Policies and legal docs

General terms

Preamble

The provider is ProductFlow B.V., Lekdijk 1, 3958 ND Amerongen. Amendments to these terms and conditions, as well as agreements that diverge from these T&Cs, are legally valid provided they have been formally approved in written form by the provider.

1 Subject

  1. The subject of these conditions of use is the provision of data storage and computing capacity for connecting to the internet (Cloud Webhosting Platform). The client will have access to upload source code and to adjust the service.
  2. All services described in these terms and conditions are available only to business units, public agencies and entrepreneurs. The registration of private customers is prohibited.

2 Conclusion of the contract

  1. The customer's registration for one of the provider's services shall be deemed to be an offer to enter into a contract. The provider may accept or refuse this offer. The acceptance of this offer takes place either expressly or impliedly by activation of the user's account. The concluded contract is not permanently stored by the provider.
  2. It is agreed on concluding this contract between the provider and the customer that there is a contract for the performance of a continuing obligation. If the customer selects the service with costs, he will be obliged to pay the arising fees monthly until the cancellation of the contract. If the customer selects the service for less than one calendar month, the fee for the service will be charged proportionately. The billing will be carried out in the following month and on a monthly basis. Customers paying by credit card expressly agree to have their credit card account billed monthly for the recurring charges for the life of the contract including any automatic renewal periods.
  3. A right of revocation does not exist for the customer. But the customer can cancel the contract at any time.

3 Obligations of the provider

  1. The provider shall ensure that customer has access to the provider's services.

4 Obligations of the customer

  1. If the customer is facing any failures using the system, the customer shall inform the provider of such interferences without delay.
  2. The customer is obliged to use his access data carefully and to avoid an unauthorised use by third parties. Furthermore, the customer shall inform the provider of such unauthorised use by third parties without delay.
  3. The customer shall keep his data up to date and correct at all times. The customer is not allowed to sublet the service, unless otherwise agreed with the provider.
  4. The client is not allowed to sublet any service to or with third parties, unless otherwise agreed with the provider.
  5. The customer agrees to be called as a reference customer by the provider in a written and electronic form.
  6. The customer shall obtain the necessary permission of the relevant person to the extent that he collects, processes and uses person-related data within the scope of the provider's service, unless there is a legal basis permitting it.
  7. The customer will save the data and the value of it periodically and appropriately and must create backup copies in order to prevent the loss of data and to secure information that will guarantee its reconstruction.
  8. The customer has the obligation to perform regular, risk-appropriate data backups at least once a day.
  9. Furthermore, the customer shall exhaustively check all data and information for virus contamination using up-to-date virus detection before uploading them.
  10. The customer is obligated not to save any data or content on the storage space whose provision, publishing or use violates the law or an agreement with a third party; law in this context means criminal and copyright laws, trademark laws, privacy rights, and other rights of a third party.
  11. The customer shall not distribute any pornographic, obscene, offensive or immoral content which is apt to cause a negative development of children and teenagers or their education to a wrong self-reliance and personality.
  12. The customer has the obligation of diligence for the software he installed and programmed.
  13. The customer must update the software which is used to avoid hacking attempts if a security problem is known.
  14. The customer ensures that no unsecured programs or scripts are used in his specific area.
  15. The use of open mail relays or similar systems on which e.g. spam mails are circulated gives the provider the right to immediately block the customer's access.
  16. The customer will immediately inform the provider as soon as there is evidence that a third party has unauthorized use of his or her service.
  17. The customer commits to refraining from procedures which cause an excessive utilization of the provider's facilities.
  18. The customer is obligated to exempt the provider from all claims of third parties, of whatever kind, which arise from the illegality of contents that the customer has stored on the storage covered by the contract. This obligation of indemnity shall also include the obligation to completely indemnify the provider from any legal defense costs (e.g. court and statutory legal fees). This also applies to sub-domains which are registered at the provider but are provided to the customer.
  19. If and insofar as the customer uses the contractual storage contrary to the assurance of non-distribution of illegal content, the provider will have the right to block access via the world wide web to such content.

5 Remuneration and methods of payment

  1. The up-to-date price list (ProductFlow.com/pricing) applies at all times, if not otherwise agreed in written form.
  2. The cost related service is to be paid monthly.
  3. The usage-based billing of data traffic and storage is based on the sum of all transferred data (such as download, upload, website visitors) related to the customer's contract. 1 gigabyte = 1.000 megabytes; 1 megabyte = 1.000 kilobytes; 1 kilobyte = 1.000 bytes.
  4. If a debit order cannot be redeemed, or in the event of a chargeback by the customer's bank or credit card company, the provider is entitled to charge the customer for the fees and bank expenses it incurs for each returned debit order of the customer (currently € 15,-).
  5. The customer may prove that the actual damage has been lower, and the provider may prove that the actual damage has been higher.
  6. The provider has the right to determine the amount of the remunerations by its own reasonable assessment (sec. 315 of the German Civil Code) if more than 6 months have passed since the last price increase.
  7. The provider shall inform the customer about the price adjustment in advance in a written form (email).
  8. If the customer does not agree to the price adjustment, he may cancel the contract in accordance with the cancellation period.
  9. The customer's fee will be billed in a written form for remuneration, if expressly required.

