Additional Terms for the Use of SLACE

1. Scope of the Services 

SLACE is a software provided as a service, which allows the customer to control and manage communication taking place via Messengers and short message services by connecting with a) Messengers directly or b) through certified business partners of the Messaging Operators (“CBP”) that provide services to send, receive and manage the Messenger or c) in case of short message services by directly sending messages into the systems of the Messaging-Operators, which may also be done by the Service Provider via third party telecommunication providers. For the purpose of sending and receiving messages through and obtaining any associated meta or user data from the Messengers, the customer can use existing Open Messaging APIs in SLACE to connect to Messaging Operators’ or CBPs’ APIs and, if included in the contract, can build connectors to Messengers or integrate with CRM, Bot, Data and other platforms. Such connectors or custom API integrations can be created by the customer or third parties. Some Messenger connectors or 3rd-party integrations might be provided and maintained (possibly against extra charge) by the Service Provider. 

Depending on the contract, the customer can connect various Messenger or short message accounts to SLACE and can activate various logins to grant access to the customer’s account with SLACE. 

Depending on the contract it is for Messengers either a) the customer’s obligation to enter into the required contracts with certain Messaging Operators and any eventual CBPs,and to create the respective Messenger accounts, or b) the Service Provider may also act as a reseller of Messaging Operators or CBPs, or c) the Service provider may set up the connections with the Messaging Operators and/or CBPs in the name and on behalf of the customer, for which the customer grants a power of attorney to the Service Provider. In the case of short message services, the Service Provider may, at its own discretion, use another telecommunications provider to feed the short messages into the system of the Messaging Operators (i.e. in this case, the mobile network operators). Currently, this is TENIOS GmbH, Oskar-Jäger-Straße 125, 50825 Cologne, Germany. The Service Provide may replace this telecommunications provider at any time, but is obliged, however, to ensure contractually  that such a telecommunications provider complies with the statutory data protection provisions, in particular the GDPR, the Federal Data Protection Act (BDSG), the Telecommunications Act (TKG) as well as its provisions on telecommunications secrecy and the TTDSG.

In any case it is the customer’s obligation to ensure that its use of the short message services, Messengers and the CBPs complies with applicable laws as well as the contractual agreements with and terms of the Messaging Operators or CBPs respectively, including but not limited to those defined in the contract. 

Since the short message services and Messengers are operated by the Messenger Providers and the systems of the CBPs are operated by the CBPs, the Service Provider is not responsible for the functionality and availability of the Messengers and the systems of the CBPs. 

Unless specific short message services, Messengers or CBPs are agreed to in the contract, the Service Provider does not warrant that SLACE will operate with specific short message services, Messengers or CBPs, and it’s the customer’s obligation to ensure any eventually required interoperability with specific CBPs or Messengers through the use of existing connectors or the creation of its own connectors in SLACE. In this context the customer is informed that certain Messaging Operators or their CBPs might charge an extra fee. 

The Customer can access SLACE over the internet through browsers which are expressly supported by the Service Provider. SLACE does not owe accessibility through any other than the expressly supported browsers. 

SLACE includes a “Conversational Inbox” that enables the customer to manage communication taking place via the integrated short message services and Messengers and to administer users and conversations.

The Content Retention agreed in the contract defines how long the contents are stored in the Service Provider’s databases in order to display them in the Conversational Inbox. Please note that Message and Media Content will NOT be additionally backed-up. Logins as defined in the contract is the number of additional logins (“seats”) that can be created to have access to the customer’s account to the Platform’s dashboard and Messaging API. Certain rights and access control can be administered for those logins. If Automated Bot Conversations are agreed in the contract, SLACE includes an easy user interface which allows the customer to create a scripted bot that will converse with a person based entirely off of a preprogrammed script. It uses a decision tree model and other commands and also allows to craft structured responses. If Multitenancy is agreed in the contract SLACE allows to create additional sub-accounts within the Platform, whereby the service provided for one sub-account will not be visible for the other sub-accounts.

