Privacy Policy
Data protection
The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this Privacy Policy.
The use of our website is generally possible without providing personal data. To the extent that personal data (e.g. name, address or e-mail addresses) is collected on our pages, this is done, where possible, on a voluntary basis. This data will not be shared with third parties without your explicit consent.
Please note that data transfer over the internet (e.g. when communicating via e-mail) may have security vulnerabilities. Complete protection of data from access by third parties is not possible.
Cookies
These web pages partly use what are known as cookies. Cookies do not harm your computer and do not contain viruses. Cookies serve to make our offer more user-friendly, effective and secure. Cookies are small text files that are stored on your computer and saved by your browser.
Most of the cookies we use are what are known as ‘session cookies’. They are automatically deleted after your visit. Other cookies remain stored on your device until you delete them. These cookies allow us to recognise your browser the next time you visit.
You can set your browser to notify you when cookies are set, allow cookies only in individual cases, accept cookies in certain cases, exclude them as a rule or enable the automatic deletion of cookies when closing the browser. Deactivating cookies may limit the functionality of this website.
Server log files
The provider of the pages automatically collects and stores information in what are known as server log files, which your browser automatically transmits to us. This includes:
- browser type and browser version
- operating system used
- referrer URL
- host name of the accessing computer
- time of the server request
These data cannot be assigned to specific persons. This data is not merged with other data sources. We reserve the right to check this data retroactively if we become aware of specific indications of illegal use.
Google Analytics
This website uses functions of the Google Analytics web analytics service. The provider is Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA. Use includes the ‘Universal Analytics’ operating mode. This makes it possible to assign data, sessions and interactions across multiple devices to a pseudonymous user ID and thus to analyse the activities of a user across devices.
Google Analytics uses what are known as ‘cookies’. These are text files that are stored on your computer and make it possible to analyse your use of the website. The information concerning your use of this website is usually transmitted to a Google server in the USA and stored there. If IP anonymisation is activated on this website, the IP address will be shortened before transfer in the member states of the European Union or in other countries that are signatories to the Agreement on the European Economic Area. The full IP address will be transmitted to a Google server in the USA and shortened there only in exceptional cases. The anonymised IP address sent by your browser in connection with Google Analytics will not be combined with other data from Google.
The legal basis for the use of Google Analytics is § 15 (3) TMG or Art. 6 (1) (f) of the GDPR. The data sent by us and linked to cookies, user recognition (e.g. user ID) or advertising IDs will be automatically deleted after 14 months. Data whose retention period has been reached is deleted automatically once a month. For more information on terms of use and privacy see:
https://www.google.com/analytics/terms/de.html
https://policies.google.com/?hl=de
You can prevent Google’s collection of the data (including your IP address) generated by the cookie and related to your use of the website as well as the processing of this data by Google by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de
to prevent Google Analytics tracking on this website in the future. An opt-out cookie will be stored on your device. If you delete your cookies, you must click the link again.
Use of LeadForensics
For marketing and optimisation purposes, this website uses products and services from LeadForensics (www.leadforensics.com). The head office of LeadForensics is located at Communication House, 26 York Street, London, W1U 6PZ, United Kingdom. LeadForensics identifies details of your firm, including phone number, web address, SIC code and a description of the business. LeadForensics displays the actual course of your visit to this website, including all the pages that you visited and viewed and how long you spent on each page. Under no circumstances will the data be used to personally identify an individual visitor. As far as IP addresses are collected, these will be anonymised immediately after collection. LeadForensics will use the information collected on behalf of the operator of this website to evaluate your visit to the website, compile reports on website activities and provide other services related to website activity and internet usage to the website operator.
Browser plugin
You can prevent the storage of cookies by making a corresponding setting in your browser software; however, you are warned that in this case you might not be able to make full use of all functions of this website. In addition, you may prevent Google’s collection of the data generated by the cookie and related to your use of the website (including your IP address) as well as the processing of this data by Google by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de
For more information on Google Analytics’ handling of user data, please refer to Google’s Privacy Policy: https://support.google.com/analytics/answer/6004245?hl=de
Contact form
If you send us enquiries via the contact form, your details from the enquiry form, including the contact details you provided there, will be stored in order to process the request and in the event of follow-up questions. We will not share this data without your consent.
Newsletter data
If you would like to receive the newsletter offered on the website, we require an e-mail address from you, as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter. No further data is collected. We use this data exclusively for the delivery of the requested information and will not share it with third parties.
The consent granted for the storage of data, the e-mail address and their use for sending the newsletter can be revoked at any time, for example via the ‘unsubscribe’ link in the newsletter.
SSL encryption
This site uses SSL encryption for security reasons and to protect the transfer of sensitive content, such as the requests you send to us, the site operator. You can recognise an encrypted connection by observing your browser’s address field change from ‘http://’ to ‘https://’ and the lock symbol in your browser line.
If SSL encryption is enabled, the data you submit to us cannot be read by third parties.
Right to information, deletion, blocking
You have the right to free information about your stored personal data, its origin and recipient and the purpose of the data processing and a right to correct, block or delete this data at any time. To exercise these rights, or for further information on personal data, you can contact us at any time at the address provided on the ‘About us’ page.
Objection to advertising e-mails
The contact data published in accordance with the legal obligation to maintain a page containing contact data (‘Impressum’) may not be used to send unsolicited advertising and information materials. The operators of the pages expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, e.g. through spam e-mails.
Privacy Policy Unisto Data Trans app:
This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information when You use the Service and tells You about Your privacy rights.
