer: firstname.lastname@example.org
Services: Cloud Hosting Provider
Processing location (address): Eielen fort DKII, Attingshausen, Switzerland
d) Chatlio LLC
1329 N 47TH ST #31231, Seattle, WA 98103 United States
Data Protection Officer: email@example.com
Services: Chat service for the support of the responsible persons
e) Slack Technologies
500 Howard Street, San Francisco, CA 94105, USA
Data Protection Officer: firstname.lastname@example.org
Services: Chat Collaboration Solution for centralizing support communication
Processing location (address): Slack Technologies, 500 Howard Street, San Francisco, CA 94105, USA
Usetiful, Sepapaja tn 6, 15551 Tallinn, Estonia
Data Protection Officer: email@example.com
Services: Digital Adoption Platform
PostHog Inc, 2261 Market Street #4008, San Francisco, CA 94114
Data Protection Officer: firstname.lastname@example.org
Information of the client
1) The Contractor shall ensure that the Client can satisfy himself that the obligations of the Contractor under Art. 28 DS-GVO have been complied with. The Contractor undertakes to provide the Customer with the necessary information upon request.
2) Evidence of such measures may be provided by
a) compliance with approved rules of conduct pursuant to Art. 40 DS-GVO;
b) certification in accordance with an approved certification procedure pursuant to Art. 42 DS-GVO;
c) current certificates, reports or extracts of reports from independent bodies (e.g. auditors, data protection officers, IT security department, data protection auditors, quality auditors);
d) a suitable certification through an IT security or data protection audit (e.g. according to BSI basic protection).
e) The contractor may claim remuneration for costs incurred by the contractor as a result of exercising the control rights and providing the required evidence.
Notification of infringements by the contractor
1) The Contractor shall support the Client in complying with the obligations set out in Articles 32 to 36 of the DS-GVO regarding the security of personal data, reporting obligations in the event of data breaches, data protection impact assessments and prior consultations. These include, but are not limited to:
a) ensuring an adequate level of protection through technical and organisational measures that take into account the circumstances and purposes of the processing as well as the predicted probability and severity of a possible breach of rights due to security gaps and enable the immediate detection of relevant breach events;
b) the obligation to report personal data breaches to the Client without delay;
c) the obligation to assist the Client in fulfilling its obligation to inform the person concerned and to provide it with all relevant information in this connection;
d) assisting the Client with its data protection impact assessment;
e) assisting the Client in prior consultations with the supervisory authority.
2) For all support services which are not included in the service description or are not due to misconduct on the part of the contractor, the contractor can claim remuneration.
Authority of the Customer to issue instructions
1) Oral instructions are confirmed by the client without delay (at least in text form).
2) The contractor must inform the client immediately if he is of the opinion that an instruction violates data protection regulations. The contractor is entitled to suspend the execution of the corresponding instruction until it has been confirmed or changed by the client.
Deletion and return of personal data
1) Copies or duplicates of the data will not be made without the knowledge of the client. Excluded from this are backup copies, insofar as they are necessary to guarantee proper data processing, as well as data which are necessary with regard to compliance with statutory storage obligations.
2) Upon completion of the contractually agreed work or earlier upon request by the Customer – at the latest upon termination of the performance agreement – the Contractor shall hand over to the Customer all documents, processing and usage results as well as data stocks which have come into his possession and which are connected with the contractual relationship, or, after prior consent, destroy them in accordance with data protection regulations. The same applies to test and scrap material. The deletion protocol must be submitted upon request.
3) Documentation which serves as proof of orderly and proper data processing shall be stored by the Contractor beyond the end of the contract in accordance with the respective retention periods. He may hand them over to the Customer at the end of the contract for his relief.
1) This agreement does not replace any previous agreements.
2) Subsidiary agreements or amendments to this order must be made in writing.
3) References to laws, regulations, documents and appendices shall, unless expressly provided otherwise, apply to the laws, regulations, documents and appendices in their respective valid version, i.e. including any amendments after the contract date.
4) The annexes are an integral part of this contract. In the event of a contradiction between the provisions of the contract itself and its annexes, the provisions of the contract shall prevail. Mandatory legal regulations remain unaffected by this.
5) Should individual provisions of this contract be or become invalid or unenforceable, this shall not affect the validity of the remaining parts. In such a case, the parties undertake to replace the invalid or unenforceable provision with a provision that comes as close as possible to the intended purpose in a legally permissible manner; the same shall apply in the event of loopholes.
6) The client confirms that he fully complies with the provisions of the DS-GVO and the DSG and does not offer any content for processing which could constitute an infringement of the personal rights of the persons concerned.
7) In the external relationship, the Client shall be liable in accordance with the data protection liability provisions for damage caused by processing that does not comply with the law. The contractor shall only be liable for the damage caused by processing if he has not fulfilled his obligations under this contract or acted against the instructions of the client. Internally, the parties shall be liable for such damage in proportion to their share of the responsibility. If, in such a case, a person makes a full or predominant claim against one party for damages, the latter may claim indemnity from the other party to the extent that this corresponds to his share of the responsibility.
8) As a company operating in Switzerland, the Contractor shall be exclusively accountable and answerable to the Swiss authorities. The support of or compliance with official or sovereign acts of foreign states and authorities is prohibited under criminal law (Art. 271 StGB).
9) Swiss law applies exclusively to this contract. Place of jurisdiction is Bern/BE.