Lorsque vous cliquez sur »Accepter tous les cookies« en cliquant, vous acceptez le stockage de cookies sur votre appareil afin d'améliorer la navigation sur le site Web, d'analyser l'utilisation du site et de soutenir nos efforts de marketing. Pour plus d'informations, voir notre politique de confidentialité.

Conditions générales d'utilisation

Thank you for using Phonemos by linkyard ltd! We are excited to have you here.

These Phonemos Terms of Service (these "Terms") describe your rights and responsibilities as a customer of the Phonemos Software-as-a-Service cloud product. These Terms are between you ("Customer") and linkyard ltd. ("linkyard" or "Provider"). "You" means the entity you represent in accepting these Terms or, if that does not apply, you individually. If you are accepting on behalf of your employer or another entity, you represent and warrant that:

  • you have full legal authority to bind your employer or such entity to these Terms;
  • you have read and understand these Terms; and
  • you agree to these Terms on behalf of the party that you represent.

If you don't have the legal authority to bind your employer or the applicable entity please do not click "I agree" (or similar button or checkbox) that is presented to you nor use or access a Phonemos instance set up for you. Please note that if you sign up using an Email address from your employer or another entity, your actions will bind your employer or that entity to these terms and the word "you" will refer to your employer or that entity.

These terms do not have to be signed in order to be binding. You indicate you assent to these Terms by clicking "I agree" at the time you register for Phonemos, by placing an order or paying our invoice or by using and accessing the product, whichever is earlier.

1. preamble

1.1 The Provider is the provider of Phonemos, a software product provided to you as a Software-as-a-Service ("SaaS") service. The Customer avails itself of the SaaS services, furnished by the Provider, for the duration of the agreement.

1.2 The present agreement regulates the Provider's SaaS services which the Provider provides to the Customer.

2 Scope of the terms

2.1 Together with the confirmed offer, the Service Level Agreement and any other contractual documents, these Terms of Service constitute the final agreement (hereinafter referred to as "Agreement") between the customer and linkyard ltd. These Terms of Service are an integral part of all offers, order confirmations and invoices.

2.2 The following terms of service apply between the customer and linkyard ltd, unless otherwise specified in individual cases, mandatorily prescribed by law or expressly agreed otherwise in writing by the parties. Furthermore, by using the services of linkyard, customers or users agree to these terms of use.

3 General subject of the terms

3.1 This agreement applies to the use of the "Phonemos" software of linkyard in accordance with the current product description as "Software as a Service" (SaaS) or cloud offer. "Phonemos" is provided to the customer by linkyard as SaaS. This includes, among other things, the provision of licences and the cloud services by the provider to the customer. The customer is enabled to use the software stored and running on the servers of linkyard or a service provider commissioned by linkyard via an internet connection for his own purposes during the term of this contract.

3.2 These Terms are applicable to one or more Phonemos instances ("instance"), each having individually applicable billing periods, subscription plans or number of users. Each instance may be terminated individually, though dependencies between service instances may exist in special circumstances.

3.4 These Terms of service shall apply exclusively. The customer's Terms of Use shall not apply. Counter-confirmations by the customer with reference to his own Terms and Conditions are expressly rejected.

3.5 Phonemos may not be used to store or post content that is unlawful, threatening, abusive, harassing, defamatory, libelous, fraudulent, invasive of another's privacy, tortuous, obscene, vulgar, pornographic, profane, contains or depicts nudity, sexual activity or is otherwise inappropriate or illegal.

3.6 All users of the Customer working with Phonemos must follow the rules of conduct and guidelines for permitted use set out in this Section 3 ("General subject of the terms"). If the Customer breaches this policy or any other provision of this Agreement, linkyard is entitled to suspend or terminate the Customer's account immediately and without prior notice, which shall not affect the Customer's obligations under this Agreement.

4 License management

4.1 The Provider is obligated to obtain all the requisite licenses or subscriptions for the Customer required for fulfilling the present purpose of the agreement. In so doing, the Provider either produces the license directly and acts as licensor or, in case of third party components, acts as a middleman for concluding an agreement between the Customer and the Licensor, without itself being a party to the licensing agreement. The execution of such licensing agreements, namely the payment of the licensing or subscription fees, is done through the Provider.

5 System environments

5.1 The Provider shall provide a fully licensed environment for production use, the scope of which shall be determined on the basis of the subscription plan set out in the signed Offer.