7 Guarantee or liability

  1. In the event of a material breach of this agreement caused by slight negligence, the provider excludes all liability unless the liability involves injury to life, body or health, the breach of fundamental contractual duties that enable the proper performance of this contract and on which the customer relies in good faith, or claims granted by the Product Liability Act.
  2. In cases of force majeure (in particular in case of strikes, lockouts, official or legal orders, technical difficulties, negligence of a third party) that are not in the responsibility of the provider, the provider will not be liable.
  3. The limitation of liability under section 7 (1) of this agreement also applies to the provider's vicarious agents within the scope of the contract compliance.

8 Duration and termination

  1. The contract is agreed for an indefinite time period, and both parties have the right to terminate the contract.
  2. The customer may terminate the contract in the Dashboard without giving a reason, with effect for the future.
  3. The provider shall terminate the contract with a notice period of 12 weeks.
  4. In all cases each of the parties may terminate the contract instantly, if the terminating party can base the termination on an important reason.
  5. A due and sufficient cause for cancellation without notice exists if the customer comes into default of payment obligations, has suspended payments, or if the customer fails to meet its contractual obligations.
  6. In the event of a severe violation of section 4 of these Terms and Conditions the provider may terminate the contract instantly.

9 Final provisions

  1. The contract shall be governed by German law, without regard to any choice of law rules adopted thereunder.
  2. The place of jurisdiction will be the provider's head office, if the customer is a merchant as defined in sec. 1 to 7 HGB (German Code of Commerce).
  3. The invalidity or inoperativeness of one or more provisions of this contract does not affect the validity of the rest of the contract and the remaining provisions shall thereby remain unaffected.
  4. The provider is not subject to a code of conduct.
  5. Contracting languages are German and English. The German version of the T&C shall be binding for the interpretation of the contract.

Privacy policy

1. Name and address of the responsible party

The legally responsible party, hereinafter also "we", "our" or "operator", within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations, is:

ProductFlow B.V. Lekdijk 1 3958 ND Amerongen

The following "websites" refer to the internet addresses: www.productflow.com and cloud.productflow.com.

2. General information about data processing

1. Scope of processing of personal data

  1. In principle, we process personal data of our users only insofar as this is necessary to provide a functional website and our content and services.
  2. The processing of personal data of our users takes place regularly only with the consent of the user.
  3. An exception applies in cases in which prior consent is not possible for reasons of fact and the processing of the data is permitted by law.

2. Legal basis for the processing of personal data

  1. Insofar as we obtain the consent of the data subject for processing of personal data, Art. 6 para. 1 lit. a EU General Data Protection Regulation (GDPR) serves as the legal basis.
  2. In the processing of personal data necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations required to carry out pre-contractual actions.
  3. If processing of personal data is required to fulfill a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
  4. In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.
  5. If processing is necessary to safeguard the legitimate interests of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not prevail over the former interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for processing.

3. Data deletion and storage duration

  1. The personal data of the data subject shall be deleted or blocked as soon as the purpose of the storage ceases to apply.
  2. Data may also be stored if this is provided for by the European or national legislator in EU regulations, laws or other regulations to which the controller is subject.
  3. A blocking or deletion of the data also takes place when a storage period prescribed by the standards mentioned expires, unless there is a need for further storage of the data for a contract or fulfillment of the contract.

3. Providing the website and creating logfiles

1. Description and scope of data processing

  1. Whenever our website is accessed, our system automatically collects data and information from the computer system of the calling computer.
  2. The following data is collected here: information about the browser type and the version used, the user's operating system, the IP address of the user, the date and time of access, websites from which the user's system accesses our website, websites, which are accessed by the user's system through our website.
  3. The data is also stored in the log files of our system.

2. Legal basis for data processing

  1. The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. f GDPR.

3. Purpose of the data processing

  1. The temporary storage of the IP address by the system is necessary to allow delivery of the website to the computer of the user. To do this, the user's IP address must be kept for the duration of the session.
  2. Storage in log files is done to ensure the functionality of the website.
  3. In addition, the data is used to optimize the website and to ensure the security of our information technology systems.
  4. An evaluation of the data for marketing purposes does not take place in this context.
  5. These purposes also constitute our legitimate interest in the processing of data according to Art. 6 para. 1 lit. f GDPR.

4. Duration of storage

  1. The data will be deleted as soon as they are no longer necessary for the purpose of their collection.
  2. In the case of the collection of data for the provision of the website, this is the case when the respective session is completed.
  3. In the case of storing the data in log files, this is the case after no more than seven days, unless legal or technical reasons or the need for security make longer storage necessary.
  4. Further storage is possible.
  5. In this case, the IP addresses of the users are deleted or obfuscated, so that they can no longer be attributed to the calling client.

5. Removal possibility

  1. The collection of the data for the provision of the website and the storage of the data in log files is essential for the operation of the website.
  2. Consequently, the user has no option to object.

4. Use of cookies

1. Description and scope of data processing

  1. Our websites use cookies. Cookies are text files that are stored in the browser on the user's computer system. When a user visits a website, a cookie may be stored on the user's operating system.
  2. This cookie contains a characteristic string that allows the browser to be uniquely identified when the website is reopened.
  3. We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser be identified even after a page change.
  4. The cookies store and transmit data such as currency, session and account information, selection in ordering systems, CSRF tokens and potentially other metadata.

2. Legal basis for data processing

  1. The legal basis for the processing of personal data using cookies is Article 6 (1) lit. f GDPR.

3. Purpose of the data processing

  1. The purpose of using technically necessary cookies is to facilitate the use of websites for users.
  2. Some features of our website cannot be offered without the use of cookies.
  3. For this it is necessary that the browser is recognized even after a page change.
  4. These purposes also constitute our legitimate interest in the processing of personal data pursuant to Art. 6 para. 1 lit. f GDPR.

