General Terms of Use Software uhub.io

The following terms of use ("Terms") are important for the following reasons:

• They outline your rights against momou ag.

• They explain the rights you grant us when using our service uhub.io.

• They govern how any disputes will be settled by arbitration.

1. Preamble

momou ag (contractor) processes personal data for the customer (client) in accordance with the contract existing between the parties (see section 4, subject) ("Service Agreement"). The parties acknowledge that the Regulation (EU) 2016/679 (General Data Protection Regulation "GDPR") may apply to the agreed data processing (e.g., when processing personal data of individuals residing in the EU). Therefore, the parties agree that the processing of personal data is conducted based on this Data Processing Agreement ("DPA"), which takes into account the provisions of the GDPR. Additionally, the data processing must ensure compliance with the relevant Swiss data protection rules according to the applicable Data Protection Act (DPA), unless such compliance is already fulfilled by adhering to the GDPR requirements.

2. Subject

The subject of the contract arises from the services of the product uhub ("Service Description"):

uhub is an online software (Cloud Software) that is independent of the operating system and platform and can be operated through a browser. uhub is a communication management software that enables an organization to translate its communication strategy into integrated communication activities - target group-specific, cross-channel, and cross-team. From strategic planning to operational implementation, everything is found in one place. The digitization of the communication process helps at a strategic level to make decisions, present, discuss if necessary, and ultimately implement. At the operational level, uhub supports the strategy-compliant planning of communication activities. Content is structured and captured according to target groups and channels. Depending on the capabilities of the channel, publication occurs either automatically or manually. 

The customer receives a non-exclusive, non-transferable SaaS license to use uhub.io for the duration of the contract.

momou ag guarantees a 99.5% availability on a monthly average (planned maintenance windows excluded) and responds to support tickets within 1 business day.

The customer is prohibited from using the service to distribute illegal content, send spam, or conduct DoS attacks.

3. Duration

The contract is indefinite and can be terminated by either party at any time at the end of the month with a notice period of 1 month. If the "Annual Payment" option is chosen, the contract can be terminated with the same notice period at the end of the current annual period. After each period, it automatically extends for 12 months unless terminated in due time. The possibility of immediate termination for good cause remains unaffected.
The payment and reminder regulations are set out in section 4.

4. Payment terms and reminder process

Payment deadline
Invoices are payable within 15 days from the invoice date without deduction.

Default
If the customer defaults after the payment deadline (Art. 102 para. 1 CO), they owe an interest on arrears of 5% per annum from the following day in accordance with Art. 104 CO.

Reminder stages
a) First reminder – occurs automatically upon default; new payment deadline 10 days; reminder fee CHF 20.–.

b) Second reminder – if payment is not made; further deadline 10 days; additional reminder fee CHF 40.–.

c) Collection – if the claim remains open thereafter, momou ag may assign the claim to a collection agency without further notice; all costs incurred thereby are borne by the customer.

Access suspension
momou ag is entitled to suspend access to uhub.io until all due amounts are paid in full.

Offsetting & Retention
Set-offs by the customer are only permitted with legally established or written claims recognized by momou ag. A right of retention is excluded.

5. Specification of the scope of the contract

a) Nature and purpose of the intended processing of data

The subject of the contract for data processing is the performance of the following tasks by the contractor: storage of data to provide services according to the Service Description and Service Agreement.

The provision of the contractually agreed data processing takes place in Switzerland. An adequate level of data protection has been determined by the EU Commission in a formal decision for Switzerland: 2000/518/EC.

b) Nature of the data

The contractor does not actively process personal data. Access to the data occurs only to rectify errors according to the GTC. In the context of this error correction, it may be possible for the contractor to access the data of the client. This may also involve personal data.

The client confirms that the following, non-exhaustive, personal data may be subject to processing.

• Customers

• Prospective clients

• Employees

• Suppliers

c) Audit right
The client may conduct an audit of the security and data protection relevant processes of momou ag annually or have it conducted by third parties. momou ag supports audits during normal business hours; any costs exceeding 2 hours per year will be charged at a rate of CHF 180.00.

6. Technical / Organizational Measures

The contractor has implemented the necessary technical and organizational measures before commencing processing.

The contractor has established security in accordance with Art. 28 para. 3 lit. c, 32 GDPR, in particular in connection with Art. 5 para. 1, para. 2 GDPR. Overall, the measures to be taken are data security measures and to ensure a level of protection commensurate with the risk concerning confidentiality, integrity, availability, and resilience of the systems. The state of the art, implementation costs, the nature, scope, and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons as defined in Art. 32 para. 1 GDPR have been taken into account.

The technical and organizational measures are subject to technical progress and development. Therefore, the contractor is permitted to implement alternative adequate measures. However, the level of security of the established measures must not be undermined. Significant changes must be documented.

Upon request, documentation of the technical and organizational measures can be requested via email at privacy@uhub.io.

7. Correction, restriction, and deletion of data

The contractor may not unilaterally correct, delete, or restrict the processing of the data processed on behalf without documented instructions from the client. If a data subject addresses the contractor directly in this regard, the contractor will forward this request to the client without delay.

