General Terms of Use Software uhub.io

The following terms of use ("Terms") are important for the following reasons:

• They outline your rights against momou ag.

• They explain the rights you grant us when using our service uhub.io.

• They regulate how any disputes will be settled through arbitration.

1. Preamble

momou ag (Contractor) processes personal data for the customer (Client) in accordance with the contract existing between these parties (see section 4, Subject) ("Service Agreement"). The parties confirm that the regulation (EU) 2016/679 (General Data Protection Regulation "GDPR") may apply to the agreed data processing (e.g., when processing personal data of individuals residing in the EU). Therefore, the parties agree that the processing of personal data is carried out on the basis of this data processing agreement ("DPA"), which takes into account the provisions of the GDPR. The data processing must also ensure compliance with the relevant Swiss data protection rules in accordance with the applicable Data Protection Act (DPA), provided that these are not already fulfilled by adherence to the GDPR requirements.

2. Subject

The subject of the order results from the services of the product uhub ("Service Description"):

uhub is an online software (Cloud Software) that is independent of operating systems and platforms and can be operated through a browser. uhub is a communication management software that enables an organization to translate its communication strategy into integrated communication activities - specific to target groups, across channels & teams. From strategic planning to operational implementation, everything can be found in one place. The digitization of communication processes helps at the strategic level to make decisions, present, discuss if necessary, and ultimately implement them. At the operational level, uhub supports the strategic planning of communication activities in line with the strategy. Content is structured and collected according to target groups and channels. Depending on the capabilities of the channel, publication takes place automatically or manually. 

The customer receives a non-exclusive, non-transferable SaaS license to use uhub.io during the contract period.

momou ag guarantees an availability of 99.5% on a monthly average (scheduled maintenance windows excluded) and responds to support tickets within 1 working day.

The client is prohibited from using the service to disseminate illegal content, to send spam, or for DoS attacks.

3. Duration

The contract is indefinite and can be terminated by either party at any time at the end of the month with a notice period of 1 month. If the "Annual Payment" option has been chosen, the contract can be terminated with the same notice period at the end of the current annual period. After each period, it automatically extends for 12 months unless terminated in due time. The possibility of termination without notice for good cause remains unaffected.
The payment and reminder regulations result from point 4.

4. Payment Terms and Reminder Procedures

Payment Period
Invoices are payable within 15 days from the invoice date without deduction.

Default
If the customer is in default after the expiration of the payment period (Art. 102 para. 1 OR), they owe a default interest of 5% p.a. from the following day according to Art. 104 OR.

Reminder Stages
a) First Reminder - occurs automatically upon entry into default; new payment period 10 days; reminder fee CHF 20.–.

b) Second Reminder - in case of non-payment; further period 10 days; additional reminder fee CHF 40.–.

c) Collection - if the claim remains open thereafter, momou ag may assign the claim to a collection agency without further notice; all resulting costs shall be borne by the customer.

Blocking of Access
momou ag is entitled to suspend access to uhub.io until all due amounts are fully settled.

Offsetting & Retention
Offsetting by the customer is only permitted with legally established or acknowledged claims in writing by momou ag. A right of retention is excluded.

5. Specification of the Subject Matter of the Contract

a) Nature and Purpose of the Intended Processing of Data

The subject of the order regarding data handling is the performance of the following tasks by the contractor: storage of data to provide the services according to the service description and service contract.

The provision of the contractually agreed data processing takes place in Switzerland. An adequate level of data protection has been established by the EU Commission in a formal decision for Switzerland: 2000/518/EC.

b) Nature of the Data

The contractor does not carry out any active processing of personal data themselves. Access to the data is granted only for the purpose of correcting errors in accordance with the GTC. In the context of this error correction, it is possible that the contractor gains access to the data of the client. This may also affect personal data.

The client confirms that the following, non-exhaustive personal data may be subject to processing.

• Customers

• Prospective Clients

• Employees

• Suppliers

c) Audit Rights
The client can conduct an audit of momou ag's security and data protection processes annually or have it conducted by third parties. momou ag supports audits during regular business hours; expenses exceeding 2 hours per year will be charged at an hourly rate of CHF 180.00.

6. Technical / Organizational Measures

The contractor has implemented the necessary technical and organizational measures before the processing begins.

The contractor has implemented security in accordance with Art. 28 para. 3 lit. c, 32 GDPR, particularly in conjunction with Art. 5 para. 1, para. 2 GDPR. Overall, the measures to be taken entail measures of data security and to ensure a risk-appropriate level of protection for confidentiality, integrity, availability, and resilience of systems. In this context, the state of the art, implementation costs, the nature, scope, and purposes of processing, as well as the differing probabilities and severities of the risks to the rights and freedoms of natural persons under Art. 32 para. 1 GDPR have been taken into account.

The technical and organizational measures are subject to technological advancement and further development. Accordingly, the contractor is permitted to implement alternative adequate measures. However, the level of security of the established measures must not be undermined. Significant changes are to be documented.

Documentation of the technical and organizational measures can be requested via email at privacy@uhub.io.

