buynomics GmbH, Im Mediapark 7, 50670 Cologne, Germany, as Licensor (hereinafter referred to as “buynomics” or “Licensor”) provides access to its Software as a Service solutions (“SaaS-Solutions”) towards business customers (“Licensee”). If a Licensee or any employee or representative of a Licensee subscribes to a SaaS-Solution, an agreement is concluded between Licensee and Licensor in accordance with these terms and conditions (“SaaS-Agreement”).
Section 1 – Scope of application; Subject of the SaaS-Agreement
(1) The subject of this SaaS-Agreement is the provisioning and maintenance of Licensor’s SaaS-Solutions, within the scope of the availability according to Section 4, as described with all relevant features under www.buynomics.com/solution/#product. The main features of the buynomics pricing platform, a SaaS-Solution of Licensor, are:
- The platform allows users to integrate all their relevant pricing data (e.g., sales data, conjoint analyses) to be used for pricing decisions
- The platform allows users to configure their product offer and simulate the effects on sales, revenue, and profit – and choose the best option among different scenarios
- The platform helps users optimize their prices
(2) Further services, like training or customizing are not subject to this SaaS-Agreement and may be requested separately.
(3) The SaaS-Solutions of Licensor are only offered to entrepreneurs within the meaning of Sec. 13 German Civil Code (i.e. entrepreneur means a natural or legal person or a partnership with legal personality who or which, when entering into a legal transaction, acts in exercise of his or its trade, business or profession).
(4) These Terms and Conditions apply exclusively to the use of the SaaS-Solution. The Licensee’s Terms and Conditions are not applicable. This also applies in the event that Licensor has not expressly rejected Licensee’s Terms and Conditions.
Section 2 – Further development; Support
(1) Licensor may further develop the range of functions of the SaaS-Solutions, unless original functionality is substantially limited thereby.
(2) The SaaS-Solutions are free from errors, if they fulfil the functions contained in the product description of buynomics (see https://www.buynomics.com/solution/#product) as amended from time to time or separately agreed upon. Licensor does not warrant that the functions of the SaaS-Solution meet the requirements for a specific use case of Licensee, unless otherwise agreed contractually.
(3) Licensor provides a ticket system. All error messages have to be submitted via the ticket system by Licensee. Licensee is to provide reasonable assistance to Licensor in analyzing errors, for example, through screenshots or system descriptions. Error messages are to be sent to Licensor as promptly as possible. If a SaaS-Solution is defective, Licensor shall – within a reasonable time – remedy reported errors insofar as a reported error is reproducible.
Section 3 – Rights of use; Open Source Components
(1) The SaaS-Solutions of Licensor are protected by copyright. Licensor shall grant Licensee no rights of use and exploitation exceeding the intended use. The scope of the intended use arises from these SaaS-Agreements and the specific subscription model. Any further use, exploitation, modification and duplication shall be prohibited. Licensor is not allowed to sub-license the right to use of a SaaS-Solution.
(2) For the operation and the use of the SaaS-Solution, the system and software requirements specified by Licensor as laid down under www.buynomics.com must be complied with. Compliance with the system requirements lies solely in Licensee’s area of responsibility.
(3) Licensee shall not be entitled to edit the SaaS-Solution or to make any changes to it. The source code shall remain solely with Licensor. The rights of Licensee to decompile according to Sections 69d and 69e German Copyright Act shall remain unaffected.
(4) Licensee shall not be authorized to remove or change copyright notices, trademarks, ownership information as well as other features for the identification of Licensor of the SaaS-Solution.
(5) Licensee shall be entitled to permit Licensee’s employees to use the SaaS-Solution, if such employees are registered as users according to Section 5. Licensee ensures that such employees will comply with the terms of the SaaS-Agreement. The granting of additional rights of use is solely the responsibility of Licensor. Licensee shall be liable for infringements of the terms of the SaaS-Agreement by Licensee’s employees as for Licensee’s own infringements and shall notify Licensor of any violations without undue delay. Any exceeding transfer of rights of use to third parties shall not be permitted.