- The app can be found in the Google Play Store under the name Unisto Data Trans
- The app is designed for use with operating system (OS) Android 8 and higher
- The app and/or the data download via Bluetooth is not guaranteed on all Android devices due to various factors like quality of Bluetooth and modifications by the device producer both in Android software or the hardware software
- When problems occur, ask a person with knowledge and/or try another Android device
This app needs access to:
Location
- approximate location (network-based)
- precise location (GPS and network-based)
Storage
- read the contents of your USB storage
- modify or delete the contents of your USB storage
Photos/Media/Files
- read the contents of your USB storage
- modify or delete the contents of your USB storage
Other
- allow Bluetooth pairing by Application
- full network access
- run at startup
- prevent device from sleeping
- view network connections
- pair with Bluetooth devices
- access Bluetooth settings
Processing of Personal Data
No personal data is collected for the use of the Unisto Data Trans app. Furthermore, no data is shared with other companies or organizations. No data is used for marketing purposes.
No device data is collected when using the app.
Disclaimer:
The information contained in the Unisto Data Trans App is for general information purposes only.
Unisto AG accepts no responsibility for errors or omissions in the contents of the Unisto Data Trans App or the behavior of the Unisto Data Trans App on the user mobile device.
In no event shall Unisto AG be liable for any special, direct, indirect, consequential, or incidental damages or any damages whatsoever, whether in an action of contract, negligence or other tort, arising out of or in connection with the use of the Data Trans App or the contents of the Data Trans App. Unisto AG reserves the right to make additions, deletions, or modifications to the contents on the Data Trans App at any time without prior notice.
Unisto AG does not warrant that the Unisto Data Trans App will run on all Android versions and Devices.
Errors and omissions disclaimer:
The information given by the Unisto Data Trans App is for general guidance on matters of interest only. Even if Unisto AG takes every precaution to ensure that the content of the Unisto Data Trans App is both current and accurate, errors can occur. Plus, given the changing nature of laws, rules and regulations, there may be delays, omissions or inaccuracies in the information contained on the Unisto Data Trans App.
Unisto AG is not responsible for any errors or omissions, or for the results obtained from the use of this information.
No responsibility disclaimer:
The information on the Data Trans App is provided with the understanding that Unisto AG is not herein engaged in rendering legal, accounting, tax, or other professional advice and services. As such, it should not be used as a substitute for consultation with professional accounting, tax, legal or other competent advisers.
In no event shall Unisto AG or its suppliers be liable for any special, incidental, indirect or consequential damages whatsoever arising out of or in connection with your access or use or inability to access or use the Data Trans App.
Use at your own risk disclaimer:
All information in the Data Trans App is provided as is, with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this information, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, merchantability and fitness for a particular purpose.
Unisto AG will not be liable to you or anyone else for any decision made or action taken in reliance on the information given by the Data Trans App or for any consequential, special or similar damages even if advised of the possibility of such damages.
Contact:
If you have any questions, you can contact us:
Unisto AG
Seestrasse 7
CH-9326 Horn
Phone: +41 71 844 24 24
unisto.switzerland@unisto.com
Last updated: July 24th, 2023
Terms of Use Unisto myU:
- The Unisto app “myU” (the App) is a web-based software application that is provided by Unisto AG, Seestrasse 7, CH-9326 Horn (the Provider) to you or your employer or contracting partner (the Customer), subject to the General Terms and Conditions and its integral parts between Provider and Customer (the Main Contract).
- The App allows the Customer to track and document use of the Unisto security seals (the “Seals”) that are linked to the Customer’s account, particularly the locking and unlocking processes and to process and store certain information (e.g., geo-location, timestamp, user) with regard to these processes.
- By logging into and using the App, you understand and agree:
- To use the App solely in accordance with these Terms and with the Main Contract;
- That it is in Customer’s sole discretion to register you as a User, thereby granting you access to Customer’s account and to suspend or revoke your registration as a User at any time;
- To log into the App using only your own user name, password and other credentials (Credentials) and that you are responsible for managing and maintaining the confidentiality of your Credentials, including never sharing them with a third party. You can report any loss of or unauthorized access to your Credentials to unisto.switzerland@unisto.com;
- That Provider processes your Credentials and how you use the App and other services provided under the Main Contract as the responsible party (“controller”) under applicable data protection law. You can find further information in Provider’s privacy notice (https://www.unisto.com/digital-security-solutions/data-privacy/);
- That your use of the App, in particular in connection with Seals, will be logged for Customer, that such information will be stored by Provider for at least 90 days and made available to Customer as the controller for its use, including the geo-locations and time-stamps of your locking and unlocking of Seals;
- That Provider reserves the right to, in its sole discretion, immediately suspend, limit or terminate your User’s account and your access to the App or services provided under the Main Contract in the event that you are suspected of having violated any provision of these Terms, believed to be in violation of applicable law, to be involved in conduct detrimental to Provider or abusive, or that there is other valid cause. The information collected by Provider about you may be used for investigating the matter and shared with Customer or relevant parties;
- That your User’s account and your access to the App will be terminated when the contractual relationship between the Provider and the Client ends;
- That this App will only work if you have a working Internet connection, if you have turned on Bluetooth and GPS on your device, if you allow the App to use it and if you keep the App updated, which you are obliged to do;
- To only upload pictures made with the App and that document the proper sealing process of a Seal and to refrain from uploading pictures of any natural persons or other third-party content insofar as possible.
