MASTER SERVICE AGREEMENT
ACCEPTABLE USE POLICY
SERVICE LEVEL AGREEMENT
GENERAL PERSONAL DATA PROTECTION POLICY
- Purpose, Scope and Users
- Reference Documents
- Definitions
- Basic Principles Regarding Personal Data Processing
- Building Data Protection in Business Activities
- Fair Processing Guidelines
- Organization and Responsibilities
- Guidelines for Establishing the Lead Supervisory Authority
- Response to Personal Data Breach Incidents
- Audit and Accountability
- Conflicts of Law
- Managing records kept on the basis of this document
- Validity and document management
INFORMATION SECURITY POLICY
- Purpose, Scope and Users
- Reference Documents
- Definitions
- Basic Principles Regarding Personal Data Processing
- Building Data Protection in Business Activities
- Fair Processing Guidelines
- Organization and Responsibilities
- Guidelines for Establishing the Lead Supervisory Authority
- Response to Personal Data Breach Incidents
- Audit and Accountability
- Conflicts of Law
- Managing records kept on the basis of this document
- Validity and document management
Legal and Security
MASTER SERVICE AGREEMENT
This MSA is made between Mitto AG, a company incorporated under the Swiss Law, with registered office in Bahnhofstrasse 21, Zug 6300, Switzerland, registration number CHE-476-625-358, (“Mitto”), and Client.
The MSA governs Client’s acquisition and use of MITTO’s Services. Please read this MSA fully and carefully before using the Services.
The Client accepts and agrees to the terms of this MSA, by activating a box indicating acceptance, by executing this MSA or a Service Addendum referencing this MSA, or by using the Services. By accepting this MSA and/or using the Services in any manner, the Client agrees that it has read and understood this MSA and all other documents referenced herein, each of which is incorporated herein by this reference and each of which may be updated from time to time as set forth below, to the exclusion of all other terms. If the Client is accepting this MSA on behalf of an organization, it represents and warrants that it has the authority to do so. If the Client has no such authority, or does not agree to with this MSA, such Client must not accept this MSA and may not use the Services. If the Client’s organization has entered into a separate agreement with MITTO covering its use of the Services, then that agreement shall govern instead.
This MSA is effective between Client and MITTO as of the date of Client’s acceptance of this MSA.
MITTO and Client individually a “Party” or collectively “Parties”.
1. DEFINITIONS
As used hereunder, the following terms shall have the meanings specified below. Except where the context requires otherwise, words in the singular shall include the plural and vice versa.
- “Accessible Mobile Operators” shall mean the digital cellular networks accessible from the MITTO platform;
- “Acceptable Use Policy” the acceptable use of the Services agreed by the Parties;
- “Affiliate” shall mean any person or entity who directly or indirectly through one or more entities, controls or is controlled by or is under common control with any of the Parties. Control, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity;
- “Applicable Law” shall mean all laws, regulations, directives, statutes, subordinate legislation, common law and civil codes of any jurisdiction together with all codes of practice having force of law, statutory guidance, regulatory policy or guidance and industry codes of practice;
- “Balance” shall mean the amount of money the Client has paid MITTO less the value of the Services the Client has used with MITTO;
- “Beta Services” shall mean Services or a functionality that may be made available to the Client to try at its option at no additional charge and which is clearly designated as beta, pilot, limited release, developer preview, non-production, evaluation, or by a similar description;
- “Business Day” shall mean any day that is not a Saturday, Sunday or a public or bank holiday in the canton of Zug/Switzerland;
- “Client” shall refer to you, unless you are accepting on behalf of an organization in which case “Client” shall mean that organization. If you are registering for a user account in order to use the Services on behalf of an organization, then you are agreeing to this MSA for that organization and guaranteeing to MITTO that you have the authority to bind that organization to this MSA;
- “Client Data” shall mean all data, works and materials uploaded to or stored within the Services by or for the Client, transmitted by the Services at the instigation of the Client, supplied by the Client to MITTO for uploading to, transmission by or storage with the Services, or generated by the Services as a result of the use of the Services by the Client, but excluding analytics data relating to the use of the Services;
- “Data Protection Laws” shall mean all applicable laws relating to the processing of Personal Data including, the Swiss Federal Act on Data Protection of 19 June 1992, together with its ordinance, and the European General Data Protection Regulation (Regulation (EU) 2016/679);
- “Documentation” shall mean all of the MITTO API instruction manuals and guides, code samples, manuals, guides, online help files and technical documentation made publicly available by MITTO for the Services, and as may be updated from time to time. Such Documentation is appended to the respective Service Addendum or may be available at https://www.mitto.ch and includes terms that are specific to certain Services (namely, what MITTO may refer to as “product specific terms” or “service specific terms”);
- “Information” shall mean any visual, textual data or other material made available through the access to the MITTO Platform or the Services granted to Client under this MSA;
- “Intellectual Property Rights” shall mean all intellectual property rights wherever in the world, whether registrable or unregistrable, registered or unregistered, including any application or right of application for such rights. These intellectual property rights include copyrights and related rights, database rights, confidential information, trade secrets, know-how, business names, trade names, trademarks, service marks, passing off rights, unfair competition rights, patents, petty patents, utility models, semi-conductor topography rights and rights in designs;
- “Malicious Code” shall mean code, files, scripts, agents or programs intended to do harm, including, for example, viruses, worms, time bombs, Trojan horses, ransomware, spyware, adware and other malicious software programs;
- “MITTO” shall mean MITTO AG, a company incorporated in Switzerland under the registration number CHE-476-625-358, whose principal place of business is at Bahnhofstrasse 21, 6300 Zug, Switzerland;
- “MITTO API” shall mean an application programming interface for the Services (or feature of the Services) provided to the Client by MITTO;
- “MITTO Platform” shall mean the server, hardware, software and other equipment that MITTO uses in connection with performance of the Services;
- “Mobile Operator” or “Operator” shall mean the legal entity, which operates a mobile telecommunications system or network;
- “Mobile Subscriber” shall mean a person having entered into an agreement with a Mobile Operator allowing it to access the Operator’s network;
- “MSA” shall mean this agreement between Client and MITTO incorporating these terms and conditions and all addenda and documentation attached thereto;
- “Personal Data” shall mean any information relating to a living individual who can be identified from such data, or a combination of such data, and other information in the possession of, or likely to come into the possession of, the data controller. If Data Protection Laws definition of Personal Data include data relating to legal entities, such data shall be considered Personal Data;
- “Services” shall mean all products and services, that MITTO offers and the Client orders, described in the respective MSA, Service Level Agreement, or Service Addendum. This includes MITTO services provided to the Client on a trial basis. Services may include Services provided both by MITTO Platform services and MITTO API. And, where applicable, connectivity services that link the Services to the telecommunication providers’ networks via the Internet (refer to the definitions in the respective Service Addendum or available at https://www.mitto.ch/integrations for a more detailed description);
- “Service Addendum” shall mean any Addendum including its Appendices to this MSA containing the description and any specific terms and conditions for a particular Service, as per article 2 of this MSA;
- “Service Level Agreement (SLA)” shall mean the service levels agreed by the Parties as set out in the SLA or in a specific appendix to a Service Addendum, in which case the service levels in the appendix shall prevail.
- “Site” means Mitto’s web domains, including the pricing and all other webpages thereof, available at https://www.mitto.ch/
- “Dashboard” means Mitto’s customer portal available on the Site.
PLEASE NOTE: THESE TERMS LIMIT MITTO’S LIABILITY TO THE CLIENT. For more details, see article 24.
IN ADDITION, DISPUTES RELATED TO TERMS OR RELATED TO CLIENT’S USE OF THE SERVICES GENERALLY MUST BE RESOLVED BY A DISPUTE RESOLUTION PROCESS WHICH MAY LEAD TO BINDING ARBITRATION. For more details, see article 32.
2. SCOPE OF AND CHANGES TO THIS MSA
2.1 Subject to the terms and conditions of this MSA, MITTO agrees to provide Client with the Services defined and described in each Service Addendum, Dashboard or the Site
2.2 From time to time, the Parties may mutually agree to add or remove Services to or from this MSA by adding or removing a Service as a Service Addendum to this Agreement or by using the Dashboard or the Site.
2.3 MITTO may update this MSA from time to time by providing the Client with prior written notice of material updates at least thirty (30) days in advance of the effective date of the update. Notice will be given in Client’s account or via an email to the email address of the owner of Client’s account or as indicated during the sign up Process. This notice will highlight the intended updates. Except as otherwise specified by MITTO, updates will be effective upon the effective date indicated in connection with the update. In case of no such communicated effective date, the update will immediately enter into force. The updated version of this MSA will supersede all prior versions.