4. Duration of storage, objection and disposal options

  1. Cookies are stored on the computer of the user and transmitted by it to our site.
  2. Therefore, as a user, you have full control over the use of cookies.
  3. By changing the settings in your internet browser, you can disable or restrict the transmission of cookies.
  4. Already stored cookies can be deleted at any time.
  5. This can also be done automatically.
  6. If cookies are disabled for our website, not all features can be fully used.

5. Registration

1. Description and scope of data processing

  1. On our website, we offer users the opportunity to register by providing personal information.
  2. The data is entered into an input mask and transmitted to us and stored.
  3. A transfer of the data to third parties does not take place.
  4. In addition to the data that the user enters in our input masks, the IP address of the user, location data and date and time of registration are also stored.
  5. As part of the registration process, the user's consent to the processing of this data is obtained.

2. Legal basis for data processing

  1. Where the user has given consent, the legal basis for the processing of the data is Art. 6 para. 1 lit. a GDPR.
  2. If the registration serves the fulfillment of a contract to which the user is a party or the implementation of pre-contractual measures, an additional legal basis for the processing of the data is Art. 6 (1) lit. b GDPR.

3. Purpose of the data processing

  1. User registration is required for the provision of certain content and services on our websites. In the case of registration for free trial offers, registration is required in particular for the prevention of abuse.
  2. Registration of the user in connection with the ordering of paid services is required to fulfill a contract with the user or to carry out pre-contractual measures.

4. Duration of storage

  1. The data will be deleted as soon as they are no longer necessary for the purpose of their collection.
  2. For data collected during the registration process for the performance of a contract or for the performance of pre-contractual measures, this is the case when the data are no longer necessary for the performance of the contract.
  3. Even after conclusion of the contract, there may be a need to store personal data of the contracting party in order to comply with contractual or legal obligations, the latter in particular according to the tax law.

5. Opposition and removal possibility

  1. As a user, you have the option of canceling the registration at any time. You can change the data stored about you at any time.
  2. If the data are necessary for the fulfillment of a contract or for the execution of pre-contractual measures, a premature deletion of the data is only possible insofar as no contractual or legal obligations preclude a deletion.

6. Product information

1. Description and scope of data processing

  1. We regularly contact our registered customers via e-mail to inform them about updates, such as scheduled maintenance, new releases and security-relevant changes.
  2. The data from the input mask are transmitted to us during registration.
  3. For the processing of the data, your consent is obtained during the registration process and reference is made to this privacy policy.
  4. In connection with the processing of data for the shipment of product information, no transfer of the data to third parties takes place.
  5. The data will be used exclusively for sending the product information.

2. Legal basis for data processing

  1. Where the user has given consent, the legal basis for the processing of the data after the user has registered for the newsletter is Art. 6 para. 1 lit. a GDPR.

3. Purpose of the data processing

  1. The collection of the user's e-mail address serves to provide the product information.

4. Duration of storage

  1. The data will be deleted as soon as they are no longer necessary for the purpose of their collection. The e-mail address of the user is therefore (as all contract-related data) stored as long as the customer maintains an active user account.

5. Opposition and removal possibility

  1. You may object to storage for the future if you terminate your customer account at the same time.
  2. It is also possible to suspend the receipt of e-mails temporarily, but this does not end the storage of your e-mail address, which is required for the execution of the contract.

7. E-mail contact

1. Description and scope of data processing

  1. It is possible to contact us via the e-mail address provided.
  2. In this case, the user's personal data transmitted by e-mail will be stored.
  3. The data is used exclusively for the processing of the conversation.

2. Legal basis for data processing

  1. Where the user has given consent, the legal basis for the processing of the data is Art. 6 para. 1 lit. a GDPR. The legal basis for the processing of the data transmitted in the course of sending an e-mail is Article 6 (1) lit. f GDPR. If the e-mail contact aims to conclude a contract, then an additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR.

3. Purpose of the data processing

  1. In the case of contact by e-mail, this also constitutes the necessary legitimate interest in the processing of the data.

4. Duration of storage

  1. The data will be deleted as soon as they are no longer necessary for the purpose of their collection.
  2. For the personal data sent via e-mail, this is the case when the respective conversation with the user has ended.
  3. The conversation ends when it can be inferred from the circumstances that the relevant facts have been finally clarified.
  4. Statutory regulations, such as the obligation to store business mail, may preclude premature deletion.

5. Opposition and removal possibility

  1. The user has the opportunity to revoke his consent to the processing of personal data at any time.
  2. If the user contacts us by e-mail, he may object to the storage of his personal data at any time.
  3. In such a case, the conversation cannot continue.