As long as it is included in the scope of services, deletion concepts, the right to erasure, correction, data portability, and information must be ensured directly by the client. The contractor supports the client against compensation in providing these services.

Requests from data subjects under Arts. 15–20 GDPR or Art. 25 nDPA will be answered or executed within 30 calendar days.

8. Quality assurance and other obligations of the contractor

The contractor has, in addition to complying with the regulations of this contract, legal obligations according to Arts. 28 to 33 GDPR; thus, it ensures in particular compliance with the following requirements:

a)     The contractor is not obligated to appoint a data protection officer under GDPR. Olivier Fuchs, uhub.io ag, Neuengasse 41, 3011 Bern, Switzerland is designated as the contact person. He can be reached at privacy@uhub.io.

b)    The maintenance of confidentiality in accordance with Art. 28 para. 3 sentence 2 lit. b, 29, 32 para. 4 GDPR. The contractor only employs staff who are committed to confidentiality and who have been made familiar with the relevant data protection provisions.

c)     The implementation and compliance with all necessary technical and organizational measures for this contract in accordance with Art. 28 para. 3 sentence 2 lit. c, 32 GDPR.

d)    If the client is subject to a control by the supervisory authority, an administrative offense or criminal procedure, a liability claim of a data subject or a third party, or another claim related to data processing against the contractor, the contractor will support him to the best of his ability. The contractor is entitled to a compensation based on the effort for this support.

e)    The contractor regularly checks internal processes along with the technical and organizational measures to ensure that the processing in its area of responsibility complies with the requirements of applicable data protection law and that the protection of the rights of the data subject is guaranteed.

f)      Documentation of the technical and organizational measures taken towards the client within the scope of its control powers according to section 8 of this contract.

g)    In the event of a breach of the protection of personal data, momou ag will inform the client in writing no later than 72 hours after becoming aware.

9. Subcontracting relationships

Subcontracting relationships in the sense of this regulation are understood as services that are directly related to the provision of the main service. It does not include ancillary services that the contractor engages for telecommunications services, postal/transport services, maintenance and user service, or the disposal of data carriers, as well as other measures to ensure confidentiality, availability, integrity, and resilience of the hardware and software of data processing systems. The contractor takes appropriate and legally compliant contractual agreements as well as control measures to ensure data protection and data security for the client's data even in outsourced ancillary services.

The following subcontractors and sub-subcontractors are involved in providing the services:

a) Google LLC (formerly known as Google Inc.)
1600 Amphitheatre Parkway, Mountain View, California 94043 USA
Data Protection Officer:
support.google.com/cloud/contact/dpo
Services: Cloud Hosting Provider
Place of processing (address): Zurich (europe-west6), Switzerland

b) maatoo.io
Data Protection Officer: support@maatoo.io
Services: Marketing Automation
Place of processing (address): Nelocom GmbH, Buchmattstrasse 11, 3400 Burgdorf

c) Exoscale
Route de Marcolet 39. 1023 Crissier, Switzerland
Data Protection Officer: privacy@exoscale.ch
Services: Cloud Hosting Provider
Place of processing (address): Eielen fort DKII, Attingshausen, Switzerland

d) Chatlio LLC
1329 N 47TH ST #31231, Seattle, WA 98103 United States
Data Protection Officer: privacy@chatlio.com
Services: Chat Service to support the responsible party

e) Slack Technologies
500 Howard Street, San Francisco, CA 94105, USA
Data Protection Officer: dpo@slack.com
Services: Chat Collaboration Solution to centralize support communication
Place of processing (address): Slack Technologies, 500 Howard Street, San Francisco, CA 94105, USA

f) Usetiful
Usetiful, Sepapaja tn 6, 15551 Tallinn, Estonia
Data Protection Officer: info@usetiful.com
Services: Digital Adoption Platform

g) Posthog
PostHog Inc, 2261 Market Street #4008, San Francisco, CA 94114
Data Protection Officer: privacy@posthog.com
Services: Product analytics

h) OpenAI
OpenAI, L.L.C. 3180 18th Street, San Francisco, California 94110, USA
Data protection: dsar@openai.com
Services: AI Assistant

j) TikTok
TikTok, Culver City, 5800 Bristol Pkwy
Contact Data Protection: https://www.tiktok.com/legal/report/privacy
Services: Social Network

k) Facebook
Menlo Park, 1 Hacker Way, United States
Data protection: https://www.facebook.com/privacy/policy/
Services: Social Network

l) Instagram
Menlo Park, 1 Hacker Way, United States
Data protection: https://about.instagram.com/safety/privacy
Services: Social Network

m) Youtube
San Bruno, 901 Cherry Ave, United States
When using functions that access the YouTube API (e.g., video publishing, statistics, comment management), users expressly agree that they are additionally bound by the YouTube Terms of Service.
Data protection: https://www.youtube.com/howyoutubeworks/user-settings/privacy/
Services: Social Network

n) X Corporation
Mountain View, 1600 Amphitheatre Pkwy, United States
Data protection: https://twitter.com/en/privacy
Services: Social Network

o) Linkedin
1000 W Maude Ave Sunnyvale, CA 94085
Data protection: https://www.linkedin.com/legal/privacy-policy
Services: Social Network

p) Ayrshare (Nevermind Solutions LLC)
185 West End Ave #7B, New York, NY 10023, USA
Data protection: contact@ayrshare.com
Services: Social Media API (posting, scheduling, analytics, comment management). This is only used if the "Social Inbox" module is activated. 

