General Terms and Conditions
1. Scope and subject matter of the contract
SLACE GmbH (“Service Provider”) provides platforms and associated services in relation to short message services and messenger services (“Messenger”) that are provided by third parties (“Messaging Operators”). These General Terms and Conditions govern the contractual relationship between the Service Provider and the customer for the use of the Service Provider’s platforms and services on the basis of orders to be separately concluded between the parties.
2. Conclusion of the contract
The contract comes into effect when the Service Provider accepts an order submitted by the customer. Any order forms submitted by the Service Provider to the customer do not constitute an offer in the legal sense, even if they are designated as such.
3. Scope of the platforms and services
The Service Provider offers services for different purposes and different services on the provided platforms. The exact scope of the services agreed is specified in the order form or any other contractual document agreed between the parties and the exact scope of such services is defined in the Additional Terms attached hereto.
4. Service Levels
The provision of the platform for use by the customer takes place at the access point of the Service Provider’s data center (“delivery point of service”). To use the platform, it is necessary that the customer has its own access to the Internet and accesses the platform at the delivery point of the service.
The platform shall have an overall availability of at least 99.5% per month at the access point of the service. Availability shall be defined as the customer’s ability to use all the main functions of the platform. The proof of availability shall depend on the measuring instruments of the Service Provider in the data center. For the avoidance of doubt it is clarified, that availability issues related to the Messenger itself and to the Network of the Messaging Operators will be treated at the sole discretion of the Messaging Operators and the obligation of SLACE in that regard is limited to processing such requests of the customer in a timely manner. Scheduled maintenance work will take place between 18:00 and 08:00 CET.
5. Rights of use for the services
For the duration of the contract and subject to full payment of the agreed remuneration, the Service Provider grants to the customer the worldwide, non-exclusive, non-transferable right to use the platform solely for the purposes of the contract as defined in the order form and these General Terms and Conditions. If agreed upon in the order, the customer may sublicense such right as specified in the order. The right of use expires at the end of the term of the contract.
6. Support Services
If specifically agreed in the order, the Service Provider will provide the customer with support services in case of disruptions to the services during business hours from Monday to Friday between 10.00 am and 6.00 pm CET/CEST with exception of public holidays with a response time of two business days.
Other support services that were ordered by the customer, in particular consulting and technical services, are invoiced to the customer by the Service Provider on a time and material basis. Before incurring any costs, the customer will be informed and asked for prior approval. The exclusive right of exploitation and use of the corresponding work results remains with the Service Provider. The customer is granted a right of use in accordance with clause 5. Any copyrights to the results that may have been created also remain with the Service Provider.
7. Compensation and invoicing
7.1 The remuneration for the use of the platform and the services is agreed in the contract. Unless otherwise agreed in individual agreements, for example in the contract, Service Provider shall be entitled to adjust the remuneration unilaterally in its reasonable discretion to the general price development in order to adjust to changed personnel or other operating costs but not more often than every 12 months. If an increase exceeds 10%, the customer is entitled to terminate the contractual relationship within four weeks of notification of the price increase with an effective termination at the end of the following calendar month. Until the termination takes effect, the old prices apply.
7.2 Invoicing to the customer is done in electronic form.
7.3 Unless otherwise agreed in the contract, fixed fees are charged at the beginning of the initial term or any subsequent renewal period (see section 13.1). One-off and monthly variable services are invoiced at the end of the month after the service has been provided. All fees are payable within 10 days after invoicing.
7.4 All agreed remunerations are net amounts and value added tax shall be charged in the amount required by law.
7.5 The set-off with counterclaims by the customer or the retention of payments due to such claims is only permitted if the counterclaims are undisputed or have been confirmed in a final court judgment.
7.6 Objections to the invoice must be made in writing to the Service Provider within 2 weeks of receipt of the invoice; otherwise, the invoice is deemed to have been approved. Legal claims of the customer in the event of objections after expiry of the deadline remain unaffected.
7.7 The assertion of the statutory rights of retention and refusal of performance is reserved.
7.8 In the event of default by the customer, the Service Provider is entitled to interest for default in the amount defined by statutory law.
8 Mutual information obligation
8.1 Each party will inform the other party immediately and before making a response about any requests or complaints or claims made by third parties in connection with the specific contractual services and shall furthermore endeavor to inform the other party of changes in the market if these might be of interest or importance to the other party.
9 Customer’s obligations, warranties and guarantees
9.1 During the term of the contract, the customer grants the Service Provider a non-exclusive, temporarily limited and locally restricted right to store, reproduce, process and transmit the content (“Media Content”) of the communications taking place via the platform, insofar as this is necessary for the fulfillment of the contractual obligations of the Service Provider.
9.2 The customer grants the Service Provider a permanent right for the use of anonymized statistics about the performance of and user behavior for the messages served through the platform.
9.3 The customer allows the Service Provider to be mentioned as a reference customer. Any publications shall be coordinated with the customer in advance.
9.4 The customer warrants and guarantees that its use of the short message services and the Messengers complies with applicable laws and the contractual agreements with and terms of the Messaging Operators or their CBPs.
9.5 The customer warrants and guarantees (i) that it is the owner of all necessary rights in the Media Content in order to grant the Service Provider the aforementioned rights, (ii) that the customer may freely dispose of them and (iii) that the Media Content is not encumbered with the rights of third parties.
9.6 In the course of the use of the platform the customer warrants and guarantees to store and/or to have processed by the Service Provider no illegal content and no content violating any laws or official orders.
9.7 The customer is aware that the Service Provider does not make separate backup copies of the Media Content and deletes it after pre-defined periods as defined in the customer’s contract. It is the customer’s responsibility to make backup copies of the Media Content on its own.