5.2 On request, the Provider will furnish a temporary on demand test environment to conduct integration tests or similar test types. For resource optimization, the test environment is automatically stopped after several hours of non-use. The Customer can request reactivation of the test environment.

5.3 linkyard may add new features to its Phonemos, remove features, suspend modules or discontinue them permanently.

6 System management, support and bugfixing

6.1 Restrictions or impairments of the services provided may arise which are beyond the control of the provider. This includes, in particular, actions by third parties not acting on behalf of the provider, technical conditions of the Internet that cannot be influenced by the provider, and force majeure. The hardware and software and technical infrastructure used by the customer may also have an influence on the services of the provider. Insofar as such circumstances have an influence on the availability or functionality of the service provided by the provider, this shall have no effect on the contractual conformity of the services provided.

6.2 Fault management and corrective maintenance is included in every subscription plan. In the Business and Enterprise subscription plans, up to one hour of support services per month is also included. These hours cannot be cumulated. Additional product-related consulting and support services are charged at USD/EUR/CHF 150.

6.3 The provider basically offers different options regarding service level (standby times/response times/system availability), backup plans and business continuity plans. The different options can be found in the SLA (service level agreement), which forms an integral part of the agreement together with the signed offer and this document.

6.4 For clarification purposes, it is noted that the response times listed in the SLA refer exclusively to fault reports and support requests from the customer which are reported via the Provider's ticketing portal(https://servicedesk.linkyard.ch).

7 Duties of the Customer

7.1 The Customer shall support the Provider as far as reasonable in the fulfilment of the Provider's obligations under this Agreement. In the event of failure to cooperate or in the event of the Customer or third parties causing disruptions for which the Customer is responsible, the Provider shall be free to refuse the corresponding additional expenditure or to invoice the corresponding additional expenditure on a time and material basis.

7.2 Subject to these Terms and during the applicable Subscription Term, the customer may access and use the Cloud Products for his own business purposes or personal use, as applicable, all in accordance with these Terms, the applicable Order and the Documentation. The rights granted to you in this Section 7.2 are non-exclusive, non-sublicensable and non-transferable.

7.3 Restrictions: Except as otherwise expressly permitted in these Terms, you will not: (a) reproduce, modify, adapt or create derivative works of Phonemos; (b) rent, lease, distribute, sell, sublicense, transfer or provide access to Phonemos to a third party; (c) use Phonemos for the benefit of any third party; (d) incorporate Phonemos into a product or service you provide to a third party; (e) interfere with or otherwise circumvent mechanisms in Phonemos intended to limit your use; (f) reverse engineer, disassemble, decompile, translate or otherwise seek to obtain or derive the source code, underlying ideas, algorithms, file formats or non-public APIs to Phonemos, except to the extent expressly permitted by applicable law (and then only upon advance notice to us); (g) remove or obscure any proprietary or other notices contained in Phonemos; (h) use the Cloud Products for competitive analysis or to build competitive products; (i) publicly disseminate information regarding the performance of Phonemos; or (j) encourage or assist any third party to do any of the foregoing.

8 Payment modalities and price

8.1 The price owed by the customer for a Phonemos instance is composed of:

  • A base fee for one Phonemos instance including one site, 100 GB if storage and one editor licence, per month
  • Optional: a fee per additional site, per month
  • Optional: a fee per additional storage space provided, per month
  • Optional: a fee per additional editor licences, per user and month
  • Optional: a fee per additional viewer licences, per user and month
  • Optional: a fee to unlock specific optional features, per month
  • One-off fees, e.g. support, integration, migration

8.2 The total price can be paid either monthly, by credit card only, or annually, by wire transfer or credit card. For non-DACH countries, wire transfer can only be accepted for payments over CHF 5'000. Wire transfer invoices are due within 30 days net.

8.3 Whether the price is paid annually or monthly also determines the length of the individual subscription period.

8.4 Monthly prices are invoiced at the end of a subscription month based on usage.

8.5 Annual prices are invoiced at the start of a subscription period for the full year. Adjustments within the subscription period are invoiced when activated until the end of the current subscription period.

8.6 Advertised prices do not include VAT.

9 Liability of the provider

9.1 The Provider's liability for any damage on the part of the Client or third parties is excluded to the extent permitted by law. The exclusion refers both to damages incurred directly by the customer and to claims for damages by third parties against the customer.

