General Terms & Conditions


Talon.One GmbH

Last Updated: December 1, 2022

1. Scope of Application

1.1 The following General Terms and Conditions apply to all contracts and services rendered between and/or by Talon.One GmbH, Wiener Straẞe 10, 10999 Berlin, ('Talon.One') and its customers with regard to the use of Talon.One products and Talon.One services (hereinafter collectively 'Talon.One Services'). These General Terms and Conditions constitute a material part of each agreement unless expressly agreed otherwise in writing.

1.2 These General Terms and Conditions apply to any future business transaction between Talon.One and the customer, even without express reference thereto.

1.3 Differing regulations in services agreements, price lists, special contract conditions for Talon.One Services shall have priority to these General Terms and Conditions.

1.4 When using the Talon.One Services the customer unconditionally agrees and accepts these General Terms and Conditions. Any deviating terms and conditions of the customer as well as any deviations and/or amendments to these General Terms and Conditions shall only become part of the agreement if they have been expressly acknowledged by Talon.One in writing (email is sufficient). These General Terms and Conditions shall also apply exclusively if Talon.One has not explicitly objected any contrary terms and conditions.

1.5 Talon.One reserves the right to modify these General Terms and Conditions with effect for the future at any time. In this case, Talon.One will notify the customer of these changes. The changes shall be deemed to be accepted if the customer does not object within three (3) weeks after receipt of the amendment notification. Talon.One will inform the customer in its amendment notification about the customer's right to object and the effects of a lack of objection. If the customer rejects the changes, Talon.One has the right to terminate the contract and services rendered between and/or by Talon.One and the objecting customer.

2. Offer and Conclusion of a Contract

2.1 Offers by Talon.One are conditional and non-binding and subject to change as long as they are not explicitly referred to as unconditional and/or binding.

2.2 By ordering Talon.One Services the customer is making a binding contract offer. The customer is bound to the offer for a period of two (2) weeks after quotation. Talon.One shall not be obliged to accept such offer by the customer and is entitled to reject such offer without stating reasons.

2.3 The contract between Talon.One and the customer is either concluded upon signature of an individual customer's Order Form ('Order Form' or 'Order') by Talon.One and the customer, or online via Talon.One's online portal by using the respective order form within the web application, or by delivering or performing of Talon.One Services by Talon.One towards the customer.

2.3.1 Order Form

In order to conclude a contract by means of an Order Form, the customer must send the signed Order Form to Talon.One by fax or by email or other electronic means for acceptance by Talon.One. Talon.One shall not be obliged to accept such offer by the customer and is entitled to reject such offer without stating reasons. Talon.One accepts the Order Form by signing it via fax, email or other electronic means . Acceptance by Talon.one is also presumed, if Talon.One does not reject the Order Form within 7 business days from receipt. Rejection can be sent via fax, email or electronic means, sending of a new Order Form is considered rejection of the preceeding one.

2.3.2 Web Application

In order to conclude a contract online via Talon.One's online portal ('Talon.One Self Service Portal'), the customer must register itself online with Talon.One. The registration needs to be confirmed by Talon.One by sending a confirmation email or a direct contact by phone, each by using the respective contact details (email address / phone number) that was provided by the customer. A right to claim registration does not exist; Talon.One expressly reserves the right to reject a registration without stating reasons. The customer's Talon.One user account will be activated by the user by clicking on the activation link. The user account is non-transferable. The customer must keep the password secret and protect it against any wrongful use by unauthorized third parties.

2.4 The customer can order Talon.One's products and services via its user account. Talon.One offers subscriptions for its Talon.One Services. The details for subscriptions can be found in the customer's account or the Order.

2.4.1 Subscriptions

Unless otherwise provided in the applicable Order or order form, Talon.One Services are purchased as subscriptions. Subscriptions may be added during a subscription term at the same pricing as the underlying subscription pricing, prorated for the portion of that subscription term remaining at the time the subscriptions are added, and any added subscriptions will terminate on the same date as the underlying subscriptions. To order a subscription, the customer must click on the button 'Buy' (or any similar or synonymous expression) or sign the provided Order in order to make a binding offer to order the Talon.One Services. Talon.One will confirm the receipt of such order via email. However, such confirmation does not constitute an acceptance of the offer. The contract between the customer and Talon.One will be concluded by Talon.One's acceptance of the customer's offer in writing, via email or by making the Talon.One Services available. Talon.One is not obliged to accept the customer's offer.

2.4.2 Usage Limits

Talon.One Services are subject to usage limits, including, for example, the quantities specified in Order or order form, unless otherwise specified or agreed. Talon.One Service may not be active for more than the respective usage limit. If the customer exceeds a contractual usage limit, Talon.One will charge additional quantities accordingly.

2.4.3 Free Trial

Talon.One might offer a free trial period to new customers. In case of a free trial and lack of a separate Agreement or Order, these Terms and Conditions take into effect from the moment the Customer is granted access to Talon.One Services. The free trial period is available only once to any one customer. Length of the free trial will be communicated by Talon.One. The detailed terms for such free trial are available in the customer's account. If the new customer does not order Talon.One Services within the communicated trial period against payment, he will not be entitled to continue the use of the Talon.One Services after the expiration of the free trial period.

2.5 The customer is aware that contractual declarations (e.g. confirmation emails, amendments to the General Terms and Conditions as well as other notifications) may be sent via email. They are deemed to have been received when they can be retrieved in the email inbox which was specified by the user during the registration under normal circumstances.

