Logo of mailfino, the newsletter & form builder
Login

Terms & Conditions

General Terms and Conditions of 4OfficeAutomation GmbH for the provision of mynewsletter.rocks.

§ 1 Subject matter of the contract

The following agreements regulate the framework conditions for the provision of access to the functionalities of the Software-as-a-Service (SaaS) solution "mailfino" from 4OfficeAutomation GmbH (hereinafter referred to as 4OA) described in more detail below. This solution is ordered by means of individual orders (also possible by e-mail) in accordance with this framework agreement.

§2 Rights and obligations

Rights and obligations of 4OA

  1. 4OA provides the "mailfino" service platform. This is a technical, internet-based platform for sending e-mails, which is operated on one or more servers provided by 4OA in Germany. In addition, functions for creating e-mails, managing users and compiling statistics are integrated. The service is also referred to below as the "service".
  2. 4OA is solely the transmitter of e-mails and is not responsible for the content of the e-mails sent via the service. 4OA carries out multiple delivery attempts for all e-mails to be sent. However, due to the lack of influence on the behavior of recipients and recipient servers, no guarantee can be given for successful delivery.
  3. 4OA shall maintain "mailfino" for the entire term of the contract. There is no entitlement to specific extensions or additions to the software. The usability of the software shall be ensured in accordance with the service description (through maintenance and care of the software as well as through the provision of new software versions) with an availability of 98%.


Rights and obligations of the customer

  1. For a fee, 4OA grants the customer the non-exclusive right, limited in time to the term of this contract, to access "mailfino" in the current version via the Internet and to use the associated functionalities in accordance with this contract. The provision of the customer's access to the Internet is expressly not part of the service.
  2. The customer must have agreed to the rules of participation (Appendix A), which form part of this contract, in order to be allowed to use the service. 4OA is entitled to refuse or discontinue the provision of the service immediately and without prior notice to customers who violate or have violated the rules of participation.
  3. The customer shall treat the usage and access authorizations assigned to him or the users as well as identification and authentication safeguards confidentially and ensure that no unauthorized person gains knowledge of them or can use them. As soon as the Customer becomes aware that the latter has occurred, he shall inform 4OA of this immediately in text form.
  4. The customer shall ensure that all industrial property rights and copyrights are observed (e.g. when transferring third-party texts and data to the server).
  5. The customer shall not use "maifino" improperly or allow it to be used improperly, and in particular shall not transmit any information offers with illegal or immoral content.
 

§3 Remuneration

  1. The remuneration to be paid by the customer corresponds to the current version of the price list available at mailfino.com, which is an integral part of this contract.
  2. If the maximum number of permitted e-mails is changed during the term, the resulting change in remuneration is due from the date of the change.
  3. The contractually agreed remuneration is to be paid in advance for the next agreed contractual period. The remuneration for the first period shall be paid upon receipt of the respective individual order. Unless otherwise agreed, the amount shall be debited by 4OA by direct debit from the customer's account or credit card by our payment processor Stripe. For failed or returned direct debits, 4OA will charge a processing fee of €50 each.
  4. The applicable value added tax shall be added to the remuneration to be charged.
  5. 4OA is entitled to block access to "mailfino" while the customer is in default of payment. Return debit costs for unpaid direct debits shall be borne by the customer. In the event of late payment, interest shall be charged on outstanding receivables at a rate of 3% p.a. above the respective ECB discount rate. The costs of any dunning procedure shall be charged to the user.
  6. Neither the discontinuation of the service nor a delay in payment shall mean the termination of the contract.
  7. If the customer meets his payment obligations in full, 4OA shall resume the service within one working day.


