Master Subscription Services Agreement for the InLoox Cloud

You are here: InLoox Master Subscription Services Agreement for the InLoox Cloud

  The contractual terms will depend on your contract partner.

If your contract partner is InLoox GmbH based in Munich, Germany, the General Terms and Conditions for the Use of the Online Services in the InLoox Cloud of InLoox GmbH will apply.

If your contract partner is InLoox, Inc. based in San Francisco, USA, the InLoox, Inc. Master Subscription Services Agreement will apply.

Contracting partner

InLoox GmbH

General Terms and Conditions for the Use of the Online Services in the InLoox Cloud

The following General Terms and Conditions of InLoox GmbH, Walter-Gropius-Strasse 17, 80807 München, (hereinafter referred to as "InLoox") apply to the use of the online services in the InLoox Cloud (hereinafter referred to as "Online Services").

1. Scope of application

Our General Terms and Conditions (hereinafter referred to as "T&C") apply exclusively; we do not acccept contrary conditions or conditions of the customer that deviate from our Terms and Conditions unless we explicitly approve of their application in writing.

2. Subject matter of the Agreement

2.1. These T&C govern the Online Services provided by InLoox. Through the Online Services InLoox provides the customer with the technical possibility and authorisation to access services, which are operated on central servers of InLoox, via the Internet under directly in the web browser and/or through apps and to use the functionalities of the Online Services in connection with this Agreement.

2.2. The use of the apps by the customer subject to a separate, independent end-user licence agreement. In connection with the installation of the apps the customer agrees to the terms and conditions of the end-user licence agreement. They can be found on at any time and are provided to the customer upon installation.

3. Services

3.1. The kind and scope of the Online Services are conclusively described on The contractual services are based on the customer's order.

3.2. Unless otherwise agreed in the order, the Online Service is available 24/7 ("Operation Hours"). The average availability during the Operation Hours amounts to a monthly average of 99.5 % with regard to the scope of responsibility of InLoox. The regular maintenance windows of the system, which can be found at, are not included in the calculation of the availability ("Maintenance Times"). During the aforementioned times, the application might still be available, but may also be subject to interruptions and limitations; however, there is no claim for use. If maintenance works are required during the Operation Hours and the application is hence not available, InLoox will, if possible, inform the customer about this in due time.

3.3. During the term of Agreement, InLoox offers a support service to the customer, free of charge, including the supply of new versions, upgrades or updates. The details of the support service can be found at

3.4. Besides, and unless otherwise agreed in the order, InLoox is not obliged to any further services. In particular, InLoox is not obliged to provide services with regards to the installation, equipment, advice, adjustment and/or training as well as with regard to the development and supply of individual programming and/or additional programmes.

3.5. The customer can choose to nominate one of InLoox´ distribution partners as a supporter of the customer´s account within 30 days following the conclusion of contract for initial acquisition of Online Services. In the event of nomination, the distribution partner has to provide customer with free of charge first level support during the term of contract. For the details of support service we refer to the respective terms and conditions of distribution partner. Within the scope of accounting the required customer information will be transmitted to the distribution partner for specific use only. For further details we refer to our privacy policy and to the notice given with the process of nomination.

4. Right of use

4.1. During the term of this Agreement, InLoox grants, against payment, to the customer the non-exclusive, non-assignable, non-sublicensable right to access the Online Services on InLoox' server via the Internet and to use the functionalities linked to the Online Services through a web browser or a desktop software in accordance with this Agreement. The customer does not receive any additional rights, in particular with reference to the software. The software is not handed over to the customer.

4.2. The customer is not entitled to use the Online Services beyond the use permitted in accordance with this Agreement or to make them available to third parties - no matter in which way and whether free of charge or against payment. In particular, the customer is not entitled to reproduce or sell the Online Service wholly or in parts or to permit the use for a certain period; the customer is in particular not entitled to rent or lend it.

4.3. The customer may only use the Online Services for his own business activities through own staff and/or authorised third parties who use the Online Services on behalf of him ("Authorised Users"). The customer ensures that the Authorised Users use the Online Services only within the scope of and pursuant to these T&Cs.

4.4. For each case, in which the customer culpably enables third parties to use the Online Services, the customer has to pay a penalty in the amount of the sixfold regular remuneration; any such payment shall become due immediately. InLoox reserves the right to assert further damages. In any such case penalty will be credited against the claim for damages.

4.5. To the extent InLoox provides the customer with new versions, updates or upgrades of the Online Services during the term of this Agreement, the aforementioned right of use applies accordingly.

4.6. In the case of an unauthorised permit of use, the customer shall immediately and upon request provide InLoox with any information for the assertion of claims against the user, in particular his/her name and address.

4.7. If the contractual use of the Online Services is affected by IP rights of third parties without InLoox' fault, InLoox is entitled to refuse rendering the services affected by this. InLoox will inform the customer about this immediately and will grant him/her access to his/her data in an appropriate way. In any such case the customer is not obliged for payment. Any other claims or rights of the customer shall remain unaffected.

5. Test version, beta version

5.1. If the customer has signed up for a test version or beta version of the Online Services, he can use it free of charge for a period of 30 days in accordance with the provisions of this Agreement. For this period InLoox does not guarantee or warrant and is not liable for damages incurred by the use of the test version, except for wilful acts and gross negligence.

5.2. Any customer data is deleted by InLoox after the 30-day test period, unless the customer decides to enter into an agreement on the use of the Online Services against payment before the expiry of said 30-day test period.

5.3. Customer data, which was created and/or inserted via beta version, cannot be transferred to a production version; they will be deleted by InLoox after the expiry of the beta period.