10 Data protection and confidentiality

10.1 The Customer is responsible for the data processing executed through Phonemos (GDPR: "data controller"). All content uploaded and stored in a Phonemos instance is the property of the customer.

10.2 The provider ensures GDPR compliance as a data processor.

10.3 The parties shall ensure that they comply with all requirements of data protection law. In particular, the Customer shall ensure that it obtains all necessary consents for data processing from persons whose personal data is processed. In the event of non-compliance, he shall indemnify the Provider in the event of claims by third parties.

10.4 The Provider is obliged to

  • inform the Customer as soon as possible during the term of the contract, if known, of any access to personal data by public authorities or unauthorized third parties, and
  • after completion of the provision of the Processing Services, to either delete or return all data at the Customer's option.

10.5 Mandatory law which conflicts with the aforementioned obligations is reserved.

10.6 Since it cannot be ruled out that the Provider will have access to personal data of the Customer or third parties, the Parties agree on Section 10.7 on Data Processing by Order.

10.7 As part of the use of linkyard's software in accordance with the terms of service, SLA and signed offer of linkyard ("Agreement"), it is necessary for the Processor to store and process data collected by the Client in the course of using the Processor's software services. It cannot be ruled out that these data are personal data within the meaning of Art. 4 No. 1 GDPR. This Section 10.7 applies exclusively to this data (hereinafter "Client Data").

10.7.1 NATURE, SCOPE, PURPOSE AND DURATION OF THE PROCESSING OF THE ORDER
This section specifies the rights and obligations of the parties under data protection law in connection with the Processor's handling of the Client Data in performance of the contract.
The Processor shall process the Client Data on behalf of and in accordance with the instructions of the Client within the meaning of Art. 28 GDPR (commissioned processing). The Client remains the data controller in the sense of data protection law pursuant to Art. 4 No. 7 GDPR.
The processing of the Client Data within the scope of commissioned data processing shall be carried out in accordance with the specifications on the type, scope and purpose of the data processing contained in Section 15. It refers to the type of client data specified in Section 15, the purpose of the data processing and the group of data subjects specified therein.
The processing of the client data takes place in the territory of Switzerland or in the European Union. The adequate level of protection in Switzerland has been established by an adequacy decision of the EU Commission (Art. 45 (3) GDPR). Any further relocation to a third country requires the prior consent of the client and may only take place if the special requirements of Art. 44 et seq. GDPR are fulfilled.

10.7.2 POWERS OF INSTRUCTION OF THE PRINCIPAL
The handling of the Principal Data by the Processor shall take place exclusively within the framework of the agreements made and in accordance with the documented instructions of the Principal pursuant to Art. 28 (3) sentence 2 lit. a GDPR, unless the Processor is obliged to process under Union law or the law of the Member States to which it is subject. In such a case, the processor shall notify the controller of these legal requirements prior to the processing, unless the law in question prohibits such notification due to an important public interest.
The Principal reserves a comprehensive right to issue instructions on the type, scope, means and purposes of the data processing within the scope of the job description agreed in this Agreement, which it may concretise by means of individual instructions. The Principal shall immediately confirm verbal instructions in writing or by e-mail (in text form). If the Client issues individual instructions regarding the handling of Client data which go beyond the contractually agreed scope of services, the costs incurred as a result shall be borne by the Client.
Changes to the object of processing and procedural changes shall be jointly agreed and documented. The Processor may only provide information to third parties or the Data Subject with the prior written consent of the Client. The Processor shall not be entitled to disclose the Client Data to third parties and shall not use the data for any other purposes, in particular for its own purposes. The Processor shall not be under any obligation to check the Client's instructions in terms of (data protection) law. The Processor shall inform the Principal without undue delay in accordance with Article 28 (3) sentence 3 of the GDPR if, in its opinion, an instruction issued by the Principal violates statutory provisions. The Processor shall be entitled to suspend the implementation of the corresponding instruction until it is confirmed or amended by the Controller with the Principal.

10.7.3 OBLIGATIONS OF THE PRINCIPAL
The principal is solely responsible for the lawfulness of the data processing by the processor as well as for the protection of the rights of the data subjects and is thus the "controller" within the meaning of Art. 4 No. 7 GDPR.
The Principal shall be the holder of all rights, if any, concerning the Client Data.
The Principal shall inform the Processor without undue delay if it discovers errors or irregularities in connection with the processing of Principal Data by the Processor.
If third parties assert claims against the Processor due to the processing of Client Data, the Client shall indemnify the Processor against all such claims upon first request.