§4 Contract term and termination

  1. Unless otherwise agreed, the minimum term of this framework agreement is 1 calendar year from the date of conclusion of the contract (date of order). Thereafter, the contract can be terminated by the customer or 4OA with a notice period of 30 days to the end of the term. 
  2. The right to extraordinary termination for good cause remains unaffected. Good cause shall be deemed to exist in particular if one or more material agreements are not complied with by one of the parties and, following a written request for rectification, this has not taken place within a period of 14 days and the non-culpability has not been sufficiently proven. 4OA shall also be entitled to extraordinary grounds for termination in the event of a delay in payment of more than 1 month.
  3. In the event of an increase in the usage fee in accordance with the price list, the customer has a special right of termination within 14 days of receipt of the invoice.
  4. Any termination must be in text form.


§5 Data protection

  1. 4OA usually stores the following data for one year when the service is used:
    1. The content of the e-mail.
    2. The IP address of the customer at the time a mailing is sent.
    3. The list of recipients including all personalization data.
    4. The shipping results
    5. Statistics, in particular statistics on clicks, openings and unsubscribes.
    6. All data generated when filling in and sending forms provided by 4OA, e.g. in the case of a double opt-in, is stored permanently
    7. Data of persons who use mechanisms provided by 4OA to unsubscribe from future mailings are stored permanently
  2. The Customer acknowledges that the confidentiality of his data can only be guaranteed if he treats the access data provided to him confidentially and does not pass it on to third parties, and does not grant third parties access to his system. Should the data be lost or should the customer become aware that unauthorized persons could possibly have knowledge of this data, the customer must inform 4OA immediately so that 4OA can prevent the unauthorized use.
  3. For the purposes of technical analysis and troubleshooting, 4OA has the right to access the customer's data, even without informing the customer.
  4. 4OA undertakes to guarantee data protection in accordance with the Federal Data Protection Act and not to pass on the customer's data to third parties or use it for purposes not defined in this contract.
  5. An order processing agreement has been concluded between 4OA and the customer (Annex B), which forms part of this contract.


§6 Severability clause

Should a provision of this contract be or become invalid in whole or in part, this shall not affect the validity of the remaining provisions. The parties undertake to replace an invalid provision with a provision that comes as close as possible to the invalid provision.

§7 Miscellaneous

  • The place of jurisdiction is the city of Hanover in the Federal Republic of Germany.
  • This contract is subject to the law of the Federal Republic of Germany to the exclusion of the UN Convention on Contracts for the International Sale of Goods.
  • Changes must be made in text form.


Attachments

The following annexes are part of the contract:

  1. Rules of participation
  2. Order processing
  3. TOMs

A. Rules of participation

1. responsibility
 
(1) The creator and sender, hereinafter referred to as the "user", is solely responsible for the content of the e-mails. 
 
(2) The sender is responsible for ensuring that the e-mails are sent lawfully and, in particular, that the content of the e-mails sent does not contravene legal prohibitions and requirements.
 
(3) The user must take note of the fact that the sending of e-mails may be subject to the legal systems of the respective countries in which the recipient has its registered office or place of residence and undertakes to observe the laws and regulations applicable in the same countries, i.e. it may not send any e-mails that violate such legal rights or regulations.
 
2. consent
 

(1) The user undertakes to only send emails to recipients who have given their consent (see Art. 7 GDPR). The recipient's consent must be documented and provided to 4OA on request. This consent must meet the following requirements in particular

a. Consent must be given actively and separately. The addressee must either click/check a box or make a similarly clear declaration of consent. This declaration may only relate to advertising and may not be part of other declarations (e.g. consent to general terms and conditions or general data protection provisions).
b. Consent must have been given for the specific case and in an informed manner. The beneficiary of the consent must be specifically named. The sectors and areas to be advertised must also be clearly and comprehensibly stated.
c. The consent of minors is only valid if they have reached the age of 16 or if their legal guardians have given their consent.
d. When consent is obtained, it must be clearly stated that consent can be withdrawn at any time with effect for the future. The notice must contain information on how and to whom consent can be withdrawn. The possibility of revocation must not be more complicated than the granting of consent. The revocation must be implemented within five working days at the latest.
 