6. Obligations of the customer / indemnification

6.1. The customer will protect the authorisations for use and access as well as the identification and authentication protections assigned to him and/or the users from the access by third parties and the customer will not forward this information to unauthorised users. As soon as the customer gets aware that the authorisations for use and access have been obtained by a third party in an illegal way or that they might be misused, the customer is obliged to immediately inform InLoox for the purposes of mitigating the damage.

6.2. The customer will not use the Online Services in any way constituting a misuse, or have them used in any such way; in particular, the customer will not transmit any illegal contents. Moreover, the customer will also refrain from any attempt to illegally retrieve information or data itself or via non-authorised third parties or to intervene into programmes operated by InLoox, or arrange for such intervention, or to intrude into data networks of InLoox in an illegal way.

6.3. The customer will immediately report any errors of the contractual services to InLoox in writing, stating how and under which circumstances the error and/or the defect occurs and the customer will actively support InLoox with the troubleshooting.

6.4. The customer will secure the data transmitted to InLoox on a regular basis and appropriately to possible risks and create own backups in order to be able to restore the data and information in the case of loss.

6.5. When using the Online Services as well as the contractual services, the customer will comply with all applicable laws and other legal provisions. In particular, the customer is not entitled to upload any data or contents infringing legal provisions or other IP rights or copyrights or any other rights of third parties. The customer alone is responsible for the data and contents supplied by him. InLoox neither reviews the contents as to their lawfulness nor as to their correctness.

6.6. The customer indemnifies InLoox from any claims of third parties which are based on an illegal use of the Online Services by him or occur with his approval or which, in particular, result from data protection law disputes, copyright law disputes or any other legal disputes connected to the use of the Online Services. If the customer realises, or has to realise, that any such infringement is imminent, he is obliged to immediately inform InLoox.

7. Use contrary to the Agreement / blocking of access

7.1. If there are specific aspects to the effect that the customer infringes and/or has infringed any material obligation set forth in this Agreement, any statutory provision or any right of third parties or if InLoox has any other justified interest, InLoox is entitled:

7.2. When deciding on a measure to be taken, InLoox will take into consideration the justified interests of the customer, in particular if the infringement was not the customer's fault. In any case, InLoox will inform the customer by email prior to blocking the account.

7.3. The access will only be restored when the infringement of the respective material obligation has been permanently removed and/or the risk of repetition is excluded. In very serious or repeated culpable cases of infringement, InLoox is entitled to block the customer's access to the Online Services permanently.

8. Remuneration / payment terms

8.1. The remuneration agreed upon for the contractual services are based on the customer's order. The invoicing period (1 or 12 months) is based on the customer's order.

8.2. All remunerations and prices are exclusive of respective valid statutory VAT. VAT will be invoiced separately in addition to the remuneration.

8.3. The remuneration contractually agreed on is due in advance of an invoicing period by way of credit card or by direct debit. Irrespective of the payment method chosen, the customer has to keep the data provided for invoicing updated at any time and has to immediately inform InLoox about any changes hereof.

8.4. If the customer provides InLoox with a respective direct debit authorisation for payment, the amount due for the invoicing period is debited from the account referred to in the direct debit authorisation 7 days after receipt of the invoice. The customer has to make sure that there is sufficient coverage on his account at any time. The customer has to refund any costs arising from the fact that a direct debit is not redeemed and if the customer is responsible for this. The customer is free to prove that the costs have not arisen or have not arisen in the asserted amount.

8.5. The customer may only set off costs against receivables that were determined in a legally final and binding way or that are uncontested or he may assert a right of retention.

9. Delay

9.1. In the case of a delay in payment, InLoox is entitled to invoice default interest in the amount of 8 percentage points above‎ the respectively valid basic interest rate vis-à-vis companies and in the amount of 5 percentage points above the respectively valid basic interest rate vis-à-vis consumers. The right to assert further damage shall remain reserved.

9.2. When the consumer is in delay of payment regarding a considerable amount, InLoox is entitled to block the access to the Online Services. In any such cases the customer shall remain obliged to pay the remuneration.

9.3. If the customer is in delay of payment with respect to

a) the remuneration and/or a considerable part of the remuneration for two consecutive invoicing periods or

b) the fees in the amount which corresponds to the amount of fees for two invoicing periods in a period which extends to more than two invoicing periods,

InLoox is entitled to terminate the Agreement without notice and to claim liquidated damages in the amount of a quarter of the remaining monthly prices until the end of the regular term of the Agreement; this amount is due immediately as one sum.

9.4. The amount of damage has to be increased or decreased if InLoox provides evidence for a higher damage or the customer provides evidence for a lower damage.

9.5. InLoox reserves the right to assert further claims for delay of payment.

9.6. If InLoox is in delay with providing operational Online Services, liability is determined in accordance with clause 10. The customer is only entitled to withdraw from the Agreement if InLoox does not comply with a reasonable grace period set by the customer.

10. Liability

10.1. In the case of wilful act, InLoox is unlimitedly liable for any and all damage caused by it and its legal representatives or vicarious agents.

10.2. In the case of slight negligence, InLoox is only liable for any damage caused by it and its legal representatives or vicarious agents as a result of the infringement of a material contractual obligation. Contractual obligations are considered material if required to duly execute the Agreement and on which InLoox regularly relies on and may rely on. In this case, liability shall be limited to the compensation of the foreseeable, typically occurring damage.

10.3. InLoox' liability for indirect losses and lost profits is excluded.

10.4. InLoox' strict liability for damages (Sec. 536a para. 1 German Civil Code(Bürgerliches Gesetzbuch, BGB)) as a result of defects existing at the time of the conclusion of the Agreement is excluded.

