Terms of Sale

Usted está aquí: InLoox Terms of Sale

  The contractual terms will depend on your contract partner.

If your contract partner is InLoox GmbH based in Munich, Germany, the General Terms of Business of InLoox GmbH will apply.

If your contract partner is InLoox, Inc. based in San Francisco, USA, the InLoox, Inc. Terms and Conditions of Sale will apply.

Contracting partner

InLoox GmbH

General Terms of Business of InLoox GmbH

§ 1 General

1. These General Terms of Business apply to contractual relations and legal relationships between InLoox GmbH – hereinafter also referred to as InLoox – and third parties, unless the contractual parties agree otherwise in writing; the respective current version can be found at www.inloox.com/terms-of-sale. Provisions of the customer or other third parties which are contradictory to or at variance with these General Terms of Business shall apply only to the extent that InLoox has explicitly agreed to them in writing. These General Terms of Business also apply if InLoox is aware of contradictory or differing provisions of the customer or third parties but nevertheless unconditionally carries out its business obligations. Such conduct does not constitute tacit agreement by InLoox regarding the validity of the contradictory or differing provisions advanced by third parties.

2. These General Terms of Business also apply to all future business transactions with customers and/or third parties.

§ 2 Offers, right of withdrawal, cancellation

1. Offers by InLoox are not binding with regard to the date or time of delivery or performance, unless this obligation is explicitly given in writing as part of the offer, or the obligation of setting a price or other aspects is explicitly cited on the electronic ordering page.

2. A contractual relationship first comes into existence after a written or electronic confirmation of order has been sent off, and through the contents reflected therein. Furthermore, offers by InLoox are without obligation. InLoox reserves the right to make technical and other changes to a reasonable extent.

3. For a customer who is a consumer within the meaning of § 13 of the German Civil Code (BGB), the following applies:

The consumer (customer) shall be entitled – to the extent that the contract based on these conditions was concluded solely through means of telecommunications – to a right of withdrawal. The consumer will be instructed about the conditions of the right of withdrawal, its extent and the withdrawal period during the ordering transaction separately. The right of withdrawal for contracts concluded under these General Terms of Business does not apply in the case of goods which have been finished according to customer specifications or unmistakeably adapted to personal requirements, or which, due to their particular characteristics, are inappropriate for return delivery. Audio or video recordings or software are also excluded if the seal on the data carrier has been broken by the customer. The customer (consumer) is, when exercising the right of withdrawal, required to return the goods if the article can be sent as a parcel. In this case, he shall bear the costs of return delivery for orders up to an amount of 40 €, unless the delivered software does not correspond to that which was ordered.

4. If InLoox is unable to perform the agreed-upon services within the time period, due to reasons outside the responsibility of either of the contracting parties (e.g. acts of God, strikes and other obstacles to performance of the service which were not foreseeable and for which InLoox was not responsible, and which cannot be overcome at an economically reasonable cost), and if this performance also cannot be performed within the limits of a reasonable extension of the time period, both parties shall be entitled to cancel the contract without compliance with a deadline. In such cases the customer shall retain the right to the services performed in part up to the moment at which the cancellation enters into force; InLoox retains the right to proportionate compensation. All statements in this connection must be in writing in order to be valid. 

5. The threat to terminate the further exchange of services for some other reason must always be accompanied by a statement of the reasons and the imposition of a time period within which to remedy the problem (as a rule, at least two weeks) and may be issued only two weeks after the expiration of the time period. In cases falling under § 323(2) German Civil Code (BGB), a time delay may be waived. The party which is principally responsible for the nuisance shall not be entitled to demand a reversal of the transaction. All statements in this connection must be in writing to be valid.

§ 3 Object of the contract, scope of use of the software

If the object of the contract is the delivery of InLoox software products (software), the scope of use of the software and the rights and obligations resulting there from are based on the rights of use granted in the license certificate, as well as the terms laid down in any separate licensing agreement and/or in particular, the licensing terms of InLoox GmbH (EULAs) for the software.

§ 4 Prices, payment, off-set

1. Unless the order confirmation or explicitly binding information on the ordering page indicates otherwise, InLoox prices given are for delivery ex works. If the customer is a consumer within the meaning of § 13 BGB, the customer will be charged VAT in addition, which shall be itemised accordingly. Delivery charges and will be billed and displayed separately. Order prices concern solely InLoox software products, and in particular the prices do not include installation costs, training measures, accessories or other additional services, unless this has been otherwise agreed upon in writing by the parties.

2. Upon receipt of the delivery, the customer must immediately pay the purchase price at the full amount, to be paid within 14 days at the latest. In the event that the customer has not settled the outstanding sum within this time period, and is thus in arrears, InLoox shall be entitled to demand interest on arrears of up to 5% above the respective base interest rate of the European Central Bank in accordance with § 247 German Civil Code (BGB). A customer that is a business customer within the meaning of § 14 German Civil Code (BGB), is required to pay interest on arrears of 8% above the respective base interest rate of the European Central Bank in accordance with § 247 German Civil Code (BGB). If InLoox can demonstrate that even greater damages ensued from the delay in payment, InLoox has the right to press these claims. The customer has the right to prove to InLoox that the delay in payment did not result in any, or in significantly smaller, damages to InLoox. The customer is equally in default of payment if he does not settle the bill within 30 days of the due date and of receipt of the invoice at the latest.

3. In the event that the customer is in default of payment for the purchase price, or a petition of bankruptcy has been filed in respect of the customer’s assets, InLoox shall be entitled to withhold all of its services and to exercise its right to reservation of ownership under § 6.

4. A client shall be entitled to offset if his counterclaim has been legally established or acknowledged by InLoox and/or has not been challenged in writing by InLoox after a statement of position has been requested. The customer shall only be entitled to exercise a right of retention to the extent that his counterclaim is based on the same contractual relationship.

§ 5 Delivery, insurance, software download, default in acceptance

1. Compliance with agreed-upon delivery dates and/or undertakings is dependent upon the customer’s timely and orderly fulfilment of the undertakings.

2. If the parties subsequently agree on further services which will affect the agreed-upon delivery deadline, the deadline (time period) shall be extended by an appropriate degree. Reminders and imposed customer deadlines must be in writing in order to be valid. An extension of less than two weeks is only appropriate in the event of cases requiring extreme urgency and which are not the responsibility of the customer.