Any claims between the Parties and the CBPs based on any wrongdoing, act or omission of the Messaging Operators (an “Operator Breach”) are mutually excluded. However, in the event of an Operator Breach, the Parties will reasonably cooperate with each other and the CBP and support the damaged party or CBP in their dealings with the Operator.

2. Special Terms for selected Messengers

Certain Messengers have specific requirements so that the following terms are agreed for the relevant Messengers and Messaging Operators as defined hereinafter.

For the avoidance of doubt, as far as specific terms are mentioned or referred to hereinafter, these are not exhaustive and it is not said that no terms and conditions exist for Messaging-Operators that are not specifically mentioned. It is the customer’s obligation in accordance with Section 9.4 to ensure that he complies with the contractual agreements with and the conditions of the respective Messaging Operators.

2.1 WhatsApp

The use of the WhatsApp Business Solution is subject to the applicable WhatsApp Business Solution Terms (also referred to by WhatsApp and herein as “Business Terms”), at https://www.whatsapp.com/legal/business-solution-terms as well as the applicable WhatsApp legal terms and policies at https://www.whatsapp.com/legal#terms-of-service and https://www.whatsapp.com/policies/business-policy (altogether and together with all other applicable policies, guidelines and terms the “WhatsApp Terms”). The customer shall and warrants and guarantees to comply with the WhatsApp Terms.

The use of the WhatsApp Business Services requires the setting up of a WhatsApp Business Account (“WABA”) and to appoint a system administrator. The customer authorizes the Service Provider to act as system administrator and grants a power of attorney to SLACE to appoint the companies listed at https://www.facebook.com/business/partner-directo-ry/search?solution_type=messaging&sort_by=alpha as system administrator and to act on its behalf for all instructions and acts towards the system administrator and/or WhatsAPP. All and any communication regarding the services provided with the system administrator and/or WhatsApp shall be made through the Service Provider and the customer shall not communicate directly with the system administrator and/or WhatsApp. 

Depending on the exact scope agreed in the contract the services include the registration of WhatsApp Business Accounts either directly by Service Provider or through the system administrator including corresponding phone number with, and their ongoing administration towards, WhatsApp. Generally, there is no limitation of registrations, however, each registration is subject to approval by WhatsApp to be given or withheld in WhatsApp’s discretion.

Customer acknowledges and agrees to comply with the following requirements of WhatsApp: “Our Business Services are not intended for distribution to or use in any country where such distribution or use would violate local law. We reserve the right to limit our Business Services in any country at any time. Company will comply with all applicable U.S. and non-U.S. export control and trade sanctions laws (“Export Laws”).   Company will not, directly or indirectly, export, reexport, provide, or otherwise transfer our Business Services: (a) to any individual, entity, or country prohibited by Export Laws; (b) to any individual or entity, or anyone owned or controlled by any individual or entity, on U.S. or non-U.S. government restricted parties lists; or (c) for any purpose prohibited by Export Laws, including nuclear, chemical, or biological weapons, or missile technology applications, without the required government authorizations. Company will not use or download our Business Services: (i) if it is located, or owned or controlled by anyone located, in a restricted country; (ii) if it is currently listed, or owned or controlled by anyone listed, on any U.S. or non-U.S. restricted parties list; (iii) for the benefit or on behalf of a restricted country or anyone listed on any U.S. or non-U.S. restricted parties list; or (iv) for any purpose prohibited by Export Laws. Company will not disguise its location through IP proxying or other methods.”

2.2 Telegram

Customer shall and warrants and guarantees to comply with the terms at https://telegram.org/tos. Depending on the exact scope agreed in the contract the services include the registration of the Telegram account in the name and on behalf of the customer including corresponding phone number and the administration of the Telegram account towards the Messaging Operator.

