buynomics GmbH, Hohenzollernring 72-74, 50672 Cologne, Germany, as Licensor (hereinafter referred to as “buynomics” or “Licensor”) provides access to its Software as a Service solutions (“SaaS-Solutions”) towards business customers (“Licensee”). If a Licensee or any employee or representative of a Licensee subscribes to a SaaS-Solution, an agreement is concluded between Licensee and Licensor in accordance with these terms and conditions (“SaaS-Agreement”).
(1) Subject of this SaaS-Agreement are the provisioning and the maintaining of Licensor’s SaaS-Solutions – within the frame of the availability according to Section 4 –, as described with all relevant features under www.buynomics.com/solution/#product. The main features of the buynomics pricing platform, a SaaS-Solution of Licensor are:
(2) Further services, like training or customizing are not subject to this SaaS-Agreement and may be requested separately.
(3) The SaaS-Solutions of Licensor are only offered towards entrepreneurs within the meaning of Sec. 13 German Civil Code (i.e. entrepreneur means a natural or legal person or a partnership with legal personality who or which, when entering into a legal transaction, acts in exercise of his or its trade, business or profession.)
(4) These Terms and Conditions are exclusively applicable on the usage of the SaaS-Solution. The Licensee’s Terms and Conditions are not applicable. This also applies in the event that Licensor has not expressly rejected Licensee’s Terms and Conditions.
(1) Licensor may further develop the range of functions of the SaaS-Solutions, unless original functionality is substantially limited thereby.
(2) The SaaS-Solutions are free from errors, if they fulfil the functions contained in the product description of buynomics (see https://www.buynomics.com/solution/#product) as amended from time to time or separately agreed upon. Licensor does not warrant that the functions of the SaaS-Solution meet the requirements for a specific use case of Licensee, unless otherwise agreed contractually.
(3) Licensor provides a ticket system. All error messages have to be submitted via the ticket system by Licensee. Licensee is to provide reasonable assistance to Licensor in analyzing errors, for example, through screenshot or system descriptions; Error messages are to be sent to Licensor as promptly as possible. If a SaaS-Solution is defective, Licensor shall – within a reasonable time – remedy reported errors insofar as a reported error is reproducible.
(1) The SaaS-Solutions of Licensor are protected by copyright. Licensor shall grant Licensee no rights of use and exploitation exceeding the intended use. The scope of the intended use arises from these SaaS-Agreements and the specific subscription model. Any further use, exploitation, modification and duplication shall be prohibited. Licensor is not allowed to sub-license the right to use of a SaaS-Solution.
(2) For the operation and the use of the SaaS-Solution, the system and software requirements specified by Licensor must be complied with. Compliance with the system requirements lies solely in Licensee’s area of responsibility.
(3) Licensee shall not be entitled to edit the SaaS-Solution or to make any changes to it. The source code shall remain solely with Licensor. The rights of Licensee to decompile according to Sections 69d and 69e German Copyright Act shall remain unaffected.
(4) Licensee shall not be authorized to remove or change copyright notices, trademarks, ownership information as well as other features for the identification of Licensor of the SaaS-Solution.
(5) Licensee shall be entitled to permit Licensee’s employees to use the SaaS-Solution, if such employees are registered as users according to Section 5. Licensee ensures that such employees will comply with the terms of the SaaS-Agreement. The granting of additional rights of use is solely the responsibility of Licensor. Licensee shall be liable for infringements of the terms of the SaaS-Agreement by Licensee’s employees as for Licensee’s own infringements and shall notify Licensor of any violations without undue delay. Any exceeding transfer of rights of use to third parties shall not be permitted.
(1) The SaaS-Solutions of Licensor are available on 99% on the time in an annual average.
(2) Maintenance services announced at least seven (7) days in advance (at a maximum of 3 hours/week on an annual average) will not be considered in the calculation of Section 4(1).
(3) Licensor endeavors to perform maintenance services at times at which – on average – the SaaS-Solutions are not used frequently (i.e. in the weekend).
(1) For each Licensee an administrator account is created in which the Licensee can activate employees and representatives for the use of the SaaS-Solution. For each employee and representative an own user account has to be created. Only employees and representative of the Licensee are allowed to be provided with a user account.
