Main Services Agreement
Last Updated 1st November 2023
Preamble
Choco Communications UK Limited (“Choco”) operates a cloud-based order management and communication platform for suppliers and buyers (restaurants) in the food industry (the "Cloud Service"). Choco further offers professional services in connection with the use of the Cloud Service, such as onboarding and integration services (the “Professional Services”). Together with the Free Services (as defined below), the Cloud Service and the Professional Services collectively referred to as the “Services”.
This Main Services Agreement (“MSA”) governs the provision and use of the Services. Supplier agrees to be bound by the MSA by executing an Order Form with Choco referencing this MSA or by accessing or making use of the Free Services. Capitalised terms not otherwise defined in the MSA will have the respective meanings assigned to them elsewhere in the Agreement.
THEREFORE, in consideration of the foregoing, Choco and Supplier (hereinafter each a "Party" and collectively the "Parties") agree as follows:
1 Scope of the Services
1.1 Access to Cloud Service. Choco hereby grants Supplier a non-exclusive, non-transferable, non-sublicensable right to access and use the Cloud Service during the term of the Agreement, solely for its own business operations and in accordance with the terms and conditions of the Agreement. Supplier is responsible for arranging the necessary equipment and the Internet connection to be able to use the Cloud Service. Supplier will have no right to any specific design or specific functionalities beyond the scope of the Cloud Service agreed in the Order Form.
1.2 Professional Services. Parties may agree on provision of Professional Services in the Order Form or elsewhere in writing, which shall be governed by this Agreement. While providing Professional Services, Choco may create deliverables for Supplier (the “Choco Deliverables”). Choco hereby grants Supplier a non-exclusive, non-transferable, non-sublicensable right to use the Choco Deliverables during the term of the Agreement and in accordance with the terms and conditions thereof. Supplier shall not make any modifications or use the Choco Deliverables for any other purposes than achieving the purpose of the Agreement without prior written approval of Choco.
1.3 Free Services. Choco may offer certain Cloud Services free of charge, such as trial periods, beta versions or delivery of orders from the restaurants using the Cloud Service in a digital form (the “Free Services”). An entity benefiting from the Free Services shall be deemed as a Supplier and shall be subject to the terms of the Agreement governing use of the Cloud Service as long as it benefits from the Free Services. Supplier acknowledges that Choco reserves the right to modify or terminate Supplier’s access to the Free Services or any part thereof, at any time and for any reason in its sole discretion without any notice or liability to Supplier.Free Services are provided as-is and to the maximum extent permitted by applicable law, Choco shall not be liable for any damages, costs, expenses resulting from the use of the Free Services. To the extent such full exclusion of liability is not enforceable, Choco’s (including its legal representatives’, employees’, agents’ and Vicarious Agents’) aggregate liability shall be limited to £1000 (one thousand pounds). In the event of a conflict between this clause and the rest of the Agreement, this section shall take precedence.
1.4 Service Specific Terms. Some Services may be subject to additional terms specific to that Service (“Service Specific Terms”), such as Integration GTCs and Onboarding GTCs. Supplier agrees to be bound by the applicable Service Specific Terms by signing the Order Form or by accessing or using the Services covered by Service Specific Terms.
1.5 Availability. Choco will make commercially reasonable efforts to make the Cloud Service available 98% of the time, based on a monthly average. Excluded therefrom are necessary planned maintenance work as well as disruptions that are not within Choco’s sphere of influence (such as force majeure events, downtime that results from a third party’s equipment, software or technology or internet connectivity issues). If possible, Choco shall in a timely manner notify Supplier about planned maintenance work. Nevertheless, Choco expressly reserves the right to carry out unannounced maintenance work, if necessary, particularly where this is required for data and operational security.
1.6 Modifications. Choco reserves the right to enhance, change or discontinue any and all features of the Cloud Service, or introduce new features or Services at any time. If any such changes materially limit the features of the Cloud Service, Choco shall provide Supplier with advanced notice thereof. Supplier's continued use of the Cloud Service after being notified constitutes acceptance of those changes. In case of an objection by Supplier before such changes enter into force, Choco may terminate the Agreement or offer Supplier a reasonable remedy at its own discretion.
1.7 Third Party Components. Certain components of the Cloud Service may be provided through third party services. Any such components that Supplier could recognize as being subject to third-party rights, including open-source licences, will be subject to applicable third party and open-source software licences. Above all, any components that Choco discloses as third-party content in the Agreement, in the Cloud Service or in any Choco policies will be deemed recognizable within the meaning of the previous sentence. Supplier agrees that availability of the Cloud Service or certain features may be dependent on the corresponding availability of the third-party services. Choco is not responsible for any interruptions or issues with the Cloud Service caused by the third-party components.
1.8 AI-powered Services. The Cloud Service may encompass functionalities that are powered by artificial intelligence (the “AI”). Supplier will retain ownership over the input it provides and the output generated by AI based on the input, both of which shall constitute Supplier Data (as defined below). Choco does not guarantee the accuracy, completeness and reliability of the output generated by AI and, to the extent permitted by law, disclaims all warranties and liability for such output. To the extent such full exclusion of liability is not enforceable, Choco’s (including its legal representatives’, employees’, agents’ and Vicarious Agents’) aggregate liability shall be limited to £1000 (one thousand pounds). Output generated by AI may not be unique to Supplier and it does not represent Choco’s views. Supplier undertakes to comply with the fair use policies of Choco’s third party service providers when using AI-powered functionalities, available here. In the event of a conflict between this section and the rest of the Agreement, this section shall take precedence.
2 Access and Use of Cloud Service
2.1 Authorised Users. The licence granted to Supplier is limited to its employees, agents or contractors who are authorised by Supplier to use the Services (the “Authorised Users”). Supplier is responsible for its Authorised Users’ compliance with the Agreement, including Choco’s policies on the use of the Cloud Service and for all of their acts and omissions. Supplier shall ensure that its Authorised Users keep the access data of their accounts confidential and shall inform Choco without undue delay if there is any suspicion that the access data may have become known to unauthorised persons. Supplier is solely responsible for all activities that occur under the accounts of its Authorised Users.
2.2 Use Restrictions. Supplier shall use the Cloud Services only for offering products that address food and hotel industry needs and comply with all laws applicable to its access and use of the Cloud Service. Supplier shall not (a) reproduce, copy, modify, adapt, or create derivative works, reverse engineer, decompile or engage in any action with the attempt to obtain the source code of the Cloud Service (except as permitted by mandatory law); (b) sublicense, sell, rent, distribute, transfer or provide a third party access to the Cloud Service or otherwise allow the use of the Cloud Service for the benefit of any third party; (c) engage in any conduct that interferes with or threatens the security, integrity or performance of the Cloud Service including any related systems; (d) send any malicious code (e.g., viruses, worms, Trojan horses or other malware) through Cloud Service; (e) attempt to interfere with or otherwise circumvent any security measures, authentication mechanisms or any functional restrictions on the Cloud Service intended to limit its use; (f) use the Cloud Service in order to build a product or service which competes with the Cloud Service; (g) use any software, devices, robots or any other means to scrape data from the Cloud Service; (h) use the Cloud Service for fraudulent purposes; (i) make unfair use of the Cloud Service or (j) use the Cloud Service to send unsolicited commercial communications.
2.3 The relationship with the Customers. Supplier is solely responsible for its use of the Cloud Service, such as for the contact it establishes with other companies, all communications sent via or in connection with the Cloud Service, the content and availability of the products and for the proper management of orders. By making the Cloud Service available, Choco merely provides the infrastructure for placing and managing orders and for communication. Choco itself will not directly or indirectly become a party to the relationship between Supplier and the restaurants who are placing orders from Supplier (the “Customer(s)”). Each order (individual sale and purchase of products) shall be concluded solely between Supplier and the relevant Customer. Choco will have no liability whatsoever with regard to the performance of those orders and shall not be a party to disputes of any kind between Supplier and its Customers (such as disputes relating to incorrect deliveries or late payments). Supplier is solely responsible for its relationship and communication with its Customers and with other users of the Cloud Service and for the proper management of orders.