10.7.4 OBLIGATIONS OF THE PROCESSOR
The Processor shall ensure and regularly monitor that the processing of the Client Data within the scope of the provision of services under the Agreement in its area of responsibility, which includes the sub-processors pursuant to the sub-processor policy, is carried out in accordance with the provisions of this Agreement.
The Processor shall be obliged to appoint a competent and reliable data protection officer who can carry out his activities in accordance with Articles 37, 38 and 39 of the GDPR, if and as long as the legal requirements for an obligation to appoint are met. The contact details of the data protection officer shall be provided to the Client upon request.
The Processor is obliged to regularly monitor the internal processes as well as the technical and organisational measures in order to ensure that the processing in its area of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the protection of the rights of the data subject is guaranteed.
The Processor undertakes to maintain confidentiality when processing the Client's personal data in accordance with the contract. This obligation shall continue to exist even after termination of the contract.
Pursuant to Article 28 (3) sentence 2 lit. b of the GDPR, the Processor shall impose a written obligation of data secrecy on all persons who have access to the Client's personal data in accordance with the order and shall inform them of the special data protection obligations resulting from this order and of the existing obligation to follow instructions or to use the data for a specific purpose.
The Processor may not make copies or duplicates of the Client Data within the scope of the commissioned processing without the Client's prior consent. However, copies shall be exempt from this insofar as they are necessary to ensure proper data processing and the proper provision of the services in accordance with the main contract (including data backup), as well as copies that are necessary to comply with statutory retention obligations.
The Processor is obliged to support the Client in the fulfilment of its legal obligations within the scope of what is reasonable and necessary and against reimbursement of the expenses and costs incurred by the Processor as a result. This includes compliance with technical and organisational measures, reporting data breaches to the supervisory authority and data subjects, conducting data protection impact assessments and consulting the competent supervisory authority in advance.
The Processor is obliged to provide the Principal with all necessary information, including certifications as well as audit and inspection results, which serve to prove compliance with the obligations set out in this contract.
The Processor shall be obliged to inform the Principal without delay about control actions and measures of the supervisory authority insofar as they relate to this contract. This shall also apply to the extent that a competent authority investigates the Processor in the context of administrative offence or criminal proceedings with regard to the processing of personal data in the course of the commissioned processing.

10.7.5 TECHNICAL AND ORGANISATIONAL MEASURES
The Processor shall implement the technical and organisational measures listed in Section 16 prior to the start of the processing of the Principal Data and maintain them during the Contract.
As the technical and organisational measures are subject to technical progress and technological development, the Processor shall be permitted to implement alternative and adequate measures, provided that in doing so the security level of the measures set out in Section 16 is not undercut. The Processor shall document such changes. Significant changes to the measures shall require the prior consent of the Client and shall be documented by the Processor and made available to the Client upon request.

10.7.6 VIOLATIONS OF THE PROCESSOR TO BE COMMUNICATED
The Processor shall inform the Client in a timely manner if it discovers that it or an employee has violated data protection regulations or specifications from this Section 10.7 when processing Client Data, provided that there is a risk of violations of the protection of the Client's personal data within the meaning of Article 4 No. 12 of the GDPR.
The Processor shall, to the extent reasonable and necessary, assist the Principal in complying with the obligations set out in Articles 32 to 36 of the GDPR regarding the security of personal data, data breach notification obligations, data protection impact assessments and prior consultations. These include, but are not limited to:
(a) ensuring an adequate level of protection through technical and organisational measures that take into account the circumstances and purposes of the processing as well as the predicted likelihood and severity of a potential security breach and allow for the immediate detection of relevant breach events
(b) the obligation to notify personal data breaches to the contracting authority without undue delay
(c) the obligation to assist the contracting authority in its duty to inform the data subject and. in this context, to provide it with the necessary information, in this context, to provide it with all relevant information without undue delay
(d) to assist the Principal in carrying out its data protection impact assessment
(e) assisting the Principal in the context of prior consultations with the supervisory authority
(f) For support services that are not included in the service specifications or are not due to misconduct of the Processor, the Processor may claim a remuneration