Contact:
If you have any questions, you can contact us:
Unisto AG
Seestrasse 7
CH-9326 Horn
Phone: +41 71 844 24 24
unisto.switzerland@unisto.com
Last updated: July 24th, 2023
General Terms and Conditions:
I. Scope
- These General Terms and Conditions (“GTC“) govern the contractual relationship between Unisto Switzerland AG, Seestrasse 7, CH-9326 Horn (“Provider“) and the Customer with respect to the provision and use of the services indicated and agreed in the order form (“Services“) that refers to these GTC (“Order“). The Order may be entered into electronically or in writing. The agreement between the Parties (“Agreement“) will commence as soon as Provider has accepted Customer’s Order.
- The Data Processing Agreement, Service Description & Terms are published on (https://www.unisto.com/digital-security-solutions/data-privacy/) and as amended from time to time by the Provider are an integral part of the Agreement (in their most recent, applicable version). In case of conflicts, the Service Descriptions & Terms and the Data Processing Agreement shall take precedence over these GTC.
- Any general terms and conditions of Customer are expressly excluded, even if referred to in the Order or any other document.
II. Subscription and Registration
- Customer is responsible for the accuracy of all information provided by it in the Order or otherwise through the Services or App (“Customer Information“) and of the Security Seals registered for use with the Services and assigned to its account by way of their serial number (“Seals“, and each a “Seal“). Customer acknowledges that any Seal may only be assigned to one account and Customer warrants that it alone is entitled to use the Seals listed in the Order or otherwise communicated to the Provider for use with the Services, for the duration of their registration with the Services.
- After having accepted the Order, Provider will open an account for Customer and provide Customer with credentials for an administrator login (“Administrator Credentials“) and with administrator rights.
- Customer may register employees or third parties as Users within the scope of its administrator rights provided to it by Provider. Provider will provide Authorized Users with credentials for a user login (“User Credentials“) and grant Users access according to Customer’s configuration. Customer will ensure that user rights are withdrawn in a timely manner as appropriate. For managing Users and their rights, Provider will provide Customer, as part of the Services, an online console, accessible via Internet using a standard web-browser (“Console“).
III. Provision of Services
- Provider provides Customer with the Services indicated in the Order and materially as described in the Service Descriptions & Terms, as amended from time to time. The Services shall be provided for the term of this Agreement, unless agreed otherwise or terminated prematurely in accordance with the Agreement. Where the Service Descriptions & Terms contain additional service-specific terms, these terms shall apply in addition to these GTC with regard to the respective Service.
- Customer is aware and agrees that the use of the Services requires:
- that Users have downloaded and installed the Unisto app (“App“) on their mobile devices, as available, subject to any conditions set forth by and in the relevant app store and to accepting the terms of use contained in the App, as may be amended from time to time by Provider (note that Provider does not guarantee that the App is and will remain available for the specific mobile devices and their operating systems as used by Customer);
- a functioning Internet connection and a functioning, activated compatible Bluetooth transceiver on the User’s mobile device and that Customer alone is responsible for ensuring both;
- the App being able to continuously communicate with the servers used by Provider in an unrestricted manner, regardless of whether the User has opened it or whether it runs in the background;
- the App being able to continuously obtain the GPS geo-location from the mobile device on which it is operated; and
- a properly authorized User has successfully logged into the App.
- Customer is further aware and accepts that its account can be accessed only through the App or the Console, but that in the case of the Console, the access is limited to accessing the Records (see Clause IV), and in the case of the App, the management of User access as described in Clause II is not possible.
- Provider has taken reasonable measures to protect the Services and the Records from unauthorized access, tampering and misuse. Customer agrees that it had ample opportunity to review such measures and considers them sufficient for its own purposes. Nevertheless, Customer is aware and accepts that unauthorized access and misuse of the Services, including the App and Console, cannot be excluded and that Provider does not guarantee the accuracy, timeliness and completeness of the Records including any information within the Services concerning the Seals or other aspects. Customer acknowledges that it uses the Services at its own risk.
- Provider provides reasonable support with regards to the App and the Services during its normal business hours. Any support beyond what is provided at the discretion of Provider is to be expressly agreed and shall be charged at Provider’s standard rates on a T/M basis, unless agreed otherwise.
- The Provider may use third party providers for the performance of the Services, for whose conduct it is liable as for its own. In particular, the Provider may use carefully selected cloud service providers. Where Provider uses commonly used cloud services (such as those from Microsoft, Google or AWS), Customer accepts that Provider’s obligations and liability under this Agreement with regard to their portion of the Services is limited to what Provider can obtain or claim from these cloud service providers back-to-back. Customer agrees that it had ample opportunity to understand which such cloud services Provider is using.
IV. Logs and further documentation
- Unless otherwise specified in the Service Description & Terms, Provider will log the use of the App and the Services, which includes logging any locking and unlocking procedures of the Seals assigned to Customer’s account by use of the App and the geolocation of the App as received from the mobile device (“Records“).
- Provider may provide further means within the App to document the proper use of the Seals, in particular the locking and unlocking procedures, as indicated in the Service Description & Terms (e.g., by uploading a photograph, where available). This documentation will also be stored in the Records and be part of them.
- Provider will store the Records for at least 90 days. It is Customer’s responsibility to ensure longer storage if necessary, as Provider is free to delete Records or restrict access to them after said time period. Provider is not required to undertake any backups of the Records; this is, as well, the responsibility of Customer, as is retrieval of the Records from the Service using the built-in export functionality (any support on the part of Provider, if any, shall be charged at Provider’s standard rates on a T/M basis).