2.4 Cooperation. Supplier shall cooperate with Choco in good faith and provide all necessary information as reasonably required by Choco for the proper performance of the Services in a timely manner. All information provided by Supplier shall be up-to-date, complete, and accurate, and Supplier shall notify Choco in writing in case of any changes. Choco will not be liable for any delays in the provision of the Services caused by Supplier’s failure to provide Choco with the required information or cooperation.
3 Supplier Data
3.1 Supplier Data. Supplier shall retain all right, title and interest in and to information, images, texts, data, files, Supplier Deliverables and other materials that is transmitted, submitted or otherwise made available by or on behalf of Supplier to Choco in the course of Supplier's access and use the Services (the "Supplier Data"). Supplier grants Choco a non-exclusive, royalty-free, perpetual and worldwide licence to collect, process, reproduce, modify, host, store, disclose, display and perform all necessary acts on the Supplier Data for the purposes of operating the Cloud Service and providing the Services to Supplier. In particular, Choco shall be entitled to collect and use the Supplier Data about Supplier’s use of the Cloud Service for internal research, security, analytics and reporting purposes and for developing and improving its Services. Choco shall retain all rights in the aggregated information derived from such practices and may use it at its own discretion during and after the term of this Agreement without being subject to any limitations (such as for distributing insights and reports), to the extent it does not identify Supplier, its Customers or any person. Choco may sublicense or transfer the rights granted herein to its Vicarious Agents for the purposes of this Agreement.
3.2 Supplier’s Warranties. Supplier warrants that (i) it owns or will obtain the necessary rights and permissions to share the Supplier Data with Choco and to authorise the use of the Supplier Data by Choco as contemplated in this Agreement; (ii) it will provide the required information notices and obtain necessary consents under data protection laws from the persons whose personal data may be included in the Supplier Data (such as its Authorised Users and its Customers’ employees) for sharing their data with Choco; (iii) the Supplier Data and its use by Choco as contemplated in this Agreement do not violate any third-party rights or applicable laws; (iv) the Supplier Data will not include any illegal, defamatory, inappropriate, offensive, hateful or violent content. Supplier shall solely be responsible for the Supplier Data and shall ensure its accuracy, integrity and reliability throughout the term of the Agreement.
3.3 Removal. Choco is not obliged to monitor the Supplier Data but reserves the right to do so at its own discretion. Choco may, without prior notice, remove or disable access to any Supplier Data (including the products offered via the Cloud Service) (i) if it violates the Agreement including Choco policies made available to Supplier, (ii) if it constitutes illegal content such as illegal hate speech, terrorist content, unlawful discriminatory content, or any content that the applicable laws render illegal or (iii) if it is likely to give rise to complaints by third parties or other Choco customers. Due account of the fundamental rights and freedoms and legitimate interests of all parties involved will be taken when making decisions about removal of the Supplier Data. Choco will comply with binding orders of courts and supervisory authorities to remove any illegal Supplier Data from the Cloud Service.
3.4 Backup. Choco will use commercially reasonable efforts to ensure integrity and availability of the Supplier Data. Notwithstanding the foregoing Supplier shall be solely responsible for the Supplier Data and shall take back-ups on a regular basis and commensurately with the risk.
3.5 Supplier Indemnity. Supplier shall indemnify and hold Choco, its employees, representatives, Vicarious Agents harmless from and against any claims, losses, liabilities, damages and expenses (including reasonable attorneys’ fees) asserted against them by a third party arising out of (i) Supplier's (including its Authorised Users’) use of the Services, (ii) the Supplier Data, (iii) performance of orders submitted to the Supplier, or (iv) Supplier’s (including its Authorised Users’) violation of applicable laws. Choco shall notify Supplier without undue delay about any claims asserted by third parties and shall, upon request, provide the information and documents required for the defence. Moreover, Choco at its own discretion will either surrender the right of defence to Supplier or undertake such defence in consultation with Supplier. In particular, Choco shall neither acknowledge nor dispute any claims asserted by third parties without consulting with Supplier, except where Supplier has not responded to Choco's notification of the claim within a reasonable time period.
4 Fees and Commissions, Reporting, Payment
4.1 Fees. Supplier shall pay Choco the fees agreed to in the Order Form or elsewhere in writing for the provision of the Services (the “Fees”). Unless expressly indicated in the Order Form, the Fees consist of recurring monthly fees for the use of the Cloud Service (the “Monthly Fee”) and a one-time fee for Professional Services (the “Implementation Fees”). Parties may agree on a minimum monthly fee in the Order Form (the “Minimum Monthly Fee”). If the amount of Monthly Fee in a calendar month falls below the amount of the Minimum Monthly Fee, then Supplier shall pay Choco the Minimum Monthly Fee.
4.2 Payment. Unless expressly agreed otherwise in the Order Form, the Fees shall be invoiced monthly in arrears and all invoiced amounts shall be due within two weeks of the date on the invoice and paid by direct debit. In case of late payment, Choco reserves the right to charge interest on the overdue amount at a rate of 4% per annum above the Bank of England base rate but at the rate of 4% per annum for any period during which that base rate is below 0% (such interest being deemed to accrue from day to day and being compounded on the last day of each calendar month) from the due date to the date of actual payment.
4.3 Taxes. The Fees are exclusive of taxes and Supplier shall be responsible for the taxes associated with the purchase of the Services. The applicable value added tax or other applicable taxes will be charged at the statutory rate to Supplier.
4.4 Calculation of Monthly Fees. Supplier is aware that the Cloud Service transmits to Choco an evaluation of the orders transmitted to Supplier via the Cloud Service during a calendar month (the “Order Evaluation”) for the purpose of calculation the Monthly Fees. Monthly Fees shall be calculated in accordance with the method agreed in the Order Form and based on the Order Evaluation. Upon request, Supplier shall without undue delay provide Choco with any additional information and evidence necessary for calculating the Fees and verifying the accuracy of the information provided by Supplier. In case of a conflict between the information provided by Supplier and the Order Evaluation, the Order Evaluation shall take precedence and be used as a basis for calculation.
4.5 Audit. Choco is entitled to have the accuracy of the information provided by Supplier verified by an independent auditor, who shall be bound by confidentiality obligations and not be a competitor of Supplier. The audit may take place once each calendar quarter at Supplier's premises during Supplier's normal business hours. Choco shall give Supplier at least two (2) weeks' prior notice of any such audit. The auditor shall disclose audit findings to Choco to the extent that the findings deviate from the information provided by Supplier; otherwise, the auditor may confirm to Choco only the accuracy of the information provided by Supplier. Supplier shall be obligated to provide the auditor with all information and disclose all documents that are necessary for the performance of the reviews. If a review by the auditor reveals a deviation of more than 5% to the detriment of Choco, then Supplier shall bear the costs of the respective audit and the Fees shall be calculated based on amounts identified by the auditor; otherwise Choco shall bear the costs of the respective audit.
5 Intellectual Property
5.1 Reservation of Rights. Supplier acknowledges and agrees that Choco and/or its licensors own or otherwise have all the necessary intellectual property rights in the Cloud Service, Choco Deliverables and any improvements or modifications to the foregoing. Supplier does not have any rights in or to the Cloud Service and the Choco Deliverables, except for the limited express rights granted in this Agreement. The term Cloud Service includes any systems, programs, application programming interfaces or Integrations developed by or on behalf of Choco.
5.2 Feedback. Supplier allows Choco to use, copy, disclose and exploit any suggestions and other feedback provided by Supplier and its Authorised Users freely in order to improve and enhance the Services and for development of other services in any manner without any obligation, royalty, attribution or restriction based on intellectual property rights or otherwise.
