General Terms of Use Software uhub.io

The following terms of use ("Terms") are important for the following reasons: 1. They establish your rights with regard to momou ag. 2. They explain the rights that you grant to us when using our uhub.io service. 3. They govern how any disputes are resolved through arbitration. Preamble momou ag (Contractor) processes personal data for the customer (Principal) in accordance with the existing contract between these parties. The parties recognize that the General Data Protection Regulation ("GDPR") may apply to the agreed data processing and, as such, they agree that the processing of personal data is based on this data processing agreement ("DPA"), which takes into account the provisions of the GDPR. The data processing must also ensure compliance with the relevant Swiss data protection rules under the applicable Data Protection Act (DSG), unless these are already fulfilled by compliance with GDPR requirements. Subject The subject of the contract results from the services of the uhub product ("Service Description"): uhub is an online software, also known as cloud software, and is independent of operating system and platform. The software is accessed via an internet browser. uhub is a communications management software that enables an organization to translate its communication strategy into integrated communication activities—target-group-specific, cross-channel, and cross-team. From strategic planning to operational implementation, everything can be found in one place. The digitization of the communication process helps in making decisions, presenting, possibly discussing, and ultimately implementing them at a strategic level. On an operational level, uhub supports in the strategic planning of communication activities. Contents are structured and captured according to target groups and channels. Depending on the channel's capabilities, publication is automated or manual. Duration The contract is of indefinite duration and can be terminated by either party at the end of the month with one month's notice. If the "Annual Payment" option was chosen at the time of conclusion of the contract, the contract can be terminated by either party at the end of the contract with one month's notice. The possibility of termination without notice remains unaffected. Specification of the Contract Subject 4.1 Type and Purpose of the Intended Data Processing The subject of the data processing task is the performance of the following tasks by the contractor: Storage of data for the provision of services in accordance with the Service Description and the Agreement. The contractually agreed data processing takes place in Switzerland. An appropriate level of data protection has been determined by the EU Commission in a formal decision for Switzerland: 2000/518/EC. 4.2 Type of Data The contractor does not carry out any active processing of personal data. Access to the data is only for troubleshooting purposes in accordance with the terms and conditions. In the course of this troubleshooting, it is possible for the contractor to access the principal's data. This may also include personal data. The principal confirms that the following, non-exhaustive, personal data may be subject to processing: - Customers - Prospects - Employees - Suppliers The principal ensures that no data falling under Art. 9 of the GDPR is stored. This includes the following data categories: Racial and ethnic origin / political opinions / religious or philosophical beliefs / trade union membership / genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, or data concerning sex life or sexual orientation. The contractor should be informed immediately if such data is stored. In this case, the contractor reserves the right to terminate the contract immediately, unilaterally, and without cost consequences. Technical / Organizational Measures The contractor has implemented the necessary technical and organizational measures before commencing processing. The contractor has ensured security pursuant to Art. 28 (3) sublit. c, 32 of the GDPR, especially in conjunction with Art. 5 (1), 2 of the GDPR. Overall, the measures to be taken are security measures and to ensure an appropriate level of protection in terms of the confidentiality, integrity, availability, and resilience of the systems. The state of the art, implementation costs, and the nature, scope, and purpose of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons under Art. 32 (1) of the GDPR, have been taken into account. The technical and organizational measures are subject to technological progress and further development. The contractor is permitted to implement alternative adequate measures. The level of security of the specified measures must not be lowered. Significant changes are to be documented. If interested, the documentation of the technical and organizational measures can be requested by email at privacy@uhub.io. Data Correction, Restriction, and Deletion 1) The contractor may not independently correct, delete, or restrict the processing of the data processed on behalf but only upon documented instruction from the principal. If an affected person addresses the contractor directly on this matter, the contractor will immediately forward this request to the principal. 