- Subject to applicable data protection law, to maintaining confidentiality and the pseudonymization or anonymization of any User data, Customer agrees that Provider and its affiliates may use the Records and information on the usage of the Services and App for statistical analysis, improving the services and other own purposes under its own responsibility. Where confidentiality cannot be maintained, Provider shall have any information de-identified with regard to Customer, as well.
V. Customer’s Responsibilities
- The Customer shall use, and shall undertake that all Users use, the App, the Seals and the Services solely in accordance with the Agreement and only as intended and comply with any restrictions on the use of the App and the Services pursuant to the Service Descriptions & Terms and as communicated through the App or the Console. Further, Customer shall comply, and shall undertake that all Users comply, with all laws applicable to the Customer in connection with its use of the App, the Seals and the Services, including without limitation transportation law, customs law, data protection law and any industry self-regulation applicable to Customer.
- Customer will keep all Customer Information and information on Users up-to-date and will update them where necessary through the Console.
- Customer will ensure that User Credentials are kept confidential and otherwise secure, that they are not shared between Users and that they are revoked immediately upon indication of them being compromised.
- Customer is responsible for the conduct of its Users as it is for its own conduct; any User activity shall be considered an activity of Customer and authorized by it. Customer agrees to notify the Provider immediately of any unauthorized use of the Administrator Credentials or User Credentials, any other known or suspected breach of security or any other misconduct on its account (which, however, as such does not relieve Customer from its aforementioned responsibility).
- Customer ensures that its Users always use the latest version of the App. Customer accepts that the Services might otherwise no longer be usable or available or work properly.
- Customer is obliged to update the software on the Seals upon Provider’s request. The Customer will strictly adhere to Provider’s instructions for doing so, otherwise this may render the Seals unusable and any warranties to the Seals will be forfeited. Customer agrees that the contractual terms the Parties agreed on upon purchase of the Seal shall also apply to the updated software of the Seals.
- Customer shall, at its own cost and without undue delay, provide Provider any reasonably requested information and other support in providing the Services and fulfilling its obligations under this Agreement.
VI. Modification and Updates
- Provider may at any time modify the Services and the App in its sole discretion. This may include adding, changing and removing functionality, or adding new services. Customer accepts that data formats supported by the App or the Services may change as part of the foregoing.
- The implementation of such modifications may result in the App and the Services (including the Console) being unavailable for a certain period of time, or until the App has been updated by a User. Where reasonably possible, the Provider will inform Customer of such periods in advance.
VII. Intellectual Property
- Customer acknowledges and agrees that Provider shall own any and all intellectual property rights with regard to the App and the Services. Any reverse engineering is prohibited to the extent permitted by law.
- Provider hereby grants Customer a non-exclusive, non-transferable right to access and use, and permit Users to use, the App and the Services (including the Console) solely for Customer’s internal business purposes and in full compliance with this Agreement. The License is granted for the duration of the Agreement or the respective Service, whichever is shorter.
- Customer shall not license, sell, rent, lease, transfer, assign, distribute, display, host, disclose or otherwise commercially exploit or make the App or the Services available to any third party, save to its Users as expressly laid out herein.
VIII. Suspension
- Provider may, where reasonably possible with reasonable advance notice to Customer, suspend a User’s or Customer’s access to or use of the Services and the App, in total or in part, if Provider reasonably concludes that Customer’s or User’s use of the Services or a third-party activity (e.g., a cyber-attack) is causing or may cause harm to Provider, the Services or others.
- Provider will use commercially reasonable efforts to resolve the issues causing the suspension and the suspension as soon as possible. Customer agrees that the Provider will not be liable to Customer or any third-party for any such suspension of a User’s or Customer’s access to or use of the Services or App.
IX. Fees and Invoice
- Customer owes the fees according to the Price List or as otherwise agreed (the Order shall take precedence over the Price List in case of conflicts), using the payment method offered by the Provider.
- Payment must be made in advance for each payment period, unless agreed otherwise in the Order. The fees are non-refundable, in particular in cases where the Services are not used.
- Should Customer fail to pay the invoiced fees within this period, it is automatically in default. In this case, Provider may charge a reasonable reminder fee and interest as per applicable law. If Customer subsequently fails to pay the invoiced fees within a reasonable grace period set by the Provider, Provider shall be entitled to restrict Customer’s ability to use the Services and the App, in total or in part, or terminate the Agreement or the Services extraordinarily in total or in part.
- If fees are usage-based, the use of the Services shall be deemed to be proven subject to any evidence to the contrary by Customer if it has been logged by the Service. Customer can access its usage data in its account through the Console. Any objection to such usage data logs shall be made within 10 days following the end of the calendar month in which they were created, as they are otherwise considered correct.
- Provider reserves the right to amend the fees with three months’ notice by the end of a calendar quarter. Any increase that cannot be based on inflation and other external factors (such as increased third-party costs) shall entitle Customer to extraordinarily terminate the Agreement within 30 days written notice upon being provided with the basis of the amendment of the fees by Provider. For amendments of the Price List that do not concern fees of Services currently subscribed by Customer or relate to other payment terms, the provisions for amending the Service Descriptions & Terms apply accordingly.
X. Warranty, Service Levels
- The Provider shall provide the Services “as is”. Any warranties not expressly agreed are hereby disclaimed to the extent permitted by law, including any warranty of a particular quality, functionality, fitness for purpose, compliance with applicable regulations, merchantability, non-infringement or title.