Section 4 – Availability
(1) The SaaS-Solutions of Licensor are available 99% of the time on an annual average.
(2) Maintenance services announced at least seven (7) days in advance (at a maximum of 3 hours/week on an annual average) will not be considered in the calculation of Section 4(1).
(3) Licensor endeavors to perform maintenance services at times at which – on average – the SaaS-Solutions are not used frequently (i.e. on the weekend).
Section 5 – Registration; Account
(1) For each Licensee an administrator account is created in which the Licensee can activate employees and representatives for the use of the SaaS-Solution. For each employee and representative a separate user account has to be created. Only employees and representatives of the Licensee are allowed to be provided with a user account.
(2) For the creation of each account, a full name, address and e-mail-address have to be indicated. The Licensee ensures the accuracy of account information and keeps this information up-to-date.
(3) An account is personalized and may only be used by the registered employee and/or representatives.
(4) The Licensee is obliged to use secure passwords (at least 8 characters, including a special character) and not to keep any written notes about passwords. Passwords shall not consist of an easy-to-guess word/expression, for example, a person’s name or date of birth, or a word/expression that is used to access other services. The Licensee commits its employees who have a user account to a correspondingly careful handling of passwords.
(5) Licensor may suspend a user account / administrator account if there are indications that it has been used without authorization and/or indications of attempted or unauthorized access to the SaaS-Solution from the user account / administrator account or the backend systems of Licensor (“hacking”). In such a case, Licensor will promptly notify the Licensee via the e-mail address linked to the user account / administrator account and allow him access again via the creation of new accounts, unless there are facts which suggest that the Licensor or one of his employees attempted to gain unauthorized access to the Licensor’s systems.
(6) Access to the SaaS-Solution requires an Internet browser (Google Chrome is recommended) in its current version. The device that calls the SaaS-Solution must be connected to the Internet.
Section 6 – Liability
(1) Licensor shall have unlimited liability in case of intentional or grossly negligent breaches of obligation, damage to life, body or health, both within the statutory framework in accordance with mandatory laws, such as in accordance with the German Product Liability Act or the product safety acts. In addition, Licensor shall be liable within the scope of guarantees assumed.
In case of slightly negligent breaches of material contractual obligations, Licensor shall have unlimited liability regarding typically foreseeable damage. These are obligations whose fulfilment actually enables the performance of the contract and on the compliance with which the contractual partner may regularly rely.
Liability for slight negligence is otherwise excluded.
If liability in accordance with the aforementioned provisions is excluded, this shall also apply to the agents and vicarious agents of Licensor.
(2) Licensor shall not be liable for damage arising from settings in the SaaS-Solutions for which Licensor is not responsible.
(3) Occurrences of force majeure (including strikes, lockouts and similar occurrences, insofar as they cannot be foreseen, are severe, and are not the fault of Licensor), which make it significantly more difficult or impossible for Licensor to provide the services owed, shall entitle Licensor to postpone the performance of the obligations by the duration of the obstacle and an appropriate start-up period.
(4) Licensor shall be liable for additional cost incurred during the use of SaaS-Software (in particular, for the cost of data transfer via mobile communications including data roaming) only if Licensor is responsible for intent, gross negligence or the breach of material contractual duties.
Section 7 – Licensee’s duty of care and security
(1) Licensee is obliged to use an up-to-date virus scanner / inspection program to check files that Licensee uploads to buynomics in advance for viruses, worms, trojan horses, etc. that may impair the integrity of files and/or computer hardware and software, and only to upload files that are free of such components. Licensor shall, insofar as it discovers such files or components, notify Licensee thereof without undue delay. If such files or components pose a direct risk to the functioning or integrity of the services of Licensor or the facilities of third parties, Licensor may delete such data or components in order to avoid damage. This may be done even without informing Licensee in advance if the associated risk cannot be mitigated in any other way with appropriate financial and time effort.
(2) If there are signs of use contrary to these Terms and Conditions, Licensor shall be entitled, taking into account the severity of the breach with regard to the interests of Licensee, to block the access of Licensee and/or individual employees to SaaS-Solution until the signs are refuted. Licensee shall be notified thereof. If this means that Licensee can no longer use the SaaS-Solution, Licensee shall not be entitled to an extraordinary right of termination.