(2) For the creation of each account, a full name, address and e-mail-address have to be indicated. The Licensee ensures the accuracy of account information and keeps this information up-to-date.
(3) An account is personalized and may only be used by the registered employee and/or representatives.
(4) The Licensee is obliged to use secure passwords (at least 8 characters, including a special character) and not to keep any written notes about passwords. Passwords shall not consist of an easy to guess word/expression, for example, a person’s name or date of birth or a word/expression that are used to access other services, The Licensee commits its employees who have a user account to a correspondingly careful handling of passwords.
(5) Licensor may suspend a user account / administrator account if there are indications that it has been used unauthorized and / or attempted or unauthorized access to the SaaS-Solution from the user account / administrator account or the backend systems of Licensor (“hacking”). In such a case, Licensor will promptly notify the Licensee via the e-mail address linked to the user account / administrator account and allow him access via the creation of new accounts again, unless there are facts, which suggest that the Licensor or one of his employees attempted to gain unauthorized access to the Licensors systems.
(6) Access to the SaaS-Solution requires an Internet browser (Google Chrome is recommended) in its current version. The device that calls the SaaS-Solution must be connected to the Internet.
(1) Licensor shall have unlimited liability in case of intentional or grossly negligent breaches of obligation, damage to life, body or health, both within the statutory framework in accordance with mandatory laws, such as in accordance with the German Product Liability Act or the product safety acts. In addition, Licensor shall be liable within the scope of guarantees assumed.
In case of slightly negligent breaches of material contractual obligations, Licensor shall have unlimited liability regarding typically foreseeable damage. These are obligations whose fulfilment actually enables the performance of the contract and on the compliance with which the contractual partner may regularly rely.
Liability for slight negligence is otherwise excluded.
If liability in accordance with the aforementioned provisions is excluded, this shall also apply to the agents and vicarious agents of Licensor.
(2) Licensor shall not be liable for damage arising from settings in the SaaS-Solutions for which Licensor is not responsible.
(3) Occurrences of force majeure (including strikes, lockouts and similar occurrences, insofar as they cannot be foreseen, are severe, and are not the fault of Licensor), which make it significantly more difficult or impossible for Licensor to provide the services owed, shall entitle Licensor to postpone the performance of the obligations by the duration of the obstacle and an appropriate start-up period.
(4) Licensor shall be liable for additional cost incurred during the use of SaaS-Software (in particular, for the cost of data transfer via mobile communications including data roaming) only if Licensor is responsible for intent, gross negligence or the breach of material contractual duties.
(1) Licensee is obliged to use an up-to-date virus scanner / inspection program to check files that Licensee uploads to buynomics in advance for viruses, worms, trojan horses, etc. that may impair the integrity of files and/computer hardware and software and only to upload files that are free of such components. Licensor shall, insofar as it discovers such files or components, notify Licensee thereof without undue delay. If such files or components pose a direct risk to the functioning or integrity of the services of Licensor or the facilities of third parties, Licensor may delete such data or components in order to avoid damage. This may be done even without informing Licensee in advance if the associated risk cannot be mitigated in any other way with appropriate financial and time effort.
(2) If there are signs of use contrary to these Terms and Conditions, Licensor shall be entitled, taking into account the severity of the breach with regard to the interests of Licensee, to block the access of Licensee and/or individual employees to SaaS-Solution until the signs are refuted. Licensee shall be notified thereof. If this means that Licensee can no longer use the SaaS-Solution, Licensee shall not be entitled to an extraordinary right of termination.
(1) The license fees accrue per user account, and if not agreed otherwise, the following terms apply.
(2) If Licensee choses an annual subscription, the payment becomes due after the start of each 12-months-period. The annual subscription may be terminated by notice 3 months prior to the end of a 12-months-period. The termination notice must be submitted in text-form (i.e. E-mail). If the annual subscription is not terminated, it is automatically prolonged for a further 12-months-period.
(3) If Licensee choses a monthly subscription, the payment becomes due at the first work day of each months. For the first months the fee must be paid pro rata temporize. The monthly subscription may be terminated by notice 3 days prior to the end of a months. The termination notice must be submitted in text-form (i.e. E-mail). If the monthly subscription is not terminated, it is automatically prolonged for a further month.