3. Services may be rendered by InLoox in part, to the extent that the delivered parts are of genuine use to the customer in isolation from each other.

4. If the customer so desires, InLoox will insure the delivery with transport insurance; the resulting costs shall be borne by the customer.

5. In the event that the software is transmitted via the Internet, i.e. in particular by e-mail or by internet download, the risk of loss and/or alteration of data is transferred to the customer after the data have been received once completely.

6. If the customer is in default of acceptance or if he violates other duties to cooperate, InLoox shall be entitled to demand compensation for resulting damages, including any possible extra expenditure. In this case, the danger of an incidental loss or an incidental deterioration of the object of the contract is transferred to the customer at the moment at which he is in default of acceptance.

7. The customer may claim training courses or workshops for a period of up to six months from the date of the order. The customer is actively involved in scheduling. A claim to delivery on a specific date shall only come into effect upon written confirmation of the date by InLoox.

8. If the customer does not make use of a training course or workshop within six months of the date of the order, InLoox is entitled to invoice the full amount. Irrespective of this, the customer's right to make use of the service remains valid, but only within the regular statutory limitation period.
9. In the event of cancellation or postponement of a confirmed training or workshop date by the customer, the customer shall bear the cancellation costs and/or travel costs including travel, transfer and overnight accommodation, if any. In the event of cancellation or postponement later than 14 days prior to the start of the event, the full fee must be paid. The same applies to non-appearance of the customer on the day of the event.

§ 6 Right to reservation of ownership

1. InLoox reserves the right to ownership of the object of the contract up until such time as all payments due as a result of the contract have been received. InLoox will release this security upon request, at its discretion, insofar as its value exceeds the claims which are due to InLoox from the customer – regardless of the legal basis – on a sustained basis by more than 20 %. In the event of conduct in violation of the contract on the part of the customer, in particular default of payment, InLoox shall be entitled to take back the object of the contract, as well as to withhold those parts of the object of the contract which have not yet been delivered. The taking-back of the object of the contract on the part of InLoox in no way implies a withdrawal from the contract unless InLoox explicitly declares this in writing. The attachment of the object of the contract on the part of InLoox always implies a withdrawal from the contract. After taking back the object of the contract InLoox shall be entitled to reuse it. The realisation proceeds are to be credited against the customer’s liabilities – minus the actual realisation costs.

2. The customer shall only be entitled to resell software which is still owned by InLoox in the normal course of business with the written permission of InLoox. However, he thereby assigns in advance to InLoox all amounts due to him from his purchaser or third parties as a result of the resale, which shall be deducted from the outstanding sum (including VAT), and, what is more, regardless of whether the object of the contract has been resold without or after reworking. The customer shall be entitled to collect this claim even after assignment has taken effect. The power of InLoox to recover its claim itself shall remain unaffected by this; InLoox undertakes, however, not to recover the claim as long as the customer fulfils his payment obligations out of the revenues thus obtained and in particular, is not in default of payments, has not submitted a petition for bankruptcy proceedings, and nor have payments been suspended. If this, however, is the case, InLoox shall be entitled to demand that the customer assign the claims to InLoox and inform its debtor, provide all information necessary for the recovery of the claim, release the relevant documentation and inform the debtor (third party) of the assignment.

3. In the event of attachments or other interventions by third parties, the customer is obliged to inform these of InLoox’s ownership rights and to immediately inform InLoox, so that InLoox can file a suit in accordance with § 771 German Code of Civil Procedure (ZPO). Should the third party not be in a position to refund the court and out-of-court costs incurred by InLoox as a result of a successful suit in accordance with § 771 ZPO, the customer shall be held liable for the losses incurred by InLoox.

4. If the object of the contract has been inextricably combined with other objects which are not the property of InLoox, InLoox thus acquires joint property rights in the newly-created object in proportion to the value of the object of the contract in relation to the other combined objects at the time at which the items were combined. If the combination is effected in such a way that the object of the customer may be deemed the main object, it may be considered as having been agreed that the customer has transferred proportional joint property rights to InLoox. The customer thus retains sole property rights hereby created or joint ownership with InLoox.

§ 7 Inspection obligations and duty to give notice of defects

1. The customer is obliged to examine the delivered goods, especially software, for obvious defects which would be immediately obvious to the average user. InLoox must be given notice in writing of obvious defects, in particular the absence of data-carriers or handbooks, as well as significant, easily visible damage to the data-carrier within a period of two weeks after delivery. Business representatives must give immediate notice of such defects in writing.

2. Customers who are not consumer within the meaning of § 13 German Civil Code (BGB) must give InLoox written notice of defects which are not immediately obvious within two weeks after of having come to their attention.

3. The defects, in particular the symptoms which appear, must be precisely described.

4. A violation of the inspection obligations and duty to give notice of defects has as consequence for customers that the good or software shall be considered as accepted, despite the defect.

§ 8 Warranty

1. Delivered software possesses the agreed-upon characteristics, is suitable for the applications assumed by the contract and which are otherwise standard, and has usual quality of software of this type. Not every flaw which is connected with the software is a defect which implies warranty rights. An impairment in the software’s functioning which results from hardware defects, environmental conditions, improper operation and the like, is not a defect. An insignificant deterioration in quality will not be taken into account. InLoox guarantees that no rights of third parties are violated through the use of the software by the customer in accordance with the provisions of the contract.

2. Customers who are consumers within the meaning of § 13 German Civil Code (BGB) have in respect to defects of the purchased good the rights set out in the German Civil Code (BGB). In case that a consumer is entitled to claim damages hereafter, § 9 applies accordingly.