10 Warranties
10.1 Sections 536 and the following of the German Civil Code (BGB) apply to defects of the platforms. Liability which is independent of fault, is excluded for initial defects. The liability of the Service Provider, which is dependent on fault, remains in place. When determining whether the Service Provider is at fault, the customer acknowledges that software cannot in fact be created completely error-free. Therefore the time required for resolution of issues or the ability to resolve issues may vary inter alia depending on the specific circumstances of each problem, including, without limitation, the nature of the problem, the completeness and correctness of information available about the problem and the level of customer’s cooperation and responsiveness in providing information, access and support required to resolve the problem, and SLACE and its subcontractors cannot and do not guarantee that they will be able to resolve any incidents.
10.2 The rectification of defects is carried out at the choice of the Service Provider either by free repair or replacement.
10.3 A termination by the customer in accordance with Section 543 para 2, first sentence BGB due to non-granting of the contractual use is only possible if the Service Provider has been given sufficient opportunity to rectify the defect and this has failed.
10.4 The Service Provider shall not be responsible for the Internet access of the customer and/or the end customers, in particular for the availability and dimensioning of the internet access as well as of the Messengers. The customer is responsible for its Internet access to the delivery point of service.
11 Liability and Indemnification
11.1 The Service Provider shall be liable without limitation for damages resulting from injury to life, body or health, which are based on a breach of duty by the Service Provider, a legal representative or vicarious agents of the Service Provider.
11.2 The Service Provider is liable without limitation for damages caused by the Service Provider or a legal representative or vicarious agent of the Service Provider intentionally or by gross negligence.
11.3 In the case of a liability not subject to section 11.1 due to a slightly negligent breach of essential contractual obligations, i.e. an obligation which makes the proper execution of the contract possible in the first place and on the observance of which the customer regularly relies and may rely on, our liability shall be limited to such typical damages or such a typical extent of damage that were reasonably foreseeable at the time of conclusion of the contract.
11.4 Liability under the Product Liability Act remains unaffected.
11.5 Any other liability of the Service Provider is excluded.
11.6 The limitation period for claims for damages by the customer against the Service Provider is one year except in the cases of paragraphs 11.1, 11.2 or 11.4.
11.7 The customer shall indemnify and hold harmless the Service Provider from and against any costs (including reasonable attorney fees), claims and damages resulting from any violation of a warranty and guarantee given by the customer under these General Terms and Conditions or otherwise in connection with the contract for the provision of the platforms.
12 Data Protection
12.1 In the context of the services provided, the Service Provider processes personal data on behalf of the customer as defined in the contract. The customer is responsible for compliance with the GDPR towards the respective data subjects. In particular, it shall be the customer’s obligation to ensure that a legal basis (e.g. consent or contract) for the use of the services exists and that the information obligations under Articles 13 or 14 of the GDPR are fulfilled.
12.2 The provision of contractually agreed data processing takes place exclusively in the member states of the European Union or in another state that is party to the Agreement on the European Economic Area. Any transfer to a third country requires the prior consent of the customer and may only take place if the special conditions of Article 44 et seq. of the GDPR are fulfilled.
12.3 The subject of the processing of personal data shall be defined in the contract.
12.4 The categories of data subjects of the processing shall be defined in the contract for the different services.
12.5 The Service Provider shall establish the security in accordance with Art. 28 sec. 3 lit. c, 32 GDPR in particular in conjunction with Article 5 (1), paragraph 2 GDPR. Overall, the measures to be taken are data security measures to ensure a level of protection appropriate to the risk in terms of confidentiality, integrity, availability and resilience of systems. The state of the art, the implementation costs and the nature, scope and purposes of the processing, as well as the different probability and severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32(1) of the GDPR shall be taken into account. The measures taken are documented in Appendix 1. Appendix 1 shall be the basis of the processing.
The technical and organizational measures are subject to technical progress and further development. In this respect, the Service Provider is allowed to implement alternative adequate measures. The level of safety of the measures shall not fall short of the measures laid down. Significant changes shall be documented.
12.6 The Service Provider may not correct, delete or restrict the processing of the data that is processed on behalf of the customer on its own initiative, but only in accordance with the customer’s documented instructions and as defined in these General Terms and Conditions. Insofar as a data subject addresses the Service Provider directly in this regard, the Service Provider will immediately forward this request to the customer.
12.7 Only as far as the scope of services defined in the order includes these services, the deletion concept, the right to be forgotten, correction, data portability and information shall be ensured directly by the Service Provider in accordance with the documented instructions of the customer.
12.8 The Service Provider has appointed a data protection officer, whose contact details are available at https://www.slace.com/legal/privacy. The Service Provider has legal obligations in accordance with Articles 28 to 33 GDPR; in this respect, it shall ensure compliance with the following requirements:
– The Service Provider shall ensure that any person acting under its authority is obliged to maintain confidentiality and has previously been familiarized with the relevant data protection provisions for it. The Service Provider and any person acting under its authority who has access to personal data may process such data only in accordance with the customer’s instructions, which includes the powers granted in this contract, unless required to do so by law.
– The implementation and compliance with all technical and organizational measures required for this order in accordance with Art. 28 sec. 3 p. 2 lit. c, 32 GDPR [Details in Appendix 1].
– The customer and the Service Provider shall cooperate with the supervisory authority in the performance of their tasks upon request.
– The immediate information of the customer about control actions and measures of the supervisory authority, insofar as they relate to the order. This also applies to the extent that a competent authority determines in the context of an administrative or criminal procedure with regard to the processing of personal data during order processing at the Service Provider.
– The Service Provider shall support the customer to the best of its ability insofar as the customer is subject to a control by a supervisory authority, an administrative offence or criminal proceedings, the liability of a data subject or a third party or any other claim in connection with the processing by the Service Provider.