10.5. The liability pursuant to the product liability act shall remain unaffected.

10.6. Insofar as InLoox's liability is excluded or limited, such exclusion or limitation applies mutatis mutandis to the personal liability of its employees, members of staff, representatives and vicarious agents of InLoox.

11. Data protection and data security

11.1. The data uploaded by the customer will be saved on servers in Germany in data centers in Frankfurt am Main and Magdeburg. The basis for data processing is the agreement on data processing attached to these conditions, which is expressly agreed between the parties by acceptance of these conditions.

11.2. InLoox does not collect, process or use any personal data on behalf of the customer in connection with rendering the services pursuant to this Agreement except as the data stored by customer as defined in clause 11.1 above; InLoox does not have access to any such data either.

11.3. If the customer collects, processes or uses personal data, he is responsible for being entitled to do so pursuant to the applicable provisions, in particular pursuant to data protection provisions; in the case of an infringement, he indemnifies InLoox from claims of third parties. If contrary to clause 11.2. the customer uploads personal data onto InLoox' server without the consent of InLoox, the customer indemnifies InLoox from any claims of third parties.

11.4. As part of the "Customer Experience Improvement Program" (CEIP), InLoox will gather anonymized usage statistics and error reports. Customer can turn off this feature at any time. More information can be found at

12. Force majeure

12.1. InLoox is released from the obligation to render services arising from this Agreement if and insofar the non-performance of services can be attributed to the occurrence of conditions of force majeure after the conclusion of the Agreement.

12.2. Circumstances of force majeure include for example war, strike, riot, expropriation, fundamental legal changes, storm, floods and other natural disasters as well as any other circumstances for which InLoox is not responsible, in particular water ingress, blackouts and cut-offs or destruction of data cables.

12.3. Each contractual party has to immediately inform the respective other contractual party in writing about the occurrence of a case of force majeure.

13. Secrecy

The contractual parties undertake to treat as confidential any business and trade secrets which they - including their vicarious agents - have obtained on the occasion of entering into the Agreement or fulfilling the Agreement. These obligations do not apply to information, knowledge and experiences which

(a) are publicly known as can be verified without infringing this secrecy obligation,

(b) the parties already verifiably knew prior to receipt of this information, knowledge and experience

(c) were received by a third party which is not subject to a secrecy obligation or

(d) were verifiably gained through independent work.

14. Term of Agreement, termination

14.1. The Agreement is entered into for the contractual term as agreed upon in the order (minimum term). The Agreement is extended by the same period of time as the minimum term (extension term), unless one of the contractual parties terminates the Agreement prior to the end of the minimum term or the respective extension term.

14.2. The right of termination for good cause shall remain unaffected. In addition to clause 8.2., InLoox is, in particular, entitled to extraordinarily terminate the Agreement if the customer

14.2.1. infringes material provisions of this Agreement or does not fulfil main duties arising out of the Agreement and does not remedy this breach of duty despite a written warning within a reasonable deadline;

14.2.2. fails to make payments due under this Agreement and the default is not temporary;


14.2.3. ceases its business operations on a more than temporary basis, whether based on its own decision or by court order.

14.3. The customer's right to extraordinarily terminate the Agreement without notice is excluded if the contractual use of the Online Services, whether wholly or in parts, is not granted in time or is blocked again (Sec. 543 para. 2 item 1 BGB).

14.4. If the customer extraordinarily terminates the Agreement, InLoox refunds to the customer the remuneration already paid in advance.

14.5. If InLoox extraordinarily terminates the Agreement for a reason for which the customer is responsible, the customer has to pay the outstanding remuneration until the end of the minimum term.

14.6. All notices of extraordinary termination pursuant to this Agreement have to be made in writing. The point in time of receipt of the termination letter is decisive for adhering to the notice periods.

15. Obligations upon and after termination of the Agreement

15.1. During the term of the Agreement and within 30 days after the termination of the Agreement the customer's data saved on InLoox' servers are available for download by the customer, provided that the customer has not finally deleted the respective data from the server.

15.2. For these purposes, InLoox provides the customer with a download application within the Online Services. Customer data can be downloaded as a file in the SQL format; documents and enclosures can be downloaded in their original format.

15.3. After expiry of 30 days after termination of the Agreement, the customer does not have any claim for transmission of the data saved by him. InLoox will separately point this out to the customer after receipt of the termination.

16. Final provisions

16.1. In the case of deviations and/or contradictions of the provisions of this Agreement and the provisions of the exhibits, the provisions of this Agreement shall prevail.

16.2. The customer can only transfer the rights and obligations out of this Agreement to third parties upon written consent of InLoox. However, InLoox is entitled to transfer the rights and obligations out of this Agreement to an allied company within the meaning of Secs. 15 et seqq. German Stock Corporation Act (Aktiengesetz). InLoox will inform the customer about this in writing; in any such case, the customer is entitled to extraordinarily terminate the Agreement.

16.3. Amendments or supplements to the contract and its appendices must be made in text form, unless a special written form is agreed in this agreement.

16.4. This Agreement shall be governed by the laws of the Federal Republic of Germany under exclusion of the UN Convention on the International Sale of Goods (CISG) and international law (in particular German laws of conflict).

16.5. As far as the customer is not a consumer in the sense of § 13 BGB, the place of jurisdiction for all disputes arising from this contract including its appendices is Munich. The same applies if the customer has no general place of jurisdiction in Germany or his place of residence or usual abode is not known at the time the action is filed.