2.4 Following such notice, Client’s continued access or use of the Services on or after the effective date of the changes to the MSA constitutes its acceptance of any updates. If Client does not agree to any updates, it should stop using the Services immediately.
2.5 MITTO may not be able to provide at least thirty (30) days prior written notice of updates to this MSA that result from changes in the law or requirements from telecommunications providers.
3. ORDER OF PRECEDENCE
3.1 In the event of any conflict or inconsistency among the following documents, the order of precedence shall be: (1) the Service Addendum including its appendices, (2) product-specific terms, (3) the Service Level Agreement, (4) the MSA and (5) the Documentation.
4. SERVICE TERMS
4.1 The applicable terms for the Service are defined in this MSA unless there are specific terms for a Service in the respective Service Addendum, Dashboard or the Site.
5. CLIENT’S MITTO ACCOUNT(S)
5.1 To use the Services, Client might be asked to create a user account. As part of the account creation process, the Client will be asked to provide its email address, create a password, and provide a telephone number for verification purposes. Until the Client registers for an account, its access to certain Services may be limited. When registering for an account, the Client must provide true, accurate, current and complete information about itself as requested during the setup process.
5.2 The Client is solely responsible for all use (whether or not authorized) of the Services under its account(s) and any sub-account(s), including the quality and integrity of Client Data. In addition, the Client is solely responsible for all acts and omissions of anyone who has access to or otherwise uses any Service (“End User”).
5.3 The Client agrees, represents and warrants taking all reasonable safeguards to prevent unauthorized access to or use of the Services and will notify MITTO promptly of any unauthorized access or use. MITTO is not liable for any loss or damage arising out of unauthorized use of Client’s account(s).
5.4 As part of MITTO’s ongoing and routine monitoring of account activity, and to help MITTO to reduce the risk of fraudulent use of Client’s account(s) and the Services, the Client may initially be limited in the provision of service while MITTO is activating the Client account(s), or where the Client has not used its account in 12 months or longer.
6. CONNECTIVITY
6.1 Client is solely responsible for providing suitable hardware, software, communications equipment and any other equipment, at its own expense, and for the provision of all infrastructures necessary to ensure its access to the MITTO Platform and the Services. Client is also responsible, at its own expense, for the provision and the regular monitoring of telecommunication and access infrastructure between the Client’s operations center and the MITTO Platform.
6.2 MITTO shall be responsible for the MITTO Platform up to and including the Client’s physical point for connection.
7. ACCESS AND USE OF SERVICES
7.1 MITTO makes the Services available to the Client in accordance with this MSA, the Documentation and any applicable Service Addendum, Dashboard or the Site. The Services will comply with the Service Level Agreement or any specific service levels set out in an appendix to a Service Addendum, which may be updated from time to time. MITTO provides the Services in accordance with laws applicable to MITTO’s provision of the Services to its Clients generally (i.e. without regard for Client’s particular use of the Services), and subject to the Client’s use of the Services in accordance with this MSA, the Documentation, any applicable Service Addendum, Dashboard or the Site.
7.2 The Client may use the Services, on a non-exclusive basis, solely to:
• use the Documentation and MITTO APIs as needed to develop its application;
• use and make the Services available to End Users in connection with the use of each Service in accordance with the Documentation and MITTO’s Acceptable Use Policy or other limitations agreed in the Service Addendum, Dashboard or the Site;
• use the Services solely in connection with and as necessary for the Client activities pursuant to this MSA; and
• allow its Affiliates to use the Services pursuant to this MSA or as agreed in the Service Addendum
8. SERVICE AVAILABILITY
8.1 Unless otherwise sets forth in the SLA or any specific service levels in the respective appendix to a Service Addendum, Dashboard or the Site, MITTO uses reasonable endeavors to maintain the availability of the Services to the Client, but does not guarantee 100% availability. Particularly, downtime caused directly or indirectly by any of the following is not considered a breach of this MSA:
• force majeure events (see article 30);
• fault or failure of the Internet or any public telecommunications network;
• fault or failure of the Client’s IT systems or networks;
• any use of third party applications;
• any impact of denial of service attacks or other influence of Malicious Code;
• any breach by the Client of this MSA; or
• scheduled maintenance.
8.2 The Client is obliged to report functional failures, malfunctions or impairments of the Services immediately and as precisely as possible to MITTO.
9. CLIENT DATA
9.1 The Client hereby grants to MITTO a non-exclusive right to copy, reproduce, store, distribute, publish, export, adapt, edit and translate Client Data to the extent reasonably required for the performance of its obligations and the exercise of its rights under this MSA. In addition, the Client grants to MITTO the right to sub-license these rights to its hosting, connectivity and telecommunications service providers.
9.2 The Client warrants to MITTO that Client Data will not infringe the Intellectual Property Rights or any other rights of any third party and does not infringe the Applicable Law.
9.3 MITTO creates an automated backup of Client Data at least daily and ensures that each such backup is sufficient to enable MITTO to restore the Service to the state it was in at the time the backup was made. MITTO or its commissioned service providers retain and securely store each such backup for a period of 30 days.
9.4 MITTO will maintain appropriate administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Client Data, as described in the Documentation. Those safeguards will include, but are not limited to, measures designed to prevent unauthorized access to or disclosure of Client Data (other than by Client or End Users).
9.5 The Client acknowledges that the Internet and telecommunications providers’ networks are inherently insecure. The Client agrees that MITTO is not liable for any changes to, interception of, or loss of Client Data while in transit via the Internet or a telecommunications provider’s network.
9.6 If and to the extent that Client Data includes Personal Data, the Parties shall conclude a data processing agreement (see article 26).
10. CLIENT’S OBLIGATIONS
10.1 The Client agrees to:
• be solely responsible for all use (whether or not authorized) of the Services and Documentation under the Client’s account(s), including the quality and integrity of Client Data;
• use Services only in accordance with this MSA, the Acceptable Use Policy, Documentation, Service Addendum or other applicable terms relating to the use of the Services;
• use Services in accordance with all Applicable Law;
• be solely responsible for all acts, omissions and activities of End Users, including their compliance with this MSA, the Documentation, the Acceptable Use Policy and any terms agreed by the Parties;
• prevent unauthorized access to or use of the Services and notify MITTO promptly of any such unauthorized access or use;
• provide reasonable cooperation regarding information requests from law enforcement, regulators, or telecommunications providers; and
• comply with the representations and warranties made in article 23 of this MSA.
11. USE RESTRICTIONS
11.1 Concerning the Services the Client agrees:
• that except to make the Services available to Client’s End Users in connection with the use of each Service as permitted herein, the Client does not transfer, resell, lease, license or otherwise make available the Services to third parties or offer them on a standalone basis;
• not to attempt to use the Services to access or allow access to emergency services (i.e., an official government-sponsored emergency telephone number. such as 144 in Switzerland or 112 in the European Union and other locations worldwide, which is used to dispatch professional emergency responders) unless the Service is expressly approved for emergency services and the Client use those Services strictly in accordance with the specific terms agreed by the Parties or any other agreement as MITTO deems appropriate;
• not to use the Services in any manner that violates any Applicable Law;
• not to use the Services to create, train, or improve (directly or indirectly) a substantially similar product or service;
• not to create multiple service accounts to simulate or act as a single service account or otherwise access the Service in a manner intended to avoid incurring fees; and
• not to reverse engineer, decompile, disassemble or otherwise create, attempt to create or derive, or permit or assist anyone else to create or derive the source code of any software provided in connection with the Services.
12. MAINTENANCE
12.1 MITTO may temporarily suspend the Services for maintenance or upgrade reasons. MITTO will endeavor to give Client five (5) Business Days prior written notice of such suspension. It is understood that suspension of the Services for maintenance reasons, excluding force majeure events or serious outage of the Services (where outage means a situation where the Services can barely be operated if at all), will usually be done during between 00:00-06:00 CET (Central European Time).