7. Correction, Limitation and Deletion of Data

The contractor may not unilaterally correct, delete or restrict the processing of data that is processed on behalf, but only follow documented instructions from the client. If an affected person contacts the contractor directly in this regard, the contractor will forward this request to the client without delay.

To the extent that deletion concepts, rights to be forgotten, corrections, data portability, and information are included in the scope of services, these must be ensured directly by the client. The contractor will assist the client against compensation in providing these services.

Requests from affected persons pursuant to Art. 15–20 GDPR or Art. 25 nDPA will be answered or implemented within 30 calendar days.

8. Quality Assurance and Other Obligations of the Contractor

The contractor has, in addition to complying with the regulations of this order, legal obligations in accordance with Art. 28 to 33 GDPR; accordingly, it assurances compliance with the following requirements:

a)     The contractor is not obliged to appoint a data protection officer under GDPR. Olivier Fuchs, uhub.io ag, Neuengasse 41, 3011 Bern, Switzerland, is designated as the contact person. He can be reached at privacy@uhub.io.

b)    The maintenance of confidentiality according to Art. 28 para. 3 p. 2 lit. b, 29, 32 para. 4 GDPR. The contractor engages only employees who are obligated to confidentiality and have been made familiar with the relevant data protection provisions beforehand in executing the work.

c)     The implementation and compliance with all technical and organizational measures required for this contract as per Art. 28 para. 3 p. 2 lit. c, 32 GDPR.

d)    Insofar as the client is subjected to a control by the supervisory authority, a regulatory or criminal procedure, a liability claim of an affected person or a third party, or another claim in connection with data processing at the contractor, the contractor will support him to the best of his ability. The contractor is entitled to compensation based on expenses for this support.

e)    The contractor regularly checks internal processes as well as technical and organizational measures to ensure that the processing in its area of responsibility occurs in accordance with the requirements of applicable data protection law and that the protection of the rights of the affected person is guaranteed.

f)      Documentability of the technical and organizational measures taken in accordance with the client's control powers under section 8 of this contract.

g)    In the event of a breach of personal data protection, momou ag informs the client no later than 72 hours after becoming aware of it in writing.

9. Subcontracting Relationships

Subcontracting relationships in the sense of these regulations are understood to be those services that directly relate to the provision of the main service. They do not include ancillary services that the contractor may use, such as telecommunications, postal/transport services, maintenance, and user service, or the disposal of data carriers as well as other measures to ensure confidentiality, availability, integrity, and resilience of the hardware and software of data processing systems. The contractor takes appropriate and legally compliant contractual agreements, as well as control measures to ensure data protection and data security for the data of the client, even for outsourced ancillary services.

The following subcontractors and sub-subcontractors are involved in providing the services:

a) Google LLC (formerly known as Google Inc.)
1600 Amphitheatre Parkway, Mountain View, California 94043 USA
Data Protection Officer:
support.google.com/cloud/contact/dpo
Services: Cloud Hosting Provider
Place of Processing (Address): Zurich (europe-west6), Switzerland

b) maatoo.io
Data Protection Officer: support@maatoo.io
Services: Marketing Automation
Place of Processing (Address): Nelocom GmbH, Buchmattstrasse 11, 3400 Burgdorf

c) Exoscale
Route de Marcolet 39. 1023 Crissier, Switzerland
Data Protection Officer: privacy@exoscale.ch
Services: Cloud Hosting Provider
Place of Processing (Address): Eielen fort DKII, Attingshausen, Switzerland

d) Chatlio LLC
1329 N 47TH ST #31231, Seattle, WA 98103 United States
Data Protection Officer: privacy@chatlio.com
Services: Chat Service to support the responsible parties

e) Slack Technologies
500 Howard Street, San Francisco, CA 94105, USA
Data Protection Officer: dpo@slack.com
Services: Chat Collaboration Solution to centralize support communication
Place of Processing (Address): Slack Technologies, 500 Howard Street, San Francisco, CA 94105, USA

f) Usetiful
Usetiful, Sepapaja tn 6, 15551 Tallinn, Estonia
Data Protection Officer: info@usetiful.com
Services: Digital Adoption Platform

g) Posthog
PostHog Inc, 2261 Market Street #4008, San Francisco, CA 94114
Data Protection Officer: privacy@posthog.com
Services: Product Analysis

h) OpenAI
OpenAI, L.L.C. 3180 18th Street, San Francisco, California 94110, USA
Data Protection: dsar@openai.com
Services: AI Assistant

j) TikTok
TikTok. Culver City, 5800 Bristol Pkwy
Data Protection Contact: https://www.tiktok.com/legal/report/privacy
Services: Social Network

k) Facebook
Menlo Park, 1 Hacker Way, United States
Data Protection: https://www.facebook.com/privacy/policy/
Services: Social Network

l) Instagram
Menlo Park, 1 Hacker Way, United States
Data Protection: https://about.instagram.com/safety/privacy
Services: Social Network

m) YouTube
San Bruno, 901 Cherry Ave, United States
Data Protection: https://www.youtube.com/howyoutubeworks/user-settings/privacy/
Services: Social Network

n) X Corporation
Mountain View, 1600 Amphitheatre Pkwy, United States
Data Protection: https://twitter.com/en/privacy
Services: Social Network

o) LinkedIn
1000 W Maude Ave Sunnyvale, CA 94085
Data Protection: https://www.linkedin.com/legal/privacy-policy
Services: Social Network

The subcontractors provide necessary ancillary services that are partly required for the proper and contractually compliant functioning of the solution. The client acknowledges this and explicitly agrees to the awarding of the described tasks.