Section 8 – Payment models; Termination
(1) The license fees accrue per user account, and if not agreed otherwise, the following terms apply.
(2) If Licensee chooses an annual subscription, the payment becomes due after the start of each 12-month period. The annual subscription may be terminated by notice 3 months prior to the end of a 12-month period. The termination notice must be submitted in text form (i.e. e-mail). If the annual subscription is not terminated, it is automatically prolonged for a further 12-month period.
(3) If Licensee chooses a monthly subscription, the payment becomes due on the first work day of each month. For the first month the fee must be paid pro rata temporis. The monthly subscription may be terminated by notice 3 days prior to the end of a month. The termination notice must be submitted in text form (i.e. e-mail). If the monthly subscription is not terminated, it is automatically prolonged for a further month.
(4) The subscription fee does not include manual services. Licensor may charge extra services, which include manual work, separately. Details will be defined in a separate agreement.
(5) The prices and terms for the paid services shall apply in accordance with the Licensor’s price list agreed at the time of the agreement or valid at the time of later extensions, or with separately agreed terms and conditions. If there is a price increase of more than 4% of the previous fee in accordance with the price list at the time of an extension, Licensee shall be entitled to terminate this agreement. Paid services shall be extended automatically if determined in the price list or in separately agreed terms and conditions for the service and if they are not terminated within the notice period stated in the price list or other separately agreed terms and conditions. Termination for good cause shall remain unaffected.
(6) If due license payment is not received, Licensor may charge interest on arrears at the level defined by statutory German law. Licensor shall, furthermore, be entitled, without prejudice to other rights, to block Licensee’s use of the SaaS-Solution after issuing a reminder giving a reasonable deadline for the payment.
(7) Licensor shall be entitled to terminate this license agreement for good cause, in particular in case of serious breaches of these Terms and Conditions or in the event of infringement of Licensor’s copyrights in the SaaS-Solution. Any and all of Licensee’s rights of use shall expire upon receipt of the notice of termination. In less severe cases, Licensor shall allow Licensee a grace period to correct the situation. If the issue occurs repeatedly, Licensor shall be entitled to terminate the agreement without notice.
Section 9 – Amendments of these Terms and Conditions
The Terms and Conditions and the SaaS-Agreements based upon them may be amended or supplemented at Licensor’s discretion to an extent that is reasonable for Licensee. In such event, Licensee shall be notified in writing (e.g., to the email address provided by Licensee or via the information service for the product) not less than six weeks prior to the change coming into effect. The amended or supplemented Terms and Conditions shall apply unless Licensee objects prior to the date when they come into effect. Licensor is obliged to inform Licensee about the consequences of an omitted objection. If the changes to the Terms and Conditions and the SaaS-Agreements do not significantly affect Licensee (for example because the changes consist only of the addition of a further product or a change of a technical term), Licensee does not have the right to object. If Licensee does object, Licensor may terminate this agreement with a notice period of one month after notification of the objection.
Section 10 – Data processing
Licensor processes personal data of Licensee and Licensee’s employees in accordance with Art 28 General Data Protection Regulation (“GDPR”) based on the terms and conditions of commissioned data processing of buynomics (Annex 1),
- if Licensee is based in the EU and/or
- if Licensee conducts business in the EU and/or
- if Licensee uploads personal data of individuals who live and/or work in the EU
- if the GDPR is applicable due to any other reason based on Art 2 and 3 GDPR.
Section 11 – Final provisions
(1) Should individual provisions of these Terms and Conditions be or become ineffective, they shall be replaced by provisions most closely resembling the economic intent of the ineffective provision. Should a provision of these Terms and Conditions be or become ineffective, the effectiveness of the remaining provisions of these Terms and Conditions or agreements shall remain unaffected.
(2) This agreement shall be governed by and construed in accordance with the laws of Germany. Exclusive legal venue shall be Cologne, Germany, where Licensee is a legal entity under public law.