5.3 Trademark License. Supplier grants Choco a non-exclusive, worldwide licence to use Supplier's trademarks for operating the Cloud Service and for the performance of the Agreement. Choco shall be specifically entitled to display the trademark on Supplier's supplier profile and to grant sublicenses to its Vicarious Agents to the extent necessary for the performance of the Agreement. Otherwise, the right of use may not be transferred or assigned.
5.4 Customer Reference. Choco may use Supplier’s name and logo in its marketing materials, presentations and similar communications to refer to Supplier as a customer. Supplier may revoke this consent any time by giving prior written notice.
6 Confidentiality
6.1 Duty of Confidentiality. The Parties undertake to keep confidential any information and documents of the disclosing party, which are either to be regarded as confidential due to the nature of the information or the circumstances of their disclosure or have been designated or marked as confidential by the disclosing party, such as business and/or trade secrets ("Confidential Information") and to use them exclusively for the purposes allowed under this Agreement. The technical components, documentation and the source code of the Cloud Service and the terms of the Order Form shall be considered as Confidential Information of Choco. The receiving party shall undertake reasonable technical and organisational measures to protect Confidential Information.
6.2 Disclosure of Confidential Information. The receiving party is entitled to disclose Confidential Information of the disclosing party solely (i) to its employees, contractors, Vicarious Agents or consultants on a need to know basis for the performance of this Agreement, provided that they are bound by the confidentiality obligations at least as protective as those contained herein, (ii) in a legal proceeding, (iii) where required by law, (iv) to third parties upon prior written approval of the disclosing party. "Affiliates" (meaning, in relation to a party, any: (i) subsidiary or holding company of that party; (ii) body corporate with an ultimate holding company in common with that party; and (iii) officer of that party or of such subsidiary, holding company or body corporate, and “subsidiary”, “holding company”, “body corporate” and “officer” shall have the meanings set out in sections 1159 and 1173 respectively of the Companies Act 2006) of the receiving party shall not be considered third parties and the receiving party may freely disclose Confidential Information to its Affiliates. When requests are made by judicial or administrative authorities relating to the disclosure of Confidential Information, the receiving party shall without undue delay notify the disclosing party thereof in writing, to the extent permitted by law.
6.3 Exclusions from Confidentiality. Confidential Information does not include information that (i) was already known to the receiving party prior to disclosure, (ii) is generally known or becomes known to public through no fault of the receiving party, (iii) is independently developed by the receiving party itself without access to the Confidential Information of the disclosing party or (iv) was brought to the attention of or shared with the receiving party by a bona fide third party authorised to do so.
6.4 Duration of Confidentiality. The duty of confidentiality shall commence upon gaining knowledge of the Confidential Information and will continue for the entire term of this Agreement. In addition, the duty of confidentiality shall remain in place for a period of three (3) years after cessation of the Agreement, unless statutory provisions provide for a longer confidentiality obligation. In particular, any business secrets shall be treated confidentially for as long as they are business secrets.
7 Data Protection
7.1 With regard to the personal data that Choco processes on behalf of Supplier for provision of the Services and the personal data that the Parties process as joint controllers under this Agreement, the Parties conclude a Data Processing Agreement available here ("DPA") and which is hereby incorporated by reference into this MSA.
8 Suspension
8.1 Suspension. Choco is entitled, but not obliged, to monitor Supplier’s and its Authorized Users’ use of the Services and may suspend Supplier's or its any of its Authorized Users’ access to the Cloud Service (i) if Choco reasonably believes a violation of the Agreement has occurred, (ii) if the suspension is necessary for technical or security reasons or to avert imminent damage to Choco, Supplier or third parties or (iii) if Choco is obliged to suspend access by law. Choco will use commercially reasonable efforts to provide advance notice of suspension, unless prohibited by law. Choco shall lift the suspension if the reason for the suspension no longer exists. Choco will have no liability for any damage, liabilities, losses (including any loss of data or profits), or any other consequences that Supplier may incur as a result of a suspension triggered by its Authorized Users’ own acts or omissions.
9 Term and Termination
9.1 Term. The Agreement shall commence on the Effective Date indicated in the Order Form and shall have a term of twelve (12) months unless terminated earlier pursuant to the Agreement. The Agreement shall be renewed for successive periods of twelve (12) months if it is not terminated in writing by either Party upon three (3) months' notice to the end of the respective Agreement period. Choco may update the terms of the Agreement, including the Fees, with effect from the start of a renewal term by giving notice to Supplier before commencement of the renewal term.
9.2 Termination for Cause. Without prejudice to any other rights or remedies, either party may, by written notice to the other, terminate the Agreement with immediate effect on the happening of any of the following events: (i) the other party commits a material breach of the Agreement which is incapable of remedy; or (ii) the other party commits a material breach of the Agreement which is capable of remedy and fails to remedy such material breach within thirty (30) days after receiving written notice requiring it to remedy that material breach. This clause shall not apply to breach of limited warranty provided by Choco as per section 9 and the exclusive remedies of Supplier are listed therein.
9.3 Termination by Choco. For the purpose of section 18.2 in the case of Choco material breach incapable of remedy will be deemed to exist specifically if (i) Supplier has repeatedly placed Supplier Data or products that is not permissible under the Agreement; (ii) Supplier is in default of its payment obligations for more than two (2) weeks; (iii) Supplier becomes insolvent, files for or has filed against it, a petition of bankruptcy or (iv)if Supplier acts against use restrictions set out in section 2.2. Choco may terminate the Agreement for convenience without having to give any reasons any time with a notice period of one (1) month.
9.4 Effects of Termination. When the Agreement for the Services offered against remuneration is terminated Supplier shall lose its access to the Services, with the exception of the Free Services which may be still provided to the Supplier at Choco’s sole discretion. After termination, Choco will have no obligation to Supplier to continue storing Supplier Data and will delete the Supplier Data in its systems upon Supplier’s request or in line with its retention policy, whichever is earlier. Notwithstanding the foregoing, Choco will be entitled to retain the Supplier Data if Choco is obliged to do so by law or to the extent that the Supplier Data is required for accounting and documentation purposes or for the operation of the Cloud Service.
9.5 Survival. The sections 1.3 (Free Services), 3.5 (Indemnification), 4 (Fees and Commissions, Reporting, Payment), 6 (Confidentiality), 9.4 (Effects of Termination) and 11 (Limitation of Liability) and others which by their nature are intended to survive, shall survive after termination or expiration of this Agreement.
10 Warranty
10.1 Limited Warranty. Choco provides a limited warranty against defects in the Services. A defect is deemed to exist in case of any significant deviations from the functional scope of the Services as described in the Agreement that render the use of the Service impossible or greatly restricted. Supplier shall without undue delay notify Choco in writing of any defect and provide all information that is available to Supplier and is necessary for Choco to identify, reproduce, analyze and remedy the defect. Furthermore, Supplier shall assist Choco in remedying defects free of charge and in a reasonable manner. Choco will either rectify the defect or deliver the impacted Service once again at its discretion and within a reasonable period of time upon receiving written notification of the defect. The provision of instructions for use, with which Supplier can reasonably workaround the defects, will also be deemed to be a remedy of defects. If both remedies fail, Choco will at its own discretion offer Supplier a reasonable remedy (such as by giving Supplier a reasonable discount on the affected Services or terminating the Agreement partially or in whole). This limited warranty does not apply (i) to any defects caused by unauthorized use, abuse, negligence or equipment of Supplier, (ii) to any defects not notified by Supplier within 30 days upon noticing the defect. Choco's sole responsibility and Supplier's sole exclusive remedies against defects are set out in this section.
10.2 Limitation period. All claims by Supplier shall become time barred upon elapse of the earlier of the statutory limitation period, or a period of twelve (12) months from Supplier becoming aware of the fact or event giving rise to the cause of action.
10.3 Disclaimer of Warranty. Except as expressly provided herein and to the maximum extent permitted by applicable law, the Services are provided as-is and on an as available basis. Choco hereby disclaims all warranties of any kind, whether express or implied by statute or common law, including, but not limited to, warranties of merchantability, fitness for a particular purpose, or non-infringement. Choco does not warrant that all errors can be corrected, or that operation of the Services shall be uninterrupted or error-free, nor does Choco guarantee any specific results in connection with use of the Services.