2.3 Viber

If the customer uses a Bot for Viber, the customer is obliged to send outgoing messages only to Viber users who have subscribed to such messages and did not unsubscribe. 

The outbound messages shall at all times comply with the content standards set forth in the https://www.viber.com/terms/viber-advertising-policy/. The Customer shall only send outbound messages that relate to such Customer’s area of business.

Customer shall not send unsolicited traffic or knowingly transfer outbound messages that are classified as SPAM  through the Viber Platform.

Viber PA, PC, Bot, Community and VAP Guidelines located at https://www.viber.com/terms/public-chat-public-accounts-terms-guidelines/ (the “BOT Terms”) and the Viber API Terms of Service located at https://developers.viber.com/docs/general/api-terms-of-service/ (the “API Terms”), as amended from time to time, will apply to the  development and use of the Bot by the Customer and Company hereby acknowledges and accepts these.

The Messaging Operator of Viber has reserved the right, in its sole discretion to change, in its sole discretion, by 30 days written notification to the Service Provider terms relating to any of the following: Bot Service Charge or any other fees, invoicing cycle, payment periods, monthly minimum amounts and product changes. Furthermore the Messaging Operator has reserved the right to has to issue a price change to Service Provider with at least seven (7) business days’ notice. Therefore, in addition to and in deviation from para. 7.1 and 15 of the GTC the Service Provider may pass on eventual price changes with a prior notification of at least seven days to the Customer and, insofar as other contractual agreements are affected by a 30-day notification by the Messaging-Operator, to amend the contractual provisions concerned in this respect with a prior notice period of 30 days to the Customer. The Customer is entitled to terminate the contract in relation to the use of Viber within 7 days after the respective notification if he does not agree with any such amendment.

2.4 Facebook Messenger

The use of the Facebook Messenger is subject to the applicable Terms of Service at https://www.facebook.com/terms.php and the Customer warrants and guarantees to comply with these. 

2.5 Instagram

The use of Instagram is subject to the applicable Terms of Use at https://help.instagram.com/581066165581870 and the Customer warrants and guarantees to comply with these.

3. Data Protection

The Service Provider will process personal data on behalf of the customer in SLACE. The data subjects are persons who have requested information from the customer, or which use the customer’s services under a contract or persons with whom the customer carries out pre-contractual measures. The subject of the processing is the management of the content of communication with and the contact details via Messengers of end users through SLACE as described herein. Furthermore, data subjects are also employees of the Client who use SLACE on behalf of the Client. In this context, the Service Provider will manage login and administrative data of these employees in order to enable them to perform their tasks within the Client’s organisation. In addition to the subcontractors defined in Appendix 2 of the Service Provider’s General Terms and Conditions, but always subject to a contractual agreement in accordance with Article 28 paragraphs 2-4 GDPR being in place as per Section 12.9 iii) of the Service Provider’s General Terms and Conditions, the Service provider may also use the companies listed at https://www.facebook.com/business/partner-directory/search?solution_type=messaging&sort_by=alpha as subprocessors for SLACE and the customer consents to such use of these companies as subprocessors.

 

4. Miscellaneous

The General Terms and Conditions of the Service Provider shall apply. In case of any contradictions between the General Terms and Conditions and these Additional Terms and Conditions, these Additional Terms and Conditions shall prevail.

 

Additional Terms for the use of MessageLink

1. Scope of the Services

Under the MessageLink service the  Service Provider will provide a link to the to the customer which leads to a URL, which is hosted by the Service Provider and which link the customer can integrate on its website or make available by other means, e.g. as a QR-Code or through NFC, so that customer’s users can access it and which, when accessed, depending on the exact scope agreed in the contract, will on the customer’s user’s device a) open a certain short message service or Messenger supported by MessageLink, b) initiate a certain short message service or Messenger supported by MessageLink in which a predefined message can be send by the customer’s users to a predefined number (“Messaging-App-Call”), or c) initiate a certain short message service or Messenger in which a message pre-defined by customer will be created and can then be sent to a recipient defined by the customer’s user (“Tell-a-friend”).  