16.6. If individual clauses of the present Agreement are invalid wholly or in part, any possibly invalid provision shall be reinterpreted, supplemented or replaced in a way that the economic purpose that was originally intended with the invalid provision is achieved. The same shall apply if this Agreement contains any gaps.

16.7. The contract language shall be German. These General Terms and Conditions are available in German and in English. The German version only is decisive and binding for the interpretation of individual provisions and/or if there are any contradictions between the language versions.

Date: 2022-10-31


Order Processing Contract in accordance with Art. 28 GDPR

Version: January 29, 2021


between the

customer of InLoox GmbH
- Party responsible - hereinafter referred to as the Client -


InLoox GmbH, Walter-Gropius-Strasse 17, D-80807 München
- Order processor - hereinafter referred to as the Contractor -

1. Subject matter and duration of the order

(1) The subject matter of the order depends on the respective order of the customer and the general terms and conditions referenced therein, which are referred to altogether here (hereinafter referred to as “Service Agreement”).

(2) The duration of this order (term) is the same as the term of the Performance Agreement.

2. Specification of the order content

(1) The type and purpose of the processing of personal data by the Contractor for the Client are described specifically in the Service Agreement. The Contractor will provide the following services in particular for the Client within the framework of the Service Agreement:

The provision of the contractually agreed data processing will be carried out by the Contractor itself exclusively in a member state of the European Union or in another contracting country of the Agreement on the European Economic Area. Any other relocation to a third country requires the prior permission of the Client and may only take place if the specific requirements in accordance with Art. 44 et seqq. GDPR are fulfilled. This consent can be granted for individual processing cases named in this Contract for one specific third country at a time, even with regards to subcontracting relationships. Where expressly indicated in Appendix 1 - Technical and Organisational Measures - individual processing operations take place outside a Member State of the European Union or in another Contracting State to the Agreement on the European Economic Area; in these cases, however, the appropriate level of protection is always guaranteed in the third country (see Appendix 2) and ensured by the measures specified in Appendix 1. Any other transfer to a third country requires the prior consent of the Client and may only take place if the special requirements of Art. 44 et seqq. GDPR are fulfilled. Such consent may be granted for individual processing operations referred to in this contract for a specific third country, including in respect of subcontracting relationships.

(2) The subject matter of the processing of personal data is the following data types/categories (list/description of the data categories):

(3) The categories of the persons concerned by the processing include:

3. Technical and organisational measures

(1) Before beginning the processing, the Contractor must document the implementation of the necessary technical and organisational measures specified before the placing of the order, in particular with regards to the specific order performance, and hand the documentation over to the Client for verification. Upon acceptance by the Client, the documented measures will form the basis of the order. If the verification/an audit by the Client results in a need for adjustment, this must be carried out mutually.

(2) The Contractor must establish the security in accordance with Art. 28(3)(c) and Art. 32 GDPR in particular in connection with Art. 5(1) and (2) GDPR. Altogether, the measures to be executed are measures for data protection and to guarantee a protection level appropriate to the risk in terms of the confidentiality, integrity, availability and capacity of the systems. The technical sophistication, the implementation costs and, and the type, extent and purpose of the processing, and the different likelihood of occurrence and severity of the risk for the rights and freedoms of natural persons within the meaning of Art. 32(1) GDPR must thereby be considered. The particular technical and organisational measures taken are listed in Appendix 1.

(3) The technical and organisational measures are subject to the technical progress and the further development. In this respect, the Contractor is permitted to implement alternative adequate measures. The security level of the set measures may thereby not fall below the minimum requirement. Significant changes must be documented.

4. Amendment, restriction and deletion of data

(1) The Contractor may not amend or delete data that is processed in the order, or restrict its processing, on its own authority, but may only do so after receiving documented instructions from the Client, if no statutory requirements oblige the Contractor to take action independently. Should a person concerned contact the Contractor directly in this respect, the Contractor will forward this solicitation immediately to the Client.

(2) If included in the scope of the service, the deletion plan, right to be forgotten, correction, data portability and information must be ensured directly by the Contractor after receiving documented instruction from the Client.

5. Quality assurance and other duties of the Contractor

In addition to compliance with the regulations of this order, the Contractor also has statutory duties in accordance with Art. 28 to Art. 33 GDPR; in this respect, it guarantees adherence to the following standards in particular:

a) Written order of a data protection officer that carries out its activities in accordance with Art. 38 and Art. 39 GDPR. The contact details of the data protection officer must be shared with the Client upon contract conclusion. Changes of the data protection officer must be reported to the Client immediately.

b) The safeguarding of confidentiality in accordance with Art. 28(3)(2)(b), Art. 29 and Art. 32(4) GDPR. When carrying out its work, the Contractor will only use employees who are bound to confidentiality and have been familiarised beforehand with the data protection provisions relevant to them. The Contractor and any person subordinate to the Contractor who has access to personal data may only process this data in accordance with the instructions of the Client, including the authorisations granted in this Contract, unless they are legally obliged to process the data.

c) The implementation of and compliance with all technical and organisational measures necessary for this order in accordance with Art. 28(3)(2)(c) and Art. 32 GDPR. The details are listed in Appendix 1.

d) The Client and the Contractor will work together with the supervisory authority, upon request, in the performance of their tasks.

e) The immediate informing of the Client about control actions and measures by the supervisory authorities, if they relate to specific and fundamental assignments and if such information is not prohibited by law. This also applies if a competent authority is carrying out an investigation of the order processing by the Contractor in relation to the processing of personal data, within the framework of administrative offence or criminal proceedings.

f) If the Client is subject in turn to an examination by the supervisory authority, administrative offence or criminal proceedings, the liability claim of a person concerned or a third party, or another claim in connection with the order processing by the Contractor, the Contractor must support it to the best of its abilities, to the extent legally permitted.

g) The Contractor will regularly control the internal processes, as well as the technical and organisational measures, in order to guarantee that the processing within its area of responsibility takes place in accordance with the requirements of the applicable data protection law, and that the protection of the rights of the person concerned is guaranteed.

h) Verifiability of the technical and organisational measures for the Client within the framework of its control authorisation in accordance with Figure 7 of this Contract.