11 Limitation of Liability
11.1 Limitation of Liability. Choco’s (including any representatives’, employees’, agents’, and Vicarious Agents’) full and aggregated liability for any and all damages arising out of or in connection with this Agreement (whether such liability arises from contract, tort (including negligence), misrepresentation, breach of any duty (including strict liability) or otherwise), shall be limited to the Fees paid by Supplier during the last 12 months preceding the last event giving rise to liability. In cases of ordinary negligence, Choco shall be liable when there has been a breach of a material contractual duty. A material contractual duty within the meaning of this section is an obligation the fulfilment of which makes the performance of the Contract even possible in the first place.
11.2 Disclaimer of Consequential and Related Damages. Choco (and any representatives, employees, agents, and Vicarious Agents) shall only be liable for direct and foreseeable damages at the time of the conclusion of the Agreement and shall not be liable for incidental, indirect, special, consequential or punitive damages, regardless of the nature of the claim, including, without limitation, lost profits, loss of data, damage to reputation, costs of delay or procurement of substitute services, any business interruption, even if Choco has been advised of the possibility of such damages.
11.3 Exclusions from Limitation of Liability. The limitations on liability set out in this section shall not apply for losses caused by death or personal injury caused by its negligence, or the negligence of its personnel, agents, Vicarious Agents, fraud or fraudulent misrepresentation; and any other liability which cannot be limited or excluded by applicable law.
12 Final Provisions
12.1 Force Majeure. Choco shall have no liability to the Supplier under this Agreement if it is prevented from or delayed in performing its obligations under this Agreement, or from carrying on its business, by acts, events, omissions or accidents beyond its reasonable control, including, without limitation, strikes, lock-outs or other industrial disputes (whether involving the workforce of Choco or any other party), failure of a utility service or transport or telecommunications network, act of God, war, riot, civil commotion, malicious damage, compliance with any law or governmental order, rule, regulation or direction, accident, breakdown of plant or machinery, fire, flood, storm or default of vendors or sub-contractors, provided that the Supplier is notified of such an event and its expected duration.
12.2 Amendments. Choco may amend this Agreement with effect for the future. Any amendments and side agreements to this Agreement must be made in writing. In case of minor or cosmetic amendments that do not affect Supplier, the amendments shall be posted on Choco's website. In other cases, Choco will provide Supplier with notice before the changes enter into force and allow Supplier a reasonable time to review. Amendments shall be deemed as agreed by Supplier if Supplier has not expressly objected to them by the time they take effect. In case of objection, Choco may terminate the Agreement or offer Supplier a reasonable remedy at its own discretion. Notwithstanding the foregoing, Choco may amend its policies from time to time to make necessary adjustments due to changes in its Services or laws without prior notice.
12.3 Assignment and Subcontracting. Supplier shall not, without the prior written consent of Choco, assign, transfer, charge, subcontract or deal in any other manner with all or any of its rights or obligations under this Agreement. Choco may at any time assign, transfer or deal in any other manner with all or any of its rights or obligations under this Agreement without Supplier’s consent. If Choco subcontracts any of its obligations to its subcontractors or affiliates (“Vicarious Agents”), Choco will remain responsible for their acts and omissions.
12.4 Entire Agreement and Order of Precedence. This Agreement includes the MSA (including DPA), the Order Form, applicable Service Specific Terms and Choco’s policies that are made available to the Supplier. It shall constitute the entire agreement between the Parties regarding the provision and use of the Services. The Agreement shall supersede any previous agreements, communications, representations and understandings between them, whether written or oral, relating to this subject matter. In case of any inconsistency or conflict between the provisions of this Agreement, the following order of precedence shall apply: DPA, Order Form, Service Specific Terms and MSA.
12.5 Headings. Headings or titles used in this agreement are for convenience and reference purposes only and shall not be considered in the interpretation or construction of any provision of this Agreement.
12.6 Waiver and Severability. No failure or delay by a Party to exercise any right or remedy provided under this Agreement or by law shall constitute a waiver, nor shall it prevent or restrict the further exercise of any right or remedy. If any part of this Agreement is determined to be invalid or unenforceable by a competent court, that part shall be deemed deleted, but this shall not affect the validity and enforceability of the rest of the Agreement.
12.7 Governing Laws and venue. The Agreement shall be governed by the laws of England and Wales. Exclusive jurisdiction and venue for all disputes arising from or connected with this Agreement shall lie with the competent courts of England and Wales.
Integration-GTC
Last updated 1st November 2023
Integration General Terms and Conditions
These Integration General Terms and Conditions (the "Integration-GTC") together with the Main Services Agreement (the “MSA”) govern Choco’s performance of Integration Services consisting of development of a technical infrastructure for digital transmission of information between the Cloud Service and Supplier’s enterprise resource planning (the “ERP”) system (the “Integration”) and the Parties’ obligations in relation to that.
These Integration-GTC, together with the Annex-1 attached thereto, constitute an integral part of the Agreement entered into between Choco and Supplier. Capitalised terms not otherwise defined in these Integration-GTC shall have the meanings assigned to them in the Agreement. In the event of any inconsistency between these Integration-GTC and the Agreement, the order of precedence prescribed in the MSA shall apply.
1 Subject Matter of the Integration-GTC
1.1 The subject matter of these Integration-GTC is the development of the Integration until its delivery to Supplier. Once accepted by Supplier, the Integration shall constitute a part of the Cloud Service.
1.2 Integrations built by or on behalf of the Supplier do not fall under the scope of these Integration GTC and Choco does not assume any responsibility for such integrations.
1.3 The services of Supplier’s ERP provider that are accessed through the Integration do not fall under the scope of the Agreement and are solely governed by the terms and conditions of the specific ERP provider.
2 Provision of the Integration Services
2.1 If the Parties agree on a minimum number of active Customers for the launch of the Integration Services in the Order Form, then Choco will start to perform the Integration Services only once that minimum number is reached. A Customer shall be deemed active if it has placed at least one order with Supplier using the Cloud Service in the relevant calendar month (“Active Customer”). If the minimum number is not reached within twelve months from the Effective Date of the Agreement, either Party shall be entitled to terminate the Integration Services, unless Choco has already commenced with the performance of the Integration Services.
2.2 The Parties shall mutually agree on the scope and channel of Integration, based on the standard content, channels and file formats supported by Choco as described in Annex-1. In case of any subsequent additions or changes to the agreed-upon scope, Choco reserves the right to adjust the timelines and charge additional Fees taking into consideration any extra efforts required to implement the changes.
2.3 Supplier shall provide Choco with a distinct technical contact person from its ERP provider who shall have sufficient technical knowledge and capacity to cooperate with Choco for the provision of the Integration Services.
2.4 Upon request, Supplier shall provide and shall ensure that its ERP provider provides Choco with all information required by Choco for the provision of the Integration Services in a timely manner, including sample catalog files, sample order files, API docs, documentation related to the system environment as well as with staging credentials and access rights to its ERP system and the test environment. Supplier shall ensure that Choco only gets access and permissions to the agreed transmission content and not to any other information that is not necessary for the Integration.
2.5 If Supplier cannot provide any test environment, then Supplier shall alternatively provide Customer information with which Choco can perform integration tests. Unless delivery of the test results is automated, Supplier shall provide Choco with the test results. Supplier shall ensure that the provided test environment corresponds to the same technical parameters as the live product environment. Supplier will provide Choco with (test) access data of the selected authentication method. Any Choco Deliverables provided by Choco for the Integration Services as well as instructions regarding their use shall be deemed Confidential Information of Choco and Supplier shall not be entitled to edit, distribute or post publicly the documentation or instructions for use.