If “Attribution” is agreed in the contract, MessageLink attributes messages sent under the Messaging-App-Call back to the source, so that such attribution back to the source enables the customer to transmit the information specifically and targeted to the requested of the respective user.

2. Personal Data

 2.1 MessageLink includes functionalities based on the customer’s user’s IP address to personalize and contextualize the services, particularly based on the user’s location. For this purpose the SLACE processes the IP address of the customer’s users as a data processor on behalf of the customer. The IP address will not be stored beyond the end of the connection with the customer’s user.

2.2 As far as Attribution is agreed, SLACE uses different methods as a processor on behalf of the customer as the controller to enable the customer to attribute an individual user to the respective source of the user’s request, so that the customer can provide such user with an individual communication that is targeted at the specific source of such user. For this purpose, SLACE shall, on behalf of the customer, integrate parameters in the respective communication with the user and use cookies. Each of these methods is absolutely necessary in order to provide the targeted communication to the user, which was explicitly requested by such user in the context of the use of MessageLink.

3. Miscellaneous

The General Terms and Conditions of the Service Provider shall apply. In case of any contradictions between the General Terms and Conditions and these Additional Terms and Conditions, these Additional Terms and Conditions shall prevail.

 

Additional terms and conditions for SLACE CONNECT

SLACE CONNECT is an additional feature within SLACE that enables the exchange of message content to be sent via the supported short message services or Messengers. In doing so, a customer („Merchant“) can post such content in SLACE CONNECT and offer it to other customers („Publishers“) of SLACE for use as content of messages at conditions defined by him. Unless the two customers have otherwise concluded an agreement about the use of such message content, the relevant contract between the parties is concluded after the merchant placed a corresponding offer in SLACE CONNECT and the publisher accepts it via SLACE CONNECT. The text of the contract is stored within SLACE CONNECT and is accessible to both, the Publisher and the Merchant. Within SLACE CONNECT, the Merchant can review the entries made by him again before his offer is published and, if necessary, change them by clicking on the back button in the browser or by using the technical correction tools provided there. On the final page for the acceptance of a corresponding offer, the Publisher can once again review all conditions and, if applicable, entries made by him and, if entries have been made, change them by clicking on the back button in the browser or through the technical correction tools provided there. SLACE CONNECT is offered in German and English, so that the contract between Merchant and Publisher can be concluded in these languages. SLACE CONNECT provides statistics on the message content exchanged via SLACE CONNECT and transmitted by the publisher to end users. The Merchant is liable for the legality of the content of the message content transferred from the Merchant to the Publisher in SLACE CONNECT. The Publisher is liable for the lawfulness of the transmission of the message content to the respective end users of the short message services or  Messengers, in particular for having obtained any necessary consent.

Appendix 1: Technical-organizational measures

 

1. Confidentiality (Art. 32(1b) GDPR)

 

1.1 Physical Access Control

Aim

The aim of physical access control is to prevent access by unauthorised persons to data processing facilities which are used for the processing or use of personal data.

 

Measures

a. Securing zones/rooms by means of

• security locks

• • alarm systems

b. Google Cloud:

• • • https://cloud.google.com/docs/security/infrastructure/design
    • https://cloud.google.com/security/compliance/soc-2
    • https://cloud.google.com/security/compliance/soc-3

 

1.2 System Access Control

Aim

The objective of system access control is to prevent unauthorised persons from using data processing facilities used for the processing or use of personal data.