8. Data collection by third party companies

We use third-party sub-processors to improve our service offerings. This might also include sharing some personal data. See a list of services in use and their application here: sub-processors

9. Rights of data subjects

1. Right to information

  1. You may ask the person in charge to confirm if personal data concerning you is processed by us.
  2. If such processing takes place, you can request the following information from the person responsible:
  3. the purposes for which the personal data are processed;
  4. the categories of personal data that are processed;
  5. the recipients or the categories of recipients to whom the personal data relating to you have been disclosed or are still being disclosed;
  6. the planned duration of the storage of your personal data or, if specific information is not available, criteria for determining the duration of storage;
  7. the right of rectification or deletion of personal data concerning you, a right to restriction of processing by the person responsible or a right to object to such processing;
  8. the existence of a right of appeal to a supervisory authority;
  9. all available information on the source of the data if the personal data are not collected from the data subject;
  10. the existence of automated decision-making including profiling under Article 22 (1) and (4) GDPR and - at least in these cases - meaningful information about the logic involved, and the scope and intended impact of such processing on the data subject.
  11. You have the right to request information about whether the personal data concerning you are transmitted to a third country or to an international organization. In this connection, you can request to be informed of the appropriate guarantees in accordance with Art. 46 GDPR in connection with the transfer.
  12. In the case of data processing for scientific, historical or statistical research purposes: This right of access may be restricted to the extent that it is likely that the realization of the research or statistical purposes is impossible or seriously impaired and the restriction is necessary for the performance of research or statistical purposes.

2. Right to rectification

  1. You have a right to rectification and / or completion vis-à-vis the controller, if the processed personal data concerning you is incorrect or incomplete.
  2. You can correct many data yourself as a registered customer. In other cases, the responsible person must make the correction without delay.
  3. In the case of data processing for scientific, historical or statistical research purposes: Your right of rectification may be limited to the extent that it is likely to render impossible or seriously affect the realization of the research or statistical purposes and the restriction is necessary for the performance of the research or statistical purposes.

3. Right to restriction of processing

  1. Under the following conditions, you may request the restriction of the processing of your personal data:
  2. if you deny the accuracy of your personal information for a period of time that enables the controller to verify the accuracy of your personal information;
  3. the processing is unlawful and you refuse the deletion of the personal data and instead demand the restriction of the use of the personal data;
  4. the person responsible no longer needs the personal data for the purposes of the processing, but you need them for the assertion, exercise or defense of legal claims, or
  5. if you have objected to the processing pursuant to Art. 21 (1) GDPR and it is not yet certain whether the legitimate reasons of the person responsible prevail over your reasons.
  6. If the processing of personal data concerning you has been restricted, these data may only be used with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
  7. If the restriction of processing has been applied in accordance with the above conditions, you will be informed by the person in charge before the restriction is lifted.
  8. In the case of data processing for scientific, historical or statistical research purposes: Your right to restriction of processing may be limited to the extent that it is likely to render impossible or seriously affect the realization of the research or statistical purposes and the restriction is necessary for the performance of research or statistical purposes.

4. Right to erasure

1. Obligation to delete

  1. You may require the controller to delete the personal information concerning you without delay and the controller shall immediately erase that information provided that any of the following is true:
  2. The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
  3. You revoke your consent on which the processing was based according to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. GDPR, and there is no other legal basis for processing.
  4. You object to the processing according to Art. 21 para. 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing according to Art. 21 para. 2 GDPR.
  5. Your personal data have been processed unlawfully.
  6. The deletion of personal data concerning you is required to fulfill a legal obligation under Union law or the law of the Member States to which the controller is subject.
  7. The personal data concerning you were collected in relation to information society services offered pursuant to Art. 8 (1) GDPR.

2. Information on third parties

  1. If the person responsible has made the personal data relating to you public and is obliged to delete it in accordance with Article 17 (1) of the GDPR, it shall take appropriate measures, including technical means, taking into account available technology and implementation costs, to inform data controllers who process the personal data that you, as the data subject, have requested the deletion of all links to such personal data or of copies or replications of such personal data.

3. Exceptions

  1. The right of erasure does not exist if the processing is necessary:
  2. to exercise the right to freedom of expression and information;
  3. to fulfill a legal obligation required by the law of the Union or of the Member States to which the controller is subject, or to carry out a task which is in the public interest or in the exercise of official authority delegated to the controller;
  4. for reasons of public interest in the field of public health pursuant to Art. 9 (2) lit. h and i and Art. 9 (3) GDPR;
  5. for archival purposes of public interest, scientific or historical research purposes or for statistical purposes according to Article 89 (1) GDPR, to the extent that the right referred to in subparagraph (a) is likely to render impossible or seriously affect the achievement of the objectives of that processing, or
  6. to assert, exercise or defend legal claims.

5. Right to information

  1. If you have asserted the right of rectification, erasure or restriction of the processing to the controller, the latter is obliged to notify all recipients to whom your personal data have been disclosed of this correction or deletion of the data or restriction of processing, unless this proves to be impossible or is associated with a disproportionate effort. You have the right to be informed by the person responsible about these recipients.

6. Right to data portability

  1. You have the right to receive the personally identifiable information relating to you that you have provided to the controller in a structured, common and machine-readable format. You also have the right to transfer this data to another person responsible without hindrance by the person responsible to whom the personal data was provided, provided that:
  2. the processing is based on consent according to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract according to Art. 6 para. 1 lit. b GDPR, and
  3. the processing is done using automated procedures.
  4. In exercising this right, you also have the right to obtain that personal data concerning you are transmitted directly from one person responsible to another person responsible, as far as this is technically feasible. Freedoms and rights of other persons may not be affected.
  5. The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority delegated to the controller.

7. Right to object

  1. You have the right at any time, for reasons arising from your particular situation, to object to the processing of your personal data which takes place pursuant to Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions.
  2. The controller will no longer process the personal data concerning you unless he can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing is intended to assert, exercise or defend legal claims.
  3. If the personal data relating to you are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct marketing.
  4. If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
  5. Regardless of Directive 2002/58/EC, you have the option, in the context of the use of information society services, of exercising your right to object by means of automated procedures that use technical specifications.
  6. In the case of data processing for scientific, historical or statistical research purposes: You also have the right, for reasons arising from your particular situation, to object to the processing of personal data relating to you for scientific or historical research purposes or for statistical purposes according to Art. 89 para. 1 GDPR. Your right of objection may be limited to the extent that it is likely to render impossible or seriously affect the realization of the research or statistical purposes, and that the restriction is necessary for the performance of the research or statistical purposes.