2.6 Supplier shall inform Choco in a timely manner about any upcoming adjustments to its technical systems that could have an impact on the functionality of the Integration Services or the performance of Choco's obligations under the Agreement.
3 Acceptance Procedure
3.1 Choco shall submit the Integration to Supplier for inspection and acceptance and shall notify Supplier about such submission. Supplier shall test and inspect the Integration for its conformity with these Integration-GTC and shall do so within a reasonable period of time which shall not be longer than two (2) weeks. The Supplier shall notify Choco immediately of any defects in writing (email acceptable).
3.2 Supplier shall declare its formal acceptance in writing if the Integration is essentially in conformity with these Integration-GTC. Formal acceptance by Supplier may not be refused due to insignificant flaws or defects. Choco shall within a reasonable period of time use commercially reasonable efforts to remedy such insignificant defects after formal acceptance, provided Supplier has notified Choco in writing thereof during the inspection of conformity and prior to formal acceptance.
3.3 If, within a period of three (3) weeks after submission of the Integration, Supplier no longer reports any more significant defects or if Supplier agrees to deployment of the Integration into production environment, then the Integration shall be deemed formally accepted.
3.4 With respect to defects that were known to Supplier at the time of formal acceptance, defects that would have been obvious in the course of a proper inspection or defects that were otherwise not known to Supplier due to negligence or that were not reported by Supplier, Supplier will not be entitled to the rights related to defects as governed in section 10 of the MSA on Warranty, otherwise any defects that occur and notified to Choco after formal acceptance will be subject to section 10 of the MSA on Warranty.
3.5 If the Integration is delivered partially per component, the acceptance procedure shall apply mutadis mutandis to each part.
Annex 1 - Integration Services
This Annex sets out the standard scope of Integration, in particular the transmission content, transmission channels, file formats and technical procedures supported by Choco. Supplier-specific customizations may be possible subject to additional charges.
A. Transmission Content
It is possible to transmit different components through an Integration. At a minimum, an Integration will transmit orders from Cloud Service to Supplier and Product Catalogs from Supplier to Cloud Service.
In addition to this minimum content, Choco supports transmission of prices, order comments, order confirmation, images, customer lists, Order Guides of Customers, order updates and edits.
Parties will agree on the transmission content in the technical coordination meeting. After such meeting, there may be a possibility for adding more components to the scope subject to additional charges.
B. Data Transmission
Data transmission may consist of one or a combination of the following technical channels:
1. HTTP(s) API
2. (S)FTP Server
a) Hosting by Choco
b) Hosting by the Supplier or a third-party provider
3. Choco App for an ERP system (Connector)
More details on the transmission channels are given below:
1. HTTP(s) API
Choco supports the following authentication:
•Oauth 1.0 and 2.0
•Basic Auth
•Open ID
All other types of authentication (SAML, TLS, JWT,... ) require detailed technical review and may be subject to additional fees. Choco will keep all credentials strictly confidential and use them only for the purpose of Integration.
Choco supports all common methods (GET, POST, PUT, PATCH) with a transmission of orders placed via POST and a retrieval of product catalogs via GET. Supplier will ensure endpoint availability throughout the entire term of the contract. Choco will repeat erroneous transmissions, but cannot guarantee a transmission in the absence of available endpoints.
2. (S)FTP server
a) Hosting by Choco
Choco shall make a (S)FTP (SSH) server available and shall provide Supplier with username, password, URL and port. Supplier will be granted CRUD rights for the folders in question. Choco will provide separate (S)FTP servers for test and live operation.
b) Hosting by the Supplier
Supplier shall provide Choco with the username, password, URL and port of the (S)FTP server. Supplier shall ensure the availability of the endpoints throughout the entire term of the Agreement. Choco will repeat faulty transmissions but cannot guarantee a transmission in the absence of available endpoints.
3. Choco-App for an ERP system (Connector)
Choco provides system-side integration for selected ERP systems via an app or another standardized interface, whereby Choco builds a connector between the Cloud Service and Supplier’s ERP.
C. File Formats
Choco supports multiple file formats for the exchange: CSV, XML, JSON, TXT, Excel, EDI, X12.
In the event there are unclear or missing specifications from the Supplier, Choco shall provide files in a standard format (including documentation).
D. Technical Procedure
1. Orders from Cloud Service to Supplier
After the Integration is delivered (deployed in the production environment), Choco will send the orders to Supplier in real time via one of the transmission channels or shall make them available on an (S)FTP server. The Supplier shall import the orders in real time into its own ERP system. The purchase orders will follow the prescribed format, but will at a minimum contain (if not explicitly defined otherwise):
•Order number (unique)
•Product numbers (as specified by Supplier)
•Supplier number
2. Product catalogs from Supplier to Cloud Service
Supplier shall regularly send a (complete and up to date) Product Catalog and/or Order Guides of its Customers to Choco or make them available via one of the selected transmission technologies. Choco shall import them in real time or at least every 24 hours (unless explicitly defined otherwise).
Technical procedure for transmission of other components shall be agreed by the Parties. Unless agreed otherwise, both Parties shall use commercially reasonable efforts to transmit all components through Integration in real time.
Onboarding and Support -GTC
Last updated 18th January 2024
These Onboarding and Support General Terms and Conditions (the "O&S-GTC") together with the Main Services Agreement (the “MSA”) govern Choco’s performance of the Onboarding and Support Services as described in the Order Form or agreed elsewhere between the Parties (“O&S Services”) and the Parties’ obligations in relation to that.
These O&S-GTC constitute an integral part of the Agreement entered into by and between Choco and Supplier. Capitalized terms not otherwise defined herein shall have the respective meanings assigned to them in the Agreement. In the event of any inconsistency between these O&S-GTC and the Agreement, the order of precedence prescribed in the MSA shall apply.
1 Provision of the O&S Services
1.1 The Parties shall agree on a project plan for providing the O&S Services and Supplier shall appoint a project manager who will attend all the meetings and complete or arrange for completion of all Supplier activities as outlined in the project plan.
1.2 At the sole discretion of Choco, training may be given via workshops, training materials, dedicated point of contacts or any alternative methods. The Parties shall mutually agree on the time, duration, group of participants and location of such training. Unless otherwise agreed, training shall take place virtually. Both Parties shall be entitled to postpone agreed training dates with reasonable notice in advance of the agreed date.
1.3 Supplier asks Choco to onboard its Customers to the Cloud Service and Choco shall use commercially reasonable efforts to do so. Any contact with the Supplier’s Customers made by Choco for this purpose is made exclusively on behalf and in the name of Suppler, as well as in accordance with the instructions issued by Supplier. The Parties shall agree on when, how and to what extent Choco should contact Supplier’s Customers. In no case does Choco owe a duty to ensure a successful approach.
1.4 Subject to a respective agreement between the Parties, Choco shall create Choco Deliverables for the purpose of introducing the Cloud Service to Supplier’s Customers. Supplier shall use the Choco Deliverables only for the purpose they are created for and shall be solely responsible for the use of the Choco Deliverables, including the uses made by Choco upon Supplier’s instructions.
2 Supplier Obligations and Warranties
2.1 Supplier shall provide Choco with all information, documents and other materials required for onboarding Supplier and its Customers to the Cloud Service, setting up their accounts and implementing the Cloud Service (the “Supplier Deliverables”) in a timely manner upon Choco's request. Such information includes, without limitation, Supplier’s delivery days, cut-off times and its product catalogue containing all the products in Supplier’s product range together with their designation, product number, name, ID, availability, order unit, list price and image (“Product Catalogue”), which will be displayed in Supplier’s account on the Cloud Service to its Customers.
2.2 For onboarding its Customers, Supplier shall provide a list of all - or the number specified in the Order Form – of Customers, including at least the customer number, name, address, telephone number, email address of the Customer, as well as telephone number and email address of one contact person, and order history of those Customers for the last two hundred (200) days in order to be turned into individual shopping lists for the Customers (“Order Guide”).