 

Measures

a. Protection of access to all data processing systems by means of user authentication

b. Availability of boot passwords (Desktop and Notebooks)

c. Full disk encryption (FDE) in Standby and powered down state.

d. Wi-Fi security:

• Weak features are disabled (e.g. WPS, WPA)

• Separate guest Wi-Fi

e. Login credentials are managed within a password manager

f. Strict authentication for highest-level protection

• Time-based One-time passwords (TOTP) + login credentials

• SSH tunnel using asymmetric cryptography (Public Key)

• 2FA

g. Authentication (username/password) for high-level protection

• • Requirements for the passwords (using at least 8 characters)

h. Authentication data is solely transmitted in an encrypted form 

i. Blocking of access in the case of failed attempts/inactivity and procedure for resetting blocked access identifiers

• • Secure procedure for resetting blocked access (e.g. allocation of new user identifiers)

j. Determination of authorised persons

• • • The existence of role concepts (predefined user profiles)
    • Always assigning access rights individually (personally)
    • The circle of authorised persons is to be reduced to the minimum number required for operation of the company
    • Regularly reviewing individual authorisations to assess whether they are necessary

k. Administration and documentation of personal means of authentication and access authorisations

• • • • A process for the application, approval, allocation and resetting of means of authorisation and access is established, described and in use
      • A responsible person is named for the allocation of access authorisations
      • Absence substitution rules

l. Logging of access

• • • • • All successful and rejected access attempts are logged (identifiers, computer, and IP address used) and archived in an audit-proof form for at least 6 months
        • Carrying out regular random tests in order to detect misuse

m. Measures at the user’s workplace

• • • • • • When there are more than 5 minutes of inactivity at the workstation or the terminal, the password-protected screen saver is automatically activated by means of the operating system’s own mechanisms
          • Workstations and terminals will be locked by employees against unauthorised use during temporary absence from the workstation during temporary absence
            

n. Google Cloud:

• ISO/IEC 27017 (https://cloud.google.com/security/compliance/iso-27017)

 

1.3 Data Access Control

Aim

Measures for data access control must be designed to ensure that those authorised to use a data processing system may only access the data in accordance with their access authorisation and that personal data cannot be read, copied, modified or removed without authorisation during the processing and use, and after the storage, thereof.

 

Measures

a. Use of passwords and defined password rules

b. Authorised individuals can only access data that is established in their individual authorisation profiles

c. Limitation of the scope of authorisations to the absolute minimum necessary for the performance of the relevant tasks or functions (in terms of logistics, timeframes etc.)

d. Administration and documentation of personal physical data access authorisations

• • Authorisations are tied to a personal user identifier and to an account

e. Data access protocols

• • • All transactions where data are read, entered, changed and deleted are logged (user identifiers, transaction details) and archived in an audit-proof form for at least 6 months

f. Secure storage of data media

g. Encryption of data media

 

1.4 Data Separation Control

Aim

The objective of data separation control is to ensure that data collected for different purposes can be processed separately.

 

Measures

a. Implementation and documentation of the separation of functions (e.g. four-eye principle, closed-shop operations)

b. Implementation of regulations governing programming (e.g. separate test and live systems)

c. Regulations governing system and program reviews

d. There are technical and organisational regulations and measures for ensuring separate processing (storage, modification, deletion and transmission etc.) 

e. And/or there are technical and organisational regulations and measures for storing data and/or data media with different contractual purposes

f. Implementation of a coordination and control system

g. System data with logical separation on application level

 

1.5 Pseudonymisation (Art. 32(1a) GDPR; Art. 25(1) GDPR)

Aim

The processing of personal data must – to the greatest extent possible – take place in such a way that the data can no longer be attributed to a specific person without reference to additional information, provided such additional information is stored separately and is subject to appropriate technical and organisational measures.

 

Measures

a. According to the instructions of the client.

 

2. Integrity (Art. 32(1b) GDPR)

2.1 Transfer Control

Aim

The aim of transfer control is to ensure that personal data cannot be read, copied, modified or removed by unauthorised parties during the electronic transmission of these data or during their transport or storage on a data carrier. It must be possible to verify and identify where a transmission of personal data by entities for data transmission purposes takes place.