8. Right to revoke the data protection consent declaration

  1. You have the right to revoke your data protection consent declaration at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.

9. Automated decision on an individual basis including profiling

  1. You have the right not to be subject to a decision based solely on automated processing, including profiling, that has legal effect on you or affects you in a similar manner. This does not apply if the decision:
  2. is required for the conclusion or performance of a contract between you and the controller,
  3. is permitted by Union or Member State legislation to which the controller is subject, and where such legislation contains appropriate measures to safeguard your rights and freedoms and legitimate interests, or
  4. takes place with your express consent.
  5. However, these decisions may not be based on special categories of personal data under Art. 9 (1) GDPR, unless Art. 9 (2) lit. a or g GDPR applies and reasonable measures have been taken to protect the rights and freedoms as well as your legitimate interests.
  6. With regard to the cases referred to in (1) and (3), the person responsible shall take reasonable measures to uphold the rights and freedoms as well as your legitimate interests, including at least the right to obtain the intervention of a person on the part of the person responsible, to express your own position and to contest the decision.

10. Right to complain to a supervisory authority

  1. Without prejudice to any other administrative or judicial remedy, you shall have the right to complain to a supervisory authority, in particular in the Member State of your place of residence, employment or the place of the alleged infringement, if you believe that the processing of personal data relating to you violates the GDPR.
  2. The supervisory authority to which the complaint has been submitted shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.

Sub processors

Cloud hosting & data centers

The ProductFlow platform runs on Amazon Web Services (AWS). That includes our web properties (www and cloud). Various services from AWS (EC2, RDS, S3, Route53, Cloudfront …) are used in combination. See AWS Service Terms. All data is stored in Ireland.

Managing the deployment of the ProductFlow platform is done by Fortrabbit. See Fortrabbit Terms.

Marketing & tracking

We might use Google AdWords for re-marketing, as it is an effective way to stay on the radar of potential clients (currently disabled). We might also advertise on Twitter in a similar way; for this we share information about your visit, think "Tailored Audiences" (currently disabled).

Client communication

In order to help you successfully, we need to be able to communicate with you. In most cases we will chat or have contact by e-mail.

Product information subscription

We are using MailChimp to occasionally send e-mail updates to subscribed Accounts. These e-mails include relevant information on service updates and feature announcements, so these are not newsletters in the classical sense. With MailChimp we share e-mail addresses and names (for personalization). New ProductFlow Accounts get signed up for the newsletter automatically. That's why you need to confirm upfront that we may contact you by e-mail. Each newsletter, of course, includes a one-click opt-out option. Additionally, there is an Account notification setting in the Dashboard to manage subscriptions. We will write from "pleasereply@productflow.com". See MailChimp Terms.

Personal e-mails

We are required by law to store all business communication for ten years. So we will save your e-mails when you contact us by e-mail. Our personal mail (MX) accounts are provided by Google (gSuite). See gSuite Terms.

Transactional e-mails

We are using MailGun to send automated transactional e-mails to Accounts. These e-mails include relevant information. They are triggered either by intervals or by user interaction. Examples are: "company invitation", "trial expire notice" or "password reset". Naturally, there is no opt-out for these. Again, that's why you need to confirm that you agree to be contacted by e-mail when signing up. We will write from "pleasereply@productflow.com". See MailGun Terms.

Internal case management

We use Trello as an internal ticketing system to keep track of ongoing business tasks. We might link client cases from the chat system or billing related information there as well. See Atlassian Cloud Terms.

Account profile pictures

We send a hash of your e-mail address to the Gravatar service to see if you have an Account there. If you do, we display your profile picture from there; if not, a unique generic profile icon is displayed. See Gravatar Terms.

Accounting

We use an accounting software called Odoo. Naturally, these service providers have read access to billing related data, like invoices. See Odoo Terms.

Content Delivery Network

We use a CDN to serve static assets (IMG, JS, CSS) on all of the ProductFlow websites (www and cloud). The CDN helps us to deliver those files fast, from your nearest location. Currently we are using DigitalOcean services for this. When your browser sends requests for those files, your IP address will be transmitted. See DigitalOcean Terms.

Disclaimer

To err is human. We do our best to keep this page up-to-date, complete and correct. We reserve the right to add, change or remove certain services and practices without further announcement.

Data processing agreement

1. Introduction, scope, definitions

  1. This contract is concluded between the customer of ProductFlow B.V., hereinafter referred to as "client", and ProductFlow B.V., hereinafter referred to as "contractor". It supplements every existing contract between the contractor and the client, when the client processes personal data on the platform of the contractor. In his area of application he proceeds to the principal contract of the contractor.
  2. This contract governs the rights and obligations of client and contractor, hereinafter referred to as the parties.
  3. This contract applies to all activities in which employees of the contractor or subcontractors commissioned by it (subcontractors) process personal data of the client.
  4. Terms used in this agreement shall be understood as defined in the EU General Data Protection Regulation. Insofar as declarations have to be made in the following "in writing", the written form according to § 126 BGB is meant. Incidentally, declarations may also be made in other forms insofar as adequate verifiability is ensured.