2) If covered by the scope, deletion concept, right to be forgotten, correction, data portability, and information must be ensured directly by the principal. The contractor supports the principal, subject to compensation, in fulfilling these tasks. Quality Assurance and Other Duties of the Contractor In addition to compliance with the provisions of this contract, the contractor has legal obligations under Art. 28 to 33 of the GDPR. Therefore, the contractor ensures compliance with the following requirements in particular: 1) The contractor is not obligated to appoint a data protection officer under the GDPR. Olivier Fuchs, uhub.io ag, Neuengasse 41, 3011 Bern, Switzerland is named as the contact person. He can be reached at privacy@uhub.io. 2) The preservation of confidentiality pursuant to Art. 28 (3) sentence 2 lit. b, 29, 32 (4) of the GDPR. The contractor only uses employees who are committed to confidentiality while carrying out the work and have previously been familiarized with the relevant data protection provisions. 3) The implementation and observance of all technical and organizational measures required for this contract under Art. 28 (3) sentence 2 lit. c, 32 of the GDPR. 4) If the principal is exposed to monitoring by the supervisory authority, an administrative or criminal proceeding, the liability claim of an affected person or third party, or any other claim related to the data processing contract from the contractor, the contractor will support the principal to the best of its ability. An expense-based remuneration is due to the contractor for this support. 5) The contractor regularly monitors internal processes and technical and organizational measures to ensure that processing carried out in its area of responsibility complies with the requirements of applicable data protection law and ensures the protection of the rights of the data subjects. 6) Documentation of the technical and organizational measures must be retained by the contractor beyond the end of the contract in accordance with the respective retention periods. Subcontractual Relationships For the purposes of this regulation, subcontracted relationships refer to services directly related to the provision of the main service. Excluded from this are ancillary services such as telecommunication services, postal/transport services, maintenance and user service, or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity, and resilience of the hardware and software of data processing systems. The contractor shall ensure that, even in the case of outsourced ancillary services, appropriate and legally compliant contractual agreements and control measures are taken to ensure data protection and data security of the principal's data. The following subcontractors are involved in the provision of the services: a) Google LLC (formerly known as Google Inc.), 1600 Amphitheatre Parkway, Mountain View, California 94043 USA Data Protection Officer: support.google.com/cloud/contact/dpo Services: Cloud Hosting Provider Processing Location (Address): Zurich (europe-west6), Switzerland b) maatoo.io Data Protection Officer: privacy@maatoo.io Services: Marketing Automation Processing Location (Address): 55 weeks, Busswilstrasse 16, 3250 Lyss, Switzerland c) Exoscale Route de Marcolet 39. 1023 Crissier, Switzerland Data Protection Officer: privacy@exoscale.ch Services: Cloud Hosting Provider Processing Location (Address): Eielen fort DKII, Attingshausen, Switzerland d) Chatlio LLC 1329 N 47TH ST #31231, Seattle, WA 98103 United States Data Protection Officer: privacy@chatlio.com Services: Chat Service for Support e) Slack Technologies 500 Howard Street, San Francisco, CA 94105, USA Data Protection Officer: dpo@slack.com Services: Chat Collaboration Solution for Centralizing Support Communication Processing Location (Address): Slack Technologies, 500 Howard Street, San Francisco, CA 94105, USA f) Usetiful Usetiful, Sepapaja tn 6, 15551 Tallinn, Estonia Data Protection Officer: info@usetiful.com Services: Digital Adoption Platform g) Posthog PostHog Inc, 2261 Market Street #4008, San Francisco, CA 94114 Data Protection Officer: privacy@posthog.com Services: Product Analysis The subcontractors provide partially necessary ancillary services in connection with the main service that are necessary for the correct and contractually compliant functioning of the solution. The principal acknowledges this and explicitly agrees to the assignment of the described tasks. If the subcontractor provides the agreed service outside of the EU/EEA or Switzerland, the contractor ensures the data protection conformity through appropriate measures. The same applies if service providers under sub para. 2 are to be used. Notification to the Principal The contractor ensures that the principal can verify the contractor's compliance with its obligations under Art. 28 of the GDPR. The contractor undertakes to provide the necessary information to the principal upon request. The verification of such measures can be done through: a) compliance with approved