Software as a Service - Terms and Conditions

1. Scope of Applicability

These SaaS Terms set forth the terms and conditions under which YAPU will provide the Customer with access to certain applications as set forth on the Purchase Order (“Hosted Software”) and user documentation that YAPU makes generally available in hard copy or electronic form to its general customer base in conjunction with the licensing of such Software ("Documentation").

2. License Grant and Right of use

2.1. YAPU makes available the Hosted Software to the Customer under a Software-as-a-Service (SaaS) model limited to the term of this Agreement as defined in the Purchase Order (the “Subscription Term”).

2.2. Subject to all limitations and restrictions contained in this Agreement, YAPU grants the Customer a non-exclusive, non-transferable, non-sublicensable right to access the Hosted Software (and its Documentation) as hosted by YAPU during the Subscription Term and to use it solely to perform those functions described in the Documentation for its internal business purposes (the “SaaS License”).

2.3. Unless expressly prohibited in the Purchase Order, the Customer is allowed to permit any subsidiaries, affiliated companies, or third parties to access the Hosted Software. Sentence 1 applies only if the Customer i) pays the Service Fees indicated on the Purchase Order also for the services used by said parties, and ii) ensures strict adherence of said parties to the terms of this Agreement. The Customer is fully liable for the acts and omissions of such third parties under this Agreement. Any breach of the terms of this Agreement by any such parties shall be regarded as a breach of this Agreement by the Customer.

2.4. YAPU shall endeavor to ensure a high degree of availability of the Hosted Software. Notwithstanding this, it may be necessary to temporarily suspend availability for maintenance purposes. Where possible, YAPU will notify the Customer in advance and in a timely manner of any maintenance schedules and shall plan such maintenance in a fashion that causes the least possible impairment.

2.5. YAPU is entitled to update the Hosted Software on a regular basis as part of its overall approach on lifecycle management and product improvement.

2.6. YAPU reserves the right to subcontract any services under this Agreement.

2.7. The Customer agrees to keep YAPU informed of any changes to its status and to provide YAPU with any information that is relevant to the service provision and/or this Agreement in general (billing address, financial status, etc.).

3. Authorized Users

3.1. Unless agreed otherwise in the Purchase Order, the SaaS License is granted as a license per User Account. A “User Account” means an online account that permits access to the Hosted Software and that is set up for specifically named Authorized Users (as defined below). The maximum number of User Accounts is specified in the Purchase Order.

3.2. Unless expressly provided otherwise in the Purchase Order, “Authorized Users” will only consist of: (i) employees of the Customer, and (ii) subject to Section 7 (Confidentiality), third parties as authorized under Sec. 2.3 above. The Customer is fully liable for the acts and omissions of Authorized Users under this Agreement.

3.3. The Customer is responsible for ensuring that access to a User Account is not shared. Only one individual may authenticate to one User Account.

3.4. The Customer shall be obliged to keep the login names and the passwords required for the use of the Hosted Software confidential, to keep them in a safe place, and to protect them against unauthorized access by third parties with appropriate precautions, and to instruct its Authorized Users to observe copyright regulations. Personal access data must be changed at regular intervals.

4. Non-Permitted Uses

4.1. Except to the extent expressly permitted in this Agreement or required by law on a non-excludable basis, the SaaS License granted by YAPU to the Customer under this Agreement is subject to the following prohibitions:

a) the Customer must not permit any unauthorized person to access or use the Hosted Software;

b) the Customer must not use the Hosted Software to provide services to third parties, unless otherwise specified in the Agreement;

c) the Customer must not republish or redistribute any content or material from the Hosted Software;

d) the Customer must not make any alteration to the Software, except as permitted by the Documentation; and

e) the Customer will not, directly or indirectly: (i) reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas, know-how or algorithms relevant to the Hosted Software; (ii) modify, translate or create derivative works based on the Hosted Software (except to the extent expressly permitted by YAPU).

4.2. The Customer must not use the Hosted Software in any way that

a) is unlawful, illegal, fraudulent or harmful, or is connected to such behavior;

b) causes, or may cause, damage to the Hosted Software or impairment of the availability or accessibility of the Hosted Software, including through, but not limited to, the promotion or distribution of, or infection with, any viruses, worms, spyware, adware or other harmful or malicious or not-fit-for-purpose software, programs, routines, applications or technologies.

5. Service Fees

5.1. The Customer shall pay YAPU the fees indicated on the Purchase Order (the “Service Fees”).

5.2. Unless otherwise provided in a Purchase Order, all fees are to be paid to YAPU within fifteen (15) days of the date of invoice.

5.3. Any late payment will be subject to any costs of collection (including reasonable legal fees) and will bear interest at the statutory rate.

5.4. If the Customer is delinquent on a payment of Service Fees for fifteen (15) days or more, YAPU may suspend access to the Hosted Software.

5.5. Complaints concerning invoices must be made in writing within fifteen (15) days from the date of the invoice. Invoices will be sent by electronic delivery unless requested otherwise by the Customer, in which case additional fees will apply.

5.6. All amounts stated in or in relation to this Agreement are, unless the context requires otherwise, stated exclusive of any applicable value added taxes or other specific taxes such as withholding tax, which will be added to those amounts and are payable by the Customer to either YAPU or, as applicable, directly to the local tax authorities.

6. IP Ownership

6.1. The Customer acknowledges that, subject to the SaaS Licenses granted herein, the Customer has no ownership interest in the Hosted Software or YAPU materials provided to the Customer.

6.2. YAPU will own all right, title, and interest in such Software and YAPU materials, subject to any limitations associated with intellectual property rights of third parties. YAPU reserves all rights not specifically granted herein.

7. Confidentiality

7.1. Each Party undertakes to treat the confidential information of the respective other Party in strict confidence and to use it only for the performance of this Agreement.

7.2. After termination of this Agreement, all rights and obligations of each Party with respect to the confidential information of the respective other Party shall continue to apply for a period of ten (10) years.

8. Customer Data and Data Protection

8.1. Before entering its data and information into the Hosted Software (such data the “Customer Data”) and/or using hardware and software in connection with the Hosted Software, the Customer shall be obliged to check the same for viruses or other harmful components and to use state-of-the-art anti-virus programs for this purpose.

8.2. In addition, the Customer itself shall be responsible for the entry and the maintenance of its Customer Data. YAPU shall create a back-up copy of the Customer Data at least on a weekly basis.

8.3. The Customer grants to YAPU a non-exclusive, royalty-free license to access, use, reproduce, modify, perform, display and distribute Customer Data as is reasonable or necessary for YAPU to perform or provide the Hosted Software.

8.4. The Customer is solely responsible for all Customer Data, in particular that its transfer and use in accordance with this Agreement does not violate any applicable laws, including data protection laws, and/or intellectual property rights of third parties.

8.5. The Customer acknowledges that YAPU does not exercise any control over Customer Data and that it acts as a mere or passive conduit in transmitting and handling Customer Data.

8.6. Any processing of personal data of the Customer by YAPU on the Customer’s behalf shall be governed by a separate data processing agreement to be executed in accordance with Art. 28 GDPR, if and to the extent required under the GDPR. This data processing agreement is attached hereto.

9. Pilot and Trial Phase

9.1. The Parties may agree on a Pilot Phase and/or a Trial Phase during which specific provisions may apply and during which, in case of a Trial Phase, YAPU will provide the Hosted Software free of charge.

9.2. During such Trial Phase, YAPU assumes no responsibility regarding the completeness and/or correctness of free software, unless YAPU has caused the defect with intent, by gross negligence or by fraudulent concealment.

10. Limitation of Liability

10.1. In case of willful misconduct, YAPU shall be liable according to the statutory provisions of applicable law.

10.2. In case of gross negligence, YAPU shall be liable according to the statutory provisions of applicable law.

10.3. In case of ordinary negligence, YAPU shall – provided that the standard of liability is not limited according to statutory provisions of applicable law (such as any limitation to the duty of care observed in own affairs) – only be liable for breach of material contractual obligations (material contractual obligations are obligations the breach of which endangers the purpose of the agreement and the fulfilment of which the Customer generally relies and may reasonably rely on); in this case YAPU’s liability shall be limited to the typical damages that were reasonably foreseeable. Therefore, indirect and consequential damages resulting from defects of the delivered goods and/or work are only eligible for compensation if such damages are typical and reasonably foreseeable and when the goods and/or work are used in conformity with its intended purpose.

10.4. The aforementioned limitations do not apply to

a) damages resulting from injury to life, body or health;

b) liability pursuant to the German Product Liability Act;

c) the assumption of a guarantee for the condition of goods and/or work or fraudulent concealment of defects by YAPU.

10.5. The aforementioned limitations of liability shall, subject to the provisions of Section 9.5, apply to (i) any liability claims for whatever legal reason but in particular due to impossibility, default, defective or incorrect delivery, breach of contract, breach of obligations in contractual negotiations and tort, as far as such claims are subject to fault, and (ii) any breach of duty by vicarious agents or any other person for whose conduct YAPU can be held liable according to the statutory provisions of applicable law.

11. Term and Termination

11.1. The Subscription Term shall be defined in the Purchase Order.

11.2. This Agreement may be terminated by YAPU: (i) if the Customer fails to make any payments due hereunder within fifteen (15) days of the due date; (ii) on thirty (30) days written notice to the Customer if the Customer fails to perform any other material obligation required of it hereunder, and such failure is not cured within such thirty (30) day period; or (iii) the Customer files a petition for bankruptcy or insolvency, has an involuntary petition filed against it, commences an action providing for relief under bankruptcy laws, files for the appointment of a receiver, or is adjudicated a bankrupt concern.

11.3. Upon termination of this Agreement, the Customer shall no longer access the Hosted Software and the Customer shall not circumvent any security mechanisms contained therein.

11.4. Within thirty (30) days following the termination of this Agreement for any reason and the submission of a request to transfer data (“Data Transfer Request”), whatever is later, YAPU will provide the Customer with an extract of all Customer Data stored on the Software at the moment of termination, in machine-readable format. A Data Transfer Request must be submitted within seven (7) days of termination. Absent a Data Transfer Request, YAPU will delete the Customer Data from its Software.

11.5. Anonymized data previously produced from the Customer Data may be retained by YAPU, in particular for academic and product development purposes. Technical copies produced within an IT archiving system may be retained.

12. Updates of these SaaS Terms

12.1. YAPU reserves the right to change these SaaS Terms from time to time by providing the Customer with a corresponding notice in writing (email sufficient).

12.2. Any such change shall become effective upon expiration of thirty (30) days of receipt of YAPU’s notice to the Customer.

12.3. During that period, the Customer shall have the right to terminate this Agreement by providing a corresponding written notice to YAPU, should the Customer not be prepared to accept the revised SaaS Terms.

12.4. Should the Customer not exercise its early termination right within said period, the Agreement shall continue on the basis of the revised SaaS Terms.

13. Final Provisions

13.1. Amendments or additions to this Agreement shall require written form to be effective, unless a stricter form is required under mandatory law. The same applies to the waiver of this written form requirement. Unless expressly agreed otherwise in this Agreement, e-mails do not comply with this written form requirement. The written form requirement under this Agreement shall be deemed to have been met when the copy of a declaration is being transmitted by telecommunications (e.g. as an attachment to an e-mail) and that copy contains the signature of the person making that declaration, unless a stricter form is required under mandatory law. In case of convenience translations of this Agreement, only the English version of this Agreement shall be binding.

13.2. This Agreement shall be governed by the laws of the Federal Republic of Germany, excluding the conflict of laws rules of private international law. The applicability of the UN Convention on Contracts for the International Sale of Goods (CISG) is excluded.

13.3. Exclusive place of jurisdiction for all disputes arising out of or in connection with this Agreement shall be Berlin, Germany, unless otherwise required by mandatory law.

13.4. The language of the Agreement is English; translations are indicative only.

13.5. Should any provision of this Agreement be or become invalid or unenforceable in whole or in part, the validity of the remaining provisions of this Agreement shall not be affected. The same shall apply if and insofar as a gap in this Agreement becomes apparent. In place of the invalid or unenforceable provision or to fill the gap, an appropriate provision shall apply which, as far as legally possible, comes closest to or corresponds to what the Parties economically intended or would have intended according to the spirit and purpose of this Agreement, had they considered this point.

Data Processing

This Data Processing Agreement (“DPA”), which does not require separate signature, is an integral part of the Agreement (“Agreement”) between YAPU Solutions GmbH (“YAPU”) and “Customer” as executed by execution of a Purchase Order dated [___].

All capitalized terms not defined in the below shall have the meaning set forth in the Agreement.

In the course of providing the services to Customer in accordance with the Agreement, YAPU may process Personal Data on behalf of Customer, and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

The provisions of this DPA are applicable throughout the Subscription Term of the Agreement. Sec. 6 of this DPA shall survive the termination of the Agreement. Any provision of the Agreement that directly contradicts this DPA shall be superseded by this DPA. All other provisions of the Agreement, including those on services, warranties, warranty limitations, limitation of liabilities, force majeure, events of default, notices and miscellaneous provisions, shall be read as supplementing and complementing this DPA.

1. Scope and Purpose

This DPA concerns the rights and obligations between the parties concerning the operations that are or may be performed on Personal Data as part of the Agreement, whether or not through automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or other use, restriction, erasure or destruction (“Processing”). It aims to ensure full compliance with the General Data Protection Regulation and the German Bundesdatenschutzgesetz (BDSG), as amended from time to time.

2. Data Covered and Territorial Scope

The DPA covers all Customer Data including all Personal Data. Transfer of data to a country other than (i) the country or countries where the Customer Data originates, (ii) Germany and (iii) Ireland, where YAPU maintains its servers, shall not occur without prior written consent of the Controller and only to the extent permitted by law.

3. Roles and Responsibilities

3.1 Roles and Functions

(a) The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the entity which determines the purposes and means of the Processing of Personal Data (“Controller”), while YAPU is the entity which Processes Personal Data on behalf of the Controller (“Processor”).

(b) The purpose of the Processing of Personal Data is the performance of the services and the fulfilment of the Agreement (“Processing Purpose”).

(c) YAPU may engage third parties to process Customer Data (“Sub-Processors”) pursuant to the requirements set forth in this DPA.

(d) At the time of execution of this Agreement, YAPU uses the following Sub-Processors: MongoDB Limited, Amazon Web Services, Heroku.

(e) YAPU shall not engage additional Sub-Processors without prior specific or general written authorisation of the Customer. The Customer hereby grants such general written authorisation.

(f) In the case of general written authorisation, YAPU shall inform the Customer of any intended changes concerning the addition or replacement of other Sub-Processors, thereby giving the Customer the opportunity to object to such changes.

3.2 Responsibilities

(a) Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer has acquired and uses Personal Data.

(b) Customer’s instructions concerning the Processing of Customer Data shall at all times comply with applicable Data Protection Laws.

(c) Processor shall act exclusively on documented instructions from the Controller. The Processor shall ensure that the Customer Data entrusted is not used for other purposes or Processed in any other way than as stated in the Controller's instructions.

4. Data Subjects

4.1 Data Subject Requests

(a) As the Controller, Customer is responsible to respond to any requests from a person identified or identifiable in any Personal Data Processed within the scope of the Agreement (“Data Subject”) concerning access, rectification or erasure (“Data Subject Request”).

(b) When YAPU receives a request from a Data Subject, YAPU will promptly notify Customer of such request.

4.2 Assistance

(a) Where possible, YAPU shall give appropriate assistance to Customer for the fulfilment of the latter’s obligation to respond to a Data Subject Request.

(b) Customer shall be responsible for any costs arising from YAPU’s assistance.

5. Confidential Handling

5.1 Secure from Interference

(a) YAPU shall organize the Processing operations in such a way that Personal Data is reasonably secure from loss, damage, alteration, unintended Processing or non-authorized interference of whatever nature (“Data Security Infrastructure”). YAPU regularly monitors the Data Security Infrastructure.

(b) YAPU leverages the following tools and installations for its Data Security Infrastructure:

a. Software:

i. Network security:

1. Firewalls: YAPU through its Sub-Processors utilizes firewalls to restrict access to systems from external networks and between systems internally. By default, all access is denied and only explicitly allowed ports and protocols are permitted based on business need. Each system is assigned to a firewall security group based on the system’s function. Security groups restrict access to only the ports and protocols required for a system’s specific function to mitigate risk.

Host-based firewalls restrict customer applications from establishing localhost connections over the loopback network interface to further isolate customer applications. Host-based firewalls also provide the ability to further limit inbound and outbound connections as needed.

2. DDoS Mitigation: YAPU through its Sub-Processors’ infrastructure provides DDoS mitigation techniques including TCP Syn cookies and connection rate limiting in addition to maintaining multiple backbone connections and internal bandwidth capacity that exceeds the Internet carrier supplied bandwidth. YAPU works closely with its Sub-Processors to quickly respond to events and enable advanced DDoS mitigation controls when needed.

3. Spoofing and sniffing protections: YAPU through its Sub-Processors’ managed firewalls prevents IP, MAC, and ARP spoofing on the network and between virtual hosts to ensure spoofing is not possible. Packet sniffing is prevented by infrastructure including the hypervisor which will not deliver traffic to an interface which it is not addressed to. YAPU through its Sub-Processors utilizes application isolation, operating system restrictions, and encrypted connections to further ensure risk is mitigated at all levels.

4. Port scanning: Port scanning is prohibited and every reported instance is investigated by YAPU through its Sub-Processors’ infrastructure provider.  When port scans are detected, they are stopped and access is blocked.

ii. Data security

1. YAPU applications: YAPU’s application runs on Sub-Processors’ platforms within its own isolated environment and cannot interact with other applications or areas of these Sub-Processors’ systems. This restrictive operating environment is designed to prevent security and stability issues.  These self-contained environments isolate processes, memory, and the file system using LXC while host-based firewalls restrict YAPU’s and other applications hosted on the same Sub-Processors from establishing local network connections.

2. Sub-Processor postgres: YAPU data is stored in separate access-controlled databases. YAPU databases require a unique username and password that is only valid for that specific database and is unique to a single application.

YAPU connections to postgres databases require SSL encryption to ensure a high level of security and privacy.

Stored data can be encrypted by YAPU applications in order to meet data security requirements. YAPU can implement data storage, key management, and data retention requirements when developing its application.

iii. System security:

1. System configuration: System configuration and consistency is maintained through standard, up-to-date images, configuration management software, and by replacing systems with updated deployments. Systems are deployed using up-to-date images that are updated with configuration changes and security updates before deployment. Once deployed, existing systems are decommissioned and replaced with up-to-date systems.

2. System authentication: Operating system access is limited to Sub-Processors’ staff and requires username and key authentication. Operating systems do not allow password authentication to prevent password brute force attacks, theft, and sharing.

b. Hardware:

i. Data centers: YAPU’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes the Amazon Web Service (AWS) technology.

ii. Physical security: YAPU through its Sub-Processor utilizes ISO 27001 and FISMA certified data centers managed by Amazon. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means.

Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. Amazon only provides data center access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical and electronic access to data centers by Amazon employees is logged and audited routinely.

c. Third-party certification:

a. Hardware

i. Data centers: YAPU through its Sub-Processors relies on secure data centers managed by Amazon. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under: ISO 27001, SOC 1 and SOC 2 / SSAE 16 / ISAE 3402, PCI Level 1, FISMA Moderate and Sarbanes-Oxley (SOX).

d. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, YAPU shall facilitate reasonable access of Customer to relevant certificates held by the YAPU and/or its Sub-Processors.
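The network, database and system-authentication controls described in 5.1(b) (default-deny security groups, SSL-only Postgres connections, key-only operating system login) are the kind of claims a Customer exercising its certificate-access right under (d) may also want to verify against concrete configuration. The following Python script is an added example of such checks; it is not YAPU's or its Sub-Processors' code, and the security-group rules, connection string and sshd_config text in it are constructed samples rather than any real environment's configuration.

```python
"""Audit helpers for the controls described in DPA section 5.1(b).

Added example with constructed inputs; the rules, DSN and sshd_config
text below are samples, not YAPU's or its Sub-Processors' configuration.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# --- 1. Security-group evaluation: deny by default, allow only listed ports ---

# A rule allows one protocol, one inclusive port range and one source CIDR.
# Constructed sample: a web tier that should expose only 443 to the Internet
# and 5432 only to the application subnet.
SAMPLE_RULES = [
    ("tcp", 443, 443, "0.0.0.0/0"),
    ("tcp", 5432, 5432, "10.0.1.0/24"),
]


def is_allowed(rules, proto, port, src_ip):
    """Return True only if some rule explicitly matches; otherwise deny."""
    src = ipaddress.ip_address(src_ip)
    for r_proto, lo, hi, cidr in rules:
        if r_proto == proto and lo <= port <= hi and src in ipaddress.ip_network(cidr):
            return True
    return False  # implicit default deny, as the DPA describes


def find_overexposed(rules, internet_ok_ports):
    """Flag rules that open a port to the whole Internet that is not meant to be public."""
    findings = []
    for r_proto, lo, hi, cidr in rules:
        if ipaddress.ip_network(cidr).prefixlen == 0:  # 0.0.0.0/0 or ::/0
            for port in range(lo, hi + 1):
                if port not in internet_ok_ports:
                    findings.append((r_proto, port, cidr))
    return findings


# --- 2. Postgres connection string: TLS must be required, ideally verified ---

VERIFIED_SSLMODES = {"verify-ca", "verify-full"}
ENCRYPTED_SSLMODES = VERIFIED_SSLMODES | {"require"}


def check_pg_dsn(dsn):
    """Classify the sslmode of a postgres:// URL.

    Returns 'verified', 'encrypted-unverified' or 'insecure'. libpq's default
    sslmode ('prefer') falls back to plaintext when the server offers no TLS,
    so an absent or weaker sslmode is treated as insecure. 'require' encrypts
    but does not authenticate the server, hence the middle category.
    """
    params = parse_qs(urlparse(dsn).query)
    mode = params.get("sslmode", ["prefer"])[0]
    if mode in VERIFIED_SSLMODES:
        return "verified"
    if mode in ENCRYPTED_SSLMODES:
        return "encrypted-unverified"
    return "insecure"


# --- 3. sshd_config: key authentication only, no passwords ---

SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
"""


def check_sshd_config(text):
    """Return a list of findings; an empty list means the claim in 5.1(b) iii.2 holds."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        settings[key.lower()] = value.strip().lower()
    findings = []
    # sshd defaults are 'yes' for all three, so a missing directive is a finding.
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if settings.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if settings.get("challengeresponseauthentication", "yes") != "no":
        findings.append("ChallengeResponseAuthentication still permits interactive passwords")
    return findings


if __name__ == "__main__":
    print("443 from Internet:", is_allowed(SAMPLE_RULES, "tcp", 443, "203.0.113.5"))
    print("5432 from Internet:", is_allowed(SAMPLE_RULES, "tcp", 5432, "203.0.113.5"))
    print("overexposed:", find_overexposed(SAMPLE_RULES + [("tcp", 22, 22, "0.0.0.0/0")], {443}))
    print("dsn:", check_pg_dsn("postgres://app:pw@db.example/yapu?sslmode=require"))
    print("sshd findings:", check_sshd_config(SAMPLE_SSHD_CONFIG))
```

The three checks are deliberately independent: the security-group evaluator shows that a port with no matching allow rule is denied even when nothing denies it explicitly, the DSN check distinguishes encryption from server verification (the DPA only states that SSL is required), and the sshd check treats an absent directive as a finding because OpenSSH defaults password and keyboard-interactive authentication to enabled.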

5.2 Back-Up and Disaster Recovery Information

YAPU takes daily back-ups of data on behalf of the Customer. This includes data on: client general settings, questionnaire templates, end-customer questionnaire data (raw data and reports), end-customer states, business cards and users. Back-ups are retained for thirty (30) consecutive days.

In addition, YAPU applies the following measures:

(a) Back-up:

i. YAPU’s application is automatically backed up as part of the deployment process on secure, access controlled, and redundant storage.  YAPU through its Sub-Processors uses these backups to deploy YAPU’s application across Sub-Processor’s platform and to automatically bring YAPU’s application back online in the event of an outage.

ii. YAPU postgres database: Continuous Protection keeps data safe on Sub-Processor Postgres. Every change to YAPU’s data is written to write-ahead logs, which are shipped to multi-datacenter, high-durability storage. In the unlikely event of unrecoverable hardware failure, these logs can be automatically 'replayed' to recover the database to within seconds of its last known state.

iii. Configuration and meta-information: YAPU’s configuration and meta-information is backed up every minute to the same high-durability, redundant infrastructure used to store YAPU’s database information. These frequent backups allow capturing changes made to the running application configuration added after the initial deployment.

iv. Sub-Processor Platform: From Sub-Processor’s instance images to its databases, each component is backed up to secure, access-controlled, and redundant storage.  Its platform allows for recovering databases to within seconds of the last known state, restoring system instances from standard templates, and deploying customer applications and data.  In addition to standard backup practices, Sub-Processor’s infrastructure is designed to scale and be fault tolerant by automatically replacing failed instances and reducing the likelihood of needing to restore from backup.

(b) Disaster recovery:

i. YAPU application and databases: Sub-Processor’s platform automatically restores YAPU application and Sub-Processor Postgres databases in the case of an outage. The Sub-Processor’s platform is designed to dynamically deploy applications within the Sub-Processor’s cloud, monitor for failures, and recover failed platform components including customer applications and databases.

ii. Sub-Processor’s Platform: the Sub-Processor’s platform is designed for stability, scaling, and inherently mitigates common issues that lead to outages while maintaining recovery capabilities. Its platform maintains redundancy to prevent single points of failure, is able to replace failed components, and utilizes multiple data centers designed for resiliency. In the case of an outage, the platform is deployed across multiple data centers using current system images and data is restored from backups. Sub-Processor reviews platform issues to understand the root cause, impact to customers, and improve the platform and processes.

5.3 YAPU Staff

YAPU’s staff shall access Personal Data on a need-to-know basis only. Each staff member has signed a confidentiality agreement obliging him or her to strict confidentiality concerning Personal Data. YAPU has taken reasonable steps to ensure the reliability of its staff.

5.4 Incidents

Whenever YAPU learns of a breach of, damage to, or risk of damage to, the Data Security Infrastructure or the handling of Personal Data through YAPU’s staff or Sub-Processors engaged (“Incident”), YAPU shall immediately inform Customer, prepare a written data log for the Incident, and take all reasonable measures to identify and remediate the cause of the Incident.

5.5 Data Protection Officer

YAPU has appointed a data protection officer that can be reached at data.privacy@yapu.solutions.

6. Data Transfer and Deletion

6.1 Transfer

Within thirty (30) days of termination of the Agreement, Customers may request return of their respective Customer Data Processed within the services (to the extent such data has not been deleted by Customer). YAPU shall provide such Customer Data via a file in comma separated value (.csv) format and attachments in their native format for download.

6.2 Deletion of Data

After termination of the Agreement, Customer Data processed within the services is retained in inactive status for one hundred and twenty (120) days, after which it is securely overwritten or deleted within sixty (60) days, or from backups within ninety (90) days. Anonymized data previously produced from the Customer Data may be retained by YAPU; in particular for academic and product development purposes, as long as Personal Data can no longer be extrapolated from it.

Additional Specifications:

1. Hosted Software:

As specified in [offer] submitted on [date].

2. Additional Consulting Services:

As specified in [] submitted on [date].