- Unless expressly agreed otherwise in a Service Level Agreement, the Services are provided on a “best effort” basis without any particular service levels.
- Should the Services deviate materially from the Service Description, Provider will make commercially reasonable efforts to remedy such deviations.
XI. Liability
- To the extent permitted by applicable law, Provider, its employees and auxiliary persons shall not be liable for any direct or indirect damages, consequential loss, loss-of-profit or third-party claims resulting from or in connection with the use of the Services or the App, loss or corruption of any Records or other data, delays, nondeliveries, misdeliveries, service interruptions, the infringement of third-party rights or otherwise.
XII. Customer’s indemnity
- Customer shall defend and indemnify Provider against any and all losses incurred by Provider arising out of or in connection with a claim by a third party (i) alleging that the Records, or any use thereof, infringes the rights of, or has caused harm to, a third party (e.g., if Records were to contain third-party personal data that Customer was not entitled to use within the Service), or (ii) arising out of Customer’s breach of its duties and obligations under this Agreement.
XIII. Data Protection
- Customer will act as controller, and Provider as its processor (each term as per the Swiss Data Protection Act, “CH-DPA“), with regards to any personal data processed in the Records, in particular any User, their geo-location and other own or third-party personal data provided by them, according to Clause IV. Customer will comply with all applicable data protection (including the CH-DPA) and employment laws and will use this data solely in accordance with applicable law and its representations (e.g., in privacy notices). Customer will inform its Users, as well as any other potential data subjects, about the collection and processing of their personal data and will get consent for the collection and processing of personal data, if and when required by applicable law. For the deletion of personal data as per applicable law, Customer will use the functions provided in the Services as necessary. Further obligations, in particular of Provider as Processor are specified in the Data Processing Agreement and as amended from time to time. If Customer is located in a country without an adequate level of data protection under the CH-DPA, Provider may require Customer to enter into additional agreements for compliance with applicable data protection law.
- Provider will act as controller with regards to the User Credentials and other Service and App usage information (including as necessary to invoice Customer), save for the processing of Records for Customer. As a controller, Provider will comply with the CH-DPA. Customer will support Provider as reasonably requested in its compliance with applicable law. In particular, Customer will make Provider’s privacy notice available to its Users and ensure that it will only permit those to be Users and provide their personal data whose personal data the Provider may lawfully process for the performance or in connection with this Agreement and as laid out in its privacy notice.
XIV. Confidentiality
- Each Party may have access to information that is confidential to the other Party (“Confidential Information“) and will apply appropriate measures to keep such Confidential Information confidential. For the purposes of this Agreement, Confidential Information shall include any information that is clearly identified in writing at the time of disclosure as confidential as well as any information that, based on the circumstances under which it was disclosed, must reasonably be believed to be confidential. It shall include Records on the part of Customer, and any software code on the part of Provider (e.g., of the App, the Console or the Seals).
- For the avoidance of doubt, the foregoing shall not restrict Provider (i) in responding to any order or other request from a competent public authority Provider deems appropriate to receive the Records or any other information related to Customer’s use of the Services, (ii) from disclosing any information as necessary in defending itself against third-party legal claims or pursuing potential misuse of the Services or App, and (iii) from making use of any and all know-how gained from the provision of the Services, provided that Confidential Information is not disclosed to unauthorized third parties.
XV. Termination
- Unless a fixed term has been agreed, each Service will run until it is terminated. Each Service may be terminated by either Party with 30 days’ written notice at the end of each month. Any minimum term, as specified in the Order, is reserved. Termination of a Service does not affect the validity and term of the other Services. This Agreement shall continue to apply to these other Services.
- The Agreement can be terminated with 30 days’ written notice by either Party at the end of each month, again subject to any minimum term of a Service still running. With the termination of the Agreement, all Services are terminated.
- The Agreement will end automatically after 30 days if no Seal is assigned to Customer’s account or all Services have been terminated or expired.
- The right of each Party to terminate the Agreement extraordinarily for important reasons remains reserved. The material breach of this Agreement shall be considered an important reason, provided that if such breach can be remedied, the Party in breach shall be given a grace period of at least thirty (30) days to remedy such breach before the Agreement may be terminated. The non-compliance with the restrictions to use the Services and the non-payment of the fees shall be considered a material breach.
XVI. Various
A. Amendments
- Provider may unilaterally modify or amend these GTC, including the DPA, at any time. The proposed amendments will be notified to Customer at least thirty (30) days prior to the proposed effective date of the amendment in text form (including e-mail). The amendment shall be deemed accepted by Customer unless Customer objects within 14 days.
- If Customer timely objects to an amendment, Provider shall have the right to terminate the Agreement or a Service without liability with thirty (30) days’ written notice, provided the amendment of the Agreement was proposed for good cause.
- Amendments to the Data Processing Agreement shall be handled accordingly.
- Amendments to Service Descriptions & Terms shall be handled accordingly, with no notification being necessary and no right to object existing with regard to changes to services that Customer has not currently subscribed to.
- Any other amendments of this Agreement shall be only valid if done in writing.
B. Entire Agreement
- This Agreement constitutes the entire agreement between the Parties and supersedes all prior or contemporaneous representations, understandings, agreements or communications between them, whether written or oral, regarding the subject matter of this Agreement. The Parties acknowledge that they have not relied on any representation, warranty or undertaking not expressly incorporated in this Agreement.