2. Subject and duration of processing

  1. The contractor provides Product Information Management and Order Management services. The client receives the possibility to process data: save, modify, transmit, delete.
  2. Processing starts from the date on which the client makes use of the services and shall continue for an indefinite period until termination of this contract or the contract by a party and the subsequent final deletion of any personal data.

3. Purpose of the data processing

  1. The client processes data for its own purposes. He is not obliged to disclose the purpose of the processing to the contractor.
  2. The client alone is responsible for the type and structure of the data. The contractor has no influence on the type of data and the circle of those affected.

4. Obligations of the contractor

  1. The contractor processes personal data exclusively as contractually agreed or as instructed by the client, unless the contractor is legally obliged to perform certain processing. If such obligations exist for him, the contractor shall inform the client of these prior to processing, unless the communication is prohibited by law. In addition, the contractor uses the data provided for processing for no other purposes, especially not for his own.
  2. The contractor confirms that he is aware of the relevant general data protection regulations. He observes the principles of proper data processing.
  3. The contractor undertakes to strictly observe confidentiality during processing.
  4. Employees who are able to obtain knowledge of the data processing must undertake in writing to maintain confidentiality, insofar as they are not already subject to a relevant secrecy obligation by law.
  5. The contractor warrants that the persons involved in the processing have been made familiar with the relevant provisions of data protection and this contract before the start of processing. Appropriate training and awareness-raising measures should be repeated regularly. The contractor shall ensure that persons employed for the processing of orders are regularly adequately instructed and monitored with regard to the fulfillment of data protection requirements.
  6. If the client is subject to inspection by supervisory authorities or other bodies or if data subjects assert rights against him, the contractor undertakes to support the client to the extent necessary, insofar as the processing on the contract is concerned.
  7. The contractor may only provide information to third parties or the data subject with the prior consent of the client. He will immediately forward inquiries directed to him to the client.
  8. If required by law, the contractor shall appoint a competent and reliable person as data protection officer. It has to be ensured that there are no conflicts of interest for the commissioner. In cases of doubt, the client can contact the data protection officer directly. Changes in the person or the internal tasks of the representative shall be communicated by the contractor to the client without delay.
  9. Order processing takes place within the EU or the EEA as well as on data processing equipment of the company Amazon Web Services, partly in the USA. Any transfer to a third country may only take place with the agreement of the contracting authority and under the conditions set out in Chapter V of the General Data Protection Regulation and in compliance with the provisions of this contract. With respect to the above-described use of Amazon Cloud, consent is given upon conclusion of the Agreement.

5. Technical and organizational measures

  1. The data security measures described at Security measures are determined to be binding.
  2. They define the minimum owed by the contractor. The description of the measures must be made in such detail that it is clear to a knowledgeable third party at any time, solely on the basis of the description, what the required minimum should be.
  3. A reference to information that cannot be obtained directly from this agreement or its annexes is not permitted.
  4. The data security measures can be adapted to the technical and organizational development as long as the agreed level is not undershot.
  5. The contractor must implement without delay any changes necessary to maintain information security.
  6. Changes are to be communicated to the client immediately.
  7. Significant changes are to be agreed between the parties.
  8. Insofar as the security measures taken do not or no longer meet the requirements of the client, the contractor shall inform the client immediately.
  9. The contractor warrants that the data processed in the contract will be strictly separated from other data.
  10. Copies or duplicates are not made without the knowledge of the client. Excluded are technically necessary, temporary reproductions, as far as an impairment of the here agreed data protection level is excluded.
  11. The Contractor will provide regular proof of fulfillment of its obligations under the website Security measures, in particular the full implementation of the agreed technical and organizational measures.

6. Rules for the correction, deletion and blocking of data

  1. Data processed in the context of the contract will only be corrected, deleted or blocked by the contractor in accordance with the contractual agreement or the instructions of the client.
  2. If the client permanently violates his contractual obligations, the contractor is entitled to delete the client's Account. In this case, all data will be deleted. The client is informed in advance of this measure.
  3. The contractor will comply with the client's instructions at any time and beyond the termination of this contract.

7. Subcontracting

  1. The contractor employs the following subcontractor: Amazon Web Services.
  2. The commissioning of further subcontractors is permitted, the subcontractors are to be notified in writing to the client prior to the beginning of the data processing. The client can reject subcontractors.
  3. All subcontractors shall be subject to at least data protection obligations that are comparable to those agreed in this contract. Upon request, the client will be given access to the relevant contracts between contractor and subcontractor.
  4. The rights of the client must also be exercised effectively against the subcontractor. In particular, the client must be entitled to carry out inspections at subcontractors at any time, to the extent specified here, or have them carried out by third parties.
  5. The responsibilities of the contractor and the subcontractor must be clearly differentiated.
  6. Subcontracting by the subcontractor is permitted. Paragraphs 2 to 5 apply, mutatis mutandis.
  7. The contractor shall carefully select the subcontractor with special regard to the suitability of the technical and organizational measures taken by the subcontractor.
  8. The forwarding of data processed in the contract to the subcontractor is only permitted if the contractor has documented that the subcontractor has completely fulfilled his obligations. The client can inspect the documentation.
  9. Contracting subcontractors who do not carry out on-order processing exclusively from the territory of the EU or the EEA is only possible if the conditions set out in Chapter 4 of this contract are observed. In particular, it is only permissible if and as long as the subcontractor offers adequate data protection guarantees.
  10. The contractor will inform the client on request, which concrete data protection guarantees the subcontractor offers and how proof of this can be obtained.
  11. Subcontractors listed on the website sub processors, hereinafter referred to as the Transparency Page, at the time of signing the contract, will comply with the terms and conditions of the contractor accepted.
  12. The contractor reserves the right to employ new subcontractors or to replace subcontractors.
  13. The contractor publishes changes in subcontractor relations on the transparency page.
  14. If the client does not agree with a new subcontractor, the right to immediate termination exists.
  15. Subcontracting relationships within the meaning of this contract are only those services that have a direct connection with the provision of the main service.
  16. Additional services such as transport, maintenance and cleaning as well as the use of telecommunication services or user services are not included.
  17. The obligation of the contractor to ensure compliance with data protection and data security in these cases remains unaffected.