13. SERVICE SUSPENSION
13.1 MITTO may suspend, in whole or in part, Client’s rights of access and use of the Services upon notice if:
• the Client violates (or gives MITTO reason to believe it has violated) any provision of this MSA, a Service Addendum, the Documentation or the Acceptable Use Policy;
• there is reason to believe that the traffic created from Client’s use of the Services or its use of the Services is fraudulent or negatively impacting the operating capability of the Services;
• MITTO determines, in its sole discretion, that providing the Services is prohibited by Applicable Law, or it has become impractical or unfeasible for any legal or regulatory reason to provide the Services;
• subject to Applicable Law, upon Client’s liquidation, commencement of dissolution proceedings, disposal of its assets or change of control, a failure to continue business, assignment for the benefit of creditors, or if the Client becomes the subject of bankruptcy or similar proceeding;
• there is any use of the Services by the Client or the End Users that, based on MITTO’s judgment, threatens the security, integrity or availability of the Services;
• the use by the Client or the End Users poses a security risk to the Services or any third party, adversely affects the Services, service offerings, systems or data of another MITTO client, exposes MITTO or its service providers to liability, or may be fraudulent; or
• the Client or the End Users are in breach of this MSA, in particular if the Client is more than ten (10) Business Days in default of payments due.
13.2 The temporary suspension of access and usage rights has the following effects:
• the Client remains fully liable for all fees incurred up to the date of suspension.
• the Client remains liable for all fees and costs applicable to all Services for which access has not been suspended.
• Client Data stored is not affected by the suspension.
14. REQUIRMENTS FOR BUILDING REGULATED SERVICES
14.1 MITTO offers both non-interconnected and interconnected Voice over IP (“VoIP”) Services. If the Client orders interconnected VoIP services, it is responsible, just like MITTO, to comply with the regulatory requirements, taxes, and fees imposed on interconnected VoIP services. If the Client orders a non-interconnected VoIP service from MITTO, it is still possible for the Client to build an interconnected VoIP Service with MITTO’s non-interconnected VoIP services. If the Client builds an interconnected VoIP service (regardless of which MITTO Services are ordered), the Client is solely responsible to comply with the regulatory requirements, taxes, and fees imposed on interconnected VoIP services.
15. CHANGES TO MITTO’S SERVICES
15.1 The features and functions of the Services, including the MITTO Platform, the MITTO API and MITTO’s Service Level Agreement, may change from time to time. It is MITTO’s responsibility to ensure that Services are compatible with MITTO’s former Services, if technically feasible. MITTO tries to avoid making changes to the Services that are not backwards compatible. If any changes become necessary and lack backwards compatibility, MITTO uses reasonable efforts to notify the Client at least sixty (60) days prior to implementing such changes.
16. BETA SERVICES
16.1 From time to time, MITTO may make Beta Services available to Clients. Client may choose to try such Beta Services or not in its sole discretion.
16.2 Beta Services are intended for evaluation purposes and not for production use, are not supported, and may be subject to additional terms. Unless otherwise stated, any Beta Services trial period will expire upon the earlier of one year from the trial start date or the date that a version of the Beta Services becomes generally available without the applicable Beta Services designation. MITTO may discontinue Beta Services at any time in its sole discretion and may never make them generally available.
16.3 BETA SERVICES ARE PROVIDED “AS IS” AND “AS AVAILABLE” WITH NO WARRANTIES WHATSOEVER, AND MITTO SHALL HAVE NO LIABILITY WHATSOEVER FOR ANY HARM OR DAMAGE ARISING OUT OF OR IN CONNECTION WITH BETA SERVICES.
17. AFFILIATES
17.1 Client’s Affiliates are not permitted to purchase Services using the MSA that Client accepted.
17.2 Client Affiliates will need to accept the MSA themselves. If Client’s Affiliates use the Services under these MSA, then the Client and those Affiliates will be jointly and severally responsible for the acts and omissions of the Affiliates, including, but not limited to, their breach of this MSA. Any claim from any of the Client’s Affiliates that use the Services pursuant to this MSA may only be brought against MITTO by the Client on its Affiliates’ behalf.
18. FEES AND PAYMENT
18.1 The fees to be paid to MITTO by Client are set forth on the Site’s Pricing List page or in each Service Addendum.
Prices applicable to the Client are in accordance with the Standard Price List found on the following link.
In case a customized Price List is sent to the Client on a separate email or as Appendix to a Service Addendum, such customized Price List shall prevail over the Standard Price List.
MITTO has the right to issue a price change to the Client at any time.
18.2 Payments to be made by Client to MITTO for the Services and payment terms are set forth in the applicable Service Addendum, or as described below on article 18.8. MITTO shall not be obliged to perform any Services under this MSA if Client has not provided payments. MITTO has also the right to temporarily suspend the Service until outstanding payments have been received (see article 13).
18.3 All charges and fees for the Services are exclusive of any taxes, including sales, value-added, or other taxes. Client shall be liable for and shall reimburse MITTO for all sales or value-added taxes imposed in connection with or arising from the provision of Services to Client. Client will provide MITTO sufficient information as to the timely payment of all applicable withholding taxes, if so, required by MITTO.
18.4 All payments between the Parties shall be for the full invoiced amount and as such, each Party shall pay any bank charges its bank may charge. Any shortfall between the invoiced amount and the amount received by MITTO will constitute an outstanding amount and will be carried forward.
18.5 If the Client elects to pay via wire transfer, the Client shall pay the charges to Mitto by wire transfer to the bank account indicated by Mitto via e-mail.
18.6 Payment shall be made using the currency indicated in the Service Addendum, Dashboard or the Site.
18.7 Except as otherwise expressly set forth herein, payment obligations are non-cancelable and fees and taxes, once paid, are non-refundable. Except as otherwise set forth herein or in the applicable Service addendum, and subject to 19.3 (payment dispute), Client will pay the fees due hereunder in accordance with the applicable payment method described on 18.8.
18.8 Credit Card. If Client elects to add funds to its account by credit card and use such funds to pay the fees due, Client is responsible for ensuring such funds cover the fees due. If Client’s account does not have sufficient funds or its credit card declines a charge for the fees due, Mitto may suspend the provision of the Services to all Client’s accounts until the Fees due are paid in full. Client is prohibited from creating new accounts until the Fees due are paid in full.
18.9 Invoicing. The Client will receive invoices at the email address indicated during the sign-up process, immediately after the payment has been successfully received by Mitto. Client is regarded to have received the invoice the same day the invoice is sent by MITTO to the Client via email. The Client will also have the option to find its invoices under settings – billing in the Dashboard.
19. BILLING
19.1 MITTO shall take all reasonably feasible measures to ensure that its system for recording the volume of Client’s usage of Services is accurate.
19.2 If the data concerning Client’s use of Services recorded by Client deviates from the data recorded by MITTO, the Parties shall use reasonable endeavors to investigate their reporting systems in order to resolve the deviation.
19.3 Client can contest the amount of an invoice by giving MITTO a written notice of the disputed amount within ten (10) Business Days of receiving the invoice. Within ten (10) Business Days of receiving the notice, MITTO will provide Client by email with an itemized transaction log report of all Service requests it received from Client in the given period. Should Parties fail to resolve within a further fifteen (15) days, the dispute may be escalated to senior management, or such dispute shall be resolved in accordance with article 32. The Client shall pay all amounts other than those in dispute on the due date for payment.
19.4 Unless otherwise agreed in the respective Service Addendum, Dashboard or the Site MITTO will send invoices to Client by email to the email address specified during the Sign-up Process on the Site. Client is regarded to have received the invoice the same day the invoice is sent by MITTO to the Client via email.
20. UNSOLICITED TRAFFIC
20.1 Client undertakes that it will not use any Services for any illegal, immoral or improper purpose or in any manner which contravenes Applicable Law or Mobile Operator requirements as they exist and as they change over time and undertakes not to allow any third party to do so.
20.2 Client shall under no circumstances send unsolicited traffic to the MITTO Platform, the MITTO API or any Service. Client shall at all times ensure that Client’s agreements with its clients contain similar clauses that prohibit sending of unsolicited traffic. Client shall perform all such actions that prevent unsolicited traffic from reaching the MITTO Platform, the MITTO API or any Service.
20.3 Should unsolicited traffic nonetheless be sent by the Client or any of the Client’s clients or client’s clients to the MITTO Platform, the MITTO API or any Service, the following actions shall be taken:
• the Party detecting that unsolicited traffic has been sent shall immediately notify the other Party;
• the Parties shall immediately initiate efforts to work in good faith and exchange information (with timestamp, content, destination number and originator) in order to determine the source of the unsolicited traffic as soon as possible after the incident;
• Client shall immediately terminate the connection with the Client’s client that has originated the unsolicited traffic and shall ensure that such Client’s client is no longer connected to the MITTO Platform, the MITTO API or Services.
20.4 If any clauses in this article 20 are violated, MITTO can immediately suspend (i.e. temporarily stop providing the Service see article 13) or terminate this Agreement, at its sole option, without prejudice to any damages that MITTO may be entitled to claim.