(4) The subscription fee does not include manual services. Licensor may charge extra services, which include manual work, separately. Details will be defined in a separate agreement.
(5) The prices and terms for the paid services shall apply in accordance with the Licensor’s price list agreed at the time of the agreement or at the time or valid at the time of later extensions or separately agreed terms and conditions. If there is a price increase of more than 4% of the previous fee in accordance with the price list at the time of an extension, Licensee shall be entitled to terminate this agreement. Paid services shall be extended automatically if determined in the price list or in separately agreed terms and conditions for the service and if they are not terminated within the notice period stated in the price list or other separately agreed terms and conditions. Termination for good cause shall remain unaffected.
(6) If due license payment is not received, Licensor may charge interest on arrears at the level defined by statutory German law. Licensor shall, furthermore, be entitled, without prejudice to other rights, to block Licensee’s use of the use of the SaaS-Solution after issuing a reminder giving a reasonable deadline for the payment.
(7) Licensor shall be entitled to terminate this license agreement for good cause, in particular in case of serious breaches of these Terms and Conditions or in the event of infringement of Licensor’s copyrights in the SaaS-Solution. Any and all of Licensee’s rights of use shall expire upon receipt of the notice of termination. In less severe cases, Licensor shall allow Licensee a grace period to correct the situation. If the issue occurs repeatedly, Licensor shall be entitled to terminate the agreement without notice.
The Terms and Conditions and the SaaS-Agreements based upon them may be amended or supplemented at Licensor’s discretion to an extent that is reasonable for Licensee. In such event, Licensee shall be notified in writing (e.g., to the email address provided by Licensee or via the information service for the product) not less than six weeks prior to the change coming into effect. The amended or supplemented Terms and Conditions shall apply unless Licensee objects prior to the date when they come into effect. Licensor is obliged to inform Licensee about the consequences of an omitted objection. If the changes of the Terms and Conditions and the SaaS-Agreements does not significantly affect Licensee (for example because the changes does only consist in the addition of a further product or a change of a technical term), Licensee does not have the right to object. If Licensee does object, Licensor may terminate this agreement with a notice period of one month after notification of the objection
Licensor processes personal data of Licensee and Licensee’s employees in accordance with Art 28 General Data Protection Regulation (“GDPR”) based on the terms and conditions of commissioned data processing of bionomics (Annex 1),
(1) Should individual provisions of these Terms and Conditions be or become ineffective, they shall be replaced by provisions most closely resembling the economic intent of the ineffective provision. Should a provision of these Terms and Conditions be or become ineffective, the effectiveness of the remaining provisions of these Terms and Conditions or agreements shall remain unaffected.
(2) This agreement shall be governed by and construed in accordance with the laws of Germany. Exclusive legal venue shall be Cologne, Germany, where Licensee is a legal entity under public law.
(1) The Subject matter of this Data Processing Agreement conducted by buynomics (“Supplier”) towards any customer of buynomics (“Client”) within the frame a SaaS-Agreement and/or any further services agreement (hereinafter collectively referred to as “Service Agreement”). Client is and continues to be the controller of the processed personal data.
(2) Nature and purpose of the intended processing of data are precisely defined in the Service Agreement.
(3) The duration of this Data Processing Agreement corresponds to the duration of the Service Agreement.
(4) The subject matter of the processing of personal data comprises the following data types/categories:
(5) The categories of data subjects comprise of:
(1) The undertaking of the contractually agreed processing of data shall be carried out exclusively within a member state of the European Union (EU) or within a member state of the European Economic Area (EEA), except Client has its seat outside the EU and EEA.
(2) Suppliers does subcontract Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg (“AWS”) and has selected the exclusive usage of data centers in Germany.
(3) Each and every transfer of data to a state which is not a member state of either the EU or the EEA requires the prior agreement of the Client and shall only occur if the specific conditions of Article 44 et seq. GDPR have been fulfilled.
(1) The Supplier shall establish the security in accordance with Article 28 Paragraph 3 Point c, and Article 32 GDPR in particular in conjunction with Article 5 Paragraph 1, and Paragraph 2 GDPR. The measures to be taken are measures of data security and measures that guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 Paragraph 1 GDPR must be taken into account.