3. Talon.One Services

3.1 With its Talon.One Services, Talon.One offers the customer online and software based products and services to maintain, monitor and automatize voucher codes, discounts, loyalty programs, customer referral campaigns and related products and services.

3.2 Talon.One Services are exclusively offered to business customers within the meaning of Section 14 of the German Civil Code (Bürgerliches Gesetzbuch - BGB). The customer represents and warrants that he will use Talon.One Services exclusively and explicitly within his commercial and/or freelance professional activity. In case of a breach of this representation and warranty Talon.One is entitled to suspend the Talon.One Services and to terminate the contract with the customer without notice and with immediate effect.

3.3 The particular specifications of Talon.One Services are defined in the respective service and product descriptions, special contract conditions, Service Level Addendum, individual subjects of performance and/or services, order forms and/or price lists in effect at the time the contract was concluded. Talon.One reserves the right to make technical changes and improvements to its products and services within a reasonable scope.

3.4 Talon.One is entitled to carry out its services either fully or partially in English.

3.5 Talon.One is entitled to use third parties (e.g. subcontractors, freelancer) as vicarious agents in order to carry out and/or fulfil all or part of its contractual obligations.

4. Availability, Change of Services

4.1 Unless expressly specified Talon.One offers its services on the basis of what is currently technically, economically and operationally possible and/or reasonable.

4.2 The customer accepts that uninterrupted availability of the Talon.One Services is technically not possible and cannot be reasonably guaranteed. The Talon.One Services shall be available at least 99,9% of the annual mean. Hereof excluded are times during which Talon.One Services may be interrupted or disrupted by circumstances beyond Talon.One's area of responsibility, including but not limited to acts of third parties that do not act on Talon.One's behalf, technical conditions of the internet that Talon.One cannot influence or force majeure of for maintenance services. If such circumstances interfere with the availability or functionality of the services provided by Talon.One, this has no effect on the contractual conformity of the services provided by Talon.One.

4.3 Talon.One shall notify the customer about planned downtimes or restrictions on the availability of the Talon.One Services within a reasonable period of time. No claims whatsoever against Talon.One can be derived therefrom.

4.4 In case of unforeseen events, Talon.One is entitled to suspend the Talon.One Services for maintenance or repair purposes if this is necessary to ensure the proper operation of the Talon.One Services.

4.5 Under consideration of the entitled interest of the customer, Talon.One reserves the right to change or to alter, limit or discontinue Talon.One Services in particular if this is reasonably necessary to prevent abuse of Talon.One Services or to comply with legal requirements. Talon.One shall notify the customer of any such measure with a notice period of three (3) weeks. In such an event the customer is entitled to request a price adjustment or to terminate the contract, provided that contractual use of the Talon.One Services is significantly impaired. Talon.One is entitled at any time without obligation to notify the customer to improve, adjust, extend and/or to adapt the Talon.One Services to the technical progress provided that the identity of the Talon.One Services are being maintained.

5. Customer's Rights and Obligations

5.1 The customer is entitled to use the Talon.One Services and the software provided by Talon.One only to the extent described hereafter.

5.2 The customer agrees to keep the passwords and login data provided by Talon.One for access to the Talon.One Services confidential and to inform Talon.One immediately as soon as the customer becomes aware of unauthorized third parties gaining access to these passwords. If, due to the customer's fault, unauthorized third parties use any services provided by Talon.One by using the passwords, the customer is liable to Talon.One for usage fees and damages.

5.3 The customer shall not make the software provided by Talon.One available to any third parties. In addition, the customer shall not

  • modify, translate, reverse engineer, decompile, disassemble or otherwise create derivative works from the Talon.One software or documentation. Information pursuant to Section 69e of the German Copyright Act ('UrhG') which is required to achieve interoperability with other programs created independently can be purchased from Talon.One for a fee based on the current price list upon request;

  • transfer, lend, rent, lease, distribute the software provided by Talon.One or the Talon.One Services, or use them for providing services to a third party, or grant any rights in and to the Talon.One software or documentation to a third party in any form, without Talon.One's express prior written and unless all respective fees have been paid and all of Talon.One's other conditions have been met; or

  • remove, modify or make illegible the labels, markers or designations regarding copyrights and other intellectual property rights of the Talon.One software or documentation.

5.4 The customer is obliged to use the HTML (Hypertext Markup Language), JavaScript or other program code provided by Talon.One without any modifications for its intended use.

5.5 If Talon.One has protected its Talon.One Services by technical means (e.g. security codes, firewalls, etc.), the customer is not allowed to circumvent or remove such security measures.

5.6 The customer is obliged to protect its own data by taking appropriate measures and by regularly making backups of its data.

5.7 The customer must follow Talon.One's instructions as well as the protocols and specifications as requested by Talon.One with regard to the telecommunication/data transmission.

5.8 Upon receipt of the Talon.One Services, the customer is obliged to immediately notify Talon.One of any obvious defects in writing whereas timely dispatch shall suffice to keep the term. The customer will provide Talon.One with all documents necessary for the analysis and debugging attempts and will provide Talon.One with access to the customer's servers, if necessary.

5.9 The customer confirms, represents and warrants that all personal as well as other relevant contractual information provided by the customer during the conclusion of the contract is true, complete and correct. The customer is responsible for any disadvantages or damages incurring as a result of providing false, incorrect, incomplete or outdated information. The customer is obliged to promptly inform Talon.One about any changes to this data and/or to update altered data in its user account. In the event of a culpable breach of this obligation, Talon.One is entitled to suspend the Talon.One Services upon giving prior notice.