21. SUBCONTRACTORS
21.1 MITTO may employ subcontractors of its choice to fulfil its obligations. MITTO is responsible for acts and omissions of its subcontractors as if they were its own.
22. INTELLECTUAL PROPERTY RIGHTS
22.1 All Intellectual Property Rights in all software, information, technology or data whatsoever supplied by either Party under the Agreement shall remain the property of that Party or its licensors. Any Intellectual Property Rights to any developments shall be the property of the developing party.
22.2 For the avoidance of doubt: MITTO exclusively owns and reserves all right, title and interest in and to the Services, Documentation, or Confidential Information (see section 25 below) and all anonymized or aggregated data resulting from the use and operation of the Services (including but not limited to volumes, frequencies, or bounce rates, etc.) and that do not identify a natural person as the source of the information, as well as any feedback, recommendations, correction requests, or suggestions (“Contributions”) from the Client or any End User about the Services.
22.3 The Client exclusively owns and reserves all right, title and interest in and to Client Data and Client’s Confidential Information.
22.4 By submitting Contributions, the Client agrees that:
• MITTO is not under any obligation of confidentiality with respect to Client’s Contributions;
• MITTO may use or disclose (or choose not to use or disclose) Client’s Contributions for any purpose and in any way;
• MITTO owns Client’s Contributions; and
• Client is not entitled to any compensation or reimbursement of any kind from MITTO under any circumstances for its Contributions.
22.5 The Client grants MITTO the right to use its name, logo, and a description of its use case to refer to the Client on MITTO’s website, earnings release and calls, marketing or promotional materials, subject to Clients standard trademark usage guidelines that Client may provide to MITTO.
23. REPRESENTATIONS AND WARRANTIES
23.1 MITTO MAKES NO EXPRESS WARRANTIES TO CLIENT REGARDING THE SERVICES. THE SERVICES ARE BEING PROVIDED TO CLIENT “AS IS” AND “AS AVAILABLE” WITHOUT WARRANTY OF ANY KIND. TO THE MAXIMUM EXTENT PERMITTED BY THE APPLICABLE LAW, MITTO DISCLAIMS ALL WARRANTIES WITH REGARD TO THE SERVICES, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, MERCHANTABLE QUALITY, OR NON-INFRINGEMENT OF THIRD-PARTY RIGHTS. MITTO ADDITIONALLY DISCLAIMS ALL WARRANTIES RELATED TO THIRD PARTY TELECOMMUNICATIONS PROVIDERS.
23.2 NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY MITTO, ITS AFFILIATES, ITS DISTRIBUTORS, AGENTS OR EMPLOYEES SHALL CREATE A WARRANTY OR IN ANY WAY INCREASE THE SCOPE OF ANY WARRANTY PROVIDED HEREIN.
23.3 The Services are not designed, intended or licensed for use in hazardous environments requiring fail-safe controls, including without limitation, the design, construction, maintenance or operation of nuclear facilities, aircraft navigation or communication systems, air traffic control, and life support or weapons systems. MITTO expressly disclaims any express or implied warranty of fitness for such purposes.
23.4 MITTO represents and warrants providing to Client Services that meet reasonable commercial standards and good industry practice. MITTO does not warrant that the Services will be fault-free, that any Service will be available continuously or that all the Accessible Mobile Operators will be reachable at all times.
23.5 MITTO cannot guarantee that the Services will never be faulty but will do its reasonable commercial efforts to correct reported faults and make the Services available as soon as MITTO reasonably can.
23.6 MITTO is not responsible in any way for any mobile telecommunications systems or networks, which it does not operate and in particular for the network of the Operators. Therefore, MITTO is not liable for the acts or omissions of other providers of telecommunication services (including suspension or termination of MITTO connections and/or contracts with any Operator) or for faults in or failures of their apparatus or network, and in general for any other technical reason attributable to Operator’s network or telecommunication service provider.
23.7 Client acknowledges that MITTO has no control over the Information and data, which passes through the use of the Services and that MITTO does not examine the use of such Information and data or the nature or the source of the Information and data. Client shall be solely liable for the content of the Information, data and any other material transmitted by Client or anyone else using the Services including but not limited to Mobile Subscribers. MITTO excludes all liability of any kind in connection with the transmission or reception of such content.
23.8 The Client represents and warrants that, if it records or monitors all and any communications using the Services, it complies with all Applicable Laws prior to doing so and secures all required prior consents to record or monitor communications using the Services. MITTO makes no representations or warranties with respect to recording or monitoring of any communications. The Client acknowledges that these representations, warranties, and obligations are essential to MITTO’s ability to provide the Client with access to recording and monitoring features that are part of the Services, and it further agrees to indemnify MITTO and its Affiliates in accordance with the terms of article 24 for claims arising out of or related to Client’s acts or omissions in connection with providing notice and obtaining consents regarding such recording or monitoring of communications using the Services.
23.9 The Client further represents and warrants that it has provided (and will continue to provide) adequate notices and has obtained (and will continue to obtain) the necessary permissions and consents to provide Client Data to MITTO for use and disclosure pursuant to article 9.
24. INDEMNIFICATION AND LIMITATION OF LIABILITY
24.1 Notwithstanding anything else to the contrary in this MSA, Client will defend and handle at its own expenses, indemnify and hold harmless MITTO, parent companies, subsidiaries and Affiliates, their respective officers, directors, employees and agents, subcontractors, suppliers (each, an “Indemnified Party”) from and against any and all claims, demands, actions, damages, costs and expenses (including attorney fees), or liability of whatever nature incurred or to be incurred by an Indemnified Party arising out of or relating to (i) Client’s use of the Services other than as expressly authorized in this MSA, the Documentation and the respective Service Addendum, (ii) Client’s infringement of any third party Intellectual Property Rights in using the Services, (iii) any breach of Client’s obligations under this Agreement, (iv) any claims arising from Information, data, or messages transmitted by Client using the Services, including, but not limited to, claims for libel, slander, infringement of copyright, and invasion of privacy or alteration of private records or data.
24.2 MITTO agrees to promptly notify the Client of any such third party claim, to permit the Client to control the defense and/or settlement of such claim and to assist the Client, at its sole expense and reasonable request, in the defense and/or settlement of any such claim. The Client agrees that MITTO shall have the right to additionally participate, at MITTO expense, in the defense of any such claim through counsel of its own choice.
24.3 “IN NO EVENT SHALL MITTO BE LIABLE TO THE CLIENT FOR ANY LOSS OF USE, LOSSES DUE TO FORCE MAJEURE, INTERRUPTION OF BUSINESS, OR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND (INCLUDING LOSS OF CUSTOMERS, LOST PROFITS, LOST REVENUES OR ANTICIPATED SAVINGS OR EARNINGS, INTERFERENCE WITH BUSINESS OR COST OF PURCHASING REPLACEMENT SERVICES) REGARDLESS OF THE FORM OF ACTION WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT PRODUCT LIABILITY OR OTHERWISE, EVEN IF MITTO HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, ARISING OUT OF THE USE OF, OR INABILITY TO USE THE SERVICES, OR THE PERFORMANCE OR FAILURE TO PERFORM BY MITTO OF ANY PROVISION OF THIS MSA, WHETHER OR NOT CAUSED BY THE ACTS OR OMISSIONS OF MITTO, ITS AFFILIATES, EMPLOYEES OR AGENTS.
24.4 To the extent that MITTO is liable, its maximum total liability is limited to the total amount of paid fees by the Client in the last twelve (12) months under this MSA. This limitation of liability does not apply to the liability for death or personal injury.
24.5 No liability is assumed for the Services being suitable for the purposes of the Client and for it working together with the Client’s existing soft- and hardware or any other infrastructure.
24.6 The liability of MITTO is excluded in the case of non-contractual use by the Client.”
24.7 Neither MITTO nor its representatives, Affiliates or employees will be liable under any legal or equitable theory for any claim, damage, or loss (and Client will hold MITTO harmless against any and all such claims) arising from or relating to the inability to use the Services to contact emergency services, as defined in article 11.1. MITTO’s outbound communication Services should not be used for contacting emergency services, unless the Service is expressly approved for such purpose and the Client and MITTO have entered in a separate agreement in connection with the use of such approved Service.
25. CONFIDENTIALITY
25.1 The Parties shall treat all material and Information, including this MSA, which is delivered by the other Party in order to perform its obligations under this MSA as confidential (“Confidential Information”). The Parties shall not disclose such Confidential Information to a third party without a prior written consent of the other Party.