The subcontractors provide the necessary ancillary services related to the main service that are necessary for the correct and contractual functioning of the solution. The client acknowledges this and expressly agrees to the awarding of the described tasks.

If the subcontractor provides the agreed service outside the EU/EEA or Switzerland, the contractor ensures the legality of data protection through appropriate measures. The same applies if service providers as defined in sentence 1 are to be used.

momou ag informs the client at least 30 days before commissioning new subprocessors. The client can object within 14 days for good cause; in the absence of an objection, consent is deemed to be granted.

10. Information of the Client

The contractor ensures that the client can verify compliance with the contractor's obligations under Art. 28 GDPR. The contractor agrees to provide the client with the necessary information upon request.

Proof of such measures can be provided by:

a) compliance with approved codes of conduct according to Art. 40 GDPR;

b) certification under an approved certification procedure according to Art. 42 GDPR;

c) current attestations, reports, or excerpts from independent authorities (e.g., auditors, audit, data protection officers, IT security department, data protection auditors, quality auditors);

d) a suitable certification by IT security or data protection audit (e.g., according to BSI Basic Protection).

e) The contractor can claim compensation for costs incurred by the exercise of control rights and the provision of the required proofs.

11. Notification of Violations by the Contractor

The contractor supports the client in fulfilling the obligations regarding security of personal data, notification obligations in the event of data breaches, data protection impact assessments, and prior consultations specified in Articles 32 to 36 of the GDPR. This includes among others:

a)     ensuring an adequate level of protection through technical and organizational measures that take into account the circumstances and purposes of processing as well as the anticipated likelihood and severity of potential legal violations through security gaps, enabling immediate detection of relevant breach events

b)    the obligation to immediately report data breaches to the client

c)     the obligation to assist the client in fulfilling their information obligations to the data subject and to provide all relevant information in this context

d)    the contractor's support for the client's data protection impact assessment

e)    the contractor's support for the client in the context of prior consultations with the supervisory authority

For all support services not included in the scope of services or not attributable to the contractor's misconduct, the contractor may claim compensation.

12. Instruction Authority of the Client

Oral instructions must be confirmed by the client immediately (at least in text form).

The contractor must inform the client without delay if it believes an instruction is in violation of data protection regulations. The contractor is entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the client.

13. Deletion and Return of Personal Data

Copies or duplicates of the data may not be created without the knowledge of the client. Excluded from this are security copies, as far as they are necessary to ensure proper data processing, as well as data that are required in light of compliance with legal retention obligations.

Upon completion of the contractually agreed work or earlier upon request by the client – at the latest upon termination of the service agreement – the contractor must hand over all documents it has in its possession, all created processing and usage results, as well as data sets that are related to the contractual relationship, to the client or, after prior consent, securely delete them. The same applies to test and committee material. The deletion record must be provided upon request.

Documentations serving as proof of proper and orderly data processing must be retained by the contractor beyond the contractual end according to the specific retention periods. They may be handed over to the client at the end of the contract to relieve the contractor.

All client data will be released at the latest 30 days after the end of the contract either electronically free of charge or – at the client's option – deleted in compliance with data protection regulations and documented.

14. Final provisions

a)     This agreement does not replace any previously concluded agreements.

b)    Side agreements or amendments to this contract require written form.

c)     References to laws, regulations, documents, and appendices apply, unless expressly stated otherwise, to the laws, regulations, documents, and appendices in their respective valid versions, including any amendments after the contract date.

d)    Should individual provisions of this contract be ineffective or unenforceable, the validity of the remaining parts shall not be affected. In this case, the parties agree to replace the ineffective or unenforceable provision with a provision that legally comes closest to the intended purpose, the same applies to gaps in regulation.

e)    The client confirms that they fully comply with the provisions of the GDPR and the DPA and do not provide any content for processing that could violate the personal rights of data subjects.

f)      In external relations, the client is liable according to data protection liability provisions for damage caused by non-compliant processing. The contractor is only liable for damage caused by processing if it has failed to fulfill its obligations under this contract or has acted contrary to the instructions of the client. In internal relations, the parties are liable for this damage in proportion to their share of responsibility. If a person claims compensation from one party in this case in whole or predominantly, that party can request indemnity or hold harmless from the other party, as far as this corresponds to their share of responsibility.

g)    The contractor's total liability for slight negligence is limited to the amount the client has paid for uhub.io in the relevant year; it amounts to a maximum of CHF 50,000.–. This limitation does not apply in cases of intent or gross negligence.

h)    The contractor, as a company operating in Switzerland, is only obliged to provide information and accountability to Swiss authorities. Supporting or complying with official or sovereign acts of foreign states and authorities is prohibited (Art. 271 StGB).

i)      This contract shall be governed exclusively by Swiss law. The place of jurisdiction is Bern/BE.