6. Subcontracting relationships

(1) Subcontracting relationships within the meaning of this rule are such services that relate directly to the provision of the main service. These do not include secondary services that the Contractor uses, e.g. in the form of telecommunications services, post/transport services, maintenance and user services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and capacity of hardware and software of data processing systems. However, the Contractor is obliged to also use appropriate and lawful contractual agreements and control measures to guarantee the data protection and data privacy of the Client’s data in the case of outsourced secondary services.

(2) The Contractor may only assign subcontractors (other order processors) after receiving prior explicit written permission or documented permission from the Client.

a) The Client agrees to the tasking of the subcontractors named in Appendix 2 under the condition of a contractual arrangement in accordance with Art. 28(2-4) GDPR.

b) Changes of the existing subcontractor are permitted provided that:

(3) If the subcontractor provides the agreed service outside the EU/EEA, the Contractor will ensure legitimacy under data protection law by corresponding measures. The same applies if service providers within the meaning of Sect. 1(2) are used.

(4) Any further outsourcing by the subcontractor requires the explicit permission of the main client (text form at least). All contractual regulations in the contract chain must also be imposed on the other subcontractor. The technical and organisational measures of subcontractors must comply with the technical and organisational measures defined herein and may only fall below the level agreed herein in justified circumstances.

7. Control rights of the Client

(1) The Client has the right, in consultation with the Contractor, to carry out reviews or have reviews carried out by examiners named on a case-by-case basis. It has the right to convince itself of the adherence to this Agreement by the Contractor in its business operations by means of random sample controls that must generally be announced in a timely manner and 14 days beforehand at the latest.

(2) The Contractor will ensure that the Client can be convinced of the adherence to the obligations of the Contractor in accordance with Art. 28 GDPR. The Contractor is obliged to share with the Client, upon request, the required information and in particular demonstrate the implementation of the technical and organisational measures.

(3) The demonstration of such measures that do not just concern the specific order can take place by:

8. Reporting of violations by the Contractor

(1) The Contractor will support the Client in the compliance with the duties for the security of personal data, reporting obligations in the event of data breaches, data protection impact assessments and prior consultations, named in Articles 32 to 36 GDPR. This includes, inter alia:

a) Ensuring a suitable protection level by means of technical and organisational measures that consider the circumstances and purpose of the processing and the forecasted probability and severity of a possible rights violation by security flaws, and enable immediate detection of relevant incidents of violation;

b) the obligation to immediately report breaches of personal data to the Client;

c) the obligation to support the Client within the framework of its obligation to provide information to the party concerned, and provide it with all relevant information in this regard immediately:

d) immediately forwarding solicitation from people concerned, e.g. right to information, to the Client;

e) supporting the Client in its data protection impact assessment;

f) supporting the Client within the framework of prior consultation with the supervisory authority.

(2) For support services that are not included in the service description or cannot be traced back to misconduct of the Contractor, the Contractor may claim a compensation. The basis for the calculation of the remuneration is the Service Agreement or the general remuneration rates of the Contractor for comparable activities.

9. Authority of the Client to issue instructions

(1) The Client will confirm verbal instructions immediately (text form at least).

(2) The Contractor must inform the Client immediately if it is of the opinion that an instruction violates data protection regulations. The Contractor is entitled to discontinue the implementation of the corresponding instruction until it is confirmed or changed by the Client.

10. Deletion and return of personal data

(1) Copies or duplicates of data will not be produced without the knowledge of the Client. Exceptions are backup copies, if they are necessary to guarantee proper data processing, and data that is necessary in terms of adherence to statutory retention obligations.

(2) After the completion of the contractually agreed work or earlier upon request by the Client – upon the termination of the Service Agreement at the latest – the Contractor must hand over all documents, processing and use results produced, and databases, that it obtains possession of in connection with the contractual relationship, to the Client or destroy them in accordance with data protection law after obtaining prior permission. The same applies for test and scrap material. The determination of the termination of the service agreement requires notification by the Client. With the declaration that the contractual relationship is to be terminated, the deletion period with regard to documents subject to retention shall also commence.

(3) Documentation that proves proper data processing that is suitable for the order must be stored by the Contractor in accordance with the respective retention periods beyond the end of the Contract. It may transfer it to the Client for its relief at the end of the Contract.

11. Other

The point of contact on the part of the Client, and also for data protection, is generally the point of contact named as the billing contact; this can be changed or added to at any time by the Client. The point of contact on the part of the Contractor is its respective data protection officer, which can be reached at

Appendix 1 – Technical and Organisational Measures

A. Contractor:

1. Confidentiality (Art. 32(1)(b) GDPR)

2. Integrity (Art. 32(1)(b) GDPR)

3. Availability and capacity (Art. 32(1)(b) GDPR)

4. Procedure for regular review, assessment and evaluation (Art. 32(1)(d) GDPR; Art. 25(1) GDPR)

B. Subcontractors:

See also the references to the current state of the measures for each respective subcontractor in Appendix 2.