10.7.7 CONTROL RIGHTS OF THE PRINCIPAL
The Client shall convince itself at its own expense of the technical and organisational measures of the Processor in accordance with Section 16 prior to the commencement of data processing and regularly thereafter and document the result. For this purpose, it may obtain information from the Processor itself, obtain a certificate from an expert or personally inspect the Processor's business and trade secrets after making an appointment in good time without disrupting operations and subject to strict confidentiality. The Processor undertakes to support the Client's inspections in an appropriate manner and to tolerate all necessary inspection measures. The Processor may charge for the inspection related measures if they exceed the provisioning of existing, relevant documentation.
The Processor undertakes to provide the Principal, upon written request and within a reasonable period of time, with all information required to carry out a control.
The Processor shall be entitled, at its own discretion, taking into account the Client's legal obligations, not to disclose information that is sensitive with regard to the Processor's business or if the Processor would violate legal or other contractual regulations by disclosing it. The Principal shall not be entitled to have access to data or information on other customers of the Processor, to information regarding costs, to quality audit and contract management reports and to any other confidential data of the Processor which is not directly relevant for the agreed control purposes.
The Client shall inform the Processor in good time (as a rule at least two weeks in advance) of all circumstances related to the performance of the control. As a rule, the Client may carry out one inspection per calendar year. This shall be without prejudice to the right of the Client to carry out further inspections in the event of special occurrences.
If the Principal commissions a third party to carry out the inspection, the Principal shall oblige the third party in writing in the same way as the Principal is obliged to the Processor on the basis of this Section 10.7.7. In addition, the Client shall oblige the third party to maintain secrecy and confidentiality, unless the third party is subject to a professional confidentiality obligation. At the request of the Processor, the Client shall immediately submit to the Processor the commitment agreements with the third party. The Client may not commission a competitor of the Processor with the inspection.
At the choice of the Processor, proof of compliance with the technical and organisational measures pursuant to Section 16 may also be provided instead of an on-site inspection by submitting a suitable, up-to-date audit certificate, reports or report extracts from independent bodies (e.g. auditor, audit, data protection officer, IT security department, data protection auditors or quality auditors) or a suitable certification by IT security or data protection audit - e.g. in accordance with BSI-Grundschutz - ("audit report"), if the audit report reasonably enables the Client to satisfy itself of compliance with the technical and organisational measures in accordance with Section 16.

10.7.8 SUBCONTRACTING RELATIONS
The Processor may establish subcontracting relationships with regard to the processing of Client Data with the prior consent of the Client. Such prior consent may only be refused by the Client for good cause to be proven to the Processor. Upon request, the Processor shall provide the Client with a current overview of the sub-processors engaged. In the event of written authorisation, the Processor shall always inform the Client of any intended change with regard to the involvement or replacement of other Processors.
The sub-processors named in the sub-processors policy shall be deemed to have already been approved by the Principal.
In the event of the use of a sub-processor, the processor shall impose on the sub-processor, by way of contract or other legal instrument under Union or Member State law, the same data protection obligations as those set out in that contract. Where a sub-processor fails to comply with the obligations laid down in this contract or infringes data protection law, the processor shall be liable to the contracting authority for compliance with the obligations of the sub-processor.
Services which the Processor uses from third parties as an ancillary service to support the execution of the order are not to be understood as subcontracting relationships within the meaning of this provision and therefore do not require the Principal's consent. These include, in particular, telecommunications services, security services, maintenance and user services, cleaners, auditors and the disposal of data carriers. However, in order to ensure the protection and security of the Client's data, the Processor is also obliged to conclude appropriate and legally compliant contractual agreements and to take control measures in the case of ancillary services contracted out to third parties.

10.7.9 RIGHTS OF THE AFFECTED
The rights of the data subjects affected by the data processing shall be asserted against the Principal.
Insofar as a data subject should contact the Processor directly in order to exercise his or her rights under Articles 12 to 22 of the GDPR in respect of the data relating to him or her, the Processor shall immediately refer the data subject to the Principal.
In the event that a data subject asserts his or her rights under Articles 12 to 22 of the GDPR, the Processor shall assist the Principal in fulfilling such claims to the extent reasonable and necessary for the Principal, unless the Principal can fulfil the claims without the assistance of the Processor. The Client shall reimburse the Processor for any additional expenses.
The Processor shall enable the Client to correct, delete or block Client Data or, at the Client's request, carry out the correction, blocking or deletion itself if and to the extent that this is impossible for the Client itself.