(2) By way of exception, emails may also be sent to customers without an explicit opt-in (see 2.1.) under the following conditions:

a. existing customer relationship (existence of an exchange contract for consideration),
b. Direct advertising for own similar products or services,
c. Information on the possibility to object at any time (for the collection and any use of the e-mail address) without incurring any costs other than transmission costs according to the basic rates, and
d. no objection is raised.
 
(3) When using e-mail addresses that the user or his customers have acquired from third parties, the following applies:
a. The user or their customer must ensure that they have given their consent (see section 2.2) before advertising is carried out. This consent must also explicitly refer to the user or their customer.
b. When collecting the data, it must have been easy and clear for the recipient to take note of the list of beneficiary companies.
c. The number of companies or persons for whom the address data was collected was reduced to a level that excludes the forwarding of user data to a disproportionately large group of third parties. The number must allow the user to easily understand the scope and extent of their consent and to easily check the lawful handling of their data
d. To clarify, it should be noted that the companies for which the address data is generated may not pass this address data on to third parties without obtaining separate consent from the user.
 
(4) At the request of 4OA, the user must explain how the e-mail addresses of recipients have been collected. 
 
(5) The sending of spam emails is not permitted.
 
(6) The user acknowledges that, due to legal obligations, e-mail addresses to which no e-mails can be permanently delivered due to a so-called hard bounce will be placed on a blacklist by 4OA and excluded from future delivery attempts. The same applies to the e-mail addresses of recipients from whom complaints have been received.
 
3. e-mail requirements
 
(1) Every business e-mail sent must contain an easily recognizable imprint as full text. The imprint must contain the following information:
a. the name and address at which the client is established, in the case of legal entities additionally the legal form, the commercial register, register of associations, partnership register or register of cooperatives in which they are entered and the corresponding register number,
b. Contact information, but at least a valid telephone number or an electronic contact form, as well as an e-mail address and imprint with the name and company name of the user and complete contact information (see §5 paragraph 1 TMG),
c. a VAT identification number or a business identification number, if available.
Further information obligations under national laws remain unaffected.
(2) It must be indicated in every e-mail that the sending of further e-mails can be canceled (opt-out). It must always be possible for the recipient to unsubscribe from e-mails without knowledge of access data (e.g. login and password).
 
(3) Neither the sender nor the commercial nature of the message may be disguised or concealed in the header and subject line of the email. Disguising or concealing is deemed to occur if the header and subject line are intentionally designed in such a way that the recipient receives no or misleading information about the actual identity of the sender or the commercial nature of the message before viewing the content of the communication.
 
(4) E-mails containing any of the following content may not be sent:
a. Offers or links to offers that are prohibited by law in the European Union or the country of the addressee, such as illegal software, cracks, pirated copies, MP3s, DVDs, illegal narcotics.
b. Radical, fraudulent, racist, offensive, pornographic, defamatory, violence-glorifying or otherwise immoral content. 
c. Demonstrably dubious offers, in particular those that violate the law against unfair competition. 
d. Content that violates the provisions of the Youth Protection Act. 
e. Intentionally misleading content, such as a misleading sender or subject line, which is intended to disguise the content or origin of an email. 
f. Viruses, scripts or similar potentially dangerous content.
 
(5) For the provision of images, file attachments and for the creation of e-mails and the import of addresses, it is possible for the user to upload files to the 4OA server. The user assumes full responsibility and liability for all data that he uploads to the server and undertakes not to upload any data to a 4OA server that 
a. Contain viruses
b. Infringement of copyright
c. Other illegal, immoral content or content that jeopardizes the service.
 
(6) 4OA reserves the right to randomly check the content of e-mails that have been or are to be sent using the software. 
 
4. violations
 
(1) Users who violate one or more participation rules may be immediately and without prior notice temporarily or permanently excluded from using the service. 
 
(2) In the event of complaints, 4OA shall be entitled to prevent the user from sending further e-mails without prior notice and to block the user account at its own discretion, if necessary for a fee. 
 
(3) If a user is excluded from using the service due to a breach of the conditions of participation, there is no entitlement to a refund of fees already paid.
 