1. Microsoft Corporation, as of April 2018

General practice. Microsoft has taken the following security measures for the online services, and will maintain and follow them. In connection with the security obligations in the OST, these security measures represent the individual responsibility of Microsoft in relation to the security of customer data:

Information security guideline for online services
For Microsoft Azure core services and Microsoft Cloud App Security, a written data security guideline (“Information Security Guideline”) applies, containing the control standards and framework conditions of ISO 27007, inter alia. You will find information about further certification at

Checking of online services by Microsoft
For every online service, Microsoft carries out the following checks regarding computer security, data processing environments and physical data centres that it uses to process customer data (including personal data):

For each test, a test report will be created (“Microsoft test report”), which will count as confidential information of Microsoft. The Microsoft test report will clearly disclose the significant findings of the examiner. Microsoft will immediately rectify all problems detected in a Microsoft test report, to the satisfaction of the examiner.

Upon request by the customer, Microsoft will provide the customer with the individual Microsoft test reports, so that the customer can convince itself of Microsoft’s compliance with the security obligations under the terms of the DPT. The Microsoft test report is subject to the confidentiality and distribution restrictions of Microsoft and the examiner.

2. SendGrid Inc., as of April 2018

1. Network-Level Controls

a) SendGrid will use host-based firewall(s) to protect hosts/infrastructure handling Personal Data. The firewall(s) must be able to effectively perform thefollowing functions: stateful inspection, logging, support for strong encryption and hashing, ICMP and SNMP based monitoring and antispoofing.

b) SendGrid will have network-based security monitoring for the segment(s) on which hosts handling Personal Data are logically located.

c) SendGrid will assess network-level vulnerabilities and address critical vulnerabilities within 30 days.

d) SendGrid will employ change management standards for network/infrastructure components handling Personal Data.

2. Hosting Level Controls

a) SendGrid will implement operating system hardening for hosts/infrastructure handling Personal Data. Operating system hardening includes, but is not limited to, the following configurations: strong password authentication/use of keys, inactivity time-out, disabling or removal of unused or expired accounts and services, turning off unused ports, and log management. In addition, SendGrid will implement access control processes and restrict access to operating system configurations based on the least privilege principle.

b) SendGrid will perform patch management on systems that host or handle Personal Data.
SendGrid will implement critical patches within vendor recommended timeframes on systems that host or handle Personal Data, not to exceed 30 days after the patch is identified.

c) SendGrid will implement specific controls to log activities of users with elevated access to systems that host or handle Personal Data.

d) SendGrid will, at a minimum, assess system-level vulnerabilities on a monthly basis and address critical vulnerabilities within 30 days.

e) SendGrid will employ a comprehensive antivirus or endpoint security solution for endpoints which handle Personal Data.

f) Physical servers will be protected with appropriate physical security mechanisms, including but not limited to badged access, locked cages, secure perimeter, cameras, alarms, and enforced user provisioning controls.

3. Application-Level Controls

a) SendGrid will maintain documentation on overall application architecture, process flows, and security features for applications handling Personal Data.

b) SendGrid will employ secure programming guidelines and protocols in the development of
applications processing or handling Personal Data.

c) SendGrid will regularly perform patch management on applications that host or handle Personal Data. SendGrid will implement critical patches within vendor recommended timeframes on all applications that host or handle Personal Data, not to exceed 30 days.

d) SendGrid will, at a minimum, assess application-level vulnerabilities on a monthly basis and address critical vulnerabilities within 30 days.

e) SendGrid will perform code review and maintain documentation of code reviews performed for applications that host or handle Personal Data.

f) SendGrid will employ change management standards for applications hosting or handling
Personal Data.

4. Data-Level Controls

SendGrid will use strong encryption (TLS) for transmission of Personal Data that is considered Confidential Information. Data backups of Personal Data will be encrypted at rest and while in transit; however due to the dynamic nature of data in SendGrid’s production environment, Personal Data in SendGrid’s production databases will not be encrypted at rest.

5. End User Computing Level Controls

a. SendGrid will employ an end point security or antivirus solution for end user computing devices that handle Personal Data.

b. SendGrid will ensure that end user computing devices that handle Personal Data are encrypted.

6. Compliance Controls

a. SendGrid will make a good faith effort to operate within the parameters of SendGrid’s then-current Information Security Policy. This Policy will be provided to Customer in soft copy format upon request.

b. Notwithstanding any of the foregoing, SendGrid will adopt appropriate physical, technical and organizational security measures in accordance with industry standards, including but not limited to, building access control, employee education and personnel security measures.

3. Freshworks Inc., as of April 2019

Information Security Program 

Physical Access Control

System Access Control

Data Access Control

Transmission Control

Input Control

Availability Control

Data Separation Control

Workstation Security

Information Security Incident Management

Processor maintains a record of security incidents with a description of the incident, the time period, the consequences, the name of the reporter or service, to whom the incident was reported, and the remediation.

Evaluation and certifications

Processor has obtained ISO 27001 certification regarding its data security and/or data protection systems and organization.

Appendix 2 – Approved subcontracting contracts

The order processers below are considered approved upon signing the Agreement:

Name of the order processor:

Microsoft Corporation

Subject of performance:

Microsoft Azure data centres that InLoox hires for internal use, e.g. for administration, development, support and marketing

Company head office and country:

One Microsoft Way, Redmond, Washington 98052, USA

Appropriate protection level (Art. 44 et seqq. GDPR):

Standard data protection clauses (Art. 46 (2)(c) and (d) GDPR):

Technical and organisational measures:

See Appendix 1, Section “B. Subcontractors”, “1. Microsoft Corporation”

Name of the order processor:

Microsoft Ireland Operations Limited Subject of performance:

Microsoft Cloud Germany data centres that InLoox hires within the framework of InLoox now!