Terms and conditions of commissioned data processing of buynomics
§ 1 Subject matter and duration of the Data Processing Agreement
(1) The subject matter of this Data Processing Agreement is the data processing conducted by buynomics (“Supplier”) for any customer of buynomics (“Client”) within the framework of a SaaS-Agreement and/or any further services agreement (hereinafter collectively referred to as “Service Agreement”). Client is and continues to be the controller of the processed personal data.
(2) Nature and purpose of the intended processing of data are precisely defined in the Service Agreement.
(3) The duration of this Data Processing Agreement corresponds to the duration of the Service Agreement.
(4) The subject matter of the processing of personal data comprises the following data types/categories:
- Names and position of Controller’s employees
- E-Mail Addresses and Account data of Controller’s employees
- Transaction data/ payment data – which also might include personal data
(5) The categories of data subjects comprise:
- Client’s employees
- Client’s customers
§ 2 International data transfer
(1) The undertaking of the contractually agreed processing of data shall be carried out exclusively within a member state of the European Union (EU) or within a member state of the European Economic Area (EEA), unless Client has its seat outside the EU and EEA.
(2) Supplier subcontracts Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg (“AWS”) and has selected the exclusive usage of data centers in Germany.
(3) Each and every transfer of data to a state which is not a member state of either the EU or the EEA requires the prior agreement of the Client and shall only occur if the specific conditions of Article 44 et seq. GDPR have been fulfilled.
§ 3 Technical and organizational measures
(1) The Supplier shall establish the security in accordance with Article 28 Paragraph 3 Point c, and Article 32 GDPR in particular in conjunction with Article 5 Paragraph 1, and Paragraph 2 GDPR. The measures to be taken are measures of data security and measures that guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 Paragraph 1 GDPR must be taken into account.
(2) Supplier refers to the “AWS Security Standards”, as laid down in the AWS GDPR Data Processing Addendum.
(3) Supplier organizes its own internal IT security according to the standards of ISO 27001.
(4) The technical and organizational measures are subject to technical progress and further development. In this respect, it is permissible for the Supplier to implement alternative adequate measures. In doing so, the security level of the defined measures must not be reduced. Substantial changes must be documented.
§ 4 Authority of the Client to issue instructions
(1) The Client shall immediately confirm oral instructions (at the minimum in text form).
(2) The Supplier shall inform the Client immediately if he considers that an instruction violates data protection regulations. The Supplier shall then be entitled to suspend the execution of the relevant instructions until the Client confirms or changes them.
(3) The Supplier may not on its own authority rectify, erase or restrict the processing of data that is being processed on behalf of the Client, but only on documented instructions from the Client.
(4) Insofar as a data subject contacts the Supplier directly concerning a rectification, erasure, or restriction of processing, the Supplier will immediately forward the data subject’s request to the Client.
(5) Insofar as it is included in the scope of services, the erasure policy, ‘right to be forgotten’, rectification, data portability and access shall be ensured by the Supplier in accordance with documented instructions from the Client without undue delay. Even if the aforementioned services are not included in the scope, Supplier supports Client in complying with Article 17 GDPR (’deletion of data’).
§ 5 General duties of the Supplier
(1) In addition to complying with the rules set out in this Data Processing Agreement, the Supplier shall comply with the statutory requirements referred to in Articles 28 to 33 GDPR; accordingly, the Supplier ensures, in particular, compliance with the following requirements:
- Confidentiality in accordance with Article 28 Paragraph 3 Sentence 2 Point b, Articles 29 and 32 Paragraph 4 GDPR. The Supplier entrusts only such employees with the data processing outlined in this contract that have been bound to confidentiality and have previously been familiarized with the data protection provisions relevant to their work.
- Insofar as the one party is subject to an inspection by the supervisory authority, an administrative offence or criminal procedure, a liability claim by a data subject (for example claims based on Article 15 to Article 21 or 82 GDPR) or by a third party or any other claim in connection with the Data Processing Agreement, the parties shall make every effort to support the other party.
- Supplier and Client support each other in drafting the necessary records of processing activities according to Article 30 Paragraph 1 and 2 GDPR.