6. Fees, Payment

6.1 The fees for the Talon.One Services that the customer makes use of are set out in the applicable Order Form and/or Talon.One's current valid price lists. All fees are regarded as in EURO, unless another currency is explicitly agreed. All fees and charges payable by Customer are exclusive of applicable taxes and duties, including VAT, GST and applicable sales tax. If Customer is legally entitled to an exemption from any sales, use, or similar transaction tax, Customer is responsible for providing Talon.One with legally sufficient tax exemption certificates for each taxing jurisdiction. Talon.One shall apply the tax exemption certificates to charges under Customer's account occurring after the date Talon.One receive the tax exemption certificates. If any deduction or withholding is required by law, Customer shall notify Talon.One and shall pay Talon.One any additional amounts necessary to ensure that the net amount that Talon.One receives, after any deduction and withholding, equals the amount Talon.One would have received if no deduction or withholding had been required. Additionally, Customer shall provide Talon.One with documentation showing that the withheld and deducted amounts have been paid to the relevant taxing authority. Talon.One will invoice the customer in advance and otherwise in accordance with the relevant Order. If the customer places an order via its customer account in the Talon.One Self Service Portal, Talon.One accepts the payment methods as shown in the customer account (e.g. payment by credit cards). When paying by credit card, the credit card on file will be charged with the amount as indicated in the agreed order.

6.2 Invoices will be sent to the customer via mail or in electronic form, unless expressly agreed otherwise.

6.3 The payment of the invoices shall be due within 15 days of the invoice date, unless stated different in the applicable order form or Order. In the event of the customer's default of payment, Talon.One is allowed to charge default charges up to EUR 10,00 for every invoice outstanding when due as well as default interest in accordance with the statutory provisions. Talon.One reserves the right to prove and assert greater damages due to default. If the customer's payments are considerably delayed, Talon.One reserves the right to suspend the provision of any further services, in particular the customer's access to the Talon.One Services, at the expense of the customer until all due payments have been made. In the event of suspended services, the customer is nevertheless obliged to pay the agreed fees. After having set the customer a reasonable deadline and expiration of that deadline, Talon.One has the right to terminate the agreement with immediate effect. In case of returned direct debits or unpaid checks, the customer shall reimburse Talon.One for the costs incurred to the extent that the customer was responsible for the event given rise to these costs. Further claims and rights to which Talon.One may be entitled in this respect shall remain unaffected. Even if the customer does not use the provided Talon.One Services, the customer is still obliged to pay the agreed fees.

6.4 As long as Talon.One carries out its Talon.One Services in course of a continuing obligation, Talon.One is entitled to change its fees at any time with a six (6) week notice to the beginning of each calendar month unilaterally via written statement (email is sufficient) to the customer. If such changes exceed 10% of the invoice value of the Talon.One Services provided within the current contact period, the customer has the right to terminate the contract within four (4) weeks from the declaration of fee increase. In case the customer terminates the contract, Talon.One is entitled to decide by its own discretion whether the proposed increase should be revoked. If the customer does not terminate the contract in due timely manner, the higher fees are agreed to be applicable.

6.5 Any complaints relating to an invoice must be submitted to Talon.One in writing or by email to billing@talon.one within four (4) weeks upon receipt of the respective invoice. If no such complaint has been made within four (4) weeks upon receipt of invoice, the invoice is deemed to be accepted. Talon.One will inform the customer of the invoice about the consequences of failing to submit a timely complaint.

7. Grant of Rights, Ownership, Third Party Rights

7.1 Upon conclusion of the agreement, Talon.One grants the customer the simple and non-exclusive, non-transferable and non-sub licensable right to use the Talon.One Services during the term of the agreement, insofar as this is necessary to use the Talon.One Services according to the respective Order or the respective order placed via the Self Service portal. The right of use shall expire with the termination of the contract for whatsoever reason.

7.2 Talon.One shall retain all intellectual property rights as well as any other property rights in and to the Talon.One software, the Talon.One Services as well as other services that are provided under this contract, including source codes, databases, hardware and/or any other material (e.g. documentations, developments, functions, report templates, preparatory material, etc.).

7.3 The customer undertakes to not violate any applicable laws, in particular third party rights (e.g. copyrights, personality rights, intellectual property rights) or the terms of this agreement while using the Talon.One Services. Insofar, the customer shall indemnify and hold Talon.One harmless from any and all third party claims (including but not limited to all costs and expenses, incl. reasonable attorney's fees) that are being asserted against Talon.One upon first request.

7.4 Unless otherwise agreed between the parties, Talon.One is entitled to refer to the collaboration with the customer and the contractual product and to depict the Customer's logo for self-promotional purposes.

8. Liability, Limitation of Liability

8.1 Talon.One shall be responsible that the Talon.One Services correspond to their intended use. Talon.One does not assume any liability for any damages resulting from a usage other than the intended use. The same applies to any damages resulting from a usage that is not in accordance with Talon.One's instructions and recommendations or any other unauthorized usage.

8.2 Talon.One does not assume any liability for any disturbances, limitations, interruptions or disruptions of the Talon.One Services which are caused by circumstances beyond Talon.One's area of responsibility.

8.3 Talon.One shall be liable for any damages which can be attributed to a willful or gross negligent violation of a duty by Talon.One, its legal representatives or employees, as a result of grave organizational neglect or which are based on defects of a warranted quality of the Talon.One Services, pursuant to the statutory provisions. This limitation shall not apply to any damages resulting from injury of life, body or health.