Company head office and country:

One Microsoft Place, South County Business Park, Leopardstown, Dublin, D18 P521, Ireland

Data processing location:

EU only

Technical and organisational measures:

See Appendix 1, Section “B. Subcontractors”, “1. Microsoft Corporation”

Name of the order processor:

SendGrid Inc.

Subject of performance:

E-mail notifications from InLoox now! to users stored in the project platform about actions of other users, as well as e-mail notifications from InLoox support and other administrative systems, such as the InLoox Online Store.

Company head office and country:

1801 California St., Suite 500, Denver, Colorado 80202, USA

Appropriate protection level (Art. 44 et seqq. GDPR):

Adequacy decision of the Commission (Art. 45(3) GDPR) via the EU-U.S. Privacy Shield

Technical and organisational measures:

See Appendix 1, Section “B. Subcontractors”, “2. SendGrid Inc.”

Name of the order processor:

Freshworks Inc.

Subject of performance:

Customer support requests

Company head office and country:

1250 Bayhill Drive, Suite 315, San Bruno, CA 94066, USA

Appropriate protection level (Art. 44 et seqq. GDPR):

Adequacy decision of the Commission (Art. 45(3) GDPR) via the EU-U.S. Privacy Shield and agreed standard contractual clauses

Technical and organisational measures:

See Appendix 1, Section “B. Subcontractors”, “3. Freshworks Inc.”


InLoox, Inc.

InLoox, Inc. Master Subscription Services Agreement


This Master Subscription Services Agreement (“Agreement”) is between InLoox Inc., a Delaware corporation (InLoox), and the entity or individual agreeing to these terms (Customer).

1) ONLINE SUBSCRIPTION SERVICES. This Agreement provides Customer access to a proprietary web-based subscription service, as specified on the order. Details of the available InLoox services are located at:

InLoox will provide this functionality through within a hosted server environment under the terms below (Service) and through InLoox software that acts as the interface to the Service (this software will be contracted for under an End User License Agreement provided as part of the installation of that software). This Agreement contemplates one or more orders for the Services, which orders are governed by the terms of this Agreement and will describe the Services ordered in more detail (these orders may be provided electronically online or via written order forms). 


a) Trial Period and Beta Program. If Customer has registered for a trial or beta use of the Services, Customer may access the Services for a 30-day time period free of charge. The Service is provided AS IS, with no warranty during this time period. For trial accounts, the Customer data will be deleted after the trial period (unless Customer converts its account to the paid Service). For beta accounts, the account and Customer data will be deleted after the beta period.

b) Customer support. The Customer can choose to nominate one of InLoox’s distribution partners as a supporter of the Customer´s account within 30 days following the conclusion of this Agreement for initial purchase of Online Services (hereinafter referred to as “Initial Purchase”). In the event of nomination of one of InLoox’s distribution partners, the distribution partner has to provide Customer with free of charge first level support during the term of this Agreement. For the details of support service please refer to distribution partner’s terms and conditions. Customer information will be provided to the distribution partner only with regard to accounting purposes. For further details with respect to InLoox’s privacy policy, please refer to our privacy policy and to the notice given with the process of nomination.

c) InLoox Responsibilities. InLoox must (i) use commercially reasonable efforts to make the Services available, except for scheduled outages, unavailability caused by force majeure or Customer technology issues, and (ii) provide customer support for the Services as further detailed at:

d) Customer Responsibilities. Customer (i) is solely responsible for Customer Data, (ii) must use commercially reasonable efforts to prevent unauthorized access to the Services, and notify InLoox promptly of any such unauthorized access, and (iii) may use the Services only in accordance with its user guide and applicable law.

Customer may not (i) sell, resell, rent or lease the Services, (ii) use the Services to store or transmit infringing, unsolicited marketing emails, libelous, or otherwise unlawful or tortious material, or to store or transmit material in violation of third-party rights, (iii) interfere with or disrupt the integrity or performance of the Services, or (iv) attempt to gain unauthorized access to the Services or their related systems or networks.

e) Customer Experience Improvement Program (CEIP). The InLoox software will automatically send anonymized usage statistics and error reports to InLoox. Customer can turn off this feature at any time. More information is located at:

3) PAYMENT TERMS. Customer must pay all fees (US$) with a credit card. If the credit card is not valid or the payment is not otherwise made, Customer must pay the amount owed upon receipt of an invoice. Customer is responsible for sales, use, VAT and other similar taxes. All fees may be changed on 30 days advance notice, unless otherwise described below. All amounts that are not paid within 30 days of receipt of an invoice will accrue late charges of the lesser of 1% per month, or the maximum rate permitted by law, from the original due date until the date InLoox receives payment.

a) Credit Card. Customer agrees to provide InLoox with updated credit card, and authorizes InLoox to charge Customer’s credit card for amounts owed InLoox. If 

then Customer must update its account with valid credit card information as soon as possible, but in no event later than 5 days. If the credit card number is revoked, disputed or not valid for any reason (including without limitation expiration of a credit card), InLoox may suspend or terminate Customer’s use of the Services upon notice to Customer via email (using the then current account email address in the Service). 



a) Definition of Confidential Information. Confidential Information means all non-public information disclosed by a party (Discloser) to the other party (Recipient), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure (Confidential Information). InLoox’s Confidential Information includes without limitation the Services.