25.2 Confidential Information shall not include (i) information which was in the public domain at the time of disclosure, (ii) information which, though originally Confidential Information, subsequently falls into the public domain other than a result of any breach of this clause or any other duty of confidence, (iii) information received by a Party from a third Party, without any breach of this clause or any obligation of confidentiality, (iv) information that is required to be disclosed by a government body or court of competent jurisdiction or by operation of law or in order to comply with the rules of a recognized stock exchange, but only to the extent so required.
25.3 At the disclosing Party’s written request at any time, the receiving Party shall promptly return the Confidential Information to the disclosing Party promptly, or certify in writing to the disclosing Party that the Confidential Information has been destroyed.
25.4 This article 25 shall not prevent the disclosure by the Parties to regulators or Mobile Operators requested by them.
26. DATA PROTECTION
26.1 Each Party shall comply with Data Protection Laws with respect to the processing of Personal Data.
26.2 For the purposes of this provision and the MSA as a whole, data is information provided, submitted or uploaded by the Client or End Users of the Services in connection with the use of the Service. Data includes, in particular, Personal Data that is provided to MITTO by the Client or on Client’s instructions or to which MITTO is granted access in connection with the performance of its obligations under this MSA.
26.3 MITTO does not obtain any rights to the data. However, MITTO is allowed to generate aggregated statistical data on an anonymous basis regarding the use of the Service.
26.4 As service provider, MITTO stores Client Data for the Client, which the Client enters and stores or makes available for retrieval when using the Services. The Client undertakes to refrain from uploading and using any Client Data that are illegal and any Malicious Code in connection with the Services.
26.5 In the context of data processing, the Client remains the data controller within the meaning of Data Protection Laws and must therefore always ensure that the processing of data relating to the use of the Services fully complies with Data Protection Laws. MITTO qualifies as a data processor pursuant to Data Protection Law. The Client and MTTO shall enter into a data processing agreement, if necessary, to comply with the Data Protection Laws.
26.6 For the purposes of executing the MSA, the Client grants MITTO the right to reproduce the Client Data to be stored by MITTO for the Client in connection with the use of the Services, insofar as this is necessary for the provision of the Services under this MSA. In particular, MITTO is entitled to store the Client Data in a backup system or separate backup data center. In order to eliminate failures, MITTO is authorized to make changes to the structure of the data or the data format.
26.7 MITTO is entitled to process Client Data for billing and administrative purposes.
27. TERMINATION AND SURVIVAL
27.1 The terms and conditions of this MSA shall remain in force until the expiry or termination of all of the Service Addenda.
27.2 The right to terminate for good cause remains reserved.
27.3 This MSA may be terminated by:
• either Party if the other Party has breached any material obligations under this MSA or as set forth in any Service Addendum and has failed to cure such breach within ten (10) Business Days of receiving written notice of such breach;
• either Party to the extent permissible by law, if the other Party ceases to trade or to pay its debts in the normal course, enters into or proposes to enter into a voluntary arrangement or composition with its creditors, becomes insolvent, bankrupt or goes into liquidation (other than for the purpose of solvent reconstruction or amalgamation) or has a receiver, administrator, trustee or similar officer appointed in respect of all or part of its business and assets or anything occurs analogous to the foregoing under the laws of the place where that Party is established or otherwise ceases to be a validly existing corporation;
• either Party in an event of Force Majeure, and this event has lasted for a period longer than thirty (30) days;
• the Client in the event that a price change notice is served in accordance with article 18.1 provided that the notice of termination is served in writing within five (5) Business Days from the date of the price change notice;
• the Client in the event that clauses in this MSA or any of the Service Addenda, Dashboard or the Site are modified in accordance with article 2 and 15 provided that the notice of termination is served in writing within five (5) Business Days from the date of the modification;
• MITTO if Client has breached its obligations under article 10 or 20;
• MITTO if the Client is subject to a change of control.
27.4 Except for termination of this MSA in accordance with article 27.3, any Balance remaining after termination of this MSA will be repaid by MITTO to Client within ten (10) Business Days of termination.
27.5 Provisions which explicitly or implicitly survive the termination of this MSA (e.g. the duty of confidentiality) shall not be affected by the termination and remain in full force. These articles include, but are not necessarily limited to the articles 18, 22, 24, 25, 26, 27, 28 and 33 that will survive any termination or expiration of this MSA.
28. EFFECTS OF TERMINATION
28.1 If the Client causes the termination, the Client shall pay to MITTO the agreed-upon fees until the MSA or the respective Service Addendum would have ended or would have been properly terminated without the termination.
28.2 Upon termination of the MSA, the Client’s right to use the Services ceases immediately.
28.3 The termination of the MSA causes all payment obligations arising during the term of the MSA and each Service Addendum to be due.
28.4 The termination of the MSA shall not prejudice any other remedies, which the Parties may have under this MSA.
28.5 MITTO shall return to the Client all documents and Client Data that have been handed over by the Client in connection with this MSA and are still in MITTO’s possession. If requested by the Client in writing, MITTO shall transfer all Client Data to transportable data carriers and hand them over to the Client. After an inspection of the data carrier by the Client, MITTO will delete all Client Data.
29. ASSIGNMENT
29.1 The Client will not assign or otherwise transfer this MSA, in whole or in part, without MITTO’s prior written consent. Any attempt by the Client to assign, delegate, or transfer this MSA will be void. MITTO may assign this MSA, in whole or in part, without consent. Subject to this article 29, this MSA will be binding on both the Client and MITTO and each of its successors and assigns.
30. FORCE MAJEURE
30.1 Any delay or failure by either Party hereto in performance hereunder shall be excused if and only to the extent that such delays or failures are caused by occurrences beyond such Party’s control, including acts of war, earthquakes, hurricanes, floods, fires or other similar casualties, embargos, riots, terrorism, sabotage, strikes, governmental acts, insurrections, pandemics, epidemics, failures of power, restrictive laws or regulations, court orders, condemnation, failure of the Internet or other event of a similar nature, provided that the Party seeking to excuse its performance shall promptly notify the other Party of the cause therefore, such performance shall be so excused during the inability of the Party to perform but for no longer period, and the cause thereof shall be remedied so far as possible with all reasonable dispatch.
31. NOTICES
31.1 Any notice or other document required or authorized hereby may be served on Client at the address(es) and email address(es) and upon the persons specified during the Sign-up process..
31.2 Any notice or other document required or authorized hereby may be served on MITTO at:
MITTO AG
Bahnhofstrasse 21
6300 ZUG
Switzerland
31.3 Each Party may update its notice information by giving written notice in accordance with this article
32. GOVERNING LAW
32.1 The Parties shall endeavor to resolve any controversy through good faith negotiations. In the highly unlikely event that the parties are unable to resolve the matter within thirty (30) days of the matter being referred to them, or any other period agreed upon, such matter shall be resolved exclusively by arbitration.
32.2 This Agreement, and all matters arising out of or relating to this Agreement, shall be governed by and interpreted in accordance with the substantive laws of Switzerland under the exclusion of United Nations Convention on Contracts for the International Sale of Goods.
32.3 Any dispute, controversy or claim arising out of, or in relation to, this MSA, including the validity, invalidity, breach, or termination thereof, shall be resolved by arbitration in accordance with the Swiss Rules of International Arbitration of the Swiss Chambers’ Arbitration Institution in force on the date on which the notice of arbitration is submitted in accordance with these Rules.
32.4 The number of arbitrators shall be one (1).
32.5 The seat of the arbitration shall be Zurich/Switzerland.
32.6 The arbitral proceedings shall be conducted in English.
33. GENERAL PROVISIONS
33.1 The waiver by either party of any default or breach of this MSA shall not constitute a waiver of any other subsequent default of breach.
33.2 The Parties are independent contractors. This MSA does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties. Each Party will be solely responsible for payment of all compensation owed to its employees, as well as all employment-related taxes.
33.3 This MSA, including the annexes and documents referred to herein, constitutes the entire agreement among the Parties with respect to the subject matter hereof. This MSA shall supersede all prior written or oral agreements or understandings related to the subject matters provided in this MSA.
33.4 The Parties may not issue press releases or other forms of promotion that mention the other in regards to this MSA announcing the Service without the prior written consent of the other.
33.5 If any provision of this MSA or any part of such provision is or becomes invalid or unenforceable or is missing, the other provisions of this MSA shall not be affected thereby. The invalid or unenforceable or missing provision shall be replaced by a valid and enforceable provision, the effect of which comes as close as possible to the intended economical effect of the invalid or unenforceable or missing provision.