8.4 In the event of gross negligence, Talon.One shall be liable for typical and foreseeable damage.

8.5 Irrespective of the legal grounds, Talon.One shall only be liable for damages that have been caused by the culpable breach of a cardinal contractual obligation by its legal representatives or vicarious agents. Liability in this regard shall be limited to the typical damages that were reasonably foreseeable at the time the contract was concluded, however to a maximum of EUR 25,000.00 per incident of damage and to a maximum of EUR 50,000.00 per contract. Talon.One's liability for indirect damages, in particular loss of profit, is hereby excluded.

8.6 The aforementioned liability provisions shall apply accordingly to Talon.One's employees and agents.

8.7 Any claims for damages arising from a slight negligence by Talon.One shall become time-barred within one (1) year upon occurrence of the damage. This limitation shall not apply to any damages resulting from injury of life, body or health. All other claims for damages shall become time-barred within the statutory period.

8.8 Liability of Talon.One pursuant to the German Product Liability Act (Produkthaftungsgesetz - ProdHaftG) shall remain unaffected by the provisions set forth above.

9. Confidentiality

9.1 The parties shall keep all documents, information and data which have been disclosed, received and/or obtained by either party during the course of the cooperation strictly confidential during the term of the agreement and for three (3) years thereafter. The parties undertake to use the same degree of care in safeguarding the documents, information and data of the other party that is used for its own confidential information, but a least with the due care of a prudent business man. All such documents, information and data shall be used exclusively to perform the contractual services.

9.2 These confidentiality obligations also apply to documents, information and data that relate to companies affiliated with the parties, other cooperation partners or contractors and to documents, information and data about customers and sales representatives of the parties.

9.3 These confidentiality obligations do not apply to documents, information and data that are in the public domain or later become part of the public domain through no breach of contract by a party, is required to be disclosed by operation of law, court or administrative order or that has been subsequently exempted from this confidentiality obligation by an agreement in writing, per fax or via email.

10. Term, Termination

10.1 The term of the agreement is determined in the Orders or the order form in the Talon.One Self Service Portal. Each party has the right to terminate the agreement at any time by giving 30 days' notice to the end of the agreed term. The agreement will be automatically renewed for the same term as agreed unless terminated or ended otherwise. The termination must be made in writing and be submitted via mail, e-mail or fax.

10.2 The right to immediate termination for cause shall remain unaffected. In particular, Talon.One has the right to immediately terminate the agreement

  • if the customer breaches its obligations pursuant to Section 5.2 through 5.8 (including), 7.3 or 9 of these General Terms and Conditions,

  • if the customer is in default of payment and does not settle the outstanding payment due upon receipt of a warning letter with a deadline for payment and expiration of that deadline to no avail,

  • if the customer publishes racist, pornographic, immoral or illegal content on its website and/or content which glorifies or trivializes violence,

  • if the customer is insolvent, subject to insolvency proceedings, insolvency proceedings have been commenced or the commencement of insolvency proceedings is dismissed due to lack of assets,

  • if the customer violates the provisions of these General Terms and Conditions and fails to remedy this violation upon receipt of a written request with an adequate deadline. No such request is necessary if it has no prospect of success or if the violation is so serious that Talon.One cannot be reasonably expected to adhere to the agreement. A violation is also be deemed serious if the customer has received notices of warnings several times because of similar violations.

10.3 Upon termination of the agreement, the customer is obliged to delete all copies of the codes that were provided by Talon.One.

11. Data Protection, Logo Use and Publicity

11.1 The customer is obliged to comply with the applicable data protection law when using the Talon.One Services.

11.2 Pursuant to Section 11 of the German Data Protection Act (Bundesdatenschutzgesetz - BDSG), the processing of personal data by Talon.One on behalf of the customer may require a written agreement ('Data Processing Agreement'). If applicable, the customer hereby commissions Talon.One to process personal data on its behalf by concluding a separate agreement in accordance with the scope and the conditions of the annex 'Data Processing Agreement'.

11.3 The customer is obliged to ensure that its websites and apps clearly provide appropriate and sufficiently prominent notice to users regarding the collection and use of tracking data by Talon.One. The customer will also ensure that the websites and apps provide facilities for users to opt out of tracking. If a user opts out, the tracking mechanisms provided by Talon.One must be fully disabled. At a minimum, a privacy policy should be available on the website or from inside the app complying with these requirements.

11.4 The customer hereby grants Talon.One a non-exclusive license solely during the term of the Order Form to list Customer's name and display the Customer's logo in the customer section of Talon.One's website and to use the customer's name and logo in Talon.One's customer lists but only to the extent that other customers of Talon.One are also listed on such list. Within 60 days of the Effective Date of this Agreement, the customer agrees to review in good faith a press release announcing the cooperation with Talon.One. Talon.One must obtain written consent by the customer prior to publication of such release, such consent not to be unreasonably withheld. Any other use by Talon.One of the customer's name, logo or trademark requires the customer's prior written consent (such consent not to be unreasonably withheld).

12. Final Provisions, Miscellaneous

12.1 Place of performance and exclusive place of jurisdiction for all disputes between the parties shall be Berlin if the customer is a merchant, a legal entity under public law or a special fund under public law. Berlin shall also be the exclusive place of jurisdiction if the customer does not have a general place of jurisdiction in Germany, if the customer, once it has concluded the contract, moves its domicile out of Germany or whose domicile is unknown at the time the lawsuit is filed.

12.2 Any modifications and or amendments of offers and these General Terms and Conditions must be made in writing (email is sufficient). This also applies in case of a nullification of the written form requirement.

