General Terms of Use Software uhub.io

V

1.0

-

Last edited on

Jan 10, 2024

The following terms of use ("terms") are important for the following reasons:

  • They establish your rights against momou ag.

  • They explain the rights you grant us when using our service uhub.io.

  • They govern how any disputes are resolved by arbitration.


  1. Preamble

The momou ag (contractor) processes personal data for the customer (client) in accordance with the contract between these parties (see section 4, subject matter) ("service contract"). The parties acknowledge that Regulation (EU) 2016/679 (General Data Protection Regulation "GDPR") may apply to the agreed data processing (e.g. in the case of processing personal data of individuals residing in the EU). Therefore, the parties agree that the processing of personal data is based on this data processing agreement ("DPA"), which takes into account the provisions of the GDPR. Furthermore, data processing must ensure compliance with applicable Swiss data protection rules in accordance with the applicable Data Protection Act (DSG), provided that these are not already fulfilled by complying with the GDPR requirements.


  1. Subject Matter

The subject matter of the order arises from the services of the product uhub ("service description"):
uhub is an online software - also called cloud software - and independent of operating system and platform. The software is operated via an internet browser. uhub is a communication management software that enables an organization to translate its communication strategy into integrated communication activities - audience-specific, cross-channel, and cross-team. From strategic planning to operational implementation, everything is in one place. The digitization of the communication process helps to make decisions, present, if necessary discuss, and ultimately implement them at a strategic level. At the operational level, uhub supports the strategic planning of communication activities. Contents are structured and captured according to target groups and channels. Depending on the channel's capability, publication is automated or manual. 


  1. Duration

The order is issued for an indefinite period and can be terminated by both parties at the end of the month with one month's notice. If the option "annual payment" was chosen when the contract was concluded, the contract can be terminated by both parties at the end of the contract period with one month's notice. The possibility of termination without notice remains unaffected by this.


  1. Specification of the Order Content

4.1 Nature and Purpose of the intended Data Processing

The subject matter of the order for data handling is the performance of the following tasks by the contractor: Storage of the data to provide the services in accordance with the service description and service contract.
The provision of the contractually agreed data processing takes place in Switzerland. An adequate level of data protection has been established by the EU Commission in a formal decision for Switzerland: 2000/518/EC.

4.2 Type of Data

The contractor does not carry out active processing of personal data itself. Access to the data is only for error correction in accordance with the terms and conditions. In the context of this error correction, it is possible for the contractor to access the client's data. This may also include personal data.
The client confirms that the following, not exhaustive, personal data may be the subject of processing.

  • Customers

  • Prospects

  • Employees

  • Suppliers

The client ensures that no data in accordance with Art. 9 GDPR is stored. This includes the following data categories: Racial and ethnic origin / political opinions / religious or philosophical beliefs / trade union membership / genetic data, biometric data for the unique identification of a natural person, health data or data on the sex life or sexual orientation. In the event of the storage of such data, the contractor must be informed immediately. The contractor reserves the right, in this case, to terminate the contract immediately, unilaterally, and without cost consequences.


  1. Technical / Organizational Measures

The contractor has implemented the necessary technical and organizational measures before the processing is commenced.

The contractor has established security in accordance with Art. 28 para. 3 lit. c, 32 GDPR, in particular in connection with Art. 5 para. 1, para. 2 GDPR. Overall, the measures to be taken are measures of data security and to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability, and resilience of the systems. The state of the art, the implementation costs, and the nature, scope, and purposes of the processing as well as the different probability of occurrence and severity of the risk to the rights and freedoms of natural persons in accordance with Art. 32 para. 1 GDPR have been taken into account.

Technical and organizational measures are subject to technical progress and further development. In this respect, the contractor is permitted to implement alternative appropriate measures. The level of security of the measures defined must not be undercut. Significant changes are to be documented.

If interested, the documentation of the technical and organizational measures can be requested by email to privacy@uhub.io

  1. Correction, Restriction, and Deletion of Data

1) The contractor may not correct, delete, or restrict the processing of the data processed on behalf of its own initiative, but only in accordance with documented instructions from the client. If an affected person applies to the contractor directly in this regard, the contractor will immediately forward this request to the client.

2) Insofar as included in the scope of services, deletion concept, right to be forgotten, correction, data portability, and information must be ensured directly by the client. The contractor supports the client for the provision of these services for a fee.