(4) If the sending of a mailing by the user demonstrably results in the blocking of one or more IP addresses or domains of 4OA or the inclusion of one or more IP addresses or domains of 4OA in so-called blacklists, 4OA shall be entitled to charge the current hourly rate to rectify the situation and, if necessary, to demand compensation.
 
5. data storage
 
(1) 4OA has the right to store the user's IP addresses each time an e-mail is sent, usually for a period of one year.
 
(2) 4OA stores the following data for the use of the service, usually for one year:
a. The content of the e-mail.
b. The IP address of the user at the time a mailing is sent.
c. The list of recipients including all personalization data.
d. The shipping results
e. Statistics, in particular also statistics on clicks, openings and unsubscribes
 
(3) Data from unsubscriptions and complaints (recipient's e-mail address, date, IP, user ID) are usually stored permanently in order to comply with the legal provisions of the GDPR (in particular Art. 7 3).
 
(4) The user acknowledges that the confidentiality of his data can only be guaranteed if he treats the access data provided to him confidentially and does not pass it on to third parties, and does not grant third parties access to his system. Should the data be lost or should the user become aware that unauthorized persons could possibly have knowledge of this data, the user must inform 4OA immediately so that 4OA can prevent the unauthorized use. 
 
(5) For the purposes of technical analysis and troubleshooting, 4OA has the right to inspect the user's data, even without informing the user. 
 
(6) 4OA undertakes to guarantee data protection within the meaning of the Federal Data Protection Act and not to pass on the User's data to third parties or use it for purposes not defined in this contract.  
 

B. Order processing

Order processing according to Art. 28 AB. 3 GDPR

Between the customer (address) (Client) vis-à-vis 4OfficeAutomation GmbH, Schlägelweg 46a, 31275 Lehrte, HRB 203395, Hildesheim Local Court (Contractor)

1. object and duration of the order

The subject matter of the data handling order includes the creation of e-mail newsletters and their transmission to named recipient addresses, in each case to the extent specified by the client. The duration of this order (term) corresponds to the term of the service agreement.

2. nature and purpose of the intended processing of personal data

  • The data to be processed includes, in particular, lists of recipients of an e-mail newsletter and associated personalization data to an extent determined by the client at its own discretion, as well as log data generated by processing the order.
  • The provision of the contractually agreed data processing shall take place exclusively in a member state of the European Union or in another state party to the Agreement on the European Economic Area. Any relocation to a third country requires the prior consent of the client and may only take place if the special requirements of Art. 44 et seq. GDPR are fulfilled.


3. technical and organizational measures

  • The Contractor shall document the implementation of the technical and organizational measures set out and required prior to the award of the contract before the start of processing, in particular with regard to the specific execution of the contract, and submit them to the Client for review. If accepted by the client, the documented measures shall form the basis of the order. If the client's review/audit reveals a need for adjustment, this must be implemented by mutual agreement.
  • The contractor must establish security in accordance with Art. 28 para. 3 lit. c, 32 GDPR, in particular in conjunction with Art. 5 para. 1, para. 2 GDPR. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the nature, scope and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 para. 1 GDPR must be taken into account.
  • The technical and organizational measures are subject to technical progress and further development. In this respect, the contractor is permitted to implement alternative adequate measures. In doing so, the security level of the specified measures must not be undercut. Significant changes must be documented.


4. rectification, restriction and erasure of data

  • The Contractor may not rectify, erase or restrict the processing of data processed on behalf of the Client without authorization, but only in accordance with documented instructions from the Client. If a data subject contacts the Contractor directly in this regard, the Contractor shall forward this request to the Client without delay.
  • If included in the scope of services, the deletion concept, right to be forgotten, rectification, data portability and information shall be ensured directly by the contractor in accordance with documented instructions from the client. Any costs incurred for this shall be borne by the client.