– The Service Provider regularly monitors internal processes as well as technical and organizational measures to ensure that the processing in its area of responsibility is carried out in accordance with the requirements of the applicable data protection laws.
– Providing evidence of the technical and organizational measures taken within the scope of the customer’s rights under clause 12.10.
12.9 The outsourcing to another processor or the replacement of another existing processor are permitted to the extent that: (i) the Service Provider notifies such outsourcing to another processor to the customer with a reasonable time in advance at least in text form, (ii) the customer does not object at least in text form and (iii) the subcontracting is based on a contractual agreement in accordance with Article 28 paragraphs 2-4 GDPR.
Subcontracting for the purpose of this Agreement is to be understood as meaning services that relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal / transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. The Service Provider shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the customer’s data, even in the case of outsourced ancillary services. The transfer of personal data of the customer to subcontractors and the commencement of processing shall only be undertaken after compliance with all requirements has been achieved. If the subcontractor provides the agreed service outside the EU/EEA, the Service Provider shall ensure compliance with EU Data Protection Regulations by appropriate measures. The same applies if Service Providers are to be used within the meaning of this paragraph’s second sentence. In the event of further and pre-indicated outsourcing by the subcontractor, all contractual arrangements in the contract chain shall also be imposed upon the further subcontractor.
Upon conclusion of the contract, the customer agrees to the use of the subcontractors in accordance with Appendix 2.
12.10 The customer has the right to carry out inspections in consultation with the Service Provider or to have them carried out by auditors to be appointed in individual cases. It has the right to convince itself of the Service Provider’s compliance with the contract by random inspections that shall be announced in good time.
The Service Provider shall ensure that the customer can verify compliance with the obligations of the Service Provider in accordance with Article 28 GDPR. The Service Provider undertakes to provide the customer with the necessary information upon request and, in particular, to demonstrate the implementation of the technical and organizational measures.
The Service Provider may claim compensation for the possibility of checks by the customer.
12.11 The Service Provider shall assist the customer in complying with the obligations for the security of personal data, data breach reporting requirements, data breaches, data protection assessments and prior consultations, as set out in Articles 32 to 36 of the GDPR. These include:
– Ensuring an adequate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events.
– The obligation to report personal data breaches to the customer without delay
– The obligation to assist the customer with regard to the customer’s obligation to provide information to the data subject concerned and, in this context, to provide him with all relevant information without delay
– Customer’s support for its data protection impact assessment
– Customer’s support in the context of prior consultations with the supervisory authority
For support services that are not included in the order or are not due to misconduct by the Service Provider, the Service Provider may claim compensation.
12.12 The customer shall immediately confirm oral instructions (at least in text form). The Service Provider shall inform the customer immediately if it considers an instruction to violate Data Protection Regulations. The Service Provider shall then be entitled to suspend the execution of the relevant instructions until the customer confirms or changes them.
12.13 Copies or duplicates of the data shall not be created without the knowledge of the customer, with the exception of back-up copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory requirements to retain data. After conclusion of the contracted work, or earlier upon request by the customer, at the latest upon termination of the Service Agreement, the Service Provider shall hand over to the customer or – subject to prior consent – destroy all documents, processing and utilization results, and data sets related to the contract that have come into its possession, in a data-protection compliant manner. The same applies to any and all connected test, waste, redundant and discarded material. The log of the destruction or deletion shall be provided on request. Documentation, which is used to demonstrate orderly data processing in accordance with the Order or Contract, shall be stored beyond the contract duration by the Service Provider in accordance with the respective retention periods. It may hand such documentation over to the customer at the end of the contract duration to relieve the Service Provider of this contractual obligation.
13 Term of the contract; Termination of access
13.1 The initial contract term is agreed in the contract. At the end of the initial term of the contract and each subsequent renewal period, the term shall be extended by the extension agreed in the order (“contract cycle”), unless a termination is declared before the expiry of the respective contract term and in compliance with the notice period. The notice period during the respective term is one third of the contract cycle (e.g. 4 months notice period for a 12 months contract cycle). The right of both parties to terminate the contract without notice for good cause remains unaffected by this.
13.2 In particular, the Service Provider has the right to terminate without notice for good cause in the following cases: (i) the customer becomes insolvent or over-indebted; (ii) an application is made for the opening of insolvency proceedings relating to the customer’s assets (without prejudice to the provisions of Section 112 InsO (German insolvency code)), or (iii) the customer is in default for the payment of the agreed ongoing remuneration for two consecutive months or for part of this which is not insignificant or for a period of more than two months is in default for the payment of the remuneration due that amounts to the remuneration to be paid for two months.
13.3 Termination must always be made in writing (post or email).
13.4 After the end of the contract period, the Service Provider may at any time delete the Media Content stored by the customer on the platform. Such deletion takes place one month after the end of the contract at the latest. After such deletion, it is no longer possible to grant access to the platform and the Media Content, even in case of a then following extension of the contract or the conclusion of a new contract. An export of the data stored at the end of the contract term (e.g. Media Content, customer information) must therefore be requested by the customer before the end of the contract period; without such a timely request an export cannot be guaranteed. Migration support is provided for a fee of 150€ per hour.
14 Confidentiality
The parties shall not make confidential information available to third parties during and after the end of the contract term and shall not use it for other purposes that do not serve the cooperation of the parties. Confidential information shall be (i) all information on the remuneration agreed between the parties, (ii) all information relating to the term of the contract, (iii) all technical information and know-how made available to the customer, and (iv) other information marked as confidential by either party.
The obligation of confidentiality does not apply to information that has become public or was already known to the other party without breach of confidentiality, or which must be disclosed to third parties by law, court or authority order.