10.7.10 LIABILITY
The Principal and the Processor shall be jointly and severally liable for the compensation of damage suffered by a person due to unlawful or incorrect data processing within the scope of the contractual relationship.
The Client shall be solely responsible for compensation of damage suffered by a data subject due to inadmissible or incorrect processing of Client data within the scope of the commissioned processing in accordance with the applicable data protection law in the internal relationship with the Processor.
The Client undertakes to indemnify the Processor in the internal relationship from all claims of third parties as long as and insofar as it does not prove that the Processor has not complied with its obligations under the GDPR specifically affecting the Processor or has acted in non-compliance with a lawfully issued instruction of the Client or against a lawfully issued instruction.
If a data protection authority or a court imposes a fine on the Processor on the basis of a data processing by the Processor that is based on an instruction from the Principal, the Principal shall reimburse the Processor the relevant amount in full upon written notice within 30 days of the written notice.
The Principal shall reimburse the Processor for all costs resulting from the infringement for which the Processor is responsible in accordance with paragraphs 3 and 4, including the costs of legal proceedings.
Unlimited liability: The Processor shall be liable without limitation for intent and gross negligence, in the event of breach of a contractually granted guarantee and in accordance with the Product Liability Act. The Processor shall be liable for slight negligence in the event of damage to the life, body and health of persons. In all other respects, the following limited liability shall apply: In the event of slight negligence, the processor shall only be liable in the event of a breach of a material contractual obligation of the agreement, the fulfilment of which makes the proper performance of the agreement possible in the first place and on the observance of which the client may regularly rely (cardinal obligation). The liability for slight negligence is limited to the amount of the damages foreseeable at the time of the conclusion of the contract, the occurrence of which must typically be expected.

10.7.11 RETURN AND DELETION OF CLIENT DATA PROVIDED
The Processor shall return or delete all Client Data at the discretion of the Client after termination of the contractual provision of services (in particular in the event of termination or other termination of the agreement) and destroy existing copies, unless there is a legal obligation to store the data.
The Processor shall draw up a record of the deletion or destruction of Client Data, which shall be submitted to the Client upon request.
Documentation that serves as proof of the orderly and proper data processing or legal retention periods shall be kept by the Processor beyond the end of the contract in accordance with the respective retention periods.

10.8 The Parties undertake to keep confidential any facts, information and data, including related documents, which become known to them in connection with the contractual relationship and which are neither publicly known nor generally accessible ("Confidential Information"). Confidential Information shall also include analyses, summaries and extracts prepared on the basis of Confidential Data.

10.9 Each Party shall ensure that its personnel and third parties engaged by it (including their personnel) are required to maintain the confidentiality of Confidential Information entrusted to them or coming to their knowledge in the course of their work.

10.10 The disclosure of Confidential Information requires the prior written consent of the other party. However, the Client is permitted to disclose Confidential Information internally without the Provider's consent. The Provider is permitted to disclose Confidential Information internally within the group as well as to subcontractors approved by the Customer without the Customer's consent, provided that this is necessary for the performance of the service and the recipients have entered into corresponding confidentiality obligations in writing.

10.11 The confidentiality obligations shall continue to apply after termination of the contractual relationship or after performance of the agreed services.

11 Duration of the agreement and change of the scope of services

11.1 The contract is concluded for an indefinite period.

11.2 Subscriptions can be cancelled at the end of a subscription period (cf. Section 8.3) without a notice period.

11.3 Downgrades (e.g. number of licenses) can only be made at the end of a subscription period.

11.4 Upgrades can be made at any time.

11.5 The contract may be terminated extraordinarily at any time for good cause. Important reasons may include, in particular, infringements of Sections 3.5 and 7.3.

12 Contractual components

12.1 The integrated components of this contract are in descending order of priority:

  1. The signed offer
  2. The terms of service (the present contract document)
  3. The Service Level Agreement
  4. The subprocessor policy

Applicable law and place of jurisdiction

13.1 The court responsible for the location of the linkyard ltd. branch office has exclusive jurisdiction for all disputes arising from this contract, unless another court has exclusive jurisdiction based on mandatory legal provisions.

13.2 This contract is governed exclusively by Swiss law.

14 Final clauses

14.1 In the event of contradictions, the documents with a higher ranking always take precedence over the documents with a lower ranking. If there are several versions of these documents, documents that are more recent in time take precedence over older documents.