  1. Quality Assurance and Other Obligations of the Contractor

In addition to compliance with the provisions of this order, the contractor has legal obligations in accordance with Art. 28 to 33 GDPR; to this extent, it ensures compliance with the following requirements in particular:

1) The contractor is not obliged to appoint a data protection officer under the GDPR. Olivier Fuchs, uhub.io ag, Neuengasse 41, 3011 Bern, Switzerland is specified as the contact person. He can be reached at privacy@uhub.io.

2) The maintenance of confidentiality in accordance with Art. 28 para. 3 sentence 2 lit. b, 29, 32 para. 4 GDPR. When carrying out the work, the contractor only employs staff who are committed to confidentiality and have been familiarized with the relevant data protection provisions applicable to them beforehand.

3) The implementation and compliance with all technical and organizational measures necessary for this order in accordance with Art. 28 para. 3 sentence 2 lit. c, 32 GDPR.

4) If the client itself is exposed to a control by the supervisory authority, an administrative or criminal proceedings, the liability claim of an affected person or a third party or another claim in connection with the order processing at the contractor, the contractor will support the client to the best of its ability. The contractor is entitled to a compensation based on expenses for this support.

5) The contractor regularly monitors the internal processes as well as the technical and organizational measures to ensure that the processing in its area of responsibility is in line with the requirements of the applicable data protection law and that the rights of the data subjects are guaranteed.

6) The contractor must be able to provide evidence of the technical and organizational measures taken to the client within the scope of the client's control rights under section 8 of this contract.


  1. Subcontracting

Subcontracting in the context of this regulation refers to services that are directly related to the provision of the main service. Not included in this are ancillary services that the contractor, for example, uses as telecommunications services, postal/transport services, maintenance and user service or the disposal of data carriers as well as other measures to ensure the confidentiality, availability, integrity, and resilience of hardware and software of data processing systems. The contractor takes appropriate and legally compliant contractual agreements as well as control measures for the data protection and data security of the client's data, even with outsourced ancillary services.

The following subcontractors and sub-subcontractors are involved in providing the services:

a) Google LLC (formerly known as Google Inc.),
1600 Amphitheatre Parkway, Mountain View, California 94043 USA
Data protection officer:
support.google.com/cloud/contact/dpo
Services: Cloud Hosting Provider
Location of processing (address): Zurich (europe-west6), Switzerland

b) maatoo.io
Data protection officer: privacy@maatoo.io
Services: Marketing Automation
Location of processing (address): 55 weeks, Busswilstrasse 16, 3250 Lyss, Switzerland

c) Exoscale
Route de Marcolet 39. 1023 Crissier, Switzerland
Data protection officer: privacy@exoscale.ch
Services: Cloud Hosting Provider
Location of processing (address): Eielen fort DKII, Attingshausen, Switzerland)

d) Chatlio LLC
1329 N 47TH ST #31231, Seattle, WA 98103 United States
Data protection officer: privacy@chatlio.com
Services: Chat Service to support the controller

e) Slack Technologies
500 Howard Street, San Francisco, CA 94105, USA
Data protection officer: dpo@slack.com
Services: Chat Collaboration Solution for centralization of support communication
Location of processing (address): Slack Technologies, 500 Howard Street, San Francisco, CA 94105, USA)

f) Usetiful
Usetiful, Sepapaja tn 6, 15551 Tallinn, Estonia
Data protection officer: info@usetiful.com
Services: Digital Adoption Platform

g) Posthog
PostHog Inc, 2261 Market Street #4008, San Francisco, CA 94114
Data protection officer: privacy@posthog.com
Services: Product Analysis

h) OpenAI
OpenAI, L.L.C. 3180 18th Street, San Francisco, California 94110, USA
Data protection: dsar@openai.com
Services: AI Assistant

j) TikTok
TikTok. Culver City, 5800 Bristol Pkwy
Contact data protection: https://www.tiktok.com/legal/report/privacy
Services: Social Network

k) Facebook
Menlo Park, 1 Hacker Way, United States
Data protection: https://www.facebook.com/privacy/policy/ 
Services: Social Network

l) Instagram
Menlo Park, 1 Hacker Way, United States
Data protection: https://about.instagram.com/safety/privacy 
Services: Social Network

m) Youtube
San Bruno, 901 Cherry Ave, United States
Data protection: https://www.youtube.com/howyoutubeworks/user-settings/privacy/ 
Services: Social Network

n) X Corporation
Mountain View, 1600 Amphitheatre Pkwy, United States
Data protection: https://twitter.com/en/privacy 
Services: Social Network

o) Linkedin
1000 W Maude Ave Sunnyvale, CA 94085
Data protection: https://www.linkedin.com/legal/privacy-policy 
Services: Social Network

The subcontractors provide partly necessary ancillary services in connection with the main service to ensure the correct and contractual functioning of the solution. The client takes note of this and explicitly agrees to the allocation of the described tasks. If the subcontractor provides the agreed service outside the EU/EEA or Switzerland, the contractor ensures the legal permissibility with appropriate measures. The same applies if service providers in the sense of para. 1 sentence 2 are to be used.