3. In all other cases of liability for defects the following terms apply:

a) InLoox may first attempt to remedy any material defects. InLoox may choose to remedy the defect by eliminating it, i.e. also by demonstrating possibilities by means of which the effects of the defect can be avoided, or through delivery of a program which does not contain the defect. An equivalent new program version or the equivalent previous program version which had not contained the faults is to be accepted by the customer, when this is reasonable. In the case of defects in title, InLoox shall give the assurance that it will provide the customer with legally unchallengeable option to use either the software or equivalent software, at its option.

b) The customer shall support InLoox in the analysis of faults and removal of defects by specifically describing problems which occur, providing InLoox with complete information and granting it the necessary time and opportunities to remove the defect. InLoox may also remove the defect on-site or at its place of business, at its discretion. The performance of InLoox may also take the form of remote maintenance. The customer must ensure the necessary technical prerequisites at his own expense and, after due prior notification, provide InLoox with access to his computer equipment.

c) InLoox may levy additional charges, when the software is modified, employed outside the environment provided for or incorrectly operated. It may demand compensation if no defect is found or if it is incorrectly/insufficiently informed of a fault. The burden of proof lies with the customer in accordance with § 254 German Civil Code (BGB).

d) If InLoox ultimately refuses to remedy the defect, if it ultimately is unsuccessful or if this is unreasonable for the customer, he may withdraw in writing from the contract or correspondingly curtail the payment and in accordance with § 9 demand damages or reimbursement of expenses.

e) Insofar as the above has not been otherwise agreed, further liability on the part of InLoox within the meaning of liability for defects is excluded. In particular, liability for defects does not apply if and to the extent that the software is improperly used by the customer or used in a defective or incompatible hardware or software environment. The same applies in the event that the customer undertakes unauthorised modifications of the software.

f) The statute of limitation for claims for defects is 1 year as of the statutory commencement of the limitation period.

§ 9 Liability

The following limitations of liability apply in case of claims for damages of the customer arising from liability for defects or from any other reasons:

1. InLoox is liable for intent and gross negligence in accordance with the statutory provisions. The same applies to injury of life, body or health as well as to claims arising from warranties or from the German Product Liability Act (Produkthaftungsgesetz, ProdHaftG).

2. Moreover, InLoox is only liable for culpably infringing contractual obligations the fulfilment of which renders a correct execution of the contract possible, and the customer can always trust on said material obligations being observed (cardinal obligation). This includes, in particular, the obligation to fulfil a performance free from defects. In this case InLoox’s liability is limited to the loss or damage foreseeable upon conclusion of the contract.

3. A further liability of InLoox is excluded.

4. Should the liability for damages on the part of InLoox be excluded or reduced, this shall also apply with regard to personal liability for compensation for damages on the part of its employees, representatives and persons employed in auxiliary tasks.

5. The right to contest the charge of contributory negligence remains open to InLoox. It is pointed out to the customer that, within the framework of his obligation to exercise diligence, before using the software for the first time, he must test whether the installation of the software might lead to particular interference with pre-installed software, and that he must further ensure back-up of his data before the first installation as well as during the course of operations and, in the case of a suspected fault in the software, that he implements all additional reasonable measures required for security.

6. The statute of limitation for claims of the client who is not a consumer is 1 year as of the statutory commencement of the limitation period.

§ 10 Third party rights

The customer shall immediately inform InLoox in writing, in the event that a third party claims industrial property rights (e.g. copyright or patent rights) against him. The customer shall authorise InLoox with the sole right to undertake legal action against such third parties. If InLoox makes use of this authorisation, the customer shall not be entitled to decide himself to acknowledge the claims of third parties without the agreement of InLoox. InLoox shall contest claims by third parties at its own expense and release the customer from the payment of all costs connected with contesting these claims, insofar as these are not occasioned by conduct by the customer in violation of his obligations (e.g. the use of programs in violation of the contract).

§ 11 Data protection

The customer consents to the collection, processing and use of personal data as necessary for the conclusion of the contract and the fulfilment of the contractual and non-contractual obligations of InLoox. The customer retains the right to withdraw this consent at any time, with effect for the future. InLoox wishes to point out that it makes use of third parties to meet its contractual and non-contractual obligations, to whom the collected data may be transmitted in order that they may fulfil these obligations. Examples of such third parties may include resellers/authorised dealers, suppliers, credit card firms as well as marketing service providers. Furthermore, the customer also declares his consent to the use of personal data for purposes exclusively internal to the firm, e.g. statistical evaluation, and for marketing and sales promotion as well as that of customer retention.

The basis for data processing is the agreement on data processing attached to these conditions, which is expressly agreed between the parties by acceptance of these conditions.

§ 12 Naming of references

InLoox is entitled to name customers who are not consumers within the meaning of § 13 BGB (German Civil Code) as references. The reference shall include the use of the customer's logo or trademark. The customer may object to this reference at any time for the future. Accordingly, the customer may name InLoox as a reference, whereby InLoox also reserves the right to object at any time.

§ 13 Applicable law, place of performance, legal venue, other

1. This agreement is subject to the law of the Federal Republic of Germany with the exception of the UN Convention for the International Sale of Goods (CISG) of April 11, 1980, as amended, and international law (in particular German laws of conflict).

2. Place of performance is Munich, Germany. As far as the licensee is not a consumer in the sense of § 13 BGB, the place of jurisdiction for all disputes arising from this contract including its appendices is Munich. The same applies if the customer has no general place of jurisdiction in Germany or his place of residence or usual abode is not known at the time the action is filed.

3. The rights and obligations resulting from an agreement reached by the parties on the basis of these provisions cannot be transferred to a third party without the prior written consent of InLoox.

4. Modifications and supplementary agreements must be made in writing if this is specifically agreed. This also applies to the amendment of a written form clause. Otherwise, text form shall apply in each case, in particular for communication fulfilling the contract.

5. Should one or several provisions in this agreement wholly or partly become invalid, the validity of the remaining provisions shall not thereby be affected. If an invalid provision concerns a current contractual relationship, the parties shall agree upon a valid provision to replace the invalid provision which comes the closest to the desired business results and the purpose of the contract.

6. Contract language is German. These General Terms of Business are available in German language at any time. Other language versions are only for information and translation purposes. In case of conflicts in interpretation or wording between different language versions of these General Terms of Business the German version shall always be the overriding and binding version.

Date: 2023-09-18


Order Processing Contract in accordance with Art. 28 GDPR

Version: January 29, 2021


between the

customer of InLoox GmbH
- Party responsible - hereinafter referred to as the Client -


InLoox GmbH, Walter-Gropius-Strasse 17, D-80807 München
- Order processor - hereinafter referred to as the Contractor -

1. Subject matter and duration of the order

(1) The subject matter of the order depends on the respective order of the customer and the general terms and conditions referenced therein, which are referred to altogether here (hereinafter referred to as “Service Agreement”).