12.3 If any provision of these General Terms and Conditions or part thereof is invalid or becomes invalid at a later time, the validity of the remaining provisions shall remain unaffected. The relevant provision shall be replaced by a provision that as closely as possible reflects the economic purpose of the invalid provision. The foregoing shall apply analogously if any provision has inadvertently been omitted.

12.4 Unless expressly agreed otherwise, the legal relationship between Talon.One and the customer shall be governed by and construed in accordance with German law.

12.5 Talon.One has the right within the scope of the contractual purpose to process the data that was provided in accordance with applicable data protection law, or to commission third parties.

Exhibit C

Data Processing Agreement

Version: 2.0 | Release Date: 17.October, 2024

Concluded by and between

The Customer as specified in the applicable Order Form (hereinafter: 'Controller') and Talon.One (hereinafter: 'Processor')

Preamble

This Exhibit C  - Data Processing Agreement (“DPA”) details the parties’ obligations on the protection of personal data, associated with the processing of personal data on behalf of Customer as a data controller (hereinafter, “Controller”), and described in detail in the applicable Order Form (hereinafter, the “Agreement”). Its regulations shall apply to any and all activities associated with the Agreement, in whose scope Talon.One’s employees or agents (hereinafter, “Processor”) process personal data (hereinafter, “Data”) provided by and on behalf of Controller (hereinafter, “Contract Processing”).

§ 1 Scope, duration and specification of contract processing of Data

(1) The scope and duration and the detailed stipulations on the type and purpose of Contract Processing shall be governed by the Agreement. Specifically, Contract Processing shall include, but not be limited to, the following Data: 

image

(2) Except where this Exhibit stipulates obligations beyond the term of the Agreement, the term of this Exhibit shall be the term of the Agreement.

§ 2 Scope of application and responsibilities

(1) Processor shall process Data on behalf of Controller. The Contract Processing shall involve carrying out the management and validation of promotions as agreed upon in the Agreement. Within the scope of this Exhibit, Controller shall be solely responsible for compliance with the applicable statutory requirements on data protection, including, but not limited to, the lawfulness of disclosing Data to Processor and the lawfulness of having Data processed on behalf of Controller. Controller shall be the »controller« in accordance with Article 4 no. 7 of the GDPR.

(2) Controller’s individual instructions on Contract Processing shall, initially, be as detailed in the Agreement. Controller shall, subsequently, be entitled to, in writing or in a machine-readable format (E-Mail is sufficient), modifying, amending or replacing such individual instructions by issuing such instructions to the point of contact designated by Processor. Instructions not foreseen in or covered by the Agreement shall be treated as requests for changes to the statement of work. Controller shall, without undue delay, confirm in writing or in text form any instruction issued orally.

§ 3 Processor's obligations

(1) Except where expressly permitted by Article 28 (3)(a) of the GDPR, Processor shall process data subjects’ Data only within the scope of the statement of work and the instructions issued by Controller. Where Processor believes that an instruction would be in breach of applicable law, Processor shall notify Controller of such belief without undue delay. Processor shall be entitled to suspend performance on such instruction until Controller confirms or modifies such instruction.

(2) Processor shall, within Processor’s scope of responsibility, organize Processor’s internal organization so it satisfies the specific requirements of data protection. Processor shall implement technical and organizational measures as defined in Annex 2 to ensure the adequate protection of Controller’s Data, which measures shall fulfill the requirements of the GDPR and specifically its Article 32. Processor shall implement technical and organizational measures and safeguards that ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services. Controller is familiar with these technical and organizational measures, and it shall be Controller’s responsibility that such measures ensure a level of security appropriate to the risk.

Processor reserves the right to modify the measures and safeguards implemented, provided, however, that the level of security shall not be less protective than initially agreed upon.

(3) Processor shall support Controller, insofar as is agreed upon by the parties, and where possible for Processor, in fulfilling data subjects’ requests and claims, as detailed in chapter III of the GDPR and in fulfilling the obligations enumerated in Articles 33 to 36 of the GDPR.

(4) Processor warrants that all employees involved in Contract Processing of Controller’s Data and other such persons as may be involved in Contract Processing within Processor’s scope of responsibility shall be prohibited from processing Data outside the scope of the instructions. Furthermore, Processor warrants that any person entitled to process Data on behalf of Controller has undertaken a commitment to secrecy or is subject to an appropriate statutory obligation to secrecy. All such secrecy obligations shall survive the termination or expiration of the Agreement.

(5) Processor shall notify Controller, without undue delay, if Processor becomes aware of breaches of the protection of personal data within Processor’s scope of responsibility. Processor shall implement the measures necessary for securing Data and for mitigating potential negative consequences for the data subject; the Processor shall coordinate such efforts with Controller without undue delay.

(6) Processor shall notify Controller of the point of contact for any issues related to data protection arising out of or in connection with the Agreement.

(7) Processor warrants that Processor fulfills its obligations under Article 32 (1)(d) of the GDPR to implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

(8) Processor shall correct or erase Data if so instructed by Controller and where covered by the scope of the instructions permissible. Where an erasure, consistent with data protection requirements, or a corresponding restriction of processing is impossible, Processor shall, based on Controller’s instructions, and unless agreed upon differently in the Agreement, destroy, in compliance with data protection requirements, all carrier media and other material or return the same to Controller.

(9) n specific cases designated by Controller, such Data shall be stored or handed over. The associated remuneration and protective measures shall be agreed upon separately, unless already agreed upon in the Agreement.