The customer shall exercise the greatest possible care and take all measures that ensure the confidential, secure handling of IDs, passwords, usernames or other security devices provided to access the Platform and use the services the data and shall prevent their disclosure to third parties. The customer will be held responsible for the use of its passwords or usernames by third parties unless the customer can convincingly demonstrate that the reasons for such unauthorized access were out of its reasonable control. The customer shall inform the Service Provider immediately of any potential or known unauthorized use of its access details.
15 Changes to the contract
15.1 The Service Provider reserves the right to change the services offered insofar as the respective change is necessary to reflect changes that were unforeseeable at the time of the respective placement of the order and if the non-observance of such changes would affect the contractual balance between the Service Provider and the Customer, in particular to the extent that the Service Provider (i) is obliged to establish conformity of the services with the applicable law, in particular if the applicable legal situation changes; and/or (ii) in order to comply with a court ruling or government decision against the Service Provider, and/or (iii) must adapt the platform due to mandatory technical requirements of Messaging Operators.
15.2 At no time will the change of services restrict the fulfillment of the main contractual obligations of the Service Provider.
15.3 In cases other than clause 15.1, the Service Provider shall notify the Customer in advance of the changes to the Terms and Conditions. Insofar as the customer does not object to their validity within four weeks of receipt of the notification, the changes shall be deemed to have been accepted with effect for the future. If the customer objects to the changes, the Service Provider is entitled to terminate the contractual relationship. The Service Provider will point out the effect of silence and the right of termination in the notice.
15.4 The power to make amendments as per clause 15.3 shall neither relate to any change in the subject matter of the contract nor to changes of the main performance obligations which would lead to a change in the overall structure of the contract. In such cases, the Service Provider will notify the Customer of the intended changes and offer to continue the contractual relationship on the terms and conditions that are then amended.
16 Right to transfer the contract
The Service Provider may transfer the contract to a third party but shall inform the customer of any intended transfer with a prior written notice of four weeks, during which the customer shall have the right to object to such transfer. In case of such objection the transfer shall not take place, but the Service Provider shall have the right to terminate the contract.
17 Miscellaneous
17.1 The agreements concluded between the parties are subject to the substantive law of the Federal Republic of Germany with the exclusion of the UN Convention on Contracts for the International Sale of Goods and international private law.
17.2 The exclusive place of jurisdiction shall be at the registered office of the Service Provider.
17.3 Should one or more provisions of this contract be or become invalid, the validity of the remaining provisions shall not be affected.
17.4 The customer may not transfer the rights and obligations under the user contract to third parties permanently or temporarily without the prior written consent of the Service Provider.
Additional Terms for the Use of SLACE
1. Scope of the Services
SLACE is a software provided as a service, which allows the customer to control and manage communication taking place via Messengers and short message services by connecting with a) Messengers directly or b) through certified business partners of the Messaging Operators (“CBP”) that provide services to send, receive and manage the Messenger or c) in case of short message services by directly sending messages into the systems of the Messaging-Operators, which may also be done by the Service Provider via third party telecommunication providers. For the purpose of sending and receiving messages through and obtaining any associated meta or user data from the Messengers, the customer can use existing Open Messaging APIs in SLACE to connect to Messaging Operators’ or CBPs’ APIs and, if included in the contract, can build connectors to Messengers or integrate with CRM, Bot, Data and other platforms. Such connectors or custom API integrations can be created by the customer or third parties. Some Messenger connectors or 3rd-party integrations might be provided and maintained (possibly against extra charge) by the Service Provider.
Depending on the contract, the customer can connect various Messenger or short message accounts to SLACE and can activate various logins to grant access to the customer’s account with SLACE.
Depending on the contract it is for Messengers either a) the customer’s obligation to enter into the required contracts with certain Messaging Operators and any eventual CBPs, and to create the respective Messenger accounts, or b) the Service Provider may also act as a reseller of Messaging Operators or CBPs, or c) the Service Provider may set up the connections with the Messaging Operators and/or CBPs in the name and on behalf of the customer, for which the customer grants a power of attorney to the Service Provider. In the case of short message services, the Service Provider may, at its own discretion, use another telecommunications provider to feed the short messages into the system of the Messaging Operators (i.e. in this case, the mobile network operators). Currently, this is TENIOS GmbH, Oskar-Jäger-Straße 125, 50825 Cologne, Germany. The Service Provider may replace this telecommunications provider at any time, but is obliged, however, to ensure contractually that such a telecommunications provider complies with the statutory data protection provisions, in particular the GDPR, the Federal Data Protection Act (BDSG), the Telecommunications Act (TKG) as well as its provisions on telecommunications secrecy and the TTDSG.
In any case it is the customer’s obligation to ensure that its use of the short message services, Messengers and the CBPs complies with applicable laws as well as the contractual agreements with and terms of the Messaging Operators or CBPs respectively, including but not limited to those defined in the contract.
Since the short message services and Messengers are operated by the Messenger Providers and the systems of the CBPs are operated by the CBPs, the Service Provider is not responsible for the functionality and availability of the Messengers and the systems of the CBPs.
Unless specific short message services, Messengers or CBPs are agreed to in the contract, the Service Provider does not warrant that SLACE will operate with specific short message services, Messengers or CBPs, and it’s the customer’s obligation to ensure any eventually required interoperability with specific CBPs or Messengers through the use of existing connectors or the creation of its own connectors in SLACE. In this context the customer is informed that certain Messaging Operators or their CBPs might charge an extra fee.
The Customer can access SLACE over the internet through browsers which are expressly supported by the Service Provider. SLACE does not owe accessibility through any other than the expressly supported browsers.
SLACE includes a “Conversational Inbox” that enables the customer to manage communication taking place via the integrated short message services and Messengers and to administer users and conversations.