(2) The duration of this order (term) is the same as the term of the Performance Agreement.

2. Specification of the order content

(1) The type and purpose of the processing of personal data by the Contractor for the Client are described specifically in the Service Agreement. The Contractor will provide the following services in particular for the Client within the framework of the Service Agreement:

The provision of the contractually agreed data processing will be carried out by the Contractor itself exclusively in a member state of the European Union or in another contracting country of the Agreement on the European Economic Area. Any other relocation to a third country requires the prior permission of the Client and may only take place if the specific requirements in accordance with Art. 44 et seqq. GDPR are fulfilled. This consent can be granted for individual processing cases named in this Contract for one specific third country at a time, even with regards to subcontracting relationships. Where expressly indicated in Appendix 1 - Technical and Organisational Measures - individual processing operations take place outside a Member State of the European Union or in another Contracting State to the Agreement on the European Economic Area; in these cases, however, the appropriate level of protection is always guaranteed in the third country (see Appendix 2) and ensured by the measures specified in Appendix 1. Any other transfer to a third country requires the prior consent of the Client and may only take place if the special requirements of Art. 44 et seqq. GDPR are fulfilled. Such consent may be granted for individual processing operations referred to in this contract for a specific third country, including in respect of subcontracting relationships.

(2) The subject matter of the processing of personal data is the following data types/categories (list/description of the data categories):

(3) The categories of the persons concerned by the processing include:

3. Technical and organisational measures

(1) Before beginning the processing, the Contractor must document the implementation of the necessary technical and organisational measures specified before the placing of the order, in particular with regards to the specific order performance, and hand the documentation over to the Client for verification. Upon acceptance by the Client, the documented measures will form the basis of the order. If the verification/an audit by the Client results in a need for adjustment, this must be carried out mutually.

(2) The Contractor must establish the security in accordance with Art. 28(3)(c) and Art. 32 GDPR in particular in connection with Art. 5(1) and (2) GDPR. Altogether, the measures to be executed are measures for data protection and to guarantee a protection level appropriate to the risk in terms of the confidentiality, integrity, availability and capacity of the systems. The technical sophistication, the implementation costs and, and the type, extent and purpose of the processing, and the different likelihood of occurrence and severity of the risk for the rights and freedoms of natural persons within the meaning of Art. 32(1) GDPR must thereby be considered. The particular technical and organisational measures taken are listed in Appendix 1.

(3) The technical and organisational measures are subject to the technical progress and the further development. In this respect, the Contractor is permitted to implement alternative adequate measures. The security level of the set measures may thereby not fall below the minimum requirement. Significant changes must be documented.

4. Amendment, restriction and deletion of data

(1) The Contractor may not amend or delete data that is processed in the order, or restrict its processing, on its own authority, but may only do so after receiving documented instructions from the Client, if no statutory requirements oblige the Contractor to take action independently. Should a person concerned contact the Contractor directly in this respect, the Contractor will forward this solicitation immediately to the Client.

(2) If included in the scope of the service, the deletion plan, right to be forgotten, correction, data portability and information must be ensured directly by the Contractor after receiving documented instruction from the Client.

5. Quality assurance and other duties of the Contractor

In addition to compliance with the regulations of this order, the Contractor also has statutory duties in accordance with Art. 28 to Art. 33 GDPR; in this respect, it guarantees adherence to the following standards in particular:

a) Written order of a data protection officer that carries out its activities in accordance with Art. 38 and Art. 39 GDPR. The contact details of the data protection officer must be shared with the Client upon contract conclusion. Changes of the data protection officer must be reported to the Client immediately.

b) The safeguarding of confidentiality in accordance with Art. 28(3)(2)(b), Art. 29 and Art. 32(4) GDPR. When carrying out its work, the Contractor will only use employees who are bound to confidentiality and have been familiarised beforehand with the data protection provisions relevant to them. The Contractor and any person subordinate to the Contractor who has access to personal data may only process this data in accordance with the instructions of the Client, including the authorisations granted in this Contract, unless they are legally obliged to process the data.

c) The implementation of and compliance with all technical and organisational measures necessary for this order in accordance with Art. 28(3)(2)(c) and Art. 32 GDPR. The details are listed in Appendix 1.

d) The Client and the Contractor will work together with the supervisory authority, upon request, in the performance of their tasks.

e) The immediate informing of the Client about control actions and measures by the supervisory authorities, if they relate to specific and fundamental assignments and if such information is not prohibited by law. This also applies if a competent authority is carrying out an investigation of the order processing by the Contractor in relation to the processing of personal data, within the framework of administrative offence or criminal proceedings.

f) If the Client is subject in turn to an examination by the supervisory authority, administrative offence or criminal proceedings, the liability claim of a person concerned or a third party, or another claim in connection with the order processing by the Contractor, the Contractor must support it to the best of its abilities, to the extent legally permitted.

g) The Contractor will regularly control the internal processes, as well as the technical and organisational measures, in order to guarantee that the processing within its area of responsibility takes place in accordance with the requirements of the applicable data protection law, and that the protection of the rights of the person concerned is guaranteed.

h) Verifiability of the technical and organisational measures for the Client within the framework of its control authorisation in accordance with Figure 7 of this Contract.

6. Subcontracting relationships

(1) Subcontracting relationships within the meaning of this rule are such services that relate directly to the provision of the main service. These do not include secondary services that the Contractor uses, e.g. in the form of telecommunications services, post/transport services, maintenance and user services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and capacity of hardware and software of data processing systems. However, the Contractor is obliged to also use appropriate and lawful contractual agreements and control measures to guarantee the data protection and data privacy of the Client’s data in the case of outsourced secondary services.

(2) The Contractor may only assign subcontractors (other order processors) after receiving prior explicit written permission or documented permission from the Client.

a) The Client agrees to the tasking of the subcontractors named in Appendix 2 under the condition of a contractual arrangement in accordance with Art. 28(2-4) GDPR.

b) Changes of the existing subcontractor are permitted provided that:

(3) If the subcontractor provides the agreed service outside the EU/EEA, the Contractor will ensure legitimacy under data protection law by corresponding measures. The same applies if service providers within the meaning of Sect. 1(2) are used.