2.3 If there are Customers who are already registered with the Cloud Service, Supplier shall provide the Order Guides of such Customers immediately upon signing the Agreement. If a Customer registers for the use of the Cloud Service for the first time, then Supplier shall provide Choco with the Order Guides of such Customers without undue delay (but no later than within twenty-four (24) hours). Supplier shall ensure that the products reported in the Order Guides are also listed in the Product Catalogue and that the products in the Order Guide and in the Product Catalogue can be assigned to each other by means of a clear, identical product number. Unless explicitly indicated by Supplier, any Customer related information provided throughout the Agreement will may be used by Choco for onboarding purposes.
2.4 Supplier warrants that its directives in relation to O&S Services do not violate any applicable legal requirements or third-party rights and that all legal requirements are fulfilled to allow Choco to provide the O&S Services. In particular, Supplier warrants that it has obtained all necessary consents for Choco to legally contact its Customers for the provision of the O&S Services.
2.5 Supplier warrants that the individuals who are contacted by Choco upon the Supplier’s directives are authorized to represent the respective Customer and make use of the Cloud Service on behalf of the respective Customer.
3 Indemnification
3.1 Supplier shall indemnify Choco, its employees, representatives, group companies against all third-party claims, demands, actions, proceedings, losses, fines, penalties, awards, liabilities, damages, compensation, settlements, charges and expenses (including legal costs) asserted against Choco in relation to performance of the O&S Services.
3.2 Choco shall inform Supplier without undue delay about any claims asserted by third parties and shall - upon request - provide the information and documents required for the defense. In addition, Choco shall at its own discretion either relinquish the defense to Supplier or engage in a defense in consultation with Supplier. In the absences of consultation with Supplier, Choco shall above all neither acknowledge nor dispute any claims asserted by third parties, except where Supplier has not responded to Choco's notification of the claim within a reasonable time period.
4 Warranty
4.1 Except as provided otherwise in an Order Form, all warranties, representations, conditions and all other terms of any kind whatsoever implied by law are, to the fullest extent permitted by applicable law, excluded from these O&S-GTC.
Data Processing Agreement
Last updated 7th May 2024
Preamble
This Data Processing Agreement ("DPA") specifies the data protection obligations and rights of the Parties in connection with the personal data processed by Choco as a processor on behalf of Supplier when providing the Services as per the Agreement.
For the purposes of this DPA "Data Protection Laws" means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of personal data, including: (i) EU Regulation 2016/679 ("GDPR"); (ii) GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR; (iv) in the UK, the Data Protection Act 2018; (v) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC); and (vi) in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time; and the terms "data subject", "processing", "processor" and "controller" shall have the meanings set out in the Data Protection Laws. “Personal Data” has the meaning set out in Data Protection Laws but is limited to personal data processed by Choco acting as a processor on behalf of Supplier under the Agreement as further described in Annex 1 to this DPA below.
1. Subject and Scope of the Assignment
1.1 Choco shall process the Personal Data which Supplier has provided directly or indirectly for the provision of the Services exclusively on behalf of, and in accordance with the instructions of Supplier, unless it is otherwise required by the applicable law. In such a case, Choco shall notify Supplier of such legal requirements prior to the processing, unless the relevant law prohibits such notification.
1.2 The processing of Personal Data by Choco on behalf of Supplier is specified in Annex 1 to this DPA.
1.3 The duration of the processing corresponds to the duration of the Agreement.
1.4 Supplier warrants and represents that it has obtained all necessary consents and complied with all obligations required by Data Protection Laws for making available any Personal Data to Choco and for allowing collection of Personal Data by Choco on the Supplier’s behalf under this Agreement.
1.5 Supplier may issue further instructions regarding the scope of processing of Personal Data. If Choco is of the opinion that a Supplier instruction violates this DPA or Data Protection Laws, it shall without undue delay inform Supplier thereof in writing. Choco shall be entitled to suspend the execution of such instruction until Supplier confirms it in writing. If Supplier insists on the execution of an instruction despite the concerns raised by Choco, Supplier shall indemnify Choco against all damages and costs that it incurs due to the execution of the Supplier's instruction. Choco shall inform Supplier of any damages asserted against it and any costs incurred by it and shall not acknowledge any claims of third parties without Supplier’s consent and shall, at Choco’s option, conduct the defense in consultation with Supplier or leave it to Supplier.
2. Requirements of Personnel
2.1 Choco shall ensure that all persons who are authorized to have access to Personal Data are either under a contractual obligation to maintain confidentiality or are under an appropriate statutory obligation of confidentiality when processing the Personal Data.
3. Processing Security
3.1 Choco shall implement and maintain throughout the term of the Agreement appropriate technical and organizational measures specified in Annex-2 to this DPA ("TOM"), to ensure a level of protection of the Personal Data commensurate to the risk, taking into account the state of the art, the cost of implementation and, to the extent known to Choco, the nature, scope, circumstances and purposes of the processing of the Personal Data and the varying likelihood and severity of the risk to the rights and freedoms of the data subjects. Choco shall regularly assess the effectiveness of the TOMs and implement alternative measures if necessary for ensuring appropriate level of security.
3.2 It shall be incumbent upon Supplier to review the TOM taken by Choco, particularly to review whether these measures are also sufficient with regard to circumstances of the data processing that are not known to Choco.
4. Use of Sub-Processors and Data Transfers
4.1 Supplier generally authorizes Choco to make use of the services of its affiliates and sub-processors when processing the Personal Data.
4.2 The current sub-processors which are engaged by Choco are listed in Annex 3 to this DPA. Choco shall impose substantially similar data protection obligations vis-a-vis its sub-processors which are no less protective than the ones set out under this DPA and will remain liable towards the Supplier for its sub-processors’ performance under this DPA.
4.3 Choco will update the list of sub-processors in Annex 3 to this DPA before authorizing a new sub-processor to process Personal Data on behalf of Supplier. If Supplier wants to receive an individual notification of an update to the list of sub-processors, it shall sign up to the notification mechanism available in Annex 3 to this DPA. If Supplier does not object within 14 days following Choco’s notification by sending an email to legal@choco.com, then the engagement shall be deemed approved. If Supplier objects, Choco shall be entitled, at its choice, to either provide the Services without using the rejected additional sub-processor or to terminate the Agreement.
4.4 Supplier authorizes Choco, its affiliates and its sub-processors to transfer, access or process Personal Data outside the UK or the European Economic Area ("EEA"), provided that the requirements for such transfer, access or processing under Data Protection Laws are complied with.
5. Rights of the Data Subjects
5.1 Taking into account the nature of the processing of the Personal Data, Choco shall assist Supplier with appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Supplier’s obligation to respond to requests for exercising the data subject’s rights laid down in the Data Protection Laws.
5.2 Choco shall in particular:
- inform Supplier without undue delay if a data subject contacts Choco directly with a request to exercise his/her rights;
- provide Supplier upon Supplier's request with all information available to Choco regarding the processing of the Personal Data that Supplier needs to respond to the request of a data subject and that Supplier does not have itself;
- correct, delete or restrict the processing of the Personal Data without undue delay upon the instruction of Supplier, unless Supplier is able to do so itself and it is technically possible for Choco to do so;
- support Supplier to the extent necessary to receive the Personal Data processed in Choco’s sphere of responsibility - insofar as this is technically possible for Choco - in a structured, common and machine-readable format, insofar as a data subject asserts a right to data portability.
6. Support Obligations
6.1 Choco shall notify Supplier without undue delay after becoming aware of a breach of Personal Data. The notification shall include a description, if possible, of the nature of the breach; the categories and approximate number of data subjects affected by the breach; the probable consequences of the breach; of the measures taken or proposed by Choco to remedy the breach of the protection of the Personal Data and, if applicable, measures to mitigate its possible adverse effects.
6.2 Choco shall investigate the cause of the breach and, where appropriate, take reasonable measures to mitigate its possible adverse effects.