 

Measures

a. Logging of every transfer (sending/receiving bodies)

b. The traffic between systems is protected via L2TP, IPsec (or equivalent safeguards)

c. Encryption of data transmitted between clients and servers (TLS 1.2/1.3)

d. A regulation is in place for the preparation of copies

e. A regulation is in place for the prevention of non-digital editions or onward transmission of datasets (i.e. no printouts)

f. Back-end transmissions

• • Connection to the back-end systems is protected  
  • Connections between back-end systems is protected
  • Data requiring a high level of protection are encrypted 
  • Data leaving the protected area (e.g. a data centre) is encrypted

g. Security gateways at network interconnection points

• • • There are network/hardware firewalls
    • The firewalls are always activated
    • The firewalls cannot be deactivated by the user

h. Secure storage of data

• • • • Data are encrypted and stored (saved) locally 
      • Data are encrypted and stored in a database
      • Data are also encrypted and stored in a backup

i. The use of mobile data media is kept to a minimum and limited solely to encrypted data

j. Administration of data media

• • There are procedural regulations regarding the use of data storage devices

k. Procedure for erasure/destruction of data in accordance with data protection legislation

• • • Data are to be deleted from storage devices in a manner that conforms with data protection laws before those devices are used by other users; it is impossible to recreate the deleted data or this can only be done through excessive effort.

l. Erasure protocols

• • • • The complete and permanent deletion of data or data storage devices with client data from the customer in a manner that conforms with data protection is to be logged

 

2.2 Input Control

Aim

The aim of Input Control is to ensure that appropriate measures are taken to enable the subsequent verification and determination of the particular circumstances under which the data entries are made.

Measures

a. Assignment of rights to enter, alter and erase data on the basis of an authorisation concept

b. Protocols for the entering, altering and erasure of data 

c. Archiving of protocols in an audit-proof form for a period of 12 months

d. Traceability of any entering, altering and erasure of data through the use of individual user names (not user groups)

 

3. Availability and resilience (Art. 32(1b) GDPR)

Aim

The aim of availability control is to ensure that personal data are protected against accidental destruction or loss. Data processing systems are ‘resilient’ if they are so resistant that they are still capable of functioning even in the event of heavy access/utilisation. This applies, not least of all, to the targeted overloading of servers, to ensure availability despite an external attack, for example, from so-called (distributed) denial of service ((D)DoS) attacks.

 

Measures

a. Back-up concept

• • There is a backup concept
  • Backups occur daily
  • A named person and his/her deputy are responsible for the backup
  • Regular checks are carried out to verify that it is possible to restore the backup

b. There is a disaster recovery plan in place which lists and defines the steps to be initiated and the individuals (particularly on the side of the client) who are to be notified of the incident.

c. Storage of data back-ups in fire- and waterproof data security cabinets

d. Regular checking of the condition and labeling of data media used for data back-ups

e. Availability and regular testing of emergency generators and overvoltage protection devices

f. Permanent monitoring of operational parameters

g. Devices for monitoring the temperature and humidity in server rooms 

h. Fire and smoke alarms

i. Alarms signaling any unauthorised access to server rooms

j. Existence of a current anti-virus program

k. Data managed on Google Cloud services:

• • https://services.google.com/fh/files/misc/infrastructure_design_for_availability_and_resilience_wp.pdf

 

4. Process for regularly testing, assessing and evaluation (Art. 32(1d) GDPR; Art. 25(1) GDPR)

 

4.1 Privacy Management

Aim

Controllers and contracted processors must not only establish the desired security measures and ensure their ‘long-term’ existence. They must also regularly subject the effectiveness of these measures to critical approval according to an appropriate process. 

This obligation is based on the principle that only regular evaluation of the measures can ensure the necessary degree of data security in the long term. ‘Follow-up care’ in the form of technical and organisational measures takes place on the basis of external or internal audit reports as well as evaluations by users and other involved parties. This can take place, for example, by means of questionnaires or personal surveys. The data processor must evaluate the results of such surveys at regular intervals and undertake the necessary adjustment measures. 