(4) Any further outsourcing by the subcontractor requires the explicit permission of the main client (text form at least). All contractual regulations in the contract chain must also be imposed on the other subcontractor. The technical and organisational measures of subcontractors must comply with the technical and organisational measures defined herein and may only fall below the level agreed herein in justified circumstances.

7. Control rights of the Client

(1) The Client has the right, in consultation with the Contractor, to carry out reviews or have reviews carried out by examiners named on a case-by-case basis. It has the right to convince itself of the adherence to this Agreement by the Contractor in its business operations by means of random sample controls that must generally be announced in a timely manner and 14 days beforehand at the latest.

(2) The Contractor will ensure that the Client can be convinced of the adherence to the obligations of the Contractor in accordance with Art. 28 GDPR. The Contractor is obliged to share with the Client, upon request, the required information and in particular demonstrate the implementation of the technical and organisational measures.

(3) The demonstration of such measures that do not just concern the specific order can take place by:

8. Reporting of violations by the Contractor

(1) The Contractor will support the Client in the compliance with the duties for the security of personal data, reporting obligations in the event of data breaches, data protection impact assessments and prior consultations, named in Articles 32 to 36 GDPR. This includes, inter alia:

a) Ensuring a suitable protection level by means of technical and organisational measures that consider the circumstances and purpose of the processing and the forecasted probability and severity of a possible rights violation by security flaws, and enable immediate detection of relevant incidents of violation;

b) the obligation to immediately report breaches of personal data to the Client;

c) the obligation to support the Client within the framework of its obligation to provide information to the party concerned, and provide it with all relevant information in this regard immediately:

d) immediately forwarding solicitation from people concerned, e.g. right to information, to the Client;

e) supporting the Client in its data protection impact assessment;

f) supporting the Client within the framework of prior consultation with the supervisory authority.

(2) For support services that are not included in the service description or cannot be traced back to misconduct of the Contractor, the Contractor may claim a compensation. The basis for the calculation of the remuneration is the Service Agreement or the general remuneration rates of the Contractor for comparable activities.

9. Authority of the Client to issue instructions

(1) The Client will confirm verbal instructions immediately (text form at least).

(2) The Contractor must inform the Client immediately if it is of the opinion that an instruction violates data protection regulations. The Contractor is entitled to discontinue the implementation of the corresponding instruction until it is confirmed or changed by the Client.

10. Deletion and return of personal data

(1) Copies or duplicates of data will not be produced without the knowledge of the Client. Exceptions are backup copies, if they are necessary to guarantee proper data processing, and data that is necessary in terms of adherence to statutory retention obligations.

(2) After the completion of the contractually agreed work or earlier upon request by the Client – upon the termination of the Service Agreement at the latest – the Contractor must hand over all documents, processing and use results produced, and databases, that it obtains possession of in connection with the contractual relationship, to the Client or destroy them in accordance with data protection law after obtaining prior permission. The same applies for test and scrap material. The determination of the termination of the service agreement requires notification by the Client. With the declaration that the contractual relationship is to be terminated, the deletion period with regard to documents subject to retention shall also commence.

(3) Documentation that proves proper data processing that is suitable for the order must be stored by the Contractor in accordance with the respective retention periods beyond the end of the Contract. It may transfer it to the Client for its relief at the end of the Contract.

11. Other

The point of contact on the part of the Client, and also for data protection, is generally the point of contact named as the billing contact; this can be changed or added to at any time by the Client. The point of contact on the part of the Contractor is its respective data protection officer, which can be reached at inloox@ws-datenschutz.de.

Appendix 1 – Technical and Organisational Measures

A. Contractor:

1. Confidentiality (Art. 32(1)(b) GDPR)

2. Integrity (Art. 32(1)(b) GDPR)

3. Availability and capacity (Art. 32(1)(b) GDPR)

4. Procedure for regular review, assessment and evaluation (Art. 32(1)(d) GDPR; Art. 25(1) GDPR)

B. Subcontractors:

See also the references to the current state of the measures for each respective subcontractor in Appendix 2.

1. Microsoft Corporation, as of April 2018

General practice. Microsoft has taken the following security measures for the online services, and will maintain and follow them. In connection with the security obligations in the OST, these security measures represent the individual responsibility of Microsoft in relation to the security of customer data:

Information security guideline for online services
For Microsoft Azure core services and Microsoft Cloud App Security, a written data security guideline (“Information Security Guideline”) applies, containing the control standards and framework conditions of ISO 27007, inter alia. You will find information about further certification at https://www.microsoft.com/de-de/TrustCenter/Compliance/ISO-IEC-27001.

Checking of online services by Microsoft
For every online service, Microsoft carries out the following checks regarding computer security, data processing environments and physical data centres that it uses to process customer data (including personal data):

For each test, a test report will be created (“Microsoft test report”), which will count as confidential information of Microsoft. The Microsoft test report will clearly disclose the significant findings of the examiner. Microsoft will immediately rectify all problems detected in a Microsoft test report, to the satisfaction of the examiner.

Upon request by the customer, Microsoft will provide the customer with the individual Microsoft test reports, so that the customer can convince itself of Microsoft’s compliance with the security obligations under the terms of the DPT. The Microsoft test report is subject to the confidentiality and distribution restrictions of Microsoft and the examiner.

2. SendGrid Inc., as of April 2018

1. Network-Level Controls

a) SendGrid will use host-based firewall(s) to protect hosts/infrastructure handling Personal Data. The firewall(s) must be able to effectively perform thefollowing functions: stateful inspection, logging, support for strong encryption and hashing, ICMP and SNMP based monitoring and antispoofing.

b) SendGrid will have network-based security monitoring for the segment(s) on which hosts handling Personal Data are logically located.

c) SendGrid will assess network-level vulnerabilities and address critical vulnerabilities within 30 days.

d) SendGrid will employ change management standards for network/infrastructure components handling Personal Data.