If the subcontractor provides the agreed services outside of the EU/the EEA or Switzerland, the contractor ensures the legality under data protection law through appropriate measures. The same applies if service providers as per paragraph 1 sentence 2 are to be deployed.

momou ag informs the client at least 30 days before engaging new subprocessors. The client can object within 14 days for good cause; without objection, consent is deemed granted.

10. Information for the Client

The contractor ensures that the client can verify compliance with the contractor's obligations under Art. 28 GDPR. The contractor agrees to provide the client with the necessary information upon request.

Proof of such measures can be provided by:

a) adherence to approved codes of conduct in accordance with Art. 40 GDPR;

b) certification according to an approved certification process according to Art. 42 GDPR;

c) current certifications, reports or excerpts from independent bodies (e.g., auditors, review, data protection officer, IT security department, data protection auditors, quality auditors);

d) an appropriate certification by IT security or data protection audit (e.g., according to BSI basic protection).

e) For costs incurred to the contractor through the exercise of control rights and the provision of the requested evidence, the contractor may claim compensation.

11. Notification of Violations by the Contractor

The contractor assists the client in complying with the obligations mentioned in Articles 32 to 36 of the GDPR concerning the security of personal data, reporting obligations in case of data breaches, data protection impact assessments, and prior consultations. This includes:

a)     ensuring an adequate level of protection through technical and organizational measures that take into account the circumstances and purposes of processing, as well as the anticipated probability and severity of a potential legal violation through security gaps and enable immediate identification of relevant breach events

b)    the obligation to report personal data breaches to the client without delay

c)     the obligation to support the client in fulfilling their information obligations towards the affected person and provide them with all relevant information in this context

d)    supporting the client in their data protection impact assessment

e)    supporting the client in prior consultations with the supervisory authority

For all support services that are not included in the service description or not attributable to misconduct by the contractor, the contractor may claim compensation.

12. Instruction Authority of the Client

Oral instructions must be confirmed by the client without delay (at least in text form).

The contractor must inform the client without delay if he believes that an instruction violates data protection regulations. The contractor is entitled to suspend the implementation of the respective instruction until it is confirmed or changed by the client.

13. Deletion and Return of Personal Data

Copies or duplicates of the data are not created without the client's knowledge. This does not include backups insofar as they are necessary for ensuring proper data processing as well as data that is necessary for complying with legal retention obligations.

Upon completion of the contractually agreed work or earlier upon request from the client – at the latest upon termination of the service agreement – the contractor must hand over all documents that have come into his possession, created processing and usage results as well as data sets related to the order relationship to the client or destroy them in a data protection-compliant manner after prior consent. The same applies to test and committee material. The deletion record must be provided upon request.

Documentation that serves as proof of the proper and orderly data processing must be retained by the contractor in accordance with the respective retention periods beyond the end of the contract. The contractor may hand them over to the client for their exoneration at the end of the contract.

All customer data will be released either electronically free of charge or – at the customer's choice – deleted in a data protection-compliant manner and logged no later than 30 days after the end of the contract.

14. Final Provisions

a)     This agreement does not replace any previously concluded agreements.

b)    Side agreements or changes to this order must be made in writing.

c)     References to laws, regulations, documents, and annexes apply, unless expressly stated otherwise, to the laws, regulations, documents, and annexes in their currently applicable version, including any amendments after the contract date.

d)    Should individual provisions of this order be invalid or unenforceable or become so, the effectiveness of the remaining parts shall not be affected thereby. In such a case, the parties agree to replace the invalid or unenforceable provision with one that comes as close as possible to the intended purpose in a legally permissible manner; the same applies to regulatory gaps.

e)    The client confirms that he fully complies with the provisions of the GDPR and the DPA and does not offer any content for processing that could violate the personal rights of affected persons.

f)      In external relations, the client is liable according to the data protection liability provisions for damages caused by non-compliant processing. The contractor is liable for damages caused by processing only if he has failed to comply with his obligations under this contract or has acted against the instructions of the client. In internal relations, the parties are liable for this damage according to their share of responsibility. If a person in such a case makes a claim for damages against one party in full or mostly, they may seek indemnification or reimbursement from the other party to the extent that corresponds to their share of responsibility.

g)    The total liability of momou ag for slight negligence is limited to the amount the client has paid for uhub.io in the respective year; it amounts to a maximum of CHF 50,000.–. This limitation does not apply in cases of intent or gross negligence.

h)    The contractor is exclusively accountable to Swiss authorities as a company operating in Switzerland. The support or compliance with official or sovereign acts of foreign states and authorities is prohibited under criminal law (Art. 271 StGB).

i)      This contract is subject exclusively to Swiss law. The place of jurisdiction is Bern/BE.