(10) Processor shall, upon termination of the Agreement and upon Controller’s instruction, return all Data, carrier media and other materials to Controller or delete the same.

(11) Where a data subject asserts any claims against Controller in accordance with Article 82 of the GDPR, Processor shall support Controller in defending against such claims, where possible.

§ 4 Controller's obligations

(1) Controller shall notify Processor, without undue delay, and comprehensively, of any defect or irregularity with regard to provisions on data protection detected by Controller in the results of Processor’s worker. 

(2) Section 3 para. 11 above of this Exhibit shall apply, mutatis mutandis, to claims asserted by data subjects against Processor in accordance with Article 82 of the GDPR.

(3) Controller shall notify to Processor the point of contact for any issues related to data protection arising out of or in connection with the Agreement.

§ 5 Enquiries by data subjects

Where a data subject asserts claims for rectification, erasure or access against Processor, and where Processor is able to correlate the data subject to Controller, based on the information provided by the data subject, Processor shall refer such data subject to Controller. Processor shall forward the data subject’s claim to Controller without undue delay. Processor shall support Controller, where possible, and based upon Controller’s instruction insofar as agreed upon. Processor shall not be liable in cases where Processor is not able to correlate the data subject to Controller or Controller fails to respond to the data subject’s request in total, correctly, or in a timely manner.

§ 6 Options for documentation of Processor’s compliance

(1) Processor shall document and prove to Controller Processor’s compliance with the obligations agreed upon in this Exhibit by appropriate measures, such as provision of certificates or technical documentation.

(2) Controller or an auditor appointed by Controller may conduct audits and inspections of Processor’s Contract Processing once per year, provided, however: that (a) Controller gives Processor at least four weeks’ written notice; (b) any audit or inspection will be conducted during normal business hours and shall not interfere with Processors operations; and (c) Controller shall not be entitled access to any information that is not Data or that is subject to a confidentiality obligation under law or contract, including without limitation any such obligation owed to another customer of Processor. Notwithstanding the foregoing, Controller shall be entitled to exercise its audit and inspections rights under this Section 6 (2) more than once per year during the term of the Exhibit in the event of a data security incident or if required by a supervisory authority. All audits and inspections are subject to the execution of a confidentiality undertaking. Processor shall be entitled to reject auditors which are competitors of Processor. 

Controller hereby consents to the appointment of an independent external auditor by Processor, provided that Processor provides a copy of the audit report to Controller.

Processor shall be entitled to request a remuneration for Processor’s support in contributing to audits and inspections. Processor’s time and effort for such contribution shall be limited to one day per calendar year, unless agreed upon otherwise. Processor is not entitled to request a remuneration for Processor’s support in audits and inspection in case of data security incidents or if required by a supervisory authority.

§ 7 Subcontractors (further processors on behalf of Controller)

(1) Controller gives Processor a general authorization to engage sub-contractors as further sub-processors in connection with the provision of the Services. Processor will enter into an agreement with each sub-processor that provides for, in substance, the same data protection obligations as those binding the Processor under this DPA, to the extent applicable to the services provided by the sub-processor.

(2) Processors' list of sub-processors is available as an Annex 1 to this Exhibit. Prior to engaging any new sub-processors that process Controller’s personal data, Processor will notify Controller via email and allow Controller thirty (30) days to object. If Controller has legitimate objections to the appointment of any new sub-processors, the parties will work together in good faith to resolve the grounds for the objection for no less than thirty (30) days. If Controller and Processor cannot reach an agreement over the engagement of a new sub-processor, both parties shall be entitled to terminate the respective services which Processor cannot provide without using the new sub-processor to which Controller objected.

§ 8 International Data Transfers

  • The Controller agrees that where the Processor engages a sub-processor in accordance with Section 7 for carrying out specific processing activities on behalf of the Controller and those processing activities involve a transfer of personal data to a jurisdiction for which the European Commission has not issued an adequacy decision, the Processor and the sub-processor can ensure compliance with Regulation 2016/679 (GDPR) by signing the Standard Contractual Clauses (Module Three (Processor to Sub-Processor)) adopted by the European Commission in June 2021, provided the conditions for the use of those standard contractual clauses are met. 

§ 9 Obligations to inform, mandatory written form, choice of law, venue

  • Where the Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Processor’s control, Processor shall notify Controller of such action without undue delay. Processor shall, without undue delay, notify to all pertinent parties in such action, that any Data affected thereby is in Controller’s sole property and area of responsibility, that Data is at Controller’s sole disposition, and that Controller is the responsible body in the sense of the GDPR.

  • No modification of this Exhibit and/or any of its components – including, but not limited to, Processor’s representations and warranties, if any – shall be valid and binding unless made in writing or in a machine-readable format (E-Mail is sufficient), and furthermore only if such modification expressly states that such modification applies to the regulations of this Exhibit. The foregoing shall also apply to any waiver or modification of this mandatory written form.

  • In case of any conflict, the data protection regulations of this Exhibit shall take precedence over the regulations of the Agreement. Where individual regulations of this Exhibit are invalid or unenforceable, the validity and enforceability of the other regulations of this Exhibit shall not be affected.

  • This Exhibit is subject to the laws of Germany. Any dispute arising from this Exhibit shall be resolved by the courts of Berlin. 

    § 10 Liability and damages

    Controller and Processor shall be liable to data subject in accordance with Article 82 of the GDPR. As between Controller and Processor, the liability provisions of the Agreement shall apply to the liability of the Processor.