C. Other Provisions
- If any provision of this Agreement is for any reason held to be invalid, illegal or unenforceable under applicable law, the remaining provisions shall be unimpaired, and the invalid, illegal or unenforceable provision shall be replaced by a valid, legal and enforceable provision that comes closest to the intention of the Parties underlying the original provision.
- Any assignment of this Agreement or the rights and obligations hereunder to another party shall require the consent of the other party, except that Provider may assign this Agreement, its rights and obligations to any of its affiliates.
- The Parties exclude the right to set-off claims under this Agreement.
- The Parties and their representatives entering into this Agreement warrant that they have the necessary power and authority to sign this Agreement on behalf of the respective Party.
D. Applicable Law and Jurisdiction
- This Agreement, and all the rights and duties of the Parties arising out of or in connection with this Agreement, is governed by the substantive Laws of Switzerland, with the exclusion of the CISG.
- The competent courts at Provider’s registered office shall have exclusive jurisdiction with regards to any dispute arising between the Parties out of or in connection with this Agreement. Notwithstanding the foregoing, Provider may also request interim measures and other appropriate relief from the courts at the location of Customer or its Users concerned.
Contact:
If you have any questions, you can contact us:
Unisto AG
Seestrasse 7
CH-9326 Horn
Phone: +41 71 844 24 24
unisto.switzerland@unisto.com
Last updated: July 24th, 2023
Data Processing Agreement (DPA):
PROCESSING
A. Scope
- The Parties have entered into a Main Contract (consisting of an Order, General Terms and Conditions, Service Descriptions & Terms and any other agreement referenced therein), to which this DPA is an integral part and according to which Provider as the Processor will process Personal Data for Customer as the Controller. With this Agreement, the Parties govern this processing for the purposes of the Swiss Data Protection Act (“CH-DPA“) and, where applicable, the EU General Data Protection Regulation (“GDPR“).
- The terms “Data Subject“, “Personal Data“, “Processing“, “Controller” and “Processor” shall have their meaning as under the CH-DPA and GDPR. “Country with an Adequate Level of Data Protection” shall mean a country or territory whose legislation ensures an adequate level of data protection according to both an adequacy decision by the European Commission and a corresponding assessment by the Federal Council.
- The subject matter, duration, nature and purpose of the Processing, as well as the types of Personal Data Processed and the categories of Data Subjects, are specified in Exhibit A of this DPA.
B. Obligations of Customer
- Customer, as the Controller, confirms to Provider that:
- the engagement of, and instructions to, Provider are in compliance with the CH-DPA and, where applicable, the GDPR;
- it has made or obtained all notifications, registrations, regulatory approvals, and consents from relevant Data Subjects that are necessary for the lawful processing of Personal Data by Provider as a Processor according to the CH-DPA and, where applicable, the GDPR; and
- it shall promptly and in a compliant manner respond to all requests from Data Subjects exercising their rights under applicable data protection laws.
C. Processing of Personal Data by Provider
1. Provider is obliged:
- to process Personal Data only for the purposes of Customer, only for the purpose of fulfilling the Main Contract and only in accordance with the documented instructions of Customer; this does not affect Provider’s right to process the data in anonymized form for its own purposes. The Main Contract, including this DPA, as well as the Services agreed upon by the parties in the Order and the configurations and options chosen by Customer and the instructions provided for in the Main Contract are the final and binding instructions of Customer, unless expressly agreed otherwise. If Customer wishes to adapt these instructions, it shall propose the amendments to Provider; insofar as no special process is provided for adapting the contract, the Provider shall examine the request for amendment in good faith; if the parties cannot agree on an amendment within thirty (30) days, Customer may extraordinarily terminate the Services affected by this (and the DPA for such Services), insofar it can show that the requested amendments refused by Provider are required for its compliance under applicable data protection law;
- not to disclose or transfer any Personal Data abroad, except:
- to Customer itself, its affiliates (if Personal Data is processed for them with Customer being their Processor) or to third parties in fulfillment of an instruction of Customer or its affiliates or as provided in the Main Contract (this does not apply to transfers to sub-Processors of Provider or other third parties engaged by the Provider);
- to a recipient in a country that is recognized by the applicable data protection law to have an adequate level of data protection;
- to a recipient in a country that is not recognized by the applicable data protection law to have an adequate level of data protection, provided that the conditions required under the applicable data protection law for a lawful disclosure or transfer of Personal Data have been met (e.g., the conclusion of standard contractual clauses); or
- in the case that it has been agreed upon with Customer, either in the Main Contract or otherwise;
- to implement and maintain adequate technical and organizational measures to ensure the confidentiality, integrity, and availability of the Personal Data Processed and to protect the Personal Data against unauthorized processing, unauthorized access or unauthorized disclosure, as well as against accidental or unlawful falsification, destruction or loss, in particular and at least the data security measures mentioned in Exhibit B, Article 32 GDPR and the CH-DPA; the Provider may adapt these measures as necessary, provided that the overall level of security is substantially maintained; in such cases, the Provider shall adapt Exhibit B and notify Customer accordingly in an appropriate manner;
- to entrust the processing of Personal Data only to employees and other auxiliary persons (including all third parties working on the instructions of the Provider and falling under Article 29 GDPR) who are contractually or legally bound to confidentiality;