5. quality assurance and other obligations of the contractor

In addition to complying with the provisions of this contract, the Contractor has legal obligations pursuant to Art. 28 to 33 GDPR; in this respect, the Contractor guarantees compliance with the following requirements in particular:

  • Data Protection Officer The contractor is not obliged to appoint a data protection officer. Mr. Johannes Vorwerk, Managing Director, 05132/946 7012 jvorwerk@mynewsletter.rocks is designated as the contact person at the Contractor.
  • Confidentiality Maintaining confidentiality in accordance with Art. 28 para. 3 sentence 2 lit. b, 29, 32 para. 4 GDPR. When carrying out the work, the Contractor shall only use employees who have been obliged to maintain confidentiality and who have previously been familiarized with the data protection provisions relevant to them. The Contractor and any person subordinate to the Contractor who has access to personal data may only process this data in accordance with the instructions of the Client, including the powers granted in this contract, unless they are legally obliged to process it.
  • The implementation of and compliance with all technical and organizational measures required for this order in accordance with Art. 28 para. 3 sentence 2 lit. c, 32 GDPR [details in Annex 1]
  • The Client and the Contractor shall cooperate with the supervisory authority in the performance of their tasks upon request.
  • Immediate information of the client about control actions and measures of the supervisory authority, insofar as they relate to this order. This also applies if a competent authority is investigating the processing of personal data in the context of administrative offense or criminal proceedings relating to the processing of personal data by the contractor.
  • If the Client is subject to an inspection by the supervisory authority, administrative offense or criminal proceedings, a liability claim by a data subject or a third party or any other claim in connection with the commissioned processing at the Contractor, the Contractor shall support the Client to the best of its ability. Any costs incurred for this shall be borne by the Client.
  • The Contractor shall regularly monitor the internal processes and the technical and organizational measures to ensure that the processing in its area of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the protection of the rights of the data subject is guaranteed.


6. subcontracting relationships

  • Subcontracting relationships within the meaning of this provision are those services that are directly related to the provision of the main service. This does not include ancillary services which the Contractor uses, e.g. as telecommunications or hosting services, postal/transport services, maintenance and user service or the disposal of data carriers as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, the Contractor is obliged to take appropriate and legally compliant contractual agreements and control measures to ensure the data protection and data security of the Client's data, even in the case of outsourced ancillary services.
  • The Contractor may only commission subcontractors (other processors) with the prior express written or documented consent of the Client.
  • The transfer of personal data of the client to the subcontractor and the subcontractor's initial activities are only permitted once all requirements for subcontracting have been met.
  • If the subcontractor provides the agreed service outside the EU/EEA, the Contractor shall ensure the admissibility under data protection law by taking appropriate measures. The same applies if service providers within the meaning of para. 1 sentence 2 are to be used.
  • Further outsourcing by the subcontractor is not permitted.


7. control rights of the client

  • The Client has the right to carry out inspections in consultation with the Contractor or to have them carried out by inspectors to be named in individual cases. It shall have the right to satisfy itself of the Contractor's compliance with this Agreement in its business operations by means of spot checks, which must generally be notified in good time.
  • The Contractor shall ensure that the Client can satisfy itself of the Contractor's compliance with its obligations under Art. 28 GDPR. The Contractor undertakes to provide the Client with the necessary information upon request and, in particular, to provide evidence of the implementation of the technical and organizational measures.
  • Proof of such measures, which do not only concern the specific order, can be provided by
    • compliance with approved codes of conduct pursuant to Art. 40 GDPR;
    • certification in accordance with an approved certification procedure pursuant to Art. 42 GDPR; current certificates, reports or report extracts from independent bodies (e.g. auditors, internal audit, data protection officer, IT security department, data protection auditors, quality auditors);
    • suitable certification through an IT security or data protection audit (e.g. in accordance with BSI basic protection).
  • The Contractor may claim remuneration for enabling the Client to carry out inspections.