8. Rights and obligations of the client

  1. The client alone is responsible for the assessment of the admissibility of the commissioned processing as well as for the protection of the rights of those concerned.
  2. The client issues all contracts, partial contracts or instructions documented. In urgent cases, instructions can be given orally. Such instructions will be confirmed by the contractor without delay.
  3. The client shall be entitled to check compliance with the provisions on data protection and the contractual agreements at the Contractor to an appropriate extent, itself or through third parties, in particular by obtaining information and viewing the stored data and data processing programs, as well as through other on-site inspections.
  4. The persons entrusted with the control shall, as far as necessary, allow the contractor access and insight.
  5. The contractor is required to provide the necessary information, to demonstrate procedures and to provide the evidence required to carry out an inspection.
  6. Inspections of the contractor shall be carried out without avoidable disruption of his business operations.
  7. Unless otherwise indicated for urgent reasons to be documented by the client, controls shall take place after reasonable advance notice and during business hours of the contractor, and not more frequently than every 12 months.
  8. Insofar as the contractor provides evidence of the correct implementation of the agreed data protection obligations as stipulated in chapter 5.6 of this contract, a check shall be limited to random samples.

9. Notification requirements

  1. The contractor immediately informs the client of personal data protection breaches. Justified suspicions of such breaches are also to be communicated. The notification must be made at the latest within 24 hours after the contractor's knowledge of the relevant event to an address specified by the client. It must contain at least the following information:
  2. the name and contact details of the data protection officer or other contact point for further information;
  3. a description of the likely consequences of the violation of the protection of personal data;
  4. a description of the actions taken or proposed by the contractor to remedy the breach of personal data protection and, where appropriate, measures to mitigate their potential adverse effects.
  5. Immediate notification of any major problems in the execution of the contract as well as breaches by the contractor or persons employed by him against data protection regulations or the stipulations made in this contract.
  6. The contractor shall immediately inform the client of any inspections or measures by supervisory authorities or other third parties, insofar as these relate to order processing.
  7. The contractor undertakes to support the client in the scope of its obligations pursuant to Art. 33 and 34 of the General Data Protection Regulation.

10. Instructions

  1. The client himself has full access to the data at all times, so that it is not necessary for the contractor to cooperate, in particular also for correction, blocking or deletion.
  2. Where the co-operation of the processor is required, the processor shall be obliged to reimburse the reasonable costs incurred. In this case, the person responsible has a comprehensive right to issue instructions on the type, scope and procedure of data processing pursuant to Art. 29 in conjunction with Art. 28 GDPR.
  3. The processor must inform the controller without delay if he believes that an instruction violates data protection regulations. The processor shall be entitled to suspend the execution of the relevant instruction until it has been confirmed or changed by a person authorized to do so by the person responsible.
  4. Authorized by the client to issue instructions are all persons with a ProductFlow account, who are registered with the company of the client as an employee. With every directive, the employee will have to legitimize himself.
  5. All employees of the contractor are trained and authorized to receive instructions.

11. Termination of the contract

  1. Upon termination of the contract, the data will be destroyed.
  2. Any existing copies of the data will also be destroyed upon expiry of the retention period, if such exists. The destruction must take place in such a way that it is no longer possible to recover even residual information with justifiable effort.
  3. The contractor is obliged to bring about the immediate return or deletion also with subcontractors.

12. Liability

  1. The contractor is liable in principle only for its own fault.
  2. A liability of the contractor for slightly negligent breaches of duty is excluded, as far as damages from the injury of the life, the body or the health or guarantees are concerned or claims according to the product liability law are not affected.
  3. Furthermore, the liability for the breach of obligations, the fulfillment of which enables the proper execution of the contract in the first place and on whose observance the customer may regularly rely (cardinal obligations) remains unaffected.
  4. The above limitation of liability applies regardless of the legal grounds of liability and also in favor of employees and vicarious agents of the contractor.
  5. A duty of compensation of the contractor against the client is excluded, as far as the damage was caused by the correct implementation of the commissioned service or an instruction given by the client.

13. Special right of termination

  1. The client may terminate the contract and this agreement at any time without notice ("extraordinary termination") in the event of a serious breach by the contractor of data protection regulations or the provisions of this agreement, if the contractor cannot or will not execute an instruction from the client, or if the contractor refuses inspection rights of the client in breach of contract.
  2. A serious breach shall, in particular, exist if the contractor has not materially fulfilled or has not fulfilled the obligations specified in this agreement, in particular the agreed technical and organizational measures.
  3. In the case of insignificant infringements, the client shall set a reasonable deadline for the contractor to remedy the situation. If the remedy does not occur in time, the client is entitled to extraordinary termination as described in this section.