The Content Retention agreed in the contract defines how long the contents are stored in the Service Provider’s databases in order to display them in the Conversational Inbox. Please note that Message and Media Content will NOT be additionally backed-up. Logins as defined in the contract are the number of additional logins (“seats”) that can be created to have access to the customer’s account to the Platform’s dashboard and Messaging API. Certain rights and access control can be administered for those logins. If Automated Bot Conversations are agreed in the contract, SLACE includes an easy user interface which allows the customer to create a scripted bot that will converse with a person based entirely off of a preprogrammed script. It uses a decision tree model and other commands and also allows structured responses to be crafted. If Multitenancy is agreed in the contract, SLACE allows additional sub-accounts to be created within the Platform, whereby the service provided for one sub-account will not be visible for the other sub-accounts.
Any claims between the Parties and the CBPs based on any wrongdoing, act or omission of the Messaging Operators (an “Operator Breach”) are mutually excluded. However, in the event of an Operator Breach, the Parties will reasonably cooperate with each other and the CBP and support the damaged party or CBP in their dealings with the Operator.
2. Special Terms for selected Messengers
Certain Messengers have specific requirements so that the following terms are agreed for the relevant Messengers and Messaging Operators as defined hereinafter.
For the avoidance of doubt, as far as specific terms are mentioned or referred to hereinafter, these are not exhaustive and it is not said that no terms and conditions exist for Messaging-Operators that are not specifically mentioned. It is the customer’s obligation in accordance with Section 9.4 to ensure that he complies with the contractual agreements with and the conditions of the respective Messaging Operators.
2.1 WhatsApp
The use of the WhatsApp Business Solution is subject to the applicable WhatsApp Business Solution Terms (also referred to by WhatsApp and herein as “Business Terms”), at https://www.whatsapp.com/legal/business-solution-terms as well as the applicable WhatsApp legal terms and policies at https://www.whatsapp.com/legal#terms-of-service and https://www.whatsapp.com/policies/business-policy (altogether and together with all other applicable policies, guidelines and terms the “WhatsApp Terms”). The customer shall and warrants and guarantees to comply with the WhatsApp Terms.
The use of the WhatsApp Business Services requires setting up a WhatsApp Business Account (“WABA”) and appointing a system administrator. The customer authorizes the Service Provider to act as system administrator and grants a power of attorney to SLACE to appoint the companies listed at https://www.facebook.com/business/partner-directory/search?solution_type=messaging&sort_by=alpha as system administrator and to act on its behalf for all instructions and acts towards the system administrator and/or WhatsApp. All and any communication regarding the services provided with the system administrator and/or WhatsApp shall be made through the Service Provider and the customer shall not communicate directly with the system administrator and/or WhatsApp.
Depending on the exact scope agreed in the contract the services include the registration of WhatsApp Business Accounts either directly by Service Provider or through the system administrator including corresponding phone number with, and their ongoing administration towards, WhatsApp. Generally, there is no limitation of registrations, however, each registration is subject to approval by WhatsApp to be given or withheld in WhatsApp’s discretion.
Customer acknowledges and agrees to comply with the following requirements of WhatsApp: “Our Business Services are not intended for distribution to or use in any country where such distribution or use would violate local law. We reserve the right to limit our Business Services in any country at any time. Company will comply with all applicable U.S. and non-U.S. export control and trade sanctions laws (“Export Laws”). Company will not, directly or indirectly, export, reexport, provide, or otherwise transfer our Business Services: (a) to any individual, entity, or country prohibited by Export Laws; (b) to any individual or entity, or anyone owned or controlled by any individual or entity, on U.S. or non-U.S. government restricted parties lists; or (c) for any purpose prohibited by Export Laws, including nuclear, chemical, or biological weapons, or missile technology applications, without the required government authorizations. Company will not use or download our Business Services: (i) if it is located, or owned or controlled by anyone located, in a restricted country; (ii) if it is currently listed, or owned or controlled by anyone listed, on any U.S. or non-U.S. restricted parties list; (iii) for the benefit or on behalf of a restricted country or anyone listed on any U.S. or non-U.S. restricted parties list; or (iv) for any purpose prohibited by Export Laws. Company will not disguise its location through IP proxying or other methods.”
2.2 Telegram
Customer shall and warrants and guarantees to comply with the terms at https://telegram.org/tos. Depending on the exact scope agreed in the contract the services include the registration of the Telegram account in the name and on behalf of the customer including corresponding phone number and the administration of the Telegram account towards the Messaging Operator.
2.3 Viber
If the customer uses a Bot for Viber, the customer is obliged to send outgoing messages only to Viber users who have subscribed to such messages and did not unsubscribe.
The outbound messages shall at all times comply with the content standards set forth in the https://www.viber.com/terms/viber-advertising-policy/. The Customer shall only send outbound messages that relate to such Customer’s area of business.
Customer shall not send unsolicited traffic or knowingly transfer outbound messages that are classified as SPAM through the Viber Platform.
Viber PA, PC, Bot, Community and VAP Guidelines located at https://www.viber.com/terms/public-chat-public-accounts-terms-guidelines/ (the “BOT Terms”) and the Viber API Terms of Service located at https://developers.viber.com/docs/general/api-terms-of-service/ (the “API Terms”), as amended from time to time, will apply to the development and use of the Bot by the Customer and Company hereby acknowledges and accepts these.
The Messaging Operator of Viber has reserved the right to change, in its sole discretion, by 30 days’ written notification to the Service Provider, terms relating to any of the following: Bot Service Charge or any other fees, invoicing cycle, payment periods, monthly minimum amounts and product changes. Furthermore, the Messaging Operator has reserved the right to issue a price change to the Service Provider with at least seven (7) business days’ notice. Therefore, in addition to and in deviation from para. 7.1 and 15 of the GTC, the Service Provider may pass on eventual price changes with a prior notification of at least seven days to the Customer and, insofar as other contractual agreements are affected by a 30-day notification by the Messaging Operator, amend the contractual provisions concerned in this respect with a prior notice period of 30 days to the Customer. The Customer is entitled to terminate the contract in relation to the use of Viber within 7 days after the respective notification if he does not agree with any such amendment.