Annex 1: List of approved sub-processors

Version 2.0 | Release Date: 01. October 2024

image

Annex 2: Technical and Organizational Security Measures

Version 1.0 | Release Date: 16. December, 2019

This Annex 2 describes the Technical and Organizational Measures taken by Talon.One GmbH at the Berlin office location and the IT systems operated there.

The Talon One Promotion Engine is operated in a cloud environment (Google Cloud Platform) provided by Google Ireland Limited. The data processing within the Talon One Promotion Engine is therefore carried out in ISO 27001-certified data centers of the Google Cloud Platform. The administration of this infrastructure is carried out from the Berlin location, but the company does not maintain its own server infrastructure at the Berlin location. Accordingly, no information is documented in this respect. For more information about technical and organizational measures to secure the Google Cloud Platform, click here.

Measures at the Berlin location

  • Physical access control

Measures to prevent unauthorized parties from gaining access to data-processing equipment that processes or uses personal data.

  • Manual locking system

  • Key control (key output)

  • Determination of authorized access persons

  • Use of security guards/security service

  • Transponder and chip card control (regarding alarm system)

  • Alarm system/ intrusion detection system

  • Personal control (porter/reception)

2.Access control

Measures to prevent unauthorized parties from using data processing systems.

  • authorization concept

  • Authentication with username and password

  • Use of a password policy (minimum length and complexity)

  • Incorrect access attempts are logged

  • Encryption of data carriers

  • Principle of minimum authorization assignment

  • Authentication-free accesses are deactivated by default

  • Inactive implements automatically deactivate themselves after using a password-protected screen saver.

Employees block their work equipment during absence

3. Controlling access

Measures to ensure that those authorized to use a data processing system can only access the data subject to their right of access and that personal data cannot be read, copied, changed or removed without authorisation during processing, use and after storage.

  • Rules for creating, changing and deleting authorization profiles/users

  • Documentation of authorization assignment

  • Administration of users and rights by the system administrator(s)

  • Principle of minimum authorization assignment

  • Encryption of data carriers

  • Data carriers are deleted before reuse

  • Definition and use of authorization and role profiles

  • Observance of the separation of functions

  • Users are, if possible, limited in time

  • Data carriers are stored securely

  • Data carriers are properly destroyed

4. Transfer control

Measures to ensure that personal data cannot be read, copied, modified or removed without authorisation during electronic transmission or during transport or storage on data carriers, and that it can be verified and established at which points personal data is to be transmitted by means of data transmission facilities.

  • Installation of tunnels and VPN tunnels

  • Encrypted transmission (SSL/TLS)

  • Encryption of data carriers

  • Backups are stored locked

5. Input control

Measures to ensure that it is possible to verify and establish at a later stage whether and by whom personal data have been entered, modified or removed in data processing systems.

  • Logging of read, input, change and delete transactions (depending on the system)

  • Control of input options in the data processing systems

  • Control of input options in the data processing systems

  • Documentation of input authorizations

  • Traceability of changes in the IT systems

    6. Order control

Measures to ensure that personal data processed on behalf of the client can only be processed in accordance with the instructions of the client.

  • Partially written agreement with data-processing (sub-)contractors

  • Careful selection of the (sub-) contractors with regard to data protection and data security

  • Ensuring the destruction of data after completion of the order

  • Raising employee awareness

  • Examination of the measures taken by (sub-)contractors

  • Data protection officer appointed in writing

  • Commitment of employees to data secrecy (§ 5 BDSG) / confidentiality

  • In case of serious violations the client will be informed immediately..

7. Availability control

Measures to ensure that personal data is protected against accidental destruction or loss.

  • Use of a backup concept

  • Regular backups

  • Deployment of an emergency plan

  • Backup Recovery Tests

  • Store backups in an outsourced and secure location

  • Alarm

  • Encrypted backups

  • Mirroring of the data in a colocation

  • Hardware monitoring

  • Hardware protection against theft

8. Separation control

Measures to ensure that data collected for different purposes can be processed separately.

  • Logical client separation (software-side) through virtualization

  • Separate databases

  • Separate directory structures

  • Production and test systems are separated from each other

  • Various data carriers / dedicated servers for different clients

SERVICE LEVEL ADDENDUM

This SERVICE LEVEL ADDENDUM (the 'Addendum') is an addendum to, and is hereby incorporated into, the TALON.ONE General Terms and Conditions between TALON.ONE and Customer, (collectively, the 'Agreement').

1. DEFINITIONS

Certain capitalized terms, not otherwise defined in this Service Level Addendum, will have the meanings set forth in the Agreement. The following capitalized terms will have the definitions set forth below:

1.1 'System Uptime' will mean the total amount of time during any calendar month, measured in minutes, during which Customer has the ability to access the features and functions of the Software Service according to the Access Protocols and the terms of the Agreement.

1.2 'Scheduled Downtime' will mean the total amount of time during any calendar month, measured in minutes, during which Customer is not able to access the Software Service or to deliver Customer Content, according to the Access Protocols and the terms of the Agreement, due to planned system maintenance performed by TALON.ONE. TALON.ONE will provide reasonable prior notice to conduct system maintenance.

1.3 'Unscheduled Downtime' will mean the total amount of time during any calendar month, measured in minutes, during which Customer is not able to access the features and functions of the Software Service according to the Access Protocols and the terms of this Agreement, other than Scheduled Downtime, as defined above.