14. Other

  1. Both parties are obliged to confidentially treat all knowledge of business secrets and data security measures of the respective other party obtained in the course of the contractual relationship as regards the termination of the contract.
  2. If there are any doubts as to whether the information is subject to confidentiality, it must be treated as confidential until written approval by the other party.
  3. If the client property is endangered by measures taken by third parties (such as seizure or confiscation), insolvency or settlement proceedings or other events, the client must inform the contractor immediately.
  4. The written form is required for side agreements.
  5. The plea of retention within the meaning of § 273 BGB is excluded with regard to the data processed in the contract and the associated data carrier.
  6. Should individual parts of this agreement be ineffective, this does not affect the validity of the agreement otherwise.

Security measures

It's our duty to keep your data secure. While we don’t like to expose too much detail — as secrecy is part of security — the following technical and organizational measures may give you some confidence:

Service scope

ProductFlow provides Product Information Management and Order Management services, providing clients a single interface from which they manage all their product content and order fulfilment tasks.

Data centers

ProductFlow's physical infrastructure is hosted and managed within Amazon’s secure data centers on Amazon Web Service (AWS) technology. These data centers are certified under a number of security standards, including:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

AWS enforces a high level of physical security to safeguard their data center with military grade perimeter controls and security staff at all points of ingress. As for environmental protection, AWS has sophisticated fire detection and suppression equipment, fully redundant power infrastructure with integrated UPS units and high-end climate control systems to guarantee an optimal working environment for the hardware. For a more in-depth view, we refer you to the AWS Security Center.

SysOps

A multi-tier security strategy is employed. On the inside, each Node is built around a hardened Linux kernel, which enforces strong privilege and resource separation mechanisms at OS level. All operating systems and software components are kept up-to-date.

At the next tier, each Node exists within isolated virtual containers, which guarantee complete logical separation of Apps. Each App runs within its own isolated environment and cannot interact with other applications or areas of the system. In addition, the container technology allows hard resource capping, which reduces the bad neighbor effect of shared environments to a bare minimum. The setup is designed in a flexible manner to isolate or boost resources quickly.

Penetration testing

Third party security testing is performed by independent security researchers at irregular intervals. Findings from each vulnerability assessment are reviewed with the assessors, risk ranked and resolved swiftly.

Abuse monitoring

User and system activity is monitored for signs of abuse — by algorithms and humans.

Firewalling

On the outside, network firewalling and hardened TCP/IP stacks to mitigate resource exhaustion attempts are utilized. Sniffing and spoofing attacks are prevented through the underlying infrastructure.

By default all outgoing traffic on all ports, except for standard ones (http, https, dns etc)

Web interface

All communication with the Web interface is encrypted via TLS. By default users are going to get logged out after some time of inactivity. For "dangerous actions" re-authentication is required. 2FA is available.

Internal protocols

All employees are trained in safety aspects and best security practices, including how to identify social engineering, phishing scams, and hackers. All employees agree to privacy safeguard policies outlining their responsibility in protecting client data.

Binding internal security policies that are evaluated on a regular basis are in place. It is regularly checked whether all responsibilities have been clearly assigned and that they are practicable. There are documented rules and contingency plans.

The computer systems of employees are secured by encrypted file systems and password authentication.

Access control

All server accesses are equipped with individual minimum rights and are transmitted in encrypted form. SSH access is "jailed" with outbreak prevention. Access will only be via key-pair authentication and where possible through multi-factor authentication. All connections to the server are via encrypted channels and protocols.

Cryptography

All Personally Identifiable Information (PII) and sensitive access data is stored "hashed + salted". Asymmetric encryption and AES (Advanced Encryption Standard) encryption are used.

Data Retention

All Personally Identifiable Information (PII) will be purged 30 days after creation. If it is required by law to retain archival copies of PII for tax or similar regulatory purposes, then this should be requested directly from the Marketplace itself.

Supplier relationships

All subcontractors are tested for privacy and security suitability. There are appropriate terms in place.

Vulnerability reporting

Do you think you have discovered a security issue here? Or maybe you have concerns, suspicions or found a phishing website, a copyright issue or other illegal content hosted here? Please disclose in a responsible manner. We will work with you to understand the scope of the issue swiftly. Please mail to: security@productflow.com

Acceptable use policy

ProductFlow is intended to be used to manage product content and order fulfilment. This policy describes forbidden uses. The examples described here are not exhaustive. We may modify this policy at any time.

Prohibited content

It is not allowed to use, encourage, facilitate, promote or instruct others to use the services for any illegal, harmful, fraudulent, infringing or offensive use, or to transmit, store, display, distribute or otherwise make available "evil" content. This includes:

  • Illegal or harmful: Illegal contents, that violate the rights of others, or that may be harmful to others, reputation, including disseminating, promoting or facilitating child pornography, offering or disseminating fraudulent goods, services, schemes, promotions, make-money-fast schemes, ponzi and pyramid schemes, phishing, pharming, crypto-currency mining.
  • Infringing: Content that infringes or misappropriates the intellectual property or proprietary rights of others.
  • Offensive: Content that is defamatory, obscene, abusive, invasive of privacy, or otherwise objectionable, including content that constitutes child pornography, relates to bestiality, or depicts non-consensual sex acts.

Monitoring and enforcement

We reserve the right, but do not assume the obligation, to investigate any violation of this policy. In consequence we may: remove, disable access, or even modify content; report any activity that we suspect violates any law or regulation to appropriate law enforcement officials, regulators, or other appropriate third parties. This reporting may include disclosing appropriate client information.