2.4 Facebook Messenger
The use of the Facebook Messenger is subject to the applicable Terms of Service at https://www.facebook.com/terms.php and the Customer warrants and guarantees to comply with these.
2.5 Instagram
The use of Instagram is subject to the applicable Terms of Use at https://help.instagram.com/581066165581870 and the Customer warrants and guarantees to comply with these.
3. Data Protection
The Service Provider will process personal data on behalf of the customer in SLACE. The data subjects are persons who have requested information from the customer, or who use the customer’s services under a contract or persons with whom the customer carries out pre-contractual measures. The subject of the processing is the management of the content of communication with and the contact details via Messengers of end users through SLACE as described herein. Furthermore, data subjects are also employees of the Client who use SLACE on behalf of the Client. In this context, the Service Provider will manage login and administrative data of these employees in order to enable them to perform their tasks within the Client’s organisation. In addition to the subcontractors defined in Appendix 2 of the Service Provider’s General Terms and Conditions, but always subject to a contractual agreement in accordance with Article 28 paragraphs 2-4 GDPR being in place as per Section 12.9 iii) of the Service Provider’s General Terms and Conditions, the Service Provider may also use the companies listed at https://www.facebook.com/business/partner-directory/search?solution_type=messaging&sort_by=alpha as subprocessors for SLACE and the customer consents to such use of these companies as subprocessors.
4. Miscellaneous
The General Terms and Conditions of the Service Provider shall apply. In case of any contradictions between the General Terms and Conditions and these Additional Terms and Conditions, these Additional Terms and Conditions shall prevail.
Additional Terms for the use of MessageLink
1. Scope of the Services
Under the MessageLink service the Service Provider will provide a link to the customer which leads to a URL, which is hosted by the Service Provider and which link the customer can integrate on its website or make available by other means, e.g. as a QR-Code or through NFC, so that customer’s users can access it and which, when accessed, depending on the exact scope agreed in the contract, will on the customer’s user’s device a) open a certain short message service or Messenger supported by MessageLink, b) initiate a certain short message service or Messenger supported by MessageLink in which a predefined message can be sent by the customer’s users to a predefined number (“Messaging-App-Call”), or c) initiate a certain short message service or Messenger in which a message pre-defined by customer will be created and can then be sent to a recipient defined by the customer’s user (“Tell-a-friend”).
If “Attribution” is agreed in the contract, MessageLink attributes messages sent under the Messaging-App-Call back to the source, so that such attribution back to the source enables the customer to transmit the information specifically and targeted to the request of the respective user.
2. Personal Data
2.1 MessageLink includes functionalities based on the customer’s user’s IP address to personalize and contextualize the services, particularly based on the user’s location. For this purpose SLACE processes the IP address of the customer’s users as a data processor on behalf of the customer. The IP address will not be stored beyond the end of the connection with the customer’s user.
2.2 As far as Attribution is agreed, SLACE uses different methods as a processor on behalf of the customer as the controller to enable the customer to attribute an individual user to the respective source of the user’s request, so that the customer can provide such user with an individual communication that is targeted at the specific source of such user. For this purpose, SLACE shall, on behalf of the customer, integrate parameters in the respective communication with the user and use cookies. Each of these methods is absolutely necessary in order to provide the targeted communication to the user, which was explicitly requested by such user in the context of the use of MessageLink.
3. Miscellaneous
The General Terms and Conditions of the Service Provider shall apply. In case of any contradictions between the General Terms and Conditions and these Additional Terms and Conditions, these Additional Terms and Conditions shall prevail.
Additional terms and conditions for SLACE CONNECT
SLACE CONNECT is an additional feature within SLACE that enables the exchange of message content to be sent via the supported short message services or Messengers. In doing so, a customer („Merchant“) can post such content in SLACE CONNECT and offer it to other customers („Publishers“) of SLACE for use as content of messages at conditions defined by him. Unless the two customers have otherwise concluded an agreement about the use of such message content, the relevant contract between the parties is concluded after the merchant placed a corresponding offer in SLACE CONNECT and the publisher accepts it via SLACE CONNECT. The text of the contract is stored within SLACE CONNECT and is accessible to both, the Publisher and the Merchant. Within SLACE CONNECT, the Merchant can review the entries made by him again before his offer is published and, if necessary, change them by clicking on the back button in the browser or by using the technical correction tools provided there. On the final page for the acceptance of a corresponding offer, the Publisher can once again review all conditions and, if applicable, entries made by him and, if entries have been made, change them by clicking on the back button in the browser or through the technical correction tools provided there. SLACE CONNECT is offered in German and English, so that the contract between Merchant and Publisher can be concluded in these languages. SLACE CONNECT provides statistics on the message content exchanged via SLACE CONNECT and transmitted by the publisher to end users. The Merchant is liable for the legality of the content of the message content transferred from the Merchant to the Publisher in SLACE CONNECT. The Publisher is liable for the lawfulness of the transmission of the message content to the respective end users of the short message services or Messengers, in particular for having obtained any necessary consent.
Appendix 1: Technical-organizational measures
1. Confidentiality (Art. 32(1b) GDPR)
1.1 Physical Access Control
Aim
The aim of physical access control is to prevent access by unauthorised persons to data processing facilities which are used for the processing or use of personal data.
Measures
a. Securing zones/rooms by means of
- security locks
- alarm systems
b. Google Cloud:
1.2 System Access Control
Aim
The objective of system access control is to prevent unauthorised persons from using data processing facilities used for the processing or use of personal data.