33.6 Each Service Addendum to which reference is made herein or any services referenced on the Dashboard or the Site, shall be deemed to be incorporated in this MSA by such reference.
ACCEPTABLE USE POLICY
1. DEFINITIONS AND SCOPE
Capitalized terms not defined herein have the meanings ascribed to them in the Master Service Agreement (MSA), or other similar written agreement between the Parties.
This Acceptable Use Policy governs the Clients and the End Users use of the Services.
If Customer or any End User violates this AUP, Mitto may suspend Customer’s use of the Services. This AUP may be updated by Mitto from time to time upon reasonable notice, which may be provided via Customer’s account, e-mail, or by posting an updated version of this AUP on the Site.
2. ACCEPTABLE USE OF CLIENT AND END USERS
The Client agrees that it, its Affiliates and the End Users will not, and will not authorize, assist or enable any third party to engage in any of the following:
- Infringing any Applicable Law;
- Infringing standards, policies or applicable guidelines or industry standards for telecommunication providers, other generally-recognized industry standards or other telecommunications or service provider requirements as communicated to the Client by MITTO;
- Damaging, interfering with, overburdening, or otherwise adversely affecting the availability, reliability, or stability of the Services or third-party systems or networks relating to the Services;
- Attempting to circumvent or break any security mechanism on any of the Services, or using the Services in any manner that poses a security or other risk to MITTO, its Affiliates or any other client that uses the Services;
- Benchmarking, tampering with, unauthorized testing, reverse engineering, decompiling, or otherwise using the Services in order to discover limitations or vulnerabilities, or evade filtering capabilities;
- Engaging in fraudulent, deceptive, inaccurate, or misleading activity with respect to third parties (including impersonation of identity or identifiers such as phone numbers or email addresses) or otherwise bypassing legitimate identification systems;
- Using the Services to collect information about individuals, including email addresses or telephone numbers, under false pretenses or without complying with the Applicable Laws, in particular Data Protection Laws;
- Engaging in spamming, or other unsolicited, unwanted, or harassing advertising, marketing or other activities that infringe Applicable Laws;
- Forwarding from a virtual number to a dead endpoint (i.e., if the Client forwards from a virtual number, it must make a reasonable attempt to receive or answer the message or call, as applicable);
- Using the Services in any manner that results in charges to MITTO by third parties without MITTO’s prior written consent in each instance;
SERVICE LEVEL AGREEMENT
1. System responsibilities – General Conditions
This SLA is applicable as from the Effective Date of the Master Service Agreement and shall remain in effect until amended or terminated in terms of the same. This SLA sets out the service levels to which Mitto commits itself with regards to the availability of the SMS transit service. This service is at all times provided subject to the terms and conditions as set out in the Agreement.
The availability commitment is restricted to the Mitto Platform and does neither include possible discomfort nor technical problems related to Operators and/or any type of external connection. However, Mitto will use its best reasonable endeavors to provide the best possible quality of service, in line with the industry’s standards. Moreover, Mitto ensures by all possible means to give prior information to Customer when service disruptions are to be expected.
Mitto undertakes to bring its reasonable efforts in order for message transmission time through the Mitto Platform up to delivery to or from Mitto’s network operator connection to be lower than 15 sec. In case of heavy traffic such as during exceptional events this time could be longer.
2. Central Notification Addresses
Each Party must name a central entity (single point of contact) that is reachable 24 hours a day, 365 days a year and responsible for official notification processes in case of service faults.
The requirements for the central notification contact are:
Contact must be available 24 hours a day at a single point of contact
Competency concerning operational issues for SMS services
Relevant access to tools, resources and knowledgebase to solve problems
24 x7 Reference Details | Mitto Details |
Contact Point (NOC or 24/7 monitoring network)
| Support team
|
Telephone Number: | +49 30 6098 19734 |
Email Address: | support@mitto.ch |
3. Fault Classification
Each Party shall open a trouble ticket in the case of any fault affecting the Services (a “fault”). A severity level shall be assigned to each trouble ticket to describe the effect of the fault on the Service availability.
The following three levels of severity shall be used:
Critical
Total interruption or serious degradation of the performance of the Services; Includes but it is not limited to:
• Total loss of connectivity between Customer Infrastructure and Mitto service platform
• Serious degradation of the quality of SMS messages transit
Major
Problems of this rating have suffered a partial or complete loss of customer functionality of the service, but service is generally available. This should be assigned when any partial loss of functionality has occurred.
Minor
This is non-service affecting and has little or no effect on the system’s or service’s operation.
4. Fault Restoration Times
The following fault correction times and procedure shall apply.
Severity | Contact method | Maximum fault correction time | Initial Feedback | Update Interval |
Critical | Email/Phone | 4 hours | 30 minutes | on change of status or request |
Major | 2 working days | 5 hours | on change of status or request | |
Minor | 10 working days | 12 hours | on change of status or request |
5. Fault Reporting procedures
The following section describes the fault reporting procedure for both Parties.
- Fault Reporting
Each Party shall provide a fault reporting capability that is available 24x7x365.
Suspected faults shall be reported to the other Party by email to the contact indicated in the matrix within this Schedule. For critical faults, it will be also followed by a phone call to the same contact. Faults will be logged, and each call will be time-stamped and allocated a unique call reference number in the affected Party’s trouble ticket system to be used for all progress updates.
- Fault Resolution
Each Party will resolve faults within the time interval described in paragraph 4 of this Schedule. The time interval shall start from the moment when the trouble ticket is opened (i.e. from the moment when the fault is reported by one Party to the other Party). The latter Party shall provide the former Party with updates as required pursuant to the table in paragraph 4 above.
In connection with such agreed progress updates, an e-mail (accompanied with a phone call, optionally whenever it is considered necessary and mandatory whenever it is a critical fault) shall be sent with the following information as a minimum:
- Fault resolution date/time
- Cause information
- Actions performed
- Further information
- Result of end-to-end measurement if applicable
If a Party cannot resolve a fault within the time specified in paragraph 4 of this Schedule, the affected Party will, via an escalation procedure, use reasonable endeavors to achieve its resolution.
6. Escalation Procedure
Both Parties must name contact persons as single point of contact for escalation.
Both Parties shall comply with their internal procedures for the escalation of faults. However, the reporting Party may (at any time) request that a fault is escalated in advance of the times set out above. This is done if in the reasonable opinion of that Party, an escalation is required to increase the resources dedicated to a fault.
The receiving Party may escalate a fault in advance of the times set out above if it requires further information to progress the fault and that information has not been provided within a reasonable time scale.
In some cases certain faults need not be escalated automatically. A case can occur where the investigation of a fault is in progress and any escalation out of hours would serve no practical purpose. Both Parties are to use reasonable judgment regarding the benefit of escalating a particular fault.
All escalation between the Parties must be accomplished using the following steps through the headquarters of the Parties.
Escalation Level | Severity | Mitto Contact |
Level I | Critical, Major, Minor | Support team +49 30 6098 19734 |
Level II | Critical, Major | Head of Support cc_head@mitto.ch |
Level III | Critical | CTO Ramon Kania ramon@mitto.ch |
Level IV | Critical | COO Ilja Gorelik ilja@mitto.ch |
GENERAL PERSONAL DATA PROTECTION POLICY
1. Purpose, Scope and Users
Mitto, hereinafter referred to as the “Company”, strives to comply with applicable laws and regulations related to Personal Data protection in countries where the Company operates. This Policy sets forth the basic principles by which the Company processes the personal data of consumers, customers, suppliers, business partners, employees and other individuals, and indicates the responsibilities of its business departments and employees while processing personal data.
This Policy applies to the Company and its directly or indirectly controlled wholly-owned subsidiaries conducting business within the European Economic Area (EEA) or processing the personal data of data subjects within EEA.
The users of this document are all employees, permanent or temporary, and all contractors working on behalf of The Company.
2. Reference Documents
- EU GDPR 2016/679 (Regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)
- Relevant national law or regulation for GDPR implementation
- Local laws and regulations
- Employee Personal Data Protection Policy
- Data Retention Policy
- Data Subject Access Request Procedure
- Data Protection Impact Assessment Guidelines
- Cross Border Personal Data Transfer Procedure
- Information security policies
- Breach Notification Procedure
3. Definitions
- The following definitions of terms used in this document are drawn from Article 4 of the European Union’s General Data Protection Regulation:Personal Data: Any information relating to an identified or identifiable natural person (“Data Subject”) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.ensitive Personal Data: Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.Data Controller: The natural or legal person, public authority, agency or any other body which alone or jointly with others, determines the purposes and means of the processing of personal data.Data Processor: A natural or legal person, public authority, agency or any other body which processes personal data on behalf of a Data Controller.