- Supplier shall mark the data which is stored and processed according to this Data Processing Agreement with the aim of making all data identifiable as Client’s data and clearly assignable to the Client.
(2) The Supplier shall assist the Client in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations, referred to in Articles 32 to 36 of the GDPR. These include:
- Ensuring an appropriate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events.
- The obligation to report a personal data breach immediately to the Client
- The duty to assist the Client upon request with regard to the Client’s obligation to provide information to the data subject concerned and to immediately provide the Client with all relevant information in this regard.
- Supporting the Client upon request with its data protection impact assessment.
- Supporting the Client upon request with regard to prior consultation of the supervisory authority.
§ 6 Subcontracting
(1) Subcontracting for the purpose of this Agreement is to be understood as meaning services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal / transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. The Supplier shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the Client’s data, even in the case of outsourced ancillary services.
(2) Outsourcing to subcontractors or changing the existing subcontractor are permissible when:
- The Supplier submits such an outsourcing to a subcontractor to the Client in writing or in text form with appropriate advance notice; and
- The Client has not objected to the planned outsourcing in writing or in text form by the date of handing over the data to the Supplier; and
- The subcontracting is based on a contractual agreement in accordance with Article 28 paragraphs 2–4 GDPR.
(3) Currently the following subcontractor provides services on which the SaaS-Solutions of Supplier are based:
- Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg (“AWS”): Hosting, Cloud Services
§ 7 Supervisory powers of the Client
(1) The Client has the right, after consultation with the Supplier, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. With respect to audits conducted in the data centers of AWS, reference is made to Sec. 10 and 11 of the Data Processing Addendum of AWS, which shall also apply between Client and Supplier.
(2) The Supplier shall ensure that the Client is able to verify compliance with the obligations of the Supplier in accordance with Article 28 GDPR. The Supplier undertakes to give the Client the necessary information on request and, in particular, to demonstrate the execution of the technical and organizational measures.
(3) Evidence of such measures, which concern not only this specific Data Processing Agreement, may be provided by
- Compliance with approved codes of conduct pursuant to Article 40 GDPR;
- Certification according to an approved certification procedure in accordance with Article 42 GDPR;
- Current auditor’s certificates, reports or excerpts from reports provided by independent bodies (e.g. auditor, data protection officer, IT security department, data privacy auditor, quality auditor);
- A suitable certification by IT security or data protection auditing (e.g. according to ISO/IEC 27001).
§ 8 Deletion and return of personal data
(1) Copies or duplicates of the data shall never be created without the knowledge of the Client, with the exception of back-up copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory requirements to retain data.
(2) After conclusion of the contracted work, or earlier upon request by the Client, at the latest upon termination of the Service Agreement/this Data Processing Agreement, the Supplier shall hand over to the Client or – subject to prior consent – destroy all documents, processing and utilization results, and data sets related to the contract that have come into its possession, in a data-protection compliant manner. The same applies to any and all connected test, waste, redundant and discarded material. The log of the destruction or deletion shall be provided on request.
(3) Documentation which is used to demonstrate orderly data processing in accordance with this Data Processing Agreement shall be stored beyond the contract duration by the Supplier in accordance with the respective retention periods. It may hand such documentation over to the Client at the end of the contract duration to relieve the Supplier of this contractual obligation.
§ 9 Limitation of liability
(1) The liability of Supplier under this Data Processing Agreement is limited in the same way as in the Service Agreement.
§ 10 Miscellaneous; Choice of Law
(1) No modification of this annex and/or any of its components – including, but not limited to, Supplier’s representations and warranties, if any – shall be valid and binding unless made in writing and then only if such modification expressly states that such modification applies to the regulations of this annex. The foregoing shall also apply to any waiver or modification of this mandatory written form.
(2) In case of any conflict, the regulations of this annex shall take precedence over the regulations of the Service Agreement.
(3) Where individual regulations of this annex are invalid or unenforceable, the validity and enforceability of the other regulations of this annex shall not be affected.
(4) This annex is subject to the laws of the Federal Republic of Germany and the place of jurisdiction is Cologne.