8. notification of violations by the contractor

  • The Contractor shall support the Client in complying with the obligations set out in Articles 32 to 36 of the GDPR regarding the security of personal data, reporting obligations in the event of data breaches, data protection impact assessments and prior consultations. This includes, among other things
    1. ensuring an adequate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing as well as the predicted probability and severity of a possible infringement through security breaches and enable the immediate detection of relevant infringement events.
    2. the obligation to report personal data breaches to the client without delay
    3. the obligation to support the client in the context of its duty to inform the data subject and to provide it with all relevant information in this context without delay
    4. Supporting the client for its data protection impact assessment
    5. supporting the client in the context of prior consultations with the supervisory authority
  • The Contractor may claim remuneration for support services that are not included in the service description or are attributable to misconduct on the part of the Contractor.


9. authority of the client to issue instructions

  • The client shall confirm verbal instructions without delay (at least in text form).
  • The Contractor must inform the Client immediately if it is of the opinion that an instruction violates data protection regulations. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Client.

 
10. deletion and return of personal data

  • Copies or duplicates of the data are not created without the knowledge of the client. Excluded from this are backup copies, insofar as they are necessary to ensure proper data processing, as well as data required to comply with statutory retention obligations.
  • After completion of the contractually agreed work or earlier at the request of the Client - at the latest upon termination of the service agreement - the Contractor shall hand over to the Client all documents, processing and usage results and data pertaining to the contractual relationship that have come into its possession or, with prior consent, destroy them in accordance with data protection regulations. The same applies to test and scrap material. The deletion log must be submitted on request.
  • Documentation that serves as proof of proper data processing in accordance with the order shall be retained by the Contractor beyond the end of the contract in accordance with the respective retention periods. The Contractor may hand them over to the Client at the end of the contract in order to discharge the Client.

C. Technical and organizational data security measures

Description of the technical and organizational data security measures in accordance with Art. 32 GDPRfor the "mynewsletter.rocks" service of 4OfficeAutomation GmbH

4OfficeAutomation GmbH (hereinafter referred to as "Provider") takes the following technical and organizational measures to ensure the protection of customer data:

1. encryption of personal data

  • HTTPS encryption in web communication (data-at-transport)


2. ability to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services related to the processing

  • Access to systems only with individual user names and passwords
  • Authorized persons can only access data authorized for them
  • Stored personal data can only be read, copied, changed or removed within the scope of the authorization concept
  • Use of continuously updated virus protection software
  • Protection of e-mail traffic against viruses and spam
  • Firewall systems
  • Use of tested software
  • Separation of the production environment from the test and development environment
  • Obligation of employees to maintain data secrecy
  • Air conditioning in server rooms
  • High password security
  • No access for unauthorized persons to the data processing systems of the data center
  • Access to business premises controlled by employees during business hours
  • Visitors to the data centers are accompanied
  • Definition of authorized persons in lists for the sensitive areas of the data centers
  • Defined group of authorized users
  • Secure deletion of data carriers
  • Ban on the use of private data carriers
  • Reception staffed during business hours
  • Fire protection devices 


3. the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident

  • Double or multiple provision of all components during data processing (e.g. data backup and mirroring of hardware components)
  • Data backup and recovery concept
  • Personal data is always available and protected against accidental destruction or loss through regular backups
  • Backup copies
  • Uninterruptible power supply
  • Redundant power supplies
  • Monitoring and reporting systems


4. procedures for the regular review, assessment and evaluation of the effectiveness of the technical and organizational measures to ensure the processing

  • Regular review of whether / to what extent access rights are still required
  • Incident response management
  • Order control for order processing
  • Implementation of necessary adaptation measures

As at 20.05.2022

CSA Logo

Helpdesk & FAQ

In our helpdesk you will find answers to numerous questions about mailfino. If the answer to your question is not there, send us a ticket and we will take care of it as quickly as possible.

Helpdesk >

Phone Support

05132/946 7012
Monday to Friday between
11:00 AM and 1:00 PM and 3 PM to 5 PM.

Call Now

Copyright (c) 2024 by 4OfficeAutomation GmbH

Cookie Consent with Real Cookie Banner