6.3 If Supplier is obliged to inform the supervisory authorities and/or data subjects about the personal data breach, Choco shall assist the Supplier with complying with this obligation, taking into account the nature of processing and the information available to Choco. Any additional costs incurred by Choco in this context, which exceed statutory processor obligations under the applicable law shalll be borne by Supplier.
6.4 Choco shall notify Supplier of any subpoena or other judicial or administrative order, process or proceeding seeking access to, or disclosure of, the Personal Data insofar as such notification is not prohibited by law. If Supplier is obliged to provide information to a supervisory authority regarding the processing of the Personal Data or to otherwise cooperate with such authorities, Choco shall support Supplier in providing such information insofar as Supplier does not have the information itself and reasonably cooperate with Supplier and with supervisory authorities, including granting the competent supervisory authority the necessary rights of access, information and inspection.
6.5 Choco shall provide reasonable assistance to Supplier regarding Supplier’s compliance with its obligations related to security of processing, data protection impact assessments and prior consultations with the supervisory authorities in each case taking into account the nature of the processing and information available to Choco. Any additional costs incurred by Choco in this context, exceeding the foreseen statutory processor obligations under the applicable law, will be borne by Supplier.
7. Data Deletion and Return
7.1 Upon termination of the Agreement and written request from Supplier, Choco will either delete or return the Personal Data, unless Choco is obliged to continue storing the Personal Data under applicable law.
7.2 Some Personal Data may be archived in Choco’s back-up systems and such archived Personal Data will be deleted in accordance with Choco’s retention policy. Any Personal Data archived in backups will be isolated and protected from any further processing. For the period that the data is stored after the termination of the Agreement, the rights and obligations of the Parties under this DPA shall continue to apply.
8. Verifications and Audits
8.1 Choco shall keep records of its processing activities performed on behalf of Supplier and make available to Supplier upon request these records or any other information necessary to demonstrate compliance with statutory processor obligations set out under the Data Protection Laws.
8.2 Choco shall allow for and contribute to audits, including on-site inspections, by Supplier or an auditor mandated by Supplier in relation to the processing of the Personal Data. The audits and on-site inspections shall not hinder Choco in its normal business operations and should not place an undue burden on Choco. In particular, on-site inspections at Choco for no specific reason shall not take place more than once per calendar year and only during Choco’s normal business hours. Supplier shall notify Choco of inspections in written or text form at least 30 (thirty) days in advance, providing Choco with reasonable information about the scope, duration, and inspection plan. Supplier and Choco shall cooperate in good faith and mutually agree on the scope, duration, and start date of the inspection. Any costs incurred by Choco for any on-site inspections which are not clearly disproportionate or excessive, will be borne by the Supplier. Any auditor mandated by Supplier shall be an independent contractor that does not compete with Choco and such auditor may not commence its work prior to having executed a non-disclosure agreement with Choco.
9. Miscellaneous
9.1 Each Party’s and their affiliates’ liability taken together in the aggregate arising out of or related to this DPA whether in contract, tort, or under any other theory of liability, shall be subject to the limitation of liability provisions of the Agreement.
9.2 This DPA, including its annexes, constitutes an integral part of the Agreement between Choco and Supplier. If there are any inconsistencies between this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.
9.3 Any amendments and/or side agreements to any parts of this DPA must be made in writing. This rule also applies to this written form requirement itself. The governing law and jurisdiction under the Agreement shall apply accordingly for any parts of this DPA.
Annex 1 - Description of Personal Data Processing
Purpose of data processing | Provision of the Onboarding and Support Services, Cloud Service and Integration Services |
Nature and scope of data processing | Collection, processing, storage and transfer of Personal Data as necessary for provision and maintenance of the following Services:
|
Type of data |
|
Group of data subjects |
|
Duration of processing | For the duration of the Agreement as further set out in Section 7 of DPA |
Annex 2 - Technical and Organizational Measures
Taking into account the state of the art, the costs of implementation and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, Choco shall, in its capacity as data processor, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, but not limited to, the following:
1 Confidentiality
1.1 Physical access control
Choco shall take appropriate measures to reduce the risk of unauthorized persons gaining access to data processing systems with which Supplier’s personal data are processed and used.
Technical measures
Automatic access control systems, control of access by gatekeeper services and alarm systems
Lockable server cabinets
key regulation, service directives stipulating that service rooms are to be locked when employees are absent
1.2 System access control
Choco shall take appropriate measures to prevent data processing systems (computers) from being used by unauthorized persons. For this purpose, Choco shall take the following precautions:
Technical measures:
- Login with username + password
- Smartphone encryption
- Encryption of company laptops
- Remote laptop management
- Deployment of anti-virus software for laptops and systems
Organizational measures:
- Manage user permissions
- Create user profiles
- Policies on use of Company Hardware
- General policy on data protection and / or security
1.3 Data access control
Choco shall take appropriate measures to ensure that the persons authorized to use the data processing systems can only access the personal data subject to their access authorization and that the Personal Data of Supplier cannot be read, copied, modified or removed without authorization during processing, use and after storage. For this purpose, Choco shall take the following precautions:
Technical measures:
Erasure of data carriers on laptops before reuse.
Logging of access to important documents, especially when entering, changing and deleting data.
File shredder (min. level 3, cross cut)
Organizational measures:
- Creating an authorization concept
- Management of rights by system administrator
- Reduction in the number of administrators
- Closed area for sensitive documents
1.4 Separation control
Choco shall take appropriate measures to ensure that the Personal Data of Supplier collected for different purposes can be processed separately. For this purpose, Choco shall take the following precautions:
Technical measures:
- Separate storage on different software
- Software-based customer separation
Organizational measures:
- Creation of an authorization concept
- Determination of database rights
2 Integrity
2.1 Transmission control
Choco shall take reasonable measures to reduce the risk that the Personal Data of Supplier can be read, copied, modified or removed without authorization during electronic transmission or during their transport or storage on data carriers. To this end, Choco shall take the following precautions:
Technical measures:
- Email encryption
- Logging of accesses and retrievals of important documents and data
- Provision via encrypted connections such as sftp, https
2.2 Data input control
Choco shall take appropriate measures to ensure that it is possible to check and determine retrospectively whether and by whom personal data of the customer have been entered into data processing systems, changed or removed. For this purpose, Choco shall take the following precautions:
Technical measures:
- Possibility of technical logging of the entry, modification and deletion of personal data.
Organizational measures:
- Traceability of entry, modification, and deletion of personal data through individual user names.
- Retention of forms from which personal data have been transferred to automated processing operations.
- Assignment of rights to enter, change, and delete personal data on the basis of an authorization concept.
3 Availability and resilience
3.1 Availability control
Choco shall take reasonable measures to ensure that the Personal Data of Supplier is protected against accidental destruction or loss. For this purpose, Choco shall take the following precautions:
Technical measures:
- Fire and smoke detection systems
- Careful selection of the hosting service provider
Organizational measures:
- Regular control of the hosting service provider
4 Procedures for regular review, assessment and evaluation.
Choco shall implement procedures for regular review, assessment and evaluation of the effectiveness of technical and organizational measures to ensure the security of processing.
4.1 Data protection management
Organizational measures:
- Central documentation of all procedures, regulations and guidelines on data protection with access for employees as required / authorized
- A review of the effectiveness of the technical protective measures is carried out regularly
- Employees trained and committed to confidentiality
- Raising employee awareness through training
4.2 Incident response management
Organizational measures:
- Documentation of security incidents and data breaches
- Regulation of responsibilities for the follow-up of security incidents and data breaches
- Security breach response support.
- Formalized process for handling requests for information from data subjects is in place.