2. Hosting Level Controls

a) SendGrid will implement operating system hardening for hosts/infrastructure handling Personal Data. Operating system hardening includes, but is not limited to, the following configurations: strong password authentication/use of keys, inactivity time-out, disabling or removal of unused or expired accounts and services, turning off unused ports, and log management. In addition, SendGrid will implement access control processes and restrict access to operating system configurations based on the least privilege principle.

b) SendGrid will perform patch management on systems that host or handle Personal Data.
SendGrid will implement critical patches within vendor recommended timeframes on systems that host or handle Personal Data, not to exceed 30 days after the patch is identified.

c) SendGrid will implement specific controls to log activities of users with elevated access to systems that host or handle Personal Data.

d) SendGrid will, at a minimum, assess system-level vulnerabilities on a monthly basis and address critical vulnerabilities within 30 days.

e) SendGrid will employ a comprehensive antivirus or endpoint security solution for endpoints which handle Personal Data.

f) Physical servers will be protected with appropriate physical security mechanisms, including but not limited to badged access, locked cages, secure perimeter, cameras, alarms, and enforced user provisioning controls.

3. Application-Level Controls

a) SendGrid will maintain documentation on overall application architecture, process flows, and security features for applications handling Personal Data.

b) SendGrid will employ secure programming guidelines and protocols in the development of
applications processing or handling Personal Data.

c) SendGrid will regularly perform patch management on applications that host or handle Personal Data. SendGrid will implement critical patches within vendor recommended timeframes on all applications that host or handle Personal Data, not to exceed 30 days.

d) SendGrid will, at a minimum, assess application-level vulnerabilities on a monthly basis and address critical vulnerabilities within 30 days.

e) SendGrid will perform code review and maintain documentation of code reviews performed for applications that host or handle Personal Data.

f) SendGrid will employ change management standards for applications hosting or handling
Personal Data.

4. Data-Level Controls

SendGrid will use strong encryption (TLS) for transmission of Personal Data that is considered Confidential Information. Data backups of Personal Data will be encrypted at rest and while in transit; however due to the dynamic nature of data in SendGrid’s production environment, Personal Data in SendGrid’s production databases will not be encrypted at rest.

5. End User Computing Level Controls

a. SendGrid will employ an end point security or antivirus solution for end user computing devices that handle Personal Data.

b. SendGrid will ensure that end user computing devices that handle Personal Data are encrypted.

6. Compliance Controls

a. SendGrid will make a good faith effort to operate within the parameters of SendGrid’s then-current Information Security Policy. This Policy will be provided to Customer in soft copy format upon request.

b. Notwithstanding any of the foregoing, SendGrid will adopt appropriate physical, technical and organizational security measures in accordance with industry standards, including but not limited to, building access control, employee education and personnel security measures.

3. Freshworks Inc., as of April 2019

Information Security Program 

Physical Access Control

System Access Control

Data Access Control

Transmission Control

Input Control

Availability Control

Data Separation Control

Workstation Security

Information Security Incident Management

Processor maintains a record of security incidents with a description of the incident, the time period, the consequences, the name of the reporter or service, to whom the incident was reported, and the remediation.

Evaluation and certifications

Processor has obtained ISO 27001 certification regarding its data security and/or data protection systems and organization.

Appendix 2 – Approved subcontracting contracts

The order processers below are considered approved upon signing the Agreement:

Name of the order processor:

Microsoft Corporation

Subject of performance:

Microsoft Azure data centres that InLoox hires for internal use, e.g. for administration, development, support and marketing

Company head office and country:

One Microsoft Way, Redmond, Washington 98052, USA

Appropriate protection level (Art. 44 et seqq. GDPR):

Standard data protection clauses (Art. 46 (2)(c) and (d) GDPR):

Technical and organisational measures:

See Appendix 1, Section “B. Subcontractors”, “1. Microsoft Corporation”

Name of the order processor:

Microsoft Ireland Operations Limited Subject of performance:

Microsoft Cloud Germany data centres that InLoox hires within the framework of InLoox now!

Company head office and country:

One Microsoft Place, South County Business Park, Leopardstown, Dublin, D18 P521, Ireland

Data processing location:

EU only

Technical and organisational measures:

See Appendix 1, Section “B. Subcontractors”, “1. Microsoft Corporation”

Name of the order processor:

SendGrid Inc.

Subject of performance:

E-mail notifications from InLoox now! to users stored in the project platform about actions of other users, as well as e-mail notifications from InLoox support and other administrative systems, such as the InLoox Online Store.

Company head office and country:

1801 California St., Suite 500, Denver, Colorado 80202, USA

Appropriate protection level (Art. 44 et seqq. GDPR):

Adequacy decision of the Commission (Art. 45(3) GDPR) via the EU-U.S. Privacy Shield

Technical and organisational measures:

See Appendix 1, Section “B. Subcontractors”, “2. SendGrid Inc.”

Name of the order processor:

Freshworks Inc.

Subject of performance:

Customer support requests

Company head office and country:

1250 Bayhill Drive, Suite 315, San Bruno, CA 94066, USA

Appropriate protection level (Art. 44 et seqq. GDPR):

Adequacy decision of the Commission (Art. 45(3) GDPR) via the EU-U.S. Privacy Shield and agreed standard contractual clauses

Technical and organisational measures:

See Appendix 1, Section “B. Subcontractors”, “3. Freshworks Inc.”


InLoox, Inc.

InLoox, Inc. Terms and Conditions of Sale

“Seller” means InLoox, Inc., a Delaware corporation. “Buyer” means the legal entity or person purchasing Goods or Services from Seller. “Goods” means the goods offered by Seller and/or purchased by Buyer and “Services” means any services provided by Seller in connection with the offer of Goods. The terms and conditions included herein (hereinafter, this “Agreement”) apply to any present or future quote, proposal, or offer to sell Goods or Services provided by Seller to Buyer in the United States (“Offer”). They also apply to any present or future purchase order or similar instrument issued by Buyer to Seller to purchase Goods or Services in the United States (“Order”) accepted by Seller. Seller and Buyer are sometimes referred to herein individually as a “Party” and collectively as the “Parties”. 


The sale of all new Seller Goods is subject to Seller’s return policy. Seller’s return policy can be found at www.inloox.com/return-policy (“Return Policy”) and Buyer agrees to those terms. Note that under the terms of the Return Policy, not all Goods may be returned. Buyer must contact Seller directly before Buyer attempts to return any Goods. 