(2) Supplier refers to the “AWS Security Standards”, as laid down in the AWS GDPR Data Processing Addendum(.pdf).
(3) Suppliers organizes its own internal It-Security according to the standards of ISO 27001.
(4) The technical and organizational measures are subject to technical progress and further development. In this respect, it is permissible for the Supplier to implement alternative adequate measures. In doing so, the security level of the defined measures must not be reduced. Substantial changes must be documented.
(1) The Client shall immediately confirm oral instructions (at the minimum in text form).
(2) The Supplier shall inform the Client immediately if he considers that an instruction violates data protection regulations. The Supplier shall then be entitled to suspend the execution of the relevant instructions until the Client confirms or changes them.
(3) The Supplier may not on its own authority rectify, erase or restrict the processing of data that is being processed on behalf of the Client, but only on documented instructions from the Client.
(4) Insofar as a data subject contacts the Supplier directly concerning a rectification, erasure, or restriction of processing, the Supplier will immediately forward the data subject’s request to the Client.
(5) Insofar as it is included in the scope of services, the erasure policy, ‘right to be forgotten’, rectification, data portability and access shall be ensured by the Supplier in accordance with documented instructions from the Client without undue delay. Even if the aforementioned services are not included in the scope, Supplier supports Client in complying with Article 17 GDPR (’deletion of data’).
(1) In addition to complying with the rules set out in this Data Processing Agreement, the Supplier shall comply with the statutory requirements referred to in Articles 28 to 33 GDPR; accordingly, the Supplier ensures, in particular, compliance with the following requirements:
(2) The Supplier shall assist the Client in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations, referred to in Articles 32 to 36 of the GDPR. These include:
(1) Subcontracting for the purpose of this Agreement is to be understood as meaning services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal / transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. The Supplier shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the Client’s data, even in the case of outsourced ancillary services.
(2) Outsourcing to subcontractors or changing the existing subcontractor
are permissible when:
(3) Currently the following subcontractor provides services on which the SaaS-Solutions of Supplier are based:
(1) The Client has the right, after consultation with the Supplier, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. With respect to audits conducted in the data centers of AWS, reference is been made to Sec. 10 and 11 of the Data Processing Addendum of AWS, which shall also apply between Client and Supplier.
(2) The Supplier shall ensure that the Client is able to verify compliance with the obligations of the Supplier in accordance with Article 28 GDPR. The Supplier undertakes to give the Client the necessary information on request and, in particular, to demonstrate the execution of the technical and organizational measures.
(3) Evidence of such measures, which concern not only this specific Data Processing Agreement, may be provided by
(1) Copies or duplicates of the data shall never be created without the knowledge of the Client, with the exception of back-up copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory requirements to retain data.
(2) After conclusion of the contracted work, or earlier upon request by the Client, at the latest upon termination of the Service Agreement/this Data Processing Agreement, the Supplier shall hand over to the Client or – subject to prior consent – destroy all documents, processing and utilization results, and data sets related to the contract that have come into its possession, in a data-protection compliant manner. The same applies to any and all connected test, waste, redundant and discarded material. The log of the destruction or deletion shall be provided on request.
(3) Documentation which is used to demonstrate orderly data processing in accordance with this Data Processing Agreement shall be stored beyond the contract duration by the Supplier in accordance with the respective retention periods. It may hand such documentation over to the Client at the end of the contract duration to relieve the Supplier of this contractual obligation.
(1) The liability of Supplier under this Data Processing Agreement is limited in the same way as in the Service Agreement.
(1) No modification of this annex and/or any of its components – including, but not limited to, Supplier’s representations and warranties, if any – shall be valid and binding unless made in writing and then only if such modification expressly states that such modification applies to the regulations of this annex. The foregoing shall also apply to any waiver or modification of this mandatory written form.
(2) In case of any conflict, the regulations of this annex shall take precedence over the regulations of the Service Agreement.
(3) Where individual regulations of this annex are invalid or unenforceable, the validity and enforceability of the other regulations of this annex shall not be affected.
(4) This annex is subject to the laws of the Federal Republic of Germany and the place of jurisdiction is Cologne.