- to delegate the processing of Personal Data to a sub-Processor only with the prior written consent of Customer, which shall be deemed to have been given for the sub-Processors provided in Exhibit C, and only to a sub-Processor that has undertaken to substantially comply with the applicable provisions pursuant to the CH-DPA and, where applicable, pursuant to the GDPR. If the Provider wishes to expand or adjust Exhibit C to include further sub-Processors, it shall notify Customer thereof in text form in a suitable manner at least thirty (30) days in advance (e.g., by means of an e-mail or a notification function in the event of adjustments to the list, insofar as it is made available on the Internet). Customer may object in writing to an extension or adjustment of the list within fourteen (14) days; it shall do so only for justified reasons relating to data protection law; if the Parties do not reach an agreement within fourteen (14) days, Customer may extraordinarily terminate the Services affected by this (and the DPA for such Services), insofar it can show that the objection is required for its compliance under applicable data protection law;
- to notify Customer without undue delay (at the e-mail address designated by Customer and in the absence thereof at the contact address on the signature sheet of the Order) of any personal data breach (as defined in the GDPR), as well as such information pursuant to Article 33 paragraph 3 GDPR and the corresponding provisions of the CH-DPA as is reasonably available to the Provider;
- to assist Customer, upon its request, in complying with the GDPR, the CH-DPA and other applicable data protection laws in the manner requested by Customer, taking into account the nature of the Processing and the information available to the Provider upon request, in particular, in complying with its obligations (i) towards Data Subjects exercising their rights under applicable data protection laws (including Chapter III of the GDPR and the corresponding provisions of the CH-DPA and other applicable data protection laws; such requests shall be immediately forwarded to Customer and not responded to in substance) and (ii) pursuant to Articles 32 to 36 of the GDPR and the corresponding provisions of the CH-DPA and other applicable data protection laws;
- to inform Customer immediately if, in its opinion, an instruction from Customer violates applicable data protection laws or other applicable laws; to the extent reasonable, it will continue the Processing in the absence of other instructions;
- to provide Customer with all information necessary to demonstrate Provider’s compliance with this Section C; Customer agrees that it shall exercise this right of audit, as far as possible, only by relying on the audit of any certifications and audit reports provided by the Provider of independent audit companies. With respect to sub-Processors, Provider shall provide Customer with reasonable means to audit compliance with applicable data protection regulations, which may be limited to the provision of third-party audit reports, subject to applicable confidentiality restrictions of such sub-Processors; and
- to return all or certain Personal Data to Customer, at Customer’s choice, subject to any applicable legal retention obligations, or to delete such Personal Data without retaining a copy upon termination of the Main Contract or upon request of Customer, and to confirm such deletion to Customer.
2. Expenses and Indemnification
- Unless otherwise agreed in the individual case, Customer shall reimburse Provider for its efforts and expenses incurred by it in providing Customer with support services pursuant to Section C or otherwise assisting Customer in complying with the CH-DPA, if applicable, the GDPR and other applicable data protection laws, in each case to the extent that Customer cannot show that these expenses are the fault of the Provider or that they are not to be borne by Customer pursuant to an express provision in the Main Contract.
- Customer shall indemnify and hold the Provider harmless against any claims by third parties based on a breach of this DPA (including applicable data protection regulations). Such indemnification shall apply in particular with regard to any and all damages, costs, administrative sanctions, claims or expenses incurred by Provider as a result of such violations.
D. Transfer to Customers in Non-Whitelisted Countries
1. Application of the EU SCC
- If and to the extent that the Customer, as the Controller, is not in a Country with an Adequate Level of Data Protection, the EU SCC as agreed and compiled below shall apply to the transfer of Personal Data to the Customer as a Controller, with the Provider being the “data exporter” and the Customer being the “data importer”:
- Clauses 1-6;
- Clause 8 with the provisions for “Module Four”, including the introductory paragraph;
- Clauses 10-12 with the provisions for “Module Four”, including Clause 11(a), but without the provisions of the “Option” of Clause 11(a);
- Clauses 14-15 with the provisions for “Module Four”, if and to the extent that the Provider combines the Personal Data received from the Customer with Personal Data collected by the Provider in the EEA or in Switzerland in the course of the Processing; the Provider may be reimbursed by the Customer for its efforts and expenses in connection with Clauses 14-15 and their fulfillment in accordance with the provision in Section II.C.2.; the Parties agree that the Customer shall provide the documentation required under Clause 14(d) and submit it to the Provider upon first request; the Customer shall also be responsible for any further transfer impact assessments required due to the onward transfer of data collected in the EEA or in Switzerland and shall prove to the Provider upon first request that it has fulfilled this responsibility;
- Clause 16 with the provisions for “Module Four”;
- Clause 17 with the provisions for “Module Four”, whereby Swiss law shall be deemed to be the law agreed by the Parties for the purposes of Clause 17;
- Clause 18 with the provisions for “Module Four”, whereby the courts of Switzerland shall be deemed the competent courts for the purposes of Clause 18;
- To the extent that a transfer is subject to the Swiss DPA, the following adjustments to the above agreed Clauses of the EU SCC shall also apply (for the purposes of the GDPR, these adjustments shall have no effect):
(ii) References to “Regulation (EU) 2016/679” or “this Regulation” are to be understood as references to the Swiss DPA, to the extent applicable;
(iii) References to “Regulation (EU) 2018/1725” shall be omitted;
(iv) The terms “Union”, “EU” and “EU Member State” are to be understood as references to Switzerland.
2. Content of the Annexes
For the EU SCC Annexes referred to in the Clauses of the previous paragraph, the following applies:
- Annex I.A. shall consist of:
- (ii) the information in the Order, with the Customer as the “Data Exporter” acting as the “Controller”, and the Provider as the “Data Importer” acting as the “Processor”;
- (iii) the contact information of the Customer and the Provider as set forth in the Order;
- (iv) the Processing activities as defined in Exhibit A;
- Annex I.B. shall consist of the relevant information regarding (i) the Processing and (ii) any sub-Processing, as defined in Exhibit A;
- Annex II shall consist of Exhibit B to this Agreement.