Acceptance of Seller’s Offers and of Buyer’s Orders, and any changes or amendments thereto, is expressly conditioned upon Buyer’s assent to this Agreement. Unless specifically agreed to in writing by a duly authorized representative of Seller, Seller objects to, and is not bound by, any terms or conditions that differ from or add to the terms and conditions specified herein. Neither Seller’s commencement, or performance nor delivery shall be deemed or construed as acceptance of such terms or conditions. Seller’s failure to object to any terms and conditions or any other provisions contained in any communication from Buyer, including, but not limited to, Buyer’s Orders, does not waive any of the terms and conditions specified herein. Seller’s acceptance of any resulting Order or Buyer’s receipt of Goods, whichever occurs first, will conclusively evidence Buyer’s unconditional acceptance of these terms and conditions. All Offers, Orders and other documentation between Buyer and Seller shall be non-binding unless expressly stated otherwise and become effective and binding only when approved by Seller. Seller reserves the right to make reasonable technical and other changes to the Goods or the Service. 


Software is subject to the separate software license agreement accompanying or made available to Buyer in connection with the software, in particular InLoox’ End User License Agreement (www.inloox.com/end-user-license-agreement). In case of any discrepancies between the End User License Agreement and this Agreement, the End User License Agreement shall prevail. With respect to software made available to Buyer by Seller in connection with Services, if no license terms accompany the software, then subject to Buyer’s compliance with the terms set forth in this Agreement, Seller hereby grants Buyer a personal, non-exclusive license to access and use such software only during the term of the Services and solely as necessary for Buyer to enjoy the benefit of the Services as stated in the applicable Service Order(s). A portion of the software may contain or consist of open source software, which Buyer may use under the terms and conditions of the specific license under which the open source software is distributed. Buyer agrees that Buyer will be bound by any and all such license agreements. Title to software remains with the applicable licensor(s).


Unless agreed otherwise in writing by Seller, all prices are stated in U.S. Dollars and Ex Works Seller’s shipment facility. The prices offered apply only to the specific quantities, specifications, and delivery schedules set forth in Seller’s Offer. Any variation in quantity, specifications, or delivery schedules may necessitate a price and/or delivery schedule adjustment. All prices relate to the Good or Service only, in particular the prices do not include the costs of installation, teaching, training or instruction or other auxiliary services, unless agreed to in writing.


Unless otherwise agreed to by Seller, payment must be received by Seller prior to Seller’s acceptance of an Order. Payment for the Goods and Services will be made by credit card, wire transfer, or some other prearranged payment method unless credit terms have been agreed to by Seller. Invoices are due and payable within the time period noted on the invoice, measured from the date of the invoice but in no event later than fourteen (14) days after receipt of invoice. Seller may invoice parts of an Order separately. Seller is not responsible for pricing, typographical, or other errors in any Offer by Seller and reserves the right to cancel any Orders arising from such errors. All amounts due to Seller but not paid by Buyer on the due date bear interest payable by Buyer to Seller in U.S. Dollars at a rate that is equal to the lesser of (i) one and one-half percent (1.5%) per month, or (ii) the maximum interest rate permitted under applicable law. Buyer will also be liable to Seller for any expenses incidental to collection of past due amounts, including reasonable attorney’s fees and court costs.


All shipments by Seller are Ex Works Seller’s place of shipment. Title to Goods passes from Seller to Buyer at the latest upon shipment to Buyer. Loss or damage that occurs during shipping is Buyer’s responsibility. Buyer must notify Seller within twenty-one (21) days of the date of invoice or acknowledgement if Buyer believes any part of its purchase is missing, wrong or damaged. Shipping and handling costs and taxes are in addition to the stated purchase price unless otherwise expressly indicated at the time of sale. If Seller prepays shipping, insurance, or other related costs, Buyer agrees to reimburse Seller promptly for the actual costs incurred by Seller. In case of the transmission of software via Internet, in particular via electronic mail or Internet download, risk of loss and the risk of damage or changes to the software shall pass to Buyer upon complete receipt of the undamaged and unchanged data. 


Seller’s prices for Goods include Seller’s standard commercial packing and packaging. Any non-standard or special packing or packaging requirements requested by Buyer will be provided by Seller at additional cost to Buyer.


The amount of any present or future sales, use, excise, import duty, or other tax applicable to the manufacture, sale, or lease of Goods or provision of Service will be added to the invoice and must be paid by Buyer. Unless Buyer provides Seller with a tax exemption certificate acceptable to the applicable taxing authority and applicable to Buyer’s purchase of Good and the Good ship-to location, Buyer is responsible for sales and other taxes associated with the Order. 


If, prior to shipment of Buyer’s Order, Buyer fails to fulfill the terms of payment of any prior invoice submitted by Seller or, if in the sole opinion of Seller, Buyer’s financial condition becomes impaired or unsatisfactory, Seller reserves the right to change, without notice, the terms of payment and/or delay or discontinue further shipments, without prejudice to any other available legal remedies, until past due obligations have been paid and Seller has received acceptable assurance regarding Buyer’s prompt payment of future obligations.


Buyer hereby grants to Seller a first priority purchase money security interest in the Goods and in all proceeds from, all accessions to, substitutions and replacements for such Goods to secure performance of all of Buyer’s obligations hereunder, and if required by Seller, Buyer shall execute and deliver such separate security agreement(s), financing statements or other documents as may be necessary to evidence or perfect such security interests.


Buyer agrees to comply with all applicable laws and regulations of the various states and of the United States. Buyer agrees and represents that Buyer is buying for its own internal use only, and not for resale or export unless (a) Seller expressly authorizes such export, (b) Buyer obtains all necessary permits, licenses or approvals from a U.S. governmental entity of competent jurisdiction, or (c) applicable law allows the export of the Software without such permits, licenses or approvals. Seller has separate terms and conditions governing resale of products by third parties and transactions outside the United States. Goods, which may include technology and software, are subject to U.S. export laws as well as the laws of the country where they are delivered or used for Buyer’s internal purposes. Goods may not be sold, leased, or transferred to restricted countries, restricted end-users, or for restricted end-uses. The Parties agree that Goods purchased from Seller will not be used for activities related to weapons of mass destruction, including activities related to the design, development, production or use of nuclear materials, nuclear facilities, or nuclear weapons, or chemical or biological weapons. Buyer further agrees that Buyer will not sell, lease, or otherwise transfer Goods to end-users engaged in these activities.


Shipping and delivery dates are estimates only. Shipping dates are approximate and require prompt receipt of all necessary Buyer-furnished information and material if applicable.