14.2 Should a provision of this contract be invalid or should the contract contain a loophole, the legal validity of the remaining provisions shall remain unaffected. In place of the invalid provision or the loophole, a valid provision shall be agreed which comes as close as possible to the economic purpose intended by the parties.

15. CLIENT DATA

15.1 The Processor shall provide the services agreed in accordance with this Annex to the Client exclusively in accordance with the Client's instructions and on the basis of the agreement concluded between the Parties on the processing of personal data on behalf of the Client. The Processor shall process the following personal data on behalf of the Client for the aforementioned purposes:

Type of data
Purpose of the date processing
Data subjects
User-created content
The application allows service users (customers) to store personal data, for example in free text fields. Instructions about the admissibility of such information and monitoring of compliance are the sole responsibility of the client.
Any person
Operation and support: name, email address, telephone number of customer contactsitical
Handling business correspondence between Processor and Client.
Customer contacts
Linking of user accounts with user data (e.g. assigned tasks).
Enabling efficient cooperation between users (use of core functionality of applications and of add-ons used). Specific configuration of such links is the responsibility of the customer.
Service users
(customers)
Further log files
Recording of actions on the system, possibly with user reference, for the purpose of analysis of faults or other specific incidents.
Service users
(customers)
Email notifications
Creation, storage and sending of emails sent via the application.
Service users
(customers)
Customer user accounts (name, email address, avatar) and group affiliation/assigned role
Management of user accounts for access to service.
Service users
(customers)
Audit logs (amendments by users/customers)
Recording of amendments made to the system with user reference for purpose of reproducibility and auditability.
Service users
(customers)

16. TECHNICAL AND ORGANISATIONAL MEASURES

16.1 The Processor assures the Principal that it has taken the following technical and organisational measures in accordance with Section 16.4 (3) BDSG-neu and the associated Annex.
Contract with subcontractors:
a) Microsoft: "Terms and Conditions for Online Services".
Status: 1 June 2018
b) cloudscale.ch AG: "Agreement on commissioned processing".
Status: 24 August 2018

16.2 Access control
Access control is intended to prevent unauthorised persons from gaining access to processing equipment with which processing is carried out.
The control of access to the server systems has been contractually agreed with our suppliers and is ensured by them:
c) For data centre location Netherlands: Microsoft "Appendix B - Security Measures".
d) For data centre location Switzerland: cloudscale.ch AG.
No personal data is stored outside the above-mentioned systems.

16.3 Data carrier control
The data carrier control is intended to prevent unauthorised persons from reading, copying, modifying or deleting data carriers.
No personal data is stored on data carriers outside the server locations mentioned under "Access control". The contracts mentioned there also cover the careful handling of data carriers.

16.4 Storage control
The purpose of storage control is to prevent unauthorised persons from gaining knowledge of stored personal data and from entering, modifying and deleting such data.
All discs are clearly assigned to a client and before the data on the disc is made available, it is automatically checked whether this data is really from the client and application concerned. Only if this is the case is the data made available.
The operators of the infrastructure (Microsoft for the Netherlands or cloudscale for Switzerland) have undertaken in the contracts [1] and [2] to restrict access to the systems to a minimum and not to make any changes to the data.
For the "hard disk encryption" option (Switzerland only): All data on the disks is encrypted using AES256. The key for this is only accessible to carefully selected linkyard employees; subcontractors have no access to this data. This measure requires manual intervention when restarting the systems concerned and thus increases the recovery time.

16.5 User control
User control is intended to prevent unauthorised persons from using automated processing systems by means of data transmission.
The applications used authenticate the end users according to industry standards. If desired, we will additionally activate authentication with a second factor or by means of an authentication server provided by the customer (e.g. ADFS) as a chargeable option.
The customer can make individual or all contents of the applications publicly available and thus waive authentication for these contents. This is the customer's responsibility and linkyard has no influence on it. Upon delivery, linkyard configures the products in such a way that only authenticated users have access.
For the administration of the systems, linkyard uses special access points to which only specially trained and vetted employees have access.

16.6 Authorisation control
Authorisation control is intended to ensure that those authorised to use an automated processing system have access only to the personal data covered by their access authorisation.
The standard authorisation system integrated into the respective products shall be used to manage and check the authorisations of users.

16.7 Transmission control
The purpose of transmission control is to ensure that it is possible to verify and establish to which entities personal data has been or may be transmitted or made available by means of data transmission equipment.
Linkyard does not transfer customer data to third parties without an explicit request from the customer. These requests will be documented by linkyard.