3. Additional Provisions
- The Parties confirm that they are in possession of the EU SCC and therefore do not need to attach them in duplicate to this Agreement;
- The Customer shall support the Provider in complying with the Swiss DPA and, where applicable, the GDPR and other applicable data protection laws in connection with transfers to recipients that are not located in a Country with an Adequate Level of Data Protection, appropriately and at its own expense upon first request.
E. Various
- Furthermore, the Parties agree as follows:
- Each party shall bear its own costs for implementing this DPA, unless expressly agreed otherwise in connection with or in this DPA.
- Each party shall comply with its obligations under the data protection laws applicable to it, in particular those under the CH-DPA and, where applicable, the GDPR.
- All prior agreements between the Parties regarding processing of Personal Data are deemed superseded by this DPA as of the date hereof.
- This DPA shall be considered part of the Main Contract. In the event of a conflict between the provisions of this DPA and the provisions of the Main Contract, the provisions of this DPA shall prevail if and to the extent that they relate to the processing of Personal Data by Provider under the Main Contract.
- In the event of a conflict, the provisions of this Clause D shall prevail over the provisions of Clauses B and C.
- The provisions of this DPA shall survive the termination of the Main Contract and shall remain in effect as long as the Provider is in possession of or has access to the Personal Data covered by this DPA, after which the DPA shall automatically terminate.
- The provisions of this DPA shall be governed by and construed in accordance with the substantive laws of Switzerland. The competent courts at Provider’s registered office shall have exclusive jurisdiction with regards to any dispute arising between the Parties out of or in connection with this Agreement.
EXHIBIT A: DESCRIPTION OF PROCESSING
Subject-matter:
The subject-matter of the Processing of Personal Data by Provider is the provision of the services to Customer as described in the Main Contract.
Duration of the processing:
The Personal Data is usually processed for the duration of the Main Contract.
Nature and purpose of the processing:
Provider will process the Personal Data on its systems for the purpose of performing its tasks as set out in the Main Contract with Customer.
Type of personal data:
The Personal Data may concern the following categories of data: name of user, user ID, geo-location data, time stamps, App activities (locking and unlocking of a particular seal), photographs.
The Personal Data usually does not concern special categories of data.
Categories of data subjects:
The Personal Data may concern users employed by or otherwise affiliated with Customer, and persons visible and identifiable on the photographs documenting the locking of the seals.
EXHIBIT B: TECHNICAL AND ORGANIZATIONAL MEASURES
1. Technical Measures
- Encryption:
Data at Rest: Encrypt stored data to prevent unauthorized access in case of a breach. This includes databases, backups, and any data stored on physical media. [planned, not executed yet]
Data in Transit: Use encryption protocols like TLS (Transport Layer Security) to secure data transmitted over networks, ensuring that data cannot be intercepted and read by unauthorized parties.
- Access Control:
Authentication: Implement robust authentication mechanisms such as multi-factor authentication (MFA) to verify the identity of users accessing the platform.
Authorization: Define and enforce user roles and permissions to ensure that users only have access to data and functions necessary for their role.
- Regular Security Testing:
Conduct regular vulnerability assessments and penetration testing to identify and address security weaknesses. This helps to proactively mitigate potential threats.
[planned, not executed yet]
- Logging and Monitoring:
Implement comprehensive logging of all access and activities on the platform.
- Data Backup and Recovery:
Regularly back up data and ensure that backups are stored securely.
Implement disaster recovery plans to quickly restore data and services in case of an incident.
[planned, not executed yet]
- Patch Management:
Keep software and systems up to date with the latest security patches and updates to protect against known vulnerabilities.
2. Organizational Measures
- Security Policies and Procedures:
Develop and enforce comprehensive security policies covering data protection, incident response, access management, and other relevant areas. Ensure all employees are trained and aware of these policies.
- Incident Response Plan:
Establish and maintain an incident response plan to promptly address and mitigate the impact of security incidents. This should include procedures for detecting, reporting, and responding to breaches.
- Employee Training and Awareness:
Regularly train employees on data protection principles, security best practices, and how to identify and respond to potential security threats such as phishing attacks.
- Data Minimization and Retention Policies:
Implement policies to minimize the collection and retention of personal data. Only collect data necessary for the platform’s operation and retain it for the minimum period required.
- Third-Party Risk Management:
Assess and manage risks associated with third-party vendors and subprocessors. Ensure they comply with the same data protection and security standards.
EXHIBIT C: APPROVED SUBPROCESSORS
- The Parties agree to the commissioning of the following Subprocessors:
Company | Service Provided | Corporate Location | Address | Contact Point (including DPO, if any) | Further Details (including own Sub-Processors) |
Google Cloud EMEA Limited | Cloud Services | Ireland | 70 Sir John Rogerson’s Quay, Dublin 2, Ireland | – | Provider is responsible under a standard cloud service agreement for offering the standardized service with the configuration and administrator control remaining with the Provider. The provider is using further sub-processors as per the following list: https://cloud.google.com/terms/subprocessors The provider is maintaining technical and organizational data security measures of its own, as further described in the data protection addendum: https://cloud.google.com/terms/data-processing-terms-20180313 |
Last updated: July 24th, 2023