Seller is not liable for any damages, re-procurement costs, or penalties related to late deliveries. Without limiting the generality of the foregoing, Seller is not liable for delays due to force majeure, including, but not limited to, weather conditions, acts of God, acts of civil or military authorities, fires, strikes, job actions, floods, earthquakes, epidemics, quarantine restriction, war, terrorism, riot, supplier or vendor delays, or any other causes beyond the reasonable control of Seller. In the event of such delay, Seller will promptly notify Buyer and the date(s) of delivery will be deferred for a period commensurate with the time lost due to the delay. If the excusable delay under force majeure continues for more than ninety (90) days, Seller and Buyer will each have the option of terminating the affected Order(s) after two weeks prior written notice. If Seller’s production is curtailed for any of the above reasons so that Seller is unable to deliver the full quantity of Goods scheduled for delivery to Buyer, Seller may allocate deliveries of available Goods among its various customers then under order for similar Goods. The allocation will be made in a commercially fair and reasonable manner. When such allocation has been made, Buyer will be notified of the estimated quota made available.


Buyer’s Order is subject to cancellation by Seller, in Seller’s sole discretion. Either Party may terminate an Order if the other Party breaches a material provision of this Agreement or of the Order. In the event that a Party (the “Defaulting Party”) is in breach of a material provision of this Agreement or the Order, the other Party (the “Non-Defaulting Party”) will submit a written cure notice to the Defaulting Party advising of such breach. The Defaulting Party will have fourteen (14) days to cure the breach. If the Defaulting Party does not cure the breach within the fourteen (14) day period, the Non-Defaulting Party may terminate the Order.


All change order requests must be submitted by the Buyer to the Seller in writing and will not be effective unless and until Seller consents in writing to the change(s). Seller will advise Buyer in writing of the price and/or delivery schedule impact, if any, of the change request. Seller’s acceptance of changes will be subject to Buyer’s agreement to any price and/or delivery schedule adjustments.


Seller warrants that the Goods manufactured by Seller will conform to its specification in all material respects for a period of twelve (12) months from the date of original shipment. In the event that Buyer identifies any non-conformities, Buyer will promptly notify Seller and describe the symptoms of the non-conformities with reasonable detail. 

Seller, at its sole discretion, will either repair or replace or credit the purchase price paid by Buyer for any such Goods found by Seller to be defective. Seller’s warranty does not apply to any Goods that have been subjected to improper installation, defective hardware or software environment, improper operation, misuse, alteration, repair, neglect, accident, inundation, fire, or the like. In case of a replacement, the Return Procedure referred to in Section 1 hereof shall apply.

The Buyer shall accept any equal or newer versions of the Good as a replacement if reasonable under the circumstances. The Buyer shall support the Seller in the analysis of any defect by providing all reasonably necessary information and reasonable time and opportunity to cure any defects. Seller is entitled to remedy any defects remotely and Buyer shall, after reasonable notice, provide Seller with access to its computer system and networks as necessary to remedy defects to the Goods. Buyer shall reimburse Seller for any costs and expenses and labor incurred if no defect covered by the warranty hereunder exists, or if Buyer reported a defect incorrectly or incompletely. The burden of proof shall be on the Buyer.





Seller represents and warrants to Buyer that it is the owner of, or is otherwise authorized to use, all patents, processes, specifications, information, materials, trade secrets, trademarks, and logos in connection with any Goods sold to Buyer pursuant to this Order, and that the use by Buyer of any or all of the Goods as contemplated by this Order, will not infringe upon, or violate, in any manner or fashion, the intellectual property rights of any third party, whether located in the United States or any other part of the world. In addition, Seller hereby agrees to indemnify, hold harmless, and defend Buyer from and against any and all liabilities, damages, injuries, claims, suits (including claims and/or suits for infringement), expenses (including reasonable attorneys’ fees, court costs, and out-of-pocket expenses) resulting from or arising out of a breach or alleged infringement of such intellectual property rights provided that Seller shall have sole charge and direction of the defense, or settlement without financial liability for Buyer, of any suit or proceeding based on any claim, demand, loss, damage, cause of action, suit on liability for which Seller is responsible under this Section 17; (b) Buyer shall reasonably cooperate with Seller as respects any such claim, and shall provide to Seller such other assistance as may be reasonably necessary to investigate, defend against and resolve any such claim. In no event shall Seller have any liability under this Agreement with respect to any claim, demand, or action identified in this Section 17 unless notice in writing of such claim, accompanied by reasonable written particulars thereof specifying the nature of the claim has been given to Seller as soon as practicable after the Buyer had notice of any claims, assertions and allegations from any third party that may be covered by the indemnity obligations set forth in this Section 17.


All technical specifications of the Goods provided by Seller are intended to be estimates or approximations or design aims rather than guarantees and all such specifications shall be in writing.


The laws of the State of California, excluding its conflicts of laws provisions govern the interpretation and enforcement of this Agreement and Buyer’s Order. Each of the parties hereto hereby irrevocably and unconditionally submits to the exclusive jurisdiction and venue of any California State or Federal court sitting in Santa Clara County, California in any action or proceeding arising out of or relating to this Agreement or the Buyer’s Order. Each of the parties hereto hereby irrevocably waives, to the fullest extent it may effectively do so, the defense of an inconvenient forum to the maintenance of such action or proceeding. The parties agree that the United Nations Convention on the International Sale of Goods (CISG) of April 11, 1980 shall not apply.


Buyer may not assign or transfer this Agreement or any Order, in whole or in part, without the prior written approval of Seller.


Seller may use Buyer’s name and logo in customer lists and related promotional materials describing Buyer as a customer of Seller, which use must be in accordance with Buyer’s trademark guidelines and policies. Buyer can opt-out at any time. Seller will remove Buyer's name and logo from the customer lists and related promotional materials. 


In the event that one or more provisions of this Agreement document is held to be unenforceable, the remaining provisions apply in full and the invalid or unenforceable provision will be replaced by a provision that lawfully enforces the Parties’ intention underlying the invalid or unenforceable provision.


This document is the entire understanding between the Parties, and it supersedes all previous or additional agreements, arrangements, and drafts. This document may be amended or modified only by written agreement of duly authorized representatives of both Parties.

Date: 2016-05-25