Processing: An operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data.
Anonymization: Irreversibly de-identifying personal data such that the person cannot be identified by using reasonable time, cost, and technology either by the controller or by any other person to identify that individual. The personal data processing principles do not apply to anonymized data as it is no longer personal data.
Pseudonymization: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Pseudonymization reduces, but does not completely eliminate, the ability to link personal data to a data subject. Because pseudonymized data is still personal data, the processing of pseudonymized data should comply with the Personal Data Processing principles.
Cross-border processing of personal data: Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the European Union where the controller or processor is established in more than one Member State; or processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
Supervisory Authority: An independent public authority which is established by a Member State pursuant to Article 51 of the EU GDPR.
Lead supervisory authority: The supervisory authority with the primary responsibility for dealing with a cross-border data processing activity, for example when a data subject makes a complaint about the processing of his or her personal data; it is responsible, among others, for receiving the
data breach notifications, to be notified on risky processing activity and will have full authority as regards to its duties to ensure compliance with the provisions of the EU GDPR.
Each “local supervisory authority” will still maintain in its own territory, and will monitor any local data processing that affects data subjects or that is carried out by an EU or non-EU controller or processor when their processing targets data subjects residing on its territory. Their tasks and powers includes conducting investigations and applying administrative measures and fines, promoting public awareness of the risks, rules, security, and rights in relation to the processing of personal data, as well as obtaining access to any premises of the controller and the processor, including any data processing equipment and means.
“Main establishment as regards a controller” with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment.
“Main establishment as regards a processor” with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation.
Group Undertaking: Any holding company together with its subsidiary.
4. Basic Principles Regarding Personal Data Processing
The data protection principles outline the basic responsibilities for organisations handling personal data. Article 5(2) of the GDPR stipulates that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
4.1. Lawfulness, Fairness and Transparency
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
4.2. Purpose Limitation
Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
4.3. Data Minimization
Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. The Company must apply anonymization or pseudonymization to personal data if possible to reduce the risks to the data subjects concerned.
4.4. Accuracy
Personal data must be accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified in a timely manner.
4.5. Storage Period Limitation
Personal data must be kept for no longer than is necessary for the purposes for which the personal data are processed.
4.6. Integrity and confidentiality
Taking into account the state of technology and other available security measures, the implementation cost, and likelihood and severity of personal data risks, the Company must use appropriate technical or organizational measures to process Personal Data in a manner that ensures appropriate security of personal data, including protection against accidental or unlawful destruction, loss, alternation, unauthorized access to, or disclosure.
4.7. Accountability
Data controllers must be responsible for and be able to demonstrate compliance with the principles outlined above.
5. Building Data Protection in Business Activities
In order to demonstrate compliance with the principles of data protection, an organisation should build data protection into its business activities.
5.1. Notification to Data Subjects
(See the Fair Processing Guidelines section.)
5.2. Data Subject’s Choice and Consent
(See the Fair Processing Guidelines section.)
5.3. Collection
The Company must strive to collect the least amount of personal data possible. If personal data is collected from a third party, Chief Information Security Officer (CISO) role must ensure that the personal data is collected lawfully.
5.4. Use, Retention, and Disposal
The purposes, methods, storage limitation and retention period of personal data must be consistent with the information contained in the General Data Protection Notice. The Company must maintain the accuracy, integrity, confidentiality and relevance of personal data based on the processing purpose. Adequate security mechanisms designed to protect personal data must be used to prevent personal data from being stolen, misused, or abused, and prevent personal data breaches. Chief Technical Officer (CTO) and CISO roles are responsible for compliance with the requirements listed in this section.
5.5. Disclosure to Third Parties
Whenever the Company uses a third-party supplier or business partner to process personal data on its behalf, Security&Compliance Office must ensure that this processor will provide security measures to safeguard personal data that are appropriate to the associated risks. For this purpose, the Processor GDPR Compliance Questionnaire must be used.
The Company must contractually require the supplier or business partner to provide the same level of data protection. The supplier or business partner must only process personal data to carry out its contractual obligations towards the Company or upon the instructions of the Company and not for any other purposes. When the Company processes personal data jointly with an independent third party, the Company must explicitly specify its respective responsibilities of and the third party in the relevant contract or any other legal binding document, such as the Supplier Data Processing Agreement (DPA).
5.6. Cross-border Transfer of Personal Data
Before transferring personal data out of the European Economic Area (EEA) adequate safeguards must be used including the signing of a Data Transfer Agreement, as required by the European Union and, if required, authorization from the relevant Data Protection Authority must be obtained. The entity receiving the personal data must comply with the principles of personal data processing set forth in Cross Border Data Transfer Procedure.
5.7. Rights of Access by Data Subjects
When acting as a data controller, Security&Compliance Office is responsible to provide data subjects with a reasonable access mechanism to enable them to access their personal data, and must allow them to update, rectify, erase, or transmit their Personal Data, if appropriate or required by law. The access mechanism will be further detailed in the Data Subject Access Request Procedure.
5.8. Data Portability
Data Subjects have the right to receive, upon request, a copy of the data they provided to us in a structured format and to transmit those data to another controller, for free. CISO role is responsible to ensure that such requests are processed within one month, are not excessive and do not affect the rights to personal data of other individuals.
5.9. Right to be Forgotten
Upon request, Data Subjects have the right to obtain from the Company the erasure of its personal data. When the Company is acting as a Controller, Security&Compliance Office must take necessary actions (including technical measures) to inform the third-parties who use or process that data to comply with the request.
6. Fair Processing Guidelines
Personal data must only be processed when explicitly authorised by Chief Executive Officer (CEO), CTO or CISO.
The Company must decide whether to perform the Data Protection Impact Assessment for each data processing activity according to the Data Protection Impact Assessment Guidelines.
6.1. Notices to Data Subjects
At the time of collection or before collecting personal data for any kind of processing activities including but not limited to selling products, services, or marketing activities, Customer’s sales representative or Account Manager roles are responsible to properly inform data subjects of the following: the types of personal data collected, the purposes of the processing, processing methods, the data subjects’ rights with respect to their personal data, the retention period, potential international data transfers, if data will be shared with third parties and the Company’s security measures to protect personal data. This information is provided through General Data Protection Notice.
Where personal data is being shared with a third party, Security&Compliance Office must ensure that data subjects have been notified of this through a General Data Protection Notice.
Where personal data is being transferred to a third country according to Cross Border Data Transfer Policy, the General Data Protection Notice should reflect this and clearly state to where, and to which entity personal data is being transferred.
Where sensitive personal data is being collected, the CISO or CTO roles must make sure that the General Data Protection Notice explicitly states the purpose for which this sensitive personal data is being collected.
6.2. Obtaining Consents
Whenever personal data processing is based on the data subject’s consent, or other lawful grounds, Customer’s sales representative role is responsible for take it and pass to the Security&Compliance Office for retaining a record of such consent. Customer’s sales representative role is responsible for providing data subjects with options to provide the consent and must inform and ensure that their consent (whenever consent is used as the lawful ground for processing) can be withdrawn at any time.
When requests to correct, amend or destroy personal data records, CISO must ensure that these requests are handled within a reasonable time frame. Security&Compliance Office must also record the requests and keep a log of these.
Personal data must only be processed for the purpose for which they were originally collected. In the event that the Company wants to process collected personal data for another purpose, the Company must seek the consent of its data subjects in clear and concise writing. Any such request should include the original purpose for which data was collected, and also the new, or additional, purpose(s). The request must also include the reason for the change in purpose(s). The Data Protection Officer is responsible for complying with the rules in this paragraph.
Now and in the future, CISO and CTO roles must ensure that collection methods are compliant with relevant law, good practices, and industry standards.
Security&Compliance Office is responsible for creating and maintaining a Register of the General Data Protection Notices.
7. Organization and Responsibilities
The key areas of responsibilities for processing personal data lie with the following organisational
roles:
The responsibility for ensuring appropriate personal data processing lies with everyone who works
for or with the Company and has access to personal data processed by the Company.
The Security&Compliance Office makes decisions about and approves the Company’s general
strategies on personal data protection.
The Chief Information Security Officer (CISO) is responsible for managing the personal data
protection program and is responsible for the development and promotion of end-to-end personal
data protection policies.
The Legal Affairs Office together with the CISO monitors and analyses personal data laws and
changes to regulations, develops compliance requirements, and assists business departments in
achieving their Personal data goals.