The GDPR does not set specific requirements for the regular cycle of such evaluation measures. The oversight authority sought to impose a flexible standard, and this results in a loss of legal certainty for those adhering to it. The timing of the evaluations depends on the changing fortunes of the risks to rights and freedoms caused by the processing process. New risks may result not only from technical changes but also from changes to previous processing practices. In general, as the size of the data pool, the complexity of the processing activities, and/or the number of (sub)contractors increase, so does the risk of attacks by third parties.

 

Measures

a. Appointed a data protection officer (Prof. Dr. Christoph Bauer, ePrivacy GmbH, Burchardstrasse 14, 20095 Hamburg).

b. Annual audit plan

c. Monitoring execution of the evaluation

d. Evaluating the findings

e. If necessary, adjusting the TOMs

 

4.2 Incident Response Management

Aim

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

 

Measures

a. Determining possible cases of data breaches

b. Describing the process that is to take place in case of a data breach

c. Describing the responsibilities

d. Describing the technical procedure for eliminating a data breach

 

4.3 Data protection-oriented default settings (Art. 25(2) GDPR)

Aim

The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. Therefore, the controller must design its default settings (especially for online and telecommunications media) in such a way that only the data necessary for the specific processing purpose in question are processed.

That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. Such measures must, in particular, ensure through pre-settings that personal data are not made available to an indefinite number of natural persons without the intervention of the person.

Measures

a. Developing a concept for data protection through technology (‘privacy by design’)

b. Developing a concept for data protection-oriented default settings (‘privacy by default’)

c. Minimising the amount of data collected

d. Reducing the scope of data processing

e. Reducing storage periods

f. Making it harder to access data

 

4.4 Job control

 

Aim

The aim of monitoring contracts is to ensure that contract data processing as defined in Art. 28 of the GDPR takes place only as specifically instructed by the contracting party.

 

Measures

a. Selection of contractors on the basis of diligence (in particular with regard to data security) 

b. Instructions to the contractor are issued in writing. (e.g. through a customer data processing contract) 

c. Contractors in IT & Development sign a declaration of commitment to maintaining confidentiality and data secrecy.

d. Effective rights of control are agreed upon with the contractor

e. Obligation of the contractor’s employees to data secrecy

f. Ensuring the destruction of data following upon completion of contracts

g. Ongoing reviews of contractors and their operations

 

Appendix 2: Existing subcontractors:

 

Subcontractor	Address / Country	Services
Blue Focus Soft Sp. z o.o.	Ul. 1 May 18/540-284 Katowice, Poland   Poland	Programming and customer support services, APIs and data infrastructure
Google Ireland Limited	Gordon House Barrow Street Dublin 4 Ireland	Provision and operation of server capacity and cloud computing services

 

Appendix 3: Cookies

Number	Name of Domain	Name of Cookies	Purpose of the cookie	To whom are the contents of the cookies made available?		Structure of Cookie / example		Duration	Cookie category
1	.messagelink.com	guid	Attribution / Contact identification of Shopper End customers of the  SLACE customers	SLACE		string identifier (LNElBokVcg)		5 years or maximum cookie lifetime of the browser	Strictly necessary cookies
2	.messagelink.com	{organzization id}	Attribution / Contact identification of Shopper End customers of the  SLACE customers	SLACE		string identifier (LNElBokVcg)		5 years or maximum cookie lifetime of the browser	strictly necessary cookies
3	.slace.com	slace_state_{org_id}	SLACE Dashboard users	SLACE		{„organizationId“:““,“state“:“interactions-edit“,“channelId“:“qSCNIhhGzW“,“language“:“en“}		Local Storage	functionality cookie
4	.api.slace.com	RID	SLACE dashboard users	SLACE		auth refresh token as string		24h	strictly necessary cookies

General Terms and Conditions | Version 3.11 | July 4th, 2024