Measures
a. Protection of access to all data processing systems by means of user authentication
b. Availability of boot passwords (Desktop and Notebooks)
c. Full disk encryption (FDE) in Standby and powered down state.
d. Wi-Fi security:
- Weak features are disabled (e.g. WPS, WPA)
- Separate guest Wi-Fi
e. Login credentials are managed within a password manager
f. Strict authentication for highest-level protection
- Time-based One-time passwords (TOTP) + login credentials
- SSH tunnel using asymmetric cryptography (Public Key)
- 2FA
g. Authentication (username/password) for high-level protection
- Requirements for the passwords (using at least 8 characters)
h. Authentication data is solely transmitted in an encrypted form
i. Blocking of access in the case of failed attempts/inactivity and procedure for resetting blocked access identifiers
- Secure procedure for resetting blocked access (e.g. allocation of new user identifiers)
j. Determination of authorised persons
- The existence of role concepts (predefined user profiles)
- Always assigning access rights individually (personally)
- The circle of authorised persons is to be reduced to the minimum number required for operation of the company
- Regularly reviewing individual authorisations to assess whether they are necessary
k. Administration and documentation of personal means of authentication and access authorisations
- A process for the application, approval, allocation and resetting of means of authorisation and access is established, described and in use
- A responsible person is named for the allocation of access authorisations
- Absence substitution rules
l. Logging of access
- All successful and rejected access attempts are logged (identifiers, computer, and IP address used) and archived in an audit-proof form for at least 6 months
- Carrying out regular random tests in order to detect misuse
m. Measures at the user’s workplace
- When there are more than 5 minutes of inactivity at the workstation or the terminal, the password-protected screen saver is automatically activated by means of the operating system’s own mechanisms
- Workstations and terminals will be locked by employees against unauthorised use during temporary absence from the workstation
n. Google Cloud:
- ISO/IEC 27017 (https://cloud.google.com/security/compliance/iso-27017)
1.3 Data Access Control
Aim
Measures for data access control must be designed to ensure that those authorised to use a data processing system may only access the data in accordance with their access authorisation and that personal data cannot be read, copied, modified or removed without authorisation during the processing and use, and after the storage, thereof.
Measures
a. Use of passwords and defined password rules
b. Authorised individuals can only access data that is established in their individual authorisation profiles
c. Limitation of the scope of authorisations to the absolute minimum necessary for the performance of the relevant tasks or functions (in terms of logistics, timeframes etc.)
d. Administration and documentation of personal physical data access authorisations
- Authorisations are tied to a personal user identifier and to an account
e. Data access protocols
- All transactions where data are read, entered, changed and deleted are logged (user identifiers, transaction details) and archived in an audit-proof form for at least 6 months
f. Secure storage of data media
g. Encryption of data media
1.4 Data Separation Control
Aim
The objective of data separation control is to ensure that data collected for different purposes can be processed separately.
Measures
a. Implementation and documentation of the separation of functions (e.g. four-eye principle, closed-shop operations)
b. Implementation of regulations governing programming (e.g. separate test and live systems)
c. Regulations governing system and program reviews
d. There are technical and organisational regulations and measures for ensuring separate processing (storage, modification, deletion and transmission etc.)
e. And/or there are technical and organisational regulations and measures for storing data and/or data media with different contractual purposes
f. Implementation of a coordination and control system
g. System data with logical separation on application level
1.5 Pseudonymisation (Art. 32(1a) GDPR; Art. 25(1) GDPR)
Aim
The processing of personal data must – to the greatest extent possible – take place in such a way that the data can no longer be attributed to a specific person without reference to additional information, provided such additional information is stored separately and is subject to appropriate technical and organisational measures.
Measures
a. According to the instructions of the client.
2. Integrity (Art. 32(1b) GDPR)
2.1 Transfer Control
Aim
The aim of transfer control is to ensure that personal data cannot be read, copied, modified or removed by unauthorised parties during the electronic transmission of these data or during their transport or storage on a data carrier. It must be possible to verify and identify where a transmission of personal data by entities for data transmission purposes takes place.
Measures
a. Logging of every transfer (sending/receiving bodies)
b. The traffic between systems is protected via L2TP, IPsec (or equivalent safeguards)
c. Encryption of data transmitted between clients and servers (TLS 1.2/1.3)
d. A regulation is in place for the preparation of copies
e. A regulation is in place for the prevention of non-digital editions or onward transmission of datasets (i.e. no printouts)
f. Back-end transmissions
- Connection to the back-end systems is protected
- Connections between back-end systems are protected
- Data requiring a high level of protection are encrypted
- Data leaving the protected area (e.g. a data centre) is encrypted
g. Security gateways at network interconnection points
- There are network/hardware firewalls
- The firewalls are always activated
- The firewalls cannot be deactivated by the user
h. Secure storage of data
- Data are encrypted and stored (saved) locally
- Data are encrypted and stored in a database
- Data are also encrypted and stored in a backup
i. The use of mobile data media is kept to a minimum and limited solely to encrypted data
j. Administration of data media
- There are procedural regulations regarding the use of data storage devices
k. Procedure for erasure/destruction of data in accordance with data protection legislation
- Data are to be deleted from storage devices in a manner that conforms with data protection laws before those devices are used by other users; it is impossible to recreate the deleted data or this can only be done through excessive effort.
l. Erasure protocols
- The complete and permanent deletion of data or data storage devices with client data from the customer in a manner that conforms with data protection is to be logged
2.2 Input Control
Aim
The aim of Input Control is to ensure that appropriate measures are taken to enable the subsequent verification and determination of the particular circumstances under which the data entries are made.