codes of conduct pursuant to Art. 40 of the GDPR; b) certification under an approved certification procedure pursuant to Art. 42 of the GDPR; c) current certificates, reports, or extracts of reports from independent bodies (e.g., auditors, revision, data protection officer, IT security department, data protection auditors, quality auditors); d) an appropriate certification through IT security or data protection audit (e.g., according to BSI basic protection). For costs incurred by the contractor in exercising inspection rights and providing the required evidence, the contractor may claim remuneration. Notification of Violations by the Contractor The contractor supports the principal in complying with the obligations mentioned in Articles 32 to 36 of the GDPR concerning the security of personal data, reporting obligations in the event of data breaches, data protection impact assessments, and prior consultations, including: a) Ensuring an appropriate level of protection through technical and organizational measures that take into account the circumstances and purposes of processing and the projected likelihood and severity of potential infringements by gaps in security and allow for an immediate detection of relevant breach events. b) Obligation to immediately report infringements of personal data to the principal c) Obligation to support the principal in carrying out its information obligations to the data subject, and to provide the principal with all relevant information in this context d) Support of the principal in its data protection impact assessment e) Support of the principal in prior consultations with the supervisory authority The contractor may claim remuneration for all assistance not included in the service description or not attributable to misconduct by the contractor. Directive Authority of the Principal The principal promptly confirms oral instructions (at least in textual form). The contractor is obliged to immediately inform the principal if it believes that an instruction violates data protection provisions. The contractor is entitled to suspend the execution of the corresponding instructions until they are confirmed or amended by the principal. Deletion and Return of Personal Data Copies or duplicates of the data are not created without the knowledge of the principal. This does not include backup copies, as far as they are necessary to ensure proper data processing, and data that is necessary to comply with legal retention obligations. After completion of the contractually agreed work, or earlier upon request by the principal, but no later than at the end of the service agreement, the contractor must hand over or, with prior approval, destroy all documents, processing and usage results, and data sets that are in its possession and are related to the contractual relationship. The same applies to test and scrap material. The deletion record is to be presented on request. Documentation intended to demonstrate the orderly and proper data processing are to be retained by the contractor beyond the end of the contract term. For their relief at the end of the contract, they can be handed over to the principal. Final Provisions This agreement does not replace any previous agreements. a) Additional agreements or amendments to this contract require written form. b) References to laws, regulations, documents, and attachments apply, unless expressly stated otherwise, to the laws, regulations, documents, and attachments in their respective valid versions, including any amendments after the contract date. c) Should any provision of this contract be or become invalid or unenforceable, this shall not affect the validity of the remaining parts. In such a case, the parties undertake to replace the invalid or unenforceable provision with one that comes as close as possible to the intended purpose in a legally permissible manner; the same applies in the event of regulatory gaps. d) The principal confirms that it fully complies with the provisions of the GDPR and the DSG and does not offer any content for processing that could violate the privacy rights of persons concerned. e) In the external relationship, the principal is liable according to the data protection liability regulations for the damage caused by non-compliant data processing. The contractor is liable for damage caused by processing only if it has not fulfilled its obligations under this contract or has acted against the principal's instructions. In the internal relationship, the parties are responsible for this damage in accordance with their share of responsibility. In such a case, if a person primarily holds one of the parties liable for damages, that party may request indemnification or reimbursement to the extent corresponding to its share of the responsibility from the other party. f) As a company operating in Switzerland, the contractor is obliged to provide information exclusively to Swiss authorities. Complying with or obeying orders issued by foreign countries and authorities is criminally prohibited under Swiss law (Art. 271 StGB). g) This contract is governed exclusively by Swiss law. The place of jurisdiction is Bern/BE.