b) Protection of Confidential Information. The Recipient must use the same degree of care that it uses to protect the confidentiality of its own confidential information (but in no event less than reasonable care) not to disclose or use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement. The Recipient must make commercially reasonable efforts to limit access to Confidential Information of Discloser to those of its employees and contractors who need such access for purposes consistent with this Agreement and who have signed confidentiality agreements with Recipient no less restrictive than the confidentiality terms of this Agreement.

c) Exclusions. Confidential Information excludes information that: (i) is or becomes generally known to the public without breach of any obligation owed to Discloser, (ii) was known to the Recipient prior to its disclosure by the Discloser without breach of any obligation owed to the Discloser, (iii) is received from a third party without breach of any obligation owed to Discloser, or (iv) was independently developed by the Recipient without use or access to the Confidential Information. The Recipient may disclose Confidential Information to the extent required by law, but will attempt to provide Discloser with advance notice to seek a protective order.


a) Reservation of Rights by InLoox. The software, workflow processes, user interface, designs, know-how and other technologies provided by InLoox as part of the Services are the proprietary property of InLoox and its licensors, and all right, title and interest in and to such items, including all associated intellectual property rights, remain only with InLoox. InLoox reserves all rights unless expressly granted in this Agreement.

b) Customer Restrictions. Customer may not

  1. Use the Services or the Licensed Documentation (defined below) beyond its internal operations;
  2. Reverse engineer the Services or the Licensed Documentation;
  3. Remove or modify any proprietary marking or restrictive legends in the Service and Licensed Documentation; or
  4. Access the Service to build a competitive product or service, or copy any feature, function or graphic of the Service for competitive purposes.

c) Customer Data. All data uploaded by Customer remains the sole property of Customer, as between InLoox and Customer (Customer Data), subject to the other terms of this Agreement. Customer grants InLoox a non-exclusive term license to use the Customer Data for purposes of InLoox performing under this Agreement. During the term of this Agreement, Customer may download its Customer Data from the Services, and select the location where its Customer Data will be stored. 

d) Licensed Documentation. The Services user guide, sample data, marketing materials, training material and other material provided through the Services or by InLoox, are licensed to Customer as follows: InLoox grants Customer a non-exclusive, license for the duration of the Services to such material for Customer’s internal use solely with the Services, with the right to make additional copies of the material for such duration and purpose (Licensed Documentation). 





a) Term. This Agreement continues until all orders are terminated (Term).


c) Mutual Termination for Material Breach. If either party is in breach of any material term of this Agreement, the other party may terminate this Agreement by providing the other party with a written 30-day notice. Upon receipt of the 30-day notice by either party, the recipient may have to opportunity to cure the breach. In the event that the breach is not cured within the 30-day notice period, this Agreement shall be considered terminated. 

  1. Actions upon Termination.
    1. Upon any termination as provided in 8(c) above by Customer, InLoox must refund any prepaid and unused fees covering the remainder of the Term.
    2. Upon any termination as provided in 8(c) above by InLoox, Customer must pay any unpaid fees, and destroy all InLoox property in customer’s possession. The Services will also be terminated. Customer upon request will confirm that it has complied with these requirements.

d) Return of Customer Data. 

e) Suspension of Service for Violations of Law. InLoox may immediately suspend the Services and remove applicable Customer Data, if it in good faith believes that, as part of using the Services, Customer may be in violation of any applicable federal or state laws. InLoox may try to contact Customer in advance, but it is not required to do so.


a) Defense of Third Party Infringement Claims by InLoox. InLoox will defend or settle any third party claims against Customer alleging that the Service (other than related to the Customer Data) violates a copyright, patent, trademark or other intellectual property right, if Customer:

InLoox will pay infringement claim defense costs, and InLoox negotiated settlement amounts, and court awarded damages.

Remedies. If such a claim appears likely, then InLoox may modify the Service, procure the necessary rights, or replace it with the functional equivalent. If InLoox determines that none of these are reasonable available, then InLoox may terminate the Service and refund any prepaid and unused fees.

Exclusions. InLoox has no obligation for any claim arising from:

b) By Customer. Customer must indemnify, defend, and hold harmless InLoox against all third-party claims (including without limitation by governmental agencies), demands, damages, costs, penalties, fines, and expenses (including reasonable attorneys’ fees and costs) arising out of or related to:



a) Money Damages Insufficient. Any breach by a party of this Agreement or violation of the other party’s intellectual property rights could cause irreparable injury or harm to the other party. The other party may seek a court order to stop any breach or avoid any future breach.

b) Entire Agreement and Changes. This Agreement and the order constitute the entire agreement between the parties, and supersede all prior or contemporaneous negotiations, agreements and representations, whether oral or written, related to this subject matter. No modification or waiver of any term of this Agreement is effective unless both parties sign it.

c) No Assignment. Neither party may assign or transfer this Agreement or an order to a third party, except that this Agreement with all orders may be assigned as part of a merger, or sale of all or substantially all of the business or assets, of a party.

d) Independent Contractors. The parties are independent contractors with respect to each other.

e) Enforceability. If any term of this Agreement is invalid or unenforceable, the other terms remain in effect.

f) No Additional Terms. InLoox rejects additional or conflicting terms of any Customer form-purchasing document.

g) Order of Precedence. If there is an inconsistency between this Agreement and an order, the order prevails.

h) Survival of Terms and Force Majeure. Any terms that by their nature survive termination or expiration of this Agreement, will survive. Neither party is liable for force majeure events.

i) CISG Not Apply. The Convention on Contracts for the International Sale of Goods does not apply.

j) Customer Name. InLoox may use Customer’s name and logo in customer lists and related promotional materials describing Customer as a customer of InLoox, which use must be in accordance with Customer’s trademark guidelines and policies.

Date: 2017-02-14