Measures
a. Assignment of rights to enter, alter and erase data on the basis of an authorisation concept
b. Protocols for the entering, altering and erasure of data
c. Archiving of protocols in an audit-proof form for a period of 12 months
d. Traceability of any entering, altering and erasure of data through the use of individual user names (not user groups)
3. Availability and resilience (Art. 32(1b) GDPR)
Aim
The aim of availability control is to ensure that personal data are protected against accidental destruction or loss. Data processing systems are ‘resilient’ if they are so resistant that they are still capable of functioning even in the event of heavy access/utilisation. This applies, not least of all, to the targeted overloading of servers, to ensure availability despite an external attack, for example, from so-called (distributed) denial of service ((D)DoS) attacks.
Measures
a. Back-up concept
- There is a backup concept
- Backups occur daily
- A named person and his/her deputy are responsible for the backup
- Regular checks are carried out to verify that it is possible to restore the backup
b. There is a disaster recovery plan in place which lists and defines the steps to be initiated and the individuals (particularly on the side of the client) who are to be notified of the incident.
c. Storage of data back-ups in fire- and waterproof data security cabinets
d. Regular checking of the condition and labeling of data media used for data back-ups
e. Availability and regular testing of emergency generators and overvoltage protection devices
f. Permanent monitoring of operational parameters
g. Devices for monitoring the temperature and humidity in server rooms
h. Fire and smoke alarms
i. Alarms signaling any unauthorised access to server rooms
j. Existence of a current anti-virus program
k. Data managed on Google Cloud services:
4. Process for regularly testing, assessing and evaluation (Art. 32(1d) GDPR; Art. 25(1) GDPR)
4.1 Privacy Management
Aim
Controllers and contracted processors must not only establish the desired security measures and ensure their ‘long-term’ existence. They must also regularly subject the effectiveness of these measures to critical approval according to an appropriate process.
This obligation is based on the principle that only regular evaluation of the measures can ensure the necessary degree of data security in the long term. ‘Follow-up care’ in the form of technical and organisational measures takes place on the basis of external or internal audit reports as well as evaluations by users and other involved parties. This can take place, for example, by means of questionnaires or personal surveys. The data processor must evaluate the results of such surveys at regular intervals and undertake the necessary adjustment measures.
The GDPR does not set specific requirements for the regular cycle of such evaluation measures. The oversight authority sought to impose a flexible standard, and this results in a loss of legal certainty for those adhering to it. The timing of the evaluations depends on the changing fortunes of the risks to rights and freedoms caused by the processing process. New risks may result not only from technical changes but also from changes to previous processing practices. In general, as the size of the data pool, the complexity of the processing activities, and/or the number of (sub)contractors increase, so does the risk of attacks by third parties.
Measures
a. Appointed a data protection officer (Prof. Dr. Christoph Bauer, ePrivacy GmbH, Burchardstrasse 14, 20095 Hamburg).
b. Annual audit plan
c. Monitoring execution of the evaluation
d. Evaluating the findings
e. If necessary, adjusting the TOMs
4.2 Incident Response Management
Aim
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Measures
a. Determining possible cases of data breaches
b. Describing the process that is to take place in case of a data breach
c. Describing the responsibilities
d. Describing the technical procedure for eliminating a data breach
4.3 Data protection-oriented default settings (Art. 25(2) GDPR)
Aim
The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. Therefore, the controller must design its default settings (especially for online and telecommunications media) in such a way that only the data necessary for the specific processing purpose in question are processed.
That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. Such measures must, in particular, ensure through pre-settings that personal data are not made available to an indefinite number of natural persons without the intervention of the person.
Measures
a. Developing a concept for data protection through technology (‘privacy by design’)
b. Developing a concept for data protection-oriented default settings (‘privacy by default’)
c. Minimising the amount of data collected
d. Reducing the scope of data processing
e. Reducing storage periods
f. Making it harder to access data
4.4 Job control
Aim
The aim of monitoring contracts is to ensure that contract data processing as defined in Art. 28 of the GDPR takes place only as specifically instructed by the contracting party.
Measures
a. Selection of contractors on the basis of diligence (in particular with regard to data security)
b. Instructions to the contractor are issued in writing (e.g. through a customer data processing contract)
c. Contractors in IT & Development sign a declaration of commitment to maintaining confidentiality and data secrecy.
d. Effective rights of control are agreed upon with the contractor
e. Obligation of the contractor’s employees to data secrecy
f. Ensuring the destruction of data following completion of contracts
g. Ongoing reviews of contractors and their operations
Appendix 2: Existing subcontractors:
Subcontractor | Address / Country | Services |
Blue Focus Soft Sp. z o.o. | Ul. 1 May 18/540-284 Katowice, Poland | Programming and customer support services, APIs and data infrastructure |
Google Ireland Limited | Gordon House, Barrow Street, Dublin 4, Ireland | Provision and operation of server capacity and cloud computing services |
Appendix 3: Cookies
Number | Name of Domain | Name of Cookies | Purpose of the cookie | To whom are the contents of the cookies made available? | Structure of Cookie / example | Duration | Cookie category |
1 | .messagelink.com | guid | Attribution / Contact identification of Shopper End customers of the SLACE customers | SLACE | string identifier (LNElBokVcg) | 5 years or maximum cookie lifetime of the browser | Strictly necessary cookies |
2 | .messagelink.com | {organzization id} | Attribution / Contact identification of Shopper End customers of the SLACE customers | SLACE | string identifier (LNElBokVcg) | 5 years or maximum cookie lifetime of the browser | strictly necessary cookies |
3 | .slace.com | slace_state_{org_id} | SLACE Dashboard users | SLACE | {"organizationId":"","state":"interactions-edit","channelId":"qSCNIhhGzW","language":"en"} | Local Storage | functionality cookie |
4 | .api.slace.com | RID | SLACE dashboard users | SLACE | auth refresh token as string | 24h | strictly necessary cookies |
General Terms and Conditions | Version 3.11 | July 4th, 2024