The IT Manager, supported by the Security&Compliance Office, is responsible for:
- Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
- Performing regular checks and scans to ensure security hardware and software is functioning properly.
The Marketing manager, supported by CISO, is responsible for:
- Approving any data protection statements attached to communications such as emails and letters.
- Addressing any data protection queries from journalists or media outlets like newspapers.
- Where necessary, working with the Security&Compliance Office to ensure marketing initiatives abide by data protection principles.
The Human Resources Manager, supported by CISO, is responsible for:
- Improving all employees’ awareness of user personal data protection.
- Organizing Personal data protection expertise and awareness training for employees working with personal data.
- End-to-end employee personal data protection. It must ensure that employees’ personal data is processed based on the employer’s legitimate business purposes and necessity.
The Procurement Manager, supported by CISO, is responsible for passing on personal data protection responsibilities to suppliers, and improving suppliers’ awareness levels of personal data
protection as well as flow down personal data requirements to any third party a supplier they are
using. The Procurement Department must ensure that the Company reserves a right to audit
suppliers.
8. Guidelines for Establishing the Lead Supervisory Authority
8.1. Necessity to Establish the Lead Supervisory Authority
Identifying a Lead supervisory authority is only relevant if the Company carries out the cross-border processing of personal data.
Cross border of personal data is carried out if:
a) processing of personal data is carried out by subsidiaries of the Company which are based in other Member States;
or
b) processing of personal data which takes place in a single establishment of the Company in the European Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
If the Company only has establishments in one Member State and its processing activities are affecting only data subjects in that Member State than there is no need to establish a lead supervisory authority. The only competent authority will be the Supervisory Authority in the country where Company is lawfully established.
8.2. Main Establishment and the Lead Supervisory Authority
8.2.1. Main Establishment for the Data Controller
The Security&Compliance Office needs to identify the main establishment so that the lead supervisory authority can be determined.
If the Company is based in an EU Member State and it makes decisions related to cross-border processing activities in the place of its central administration, there will be a single lead supervisory authority for the data processing activities carried out by the Company.
If Company has multiple establishments that act independently and make decisions about the purposes and means of the processing of personal data, the management of the Company needs to acknowledge that more than one lead supervisory authority exists.
8.2.2. Main Establishment for the Data Processor
When the Company is acting as a data processor, then the main establishment will be the place of central administration. In case the place of central administration is not located in the EU, the main establishment will be the establishment in the EU where the main processing activities take place.
8.2.3. Main Establishment for Non-EU Companies for Data Controllers and Processors
If the Company does not have a main establishment in the EU, and it has subsidiarie(s) in the EU, then the competent supervisory authority is the local supervisory authority.
If the Company does not have a main establishment in the EU nor the subsidiaries in the EU, it must appoint a representative in the EU, and the competent supervisory authority will be the local supervisory authority where the representative is located.
9. Response to Personal Data Breach Incidents
When the Company learns of a suspected or actual personal data breach, Security&Compliance Office must perform an internal investigation and take appropriate remedial measures in a timely manner, according to the Data Breach Policy. Where there is any risk to the rights and freedoms of data subjects, the Company must notify the relevant data protection authorities without undue delay and, when possible, within 72 hours.
10. Audit and Accountability
The Security&Compliance Office is responsible for auditing how well business departments implement this Policy.
Any employee who violates this Policy will be subject to disciplinary action and the employee may also be subject to civil or criminal liabilities if his or her conduct violates laws or regulations.
11. Conflicts of Law
This Policy is intended to comply with the laws and regulations in the place of establishment and of the countries in which Mitto operates. In the event of any conflict between this Policy and applicable laws and regulations, the latter shall prevail.
12. Managing records kept on the basis of this document
Record name Role/Department responsible for storage Controls for record protection Retention time Data Subject Consent Forms Security and compliance office Only authorized persons may access the forms 10 years Data Subject Consent Withdrawal FormSecurity and compliance office Only authorized persons may access the folder 10 years Supplier Data Processing Agreements Legal Affairs Office Only authorized persons may access the folder 5 years after the agreement has expired13. Validity and document management
This document is valid as of 2019.12.03.
The owner of this document is CISO role, who must check and, if necessary, update the document at least once a year.
INFORMATION SECURITY POLICY1. Purpose,scope and users
The aim of this top-level Policy is to define the purpose, direction, principles and basic rules for information security management.
This Policy is applied to the entire Information Security Management System (ISMS), as defined in the ISMS Scope Document.
Users of this document are all employees of Mitto, as well as relevant external parties.
2. Reference documents
- ISO/IEC 27001 standard, clauses 5.2 and 5.3;
- ISMS Scope Document;
- Risk Assessment and Risk Treatment Methodology;
- Statement of Applicability;
- List of Legal, Regulatory and Contractual Obligations.
3. Basic information security terminology
Confidentiality – Characteristic of the information by which it is available only to authorized persons
or systems.
Integrity – Characteristic of the information by which it is changed only by authorized persons or systems in an allowed way.
Availability – Characteristic of the information by which it can be accessed by authorized persons when it is needed.
Information security – Preservation of confidentiality, integrity and availability of information.
Information Security Management System (ISMS) – Part of overall m a n a g e m e n t processes that takes care of planning, implementing, maintaining, reviewing, and improving the information security.
4. Managing the information security
4.1. Objectives and measurement
General objectives for the information security management system are the following:
- Creating a suitable environment to host third party (customer) sensitive information;
- Defining a set of procedures to lower the risk of information misuse due to human interaction with such information,
- Adopting technical measures to minimize the risk of external unwanted access to information;
Creating a solid brand image and reducing the damage caused by potential incidents.
Goals are in line with the organization’s business objectives, strategy and business plans. The
Managing Director is responsible for reviewing these general ISMS objectives and setting new ones.
Objectives for individual security controls or groups of controls are proposed by the CTO, the CISO, the Head of System Operations, or the Head of Software Engineering, and approved by the management in the role of Managing Director in the Statement of Applicability.
All the objectives must be reviewed at least once a year.
Mitto will measure the fulfillment of all the objectives. CTO and CISO are responsible for setting the method for measuring the achievement of the objectives – the measurement will be performed at least once a year and CTO/CISO will analyze and evaluate the measurement results and report them to top management as input materials for the Management review.
4.2. Information security requirements
This Policy and the entire ISMS must be compliant with legal and regulatory requirements relevant to the organization in the field of information security, personal data protection (EU), data confidentiality as well as with contractual obligations.
A detailed list of all contractual and legal requirements is provided in the List of Legal, Regulatory and Contractual Obligations.
4.3. Information security controls
The process of selecting the controls (safeguards) is defined in the Risk Assessment and Risk Treatment Methodology.
The selected controls and their implementation status are listed in the Statement of Applicability.
4.4. Responsibilities
Responsibilities for the ISMS are the following:
- Managing Director is responsible for ensuring that the ISMS is implemented and maintained according to this Policy, and for ensuring all necessary resources are available;
- CTO, supported by CISO and Head of System Operations is responsible for operational coordination of the ISMS as well as for reporting about the performance of the ISMS;
- The Management board, or the Board of Directors, must review the ISMS at least once a year or each time a significant change occurs, and prepares minutes from that meeting. The purpose of the management review is to establish the suitability, adequacy and effectiveness of the ISMS;
- The CISO, together with the CTO, will implement information security training and awareness programs for employees;
- The protection of integrity, availability, and confidentiality of assets is the responsibility of the owner of each asset;
- All security incidents or weaknesses must be reported to the CTO or Head of System Operations;
- The Managing Director will define which information related to information security will becommunicated to which interested party (both internal and external), by whom and when;
- CISO is responsible for adopting and implementing the Training and Awareness Plan, whichapplies to all persons who have a role in information security management.4.5. Policy communicationCISO has to ensure that all employees of Mitto, as well as appropriate external parties are familiar with this Policy.
5. Support for ISMS implementation
Hereby the Managing Director declares that ISMS implementation and continual improvement will be supported with adequate resources in order to achieve all objectives set in this Policy, as well as satisfy all identified requirements.
6. Validity and document management
This document is valid as of 2016-09-01.
The owner of this document is CISO, who must check and, if necessary, update the document at least once a year.
When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
- Number of employees and external parties who have a role in the ISMS, but are not familiar with this document;
- Non-compliance of the I S M S with the laws and regulations, contractual other internal documents of the organization;
- Ineffectiveness of ISMS implementation and maintenance;
- Unclear responsibilities for ISMS implementation.