  1. Communication to the Client

The contractor ensures that the client can verify the contractor's compliance with the obligations under Art. 28 GDPR. The contractor undertakes to provide the necessary information to the client on request.

The proof of such measures can be provided by:
a) compliance with approved codes of conduct in accordance with Art. 40 GDPR;
b) certification according to an approved certification procedure according to Art. 42 GDPR;
c) current test reports or excerpts from reports by independent bodies (e.g. auditors, audit, data protection officer, IT security department, data protection auditors, quality auditors);
d) an appropriate certification by IT security or data protection audit (e.g. according to BSI-Grundschutz).
e) The contractor may claim remuneration for costs incurred by exercising the control rights and providing the required evidence.


  1. Notification of Breaches by the Contractor

The contractor supports the client in compliance with the obligations regarding data security, reporting requirements in case of data breaches, data protection impact assessments, and prior consultations mentioned in Articles 32 to 36 of the GDPR. This includes, among other things:

a) Ensuring an adequate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing, as well as the expected probability and severity of a potential infringement through security vulnerabilities, enabling an immediate determination of relevant breach incidents

b) The obligation to report violations of personal data to the client immediately

c) The obligation to support the client in its duty to inform the data subject and provide all relevant information in this context

d) Support of the client in its data protection impact assessment

e) Support of the client in prior consultations with the supervisory authority

The contractor may claim a fee for all support services that are not included in the service description or are not due to the contractor's misconduct.


  1. Client's Authority to Issue Instructions

Verbal instructions are to be confirmed by the client immediately (in text form at least).

The contractor must inform the client immediately if it believes that an instruction violates data protection regulations. The contractor is entitled to suspend the execution of the corresponding instruction until it is confirmed or changed by the client.


  1. Deletion and Return of Personal Data

Copies or duplicates of the data are not to be created without the client's knowledge. This does not apply to backup copies, insofar as they are necessary to ensure proper data processing, and data required with regard to compliance with legal retention obligations.

After the contractually agreed work has been completed or earlier upon the client's request - at the latest at the end of the service agreement - the contractor must hand over all documents, processing and usage results produced, and data stocks acquired in connection with the contractual relationship to the client or, after prior approval, to destroy them in compliance with data protection regulations. The same applies to test and scrap material. The deletion protocol is to be presented upon request. Documentation that serves as evidence of proper and proper data processing under the contract must be kept by the contractor in accordance with the respective retention periods beyond the end of the contract. He can hand them over to the client at the end of the contract for his relief.


  1. Final Provisions

This agreement does not replace any previously concluded agreements.

a) Side agreements or amendments to this order require written form.

b) References to laws, regulations, documents, and attachments apply, unless expressly stated otherwise, to the laws, regulations, documents, and attachments in their respectively applicable version, including any amendments after the date of the contract.

c) Should individual provisions of this contract be or become invalid or unenforceable, this shall not affect the validity of the remaining parts. In such a case, the parties undertake to replace the invalid or unenforceable provision with a provision that comes as close as possible to the intended purpose in a legally permissible manner; the same shall apply in the event of loopholes.

d) The client confirms that it fully complies with the provisions of the GDPR and the FADP and does not offer any content for processing that could violate the personal rights of data subjects.

e) In the external relationship, the client shall be liable in accordance with the liability provisions under data protection law for any damage caused by processing that does not comply with the law. The Contractor shall only be liable for damage caused by processing if it has not fulfilled its obligations under this contract or has acted contrary to the Client's instructions. In the internal relationship, the parties are liable for this damage in proportion to their share of responsibility. If, in such a case, a person claims damages from one party in whole or in part, that party may demand indemnification or hold harmless from the other party to the extent that this corresponds to its share of responsibility.

f) As a company operating in Switzerland, the Contractor shall be obliged to provide information and accountability exclusively to Swiss authorities. Supporting or complying with official or sovereign acts of foreign states and authorities is prohibited under criminal law (Art. 271 StGB).

g) This contract shall be governed exclusively by Swiss law. The place of jurisdiction is Bern/BE.