Annex 3 - Subprocessor List
Name | Entity Location | Purpose |
Amazon Web Services, Inc. | USA Location of processing: EU West 1 (Ireland, EU) | Cloud Infrastructure and AI services |
Google Cloud EMEA Limited | Ireland Location of processing: EU West 1 (Ireland, EU) | Cloud Storage and AI services |
salesforce.com Germany GmbH | Germany Location of processing: EU43 (Frankfurt, Germany; Paris, France) | CRM |
Invisible Technologies Inc | USA | Back-office services |
Iterable, Inc | USA | CRM |
Mindbridge Private Limited | Pakistan | Back-office services |
The Mail Track Company, S.L. | Spain | Customer outreach tool |
Aircall SAS | France | Customer outreach tool |
| Segment.io, Inc. | USLocation of processing: S3 AWS (Ireland, EU) | Customer data platform |
OpenAI, L.L.C. | USA | Generative AI services |
| Twilio Ireland Limited | Ireland | Communication tool |
| Salesloft Inc | USA | Communication tool |
| Intercom, Inc. | Ireland | Customer support and customer communication in the software |
| Lobster DATA GmbH | Germany | Integration tool |
| N8N GmbH | Germany | Integration tool |
| Zynk Software Limited | United Kingdom | Integration service provider |
| Choco Communications DACH GmbH | Germany | Intra-group services |
| Choco Communications Espagna SL | Spain | Intra-group services |
| Choco Communications SAS | France | Intra-group services |
| Atlantic Food Waste Partners LLC dba Choco | USA | Intra-group services |
We may need to add new subprocessors to the list above. If you'd like to receive a notification of these new sub-processors, you can subscribe on this page: https://choco.com/uk/subprocessors.
Service Description
The following list contains a description of all Services that are provided by Choco. The Supplier shall only be entitled to those Services which have either been indicated in the Order Form concluded between the Parties or which are agreed in writing by the Parties from time to time.
Choco Cloud Services:
- Cloud-based web platform and mobile app for order management and communication, enabling the Supplier to
- Have an overview of customer trends to better manage customer relationships,
- Provide its Customers a stellar eCommerce like ordering experience by bringing its Product Catalog digital,
- Receive orders from the Customers via its preferred channel (in-App, email, text or WhatsApp),
- Regain control over its order inflow by defining minimum order values, delivery days and cut-off time,
- Reach the entire customer base on the Cloud Service simultaneously in order to promote Products or run campaigns,
- Easily set access rights and permissions to team members based on their roles,
- Choco AI: Process the orders it received outside of the Cloud Service through Choco AI to be able to manage them in the Cloud Service (Choco AI) (if specifically agreed to between the Parties).
- White Label App: a version of the Choco's cloud-based web platform and mobile app branded with Supplier's logo and branding (if specifically agreed to between the Parties).
Onboarding and Support Services:
- Support with account setup and digitization of Product Catalog,
- Training Supplier’s teams on how to use the Cloud Service,
- Onboarding Supplier’s Customers to Cloud Service, including introducing the Software to Supplier’s Customers, execution of joint promotions for this purpose and setting up the Customers’ accounts.
Integration Services: services for building an Integration between the Cloud Service and the Supplier’s ERP system.
White Label TCs
Last updated 15th July 2024
This White Label Terms and Conditions (the “WL-TC”) together with the Main Services Agreement (“MSA”) govern branding of the Choco's mobile app with Supplier’s name and logo (the “WL-App”), licensing of the WL-App to Supplier’s Customers and the operation and maintenance of the WL-App.
The WL-TC constitutes a Service Specific Term and is incorporated into the Agreement entered into by and between Choco and Supplier by reference. Capitalized terms not otherwise defined herein shall have the respective meanings assigned to them elsewhere in the Agreement. In the event of any inconsistency or conflict between the WL-TC and the MSA, WL-TC shall prevail.
1. License Grant. Choco hereby grants to Supplier a limited, revocable, non-exclusive, non-transferable license to use the WL-App, and grants Supplier the right to sublicense the WL-App to Supplier’s Customers during the term of the Agreement to access and use it solely for placing orders from Supplier and for communication with Supplier, subject to the Choco’s End-User Terms (as defined below) and the terms agreed herein. The WL-App may not be used on behalf of or for the benefit of a third party other than Supplier.
2. Branding. The WL-App will be branded with the Supplier's name and logo. It will include an acknowledgement as "Powered by Choco". Supplier is solely responsible for securing its own copyrights, trademarks and all other intellectual property rights for use of Supplier’s name and logo in the WL-App.
3. Hosting and support. The WL-App will be operated, hosted and maintained by Choco and any customer support to Supplier’s Customers will be provided by Choco in accordance with Choco’s standard support policies.
4. App submission. Where required by the respective mobile application store, the WL-App will be submitted to the mobile application store by Choco under Supplier’s development account. Supplier will be responsible for maintaining its developer accounts in good standing and will provide administrator access to Choco for publishing and maintenance of the WL-App. Choco shall be responsible for submitting the WL-App to be listed on the respective App Store(s).
5. Marketing. Supplier may market and promote the WL-App on any form of media, but shall not claim any ownership of the WL-App.
6 Use by Customers. Supplier’s Customers shall not further sublicense nor distribute the WL-App, and use of the WL-App by the Customers shall be subject to Choco’s “Terms and Conditions for App Use” or any other end user terms as determined by Choco (“Choco End-User Terms”). The WL-App will be provided to Supplier’s Customers and such individual end users who are personnel of the Customers, on a strictly “as is” basis, and for free (i.e. Supplier cannot charge its Customers for the WL-App licensed hereunder). Supplier will remain responsible and liable towards Choco for all of its Customers and their end users’ (whether authorized or not) use of the WL-App in accordance with Choco End-User Terms and for their acts and omissions. Choco reserves the right to suspend Suppliers’ Customers access to the WL-App in the event of any violation of Choco End-User Terms.
7. Functionality of WL-App. WL-App will enable Supplier’s Customers to communicate with the Supplier and place orders to Supplier. Choco may make additional functionalities available in the WL-App at its own discretion, but it makes no commitment or gives no guarantee to do so. Supplier acknowledges and accepts that not all of the functionalities available in the Choco's mobile app will be available in the WL-App and that Choco is under no obligation to make any additional functionalities available other than the ones indicated in the first sentence of this section.
8. Fees. The Fees for making the WL-App available will be agreed in the Order Form signed between the Parties. Unless specifically agreed otherwise, the same Fees that apply to the Cloud Service will apply for the WL-App as well.
9. Use by Supplier. The terms of the MSA will continue to govern the use of the WL-App by Supplier and its Authorized Users.
10. Limitation of liability. Choco’s warranties regarding use of the WL-App by Supplier’s Customers and its sole liability arising out of use of the WL-App by Supplier’s Customers are limited to those set out in the Choco End-User Terms. Specifically, Supplier understands that the WL-App is provided to Supplier’s Customers on an “as is” and “as available” basis without any warranties of any kind, whether express or implied, including, but not limited to, implied warranties of merchantability, fitness for a particular purpose, or non-infringement. Supplier shall be solely liable towards its Customers for any amounts and claims beyond what is undertaken in Choco End-User Terms.
11. Intellectual property. Supplier acknowledges and agrees that Choco and/or its licensors own or otherwise have all the necessary intellectual property rights in the WL-App and all derivative works thereto. Supplier does not have any rights in or to the WL-App, except for the limited express rights granted in this WL-TC.
12. Indemnification by Supplier. Supplier will indemnify, hold harmless, and defend Choco, its licensors, service providers, and their respective affiliates, directors, officers, agents, and employees, from and against any third party claim, suit, or proceeding arising out of or related to (i) any claims related to any infringement or violation of a copyright, trademark, trade secret, or confidentiality obligation by any Supplier branding and any other materials provided or published by Supplier on the WL-App, (ii) claims by Supplier’s Authorized Users or Customers, including claims related to unauthorized disclosure of personally identifiable or other private information, (iii) Supplier’s or its Customers’ and their users negligent acts or omissions in the operation of the WL-App, and their material breach of Supplier’s obligations, representations, warranties or covenants contained herein.
13. Miscellaneous. Unless specifically set forth in this WL-TC, all references to the Cloud Service in the Agreement shall include the WL-App as well.