1.4 'System Availability' will mean, with respect to any particular calendar month, the ratio obtained by subtracting Unscheduled Downtime during such month from the total time during such month, and thereafter dividing the difference so obtained by the total time during such month. Represented algebraically, System Availability for any particular calendar month is determined as follows:

NOTE: 'Total Monthly Time' is deemed to include all minutes in the relevant calendar month, to the extent such minutes are included within the Term of this Agreement.

2. SYSTEM PERFORMANCE

2.1 System Availability: TALON.ONE will undertake commercially reasonable measures to ensure that System Availability equals or exceeds ninety-nine point nine percent (99.9%) during each calendar month (the 'Service Standard'), provided that any Unscheduled Downtime occurring as a result of circumstances beyond TALON.ONE' reasonable control including, without limitation, (i) Customer's breach of any provision of this Agreement; (ii) non-compliance by Customer with any provision of this Addendum; (iii) incompatibility of Customer's equipment or software with the Software Service; (iv) poor or inadequate performance of Customer's systems; or (vi) force majeure (as contemplated in the Agreement), shall not be considered toward any reduction in System Availability measurements.

2.2 Access to Support; Response Times: Customer may report Unscheduled Downtime by email at support@talon.one 24 hours per day at 7 days per week. TALON.ONE classifies problems with the Software Service using the following problem classification table:

image

Upon discovery of a problem both Parties shall promptly inform each other on discovery of the problem according to the classifications above. The following table specifies the reaction steps, which must be performed by TALON.ONE and Customer by which TALON.ONE deals with the specific problem reports:

  • Step 1 — Identification: TALON.ONE confirms that the problem exists and starts to collect information and performs an analysis.

  • Step 2 — Temporary Solution: TALON.ONE processes the problem and provides a temporary work around, if possible, as soon as possible, in order to make the Software Service at least partially available.

  • Step 3 — Problem Resolution: TALON.ONE provides a final solution to the problem, so that the Software Service is fully available again.

image

Both parties shall inform each other regularly on the status of the error.

3. MEASUREMENT AND REPORTS

3.1 System Monitoring and Measurement: TALON.ONE will provide for monitoring of System Availability on an ongoing basis. All measurements of System Availability will be calculated on a monthly basis for each calendar month during the Term.

3.2 System Performance Reports: Upon Customer's request, TALON.ONE will provide reports to Customer on a quarterly basis setting forth measurements of Unscheduled Downtime and a calculation of System Availability for the relevant preceding quarter. If Customer disagrees with any measurement or other information set forth in any such report, it must so inform TALON.ONE in writing within five (5) calendar days after receipt thereof, provided that the accuracy of any such report shall be deemed conclusive unless such notice is provided by Customer. Any such notice must indicate specific measurements in dispute and must include a detailed description of the nature of the dispute. TALON.ONE and Customer agree to attempt to settle any such disputes regarding System Availability and/or related measurements in a timely manner by mutual good faith discussions.

4. CUSTOMER REQUIREMENTS

4.1 Minimum System: The service standards set forth in this Addendum assume that Customer, as applicable, meets the minimum system standards established by TALON.ONE.

4.2 Additional Customer Obligations: Except as otherwise agreed between the Parties in a separate written agreement, Customer is responsible for (i) maintenance and management of its computer network(s), servers, software, and any equipment or services related to maintenance and management of the foregoing; and (ii) correctly configuring Customer's systems in accordance with the Access Protocols.

4.3 Reporting of Unscheduled Downtime: Customer must promptly notify TALON.ONE in the event Unscheduled Downtime occurs. Unscheduled Downtime will be deemed to begin when TALON.ONE receives accurate notification thereof from Customer, or when TALON.ONE first becomes aware of such Unscheduled Downtime, whichever first occurs.

4.4 Non-Performance by Customer: The obligations of TALON.ONE set forth in this Addendum will be excused to the extent any failures to meet such obligations result in whole or in part from Customer's failure(s) to meet the foregoing requirements.

4.5 Suspension: If the Customer endangers the security, integrity or availability of networks, the TALON.ONE' servers or the Software Services, or if TALON.ONE has an objective reason to suspect so, then TALON.ONE may temporarily suspend Customer's access to the Software Services. In case of deliberate actions by the Customer, TALON.ONE may terminate the contract with immediate effect: (a) if the Customer's system or Software Services becomes an object of Denial of Service attacks by Customer; (b) if Customer is responsible for sending spam mails or text/multimedia messages (SMS/MMS) via the Software Services; or (c) if the Customer saves content on the TALON.ONE' servers, which violates any laws or infringes on rights of third parties.

5. Remedies: In the event Unscheduled Downtime occurs, TALON.ONE will undertake commercially reasonable efforts to remedy such Unscheduled Downtime within a commercially reasonable timeframe. If TALON.ONE is unable to meet the System Availability standards set forth in Section 2.1, Customer shall be entitled to the following service credits, provided that the maximum number of Service Credits to be issued by TALON.ONE to Customer for any and all Unscheduled Downtime shall not exceed one month of service.

image
*All Service Credit shall be applied to the next month's Access Fees.

Talon.One Logo

The World's Most Powerful Promotion Engine

BERLIN

Wiener Strasse 10
10999 Berlin
Germany

BIRMINGHAM

41 Church Street
B3 2RT Birmingham
United Kingdom

BOSTON

One Boston Place, Suite 2600
02108 Boston, MA
United States

SINGAPORE

1 Scotts Road, #21-10 Shaw Centre
228208 Singapore
Singapore

G2 LogoMach Alliance LogoISO 27001 Logo
CCPA Logo
GDPR Logo
SOC2 Logo

© 2024 Talon.One GmbH. All rights reserved.