16.8 Input control
The purpose of input control is to ensure that it is possible to check and establish retrospectively which personal data has been entered or modified in automated processing systems, at what time and by whom.
The applications keep audit logs for the traceability of changes in the system.

16.9 Transport control
The purpose of transport control is to ensure that the confidentiality and integrity of data are protected during the transmission of personal data and during the transport of data media.
All connections are encrypted using the current state of TLS or by means of SSH. The linkyard uses generally recognised certificates.
Email messages are encrypted using TLS if supported by the other party. At the customer's request, we activate direct encrypted delivery from our systems to the customer's mail server.
A transport of personal data by means of data carriers does not normally take place. If this should take place, the data is encrypted at least AES-256 and the key is transported separately. Corresponding transports are documented.

16.10 Recoverability
Restorability is intended to ensure that deployed systems can be restored in the event of a malfunction.
Backups are created and stored at least daily according to the backup plan selected by the customer. Restoreability is checked at least once a year as part of the application updates. Additional checks can be carried out at the client's request.
The storage of the backups is physically separated from the source data in a separate data centre. The backups are stored in encrypted form, the contractually guaranteed location (Netherlands/Switzerland) only applies to the storage of the keys.

16.11 Reliability
Reliability is to ensure that all functions of the system are available and any malfunctions that occur are reported.
Service monitoring detects service failures and initiates recovery using automatic self-healing procedures. If this fails, the fault is automatically escalated to linkyard's service support.
Service availability is logged and failures are analysed retrospectively.

16.12 Data integrity
Data integrity is intended to ensure that stored personal data cannot be damaged by system malfunctions.
Daily backups exist for all data (compare "Restorability"). The integrity of the backups is checked automatically.
In the case of major interventions such as software updates, an additional backup is created in advance and the interventions in question are tested on test systems beforehand.

16.13 Job control
Order control is intended to ensure that personal data processed on behalf of the client can only be processed in accordance with the client's instructions.
Appropriate, separate contracts for commissioned data processing are concluded with subcontractors.
Upon conclusion of the contract, linkyard's employees will be instructed on the regulations governing the processing of the client's personal data.

16.14 Availability control
Availability control is designed to ensure that personal data is protected against destruction or loss.
All services are designed redundantly at the physical level; the failure of individual devices leads at most to a brief interruption. The infrastructure (servers, storage, networks) is designed for high availability in accordance with contracts with our partners:
Data centre location Netherlands: Microsoft
Data centre location Switzerland: cloudscale.ch AG
Daily backups are made of all customer data, see "Recoverability".
In the event of a major event leading to a prolonged failure of an entire data centre (disaster), we are able to resume operations at a second location on the basis of the backups.

16.15 Separability
Separability is intended to ensure that personal data collected for different purposes can be processed separately.
The applications of the individual clients are separated from each other by the following measures:
Separate database instances: The applications all have their own database with their own access data.
Separate (logical) disks: Each application and each database has its own logical disc available for its data. It has no access to the disks of other applications.
Container: The applications run in separate Linux containers with minimal rights.
Network: Each client has its own separate (software-defined) network (if technically possible).
Access: The customers only have access to the application itself and not to the systems.
On special customer request, the allocation of a dedicated virtual machine only for this customer is possible to achieve an even better separation.
The separation of data within the applications is the responsibility of the customer.

16.16 Handling security incidents
Linkyard has a documented procedure for handling security incidents. Each potential incident is documented, classified and appropriate action is taken as required. Customers are actively informed about incidents that affect them.
For the Netherlands location: An analogous regulation has been agreed with Microsoft.
For the Swiss location: An analogous regulation has been agreed with cloudscale.ch AG.

16.17 Regular review and evaluation
Linkyard has a certified security management system in accordance with ISO 27001:2013, which explicitly includes the regular monitoring of measures and an ongoing assessment of risks. The effectiveness of the measures is regularly reviewed by external bodies.
Microsoft is ISO 27001:2013 certified and is therefore also obliged to conduct regular reviews.
Cloudscale.ch AG is also committed to regular reviews. The Cloudscale.ch AG data centre is also ISO 27001:2013 certified.


Essayez-le gratuitement ?

Cela fonctionne ! Si vous avez des questions en attendant, n'hésitez pas à nous contacter par chat.
Essayez-le dès maintenant