Vendor Legal Center

Main Services Agreement

Last Updated 1st October 2024

Unless otherwise agreed, the following terms apply to the Agreements entered into on or after 1 October 2024. For Agreements entered into before 1 October 2024, please see the relevant terms here.

Preamble

Choco Communications UK Limited (“Choco”) operates a cloud-based order management and communication platform for suppliers (e.g., wholesalers) and their customers (e.g., restaurants) in the food industry ("Cloud Service") and provides related Onboarding and Support Services as well as Integration Services s (collectively “Implementation Services” and, together with the Cloud Service, each a “Service” and collectively the “Services”). A description of each Service is available here.

This Main Services Agreement (“MSA”) governs the provision and use of the Services. Supplier agrees to be bound by the MSA by either executing an Order Form which incorporates the MSA or by accessing and/or making use of the Free Services (as defined in section 1.3 below). Capitalised terms not otherwise defined in the MSA shall have the meaning assigned to them elsewhere in the Agreement.

THEREFORE, in consideration of the foregoing, Choco and Supplier (each a "Party" and collectively the "Parties") agree as follows:

1 Scope of the Services

1.1 Access to Cloud Service. Choco hereby grants Supplier a non-exclusive, non-transferable, non-sublicensable right to access and use the Cloud Service during the term of the Agreement, solely for its own business operations and in accordance with the terms and conditions of the Agreement. Supplier is responsible for arranging the necessary equipment and the internet connection to use the Cloud Service. Supplier will have no right to any specific design or specific functionalities beyond the scope of the Cloud Service agreed in the Order Form.

1.2 Choco Deliverables. While providing Services, Choco may create deliverables for Supplier (“Choco Deliverables”). Choco hereby grants Supplier a non-exclusive, non-transferable, non-sublicensable right to use the Choco Deliverables during the term of the Agreement and in accordance with the terms and conditions thereof. Supplier shall not make any modifications to or use the Choco Deliverables for any other purposes than achieving the purpose of the Agreement without prior written approval of Choco.

1.3 Free Services. Choco may offer certain features of the Cloud Service free of charge, such as trial periods, beta versions or delivery of orders from the restaurants using the Cloud Service in a digital form (“Free Services”). An entity benefiting from Free Services shall be deemed to constitute a Supplier and shall be subject to the terms of the Agreement governing use of the Cloud Service as long as it benefits from Free Services. Supplier acknowledges that Choco reserves the right to modify or terminate Supplier’s access to Free Services or any part thereof, at any time and for any reason in its sole discretion without any notice or liability to Supplier. Free Services are provided as-is and, to the maximum extent permitted by applicable law, Choco shall not be liable for any damages, costs or expenses resulting from the use of Free Services. To the extent such full exclusion of liability is not enforceable, Choco’s (including its legal representatives’, employees’, agents’ and Vicarious Agents’ (as defined in section 12.3 below)) aggregate liability shall be limited to £1,000 (one thousand pounds). In the event of a conflict between this section 1.3 and the rest of the Agreement, this section 1.3 shall take precedence.

1.4 Service Specific Terms. Some Services may be subject to additional terms specific to that Service, such as Integration GTCs, Onboarding GTCs and White-Label TCs (“Service Specific Terms”). Supplier agrees to be bound by the applicable Service Specific Terms by signing the Order Form or by accessing or using the Services covered by Service Specific Terms.

1.5 Availability. Choco will make commercially reasonable efforts to make the Cloud Service available 98% of the time, based on a monthly average. Excluded therefrom are necessary planned maintenance work as well as disruptions that are not within Choco’s sphere of influence (such as force majeure events, downtime that results from a third party’s equipment, software or technology or internet connectivity issues). If possible, Choco shall in a timely manner notify Supplier about planned maintenance work. Nevertheless, Choco expressly reserves the right to carry out unannounced maintenance work if necessary, particularly where this is required for data and operational security.

1.6 Modifications. Choco reserves the right to enhance, change or discontinue any and all features of the Cloud Service or introduce new features or Services at any time. If any such changes materially limit the features of the Cloud Service, Choco shall provide Supplier with advanced notice thereof. Supplier's continued use of the Cloud Service after being notified constitutes acceptance of those changes. In case of an objection by Supplier before such changes enter into force, Choco may terminate the Agreement or offer Supplier a reasonable remedy at its own discretion.

1.7 Third Party Components. Certain components of the Cloud Service may be provided through third party services. Any such components that Supplier could recognize as being subject to third-party rights, including open-source licences, will be subject to applicable third party and open-source software licences. Above all, any components that Choco discloses as third-party content in the Agreement, in the Cloud Service or in any Choco policies will be deemed recognizable within the meaning of the previous sentence. Supplier agrees that availability of the Cloud Service or certain features may be dependent on the corresponding availability of the third-party services. Choco is not responsible for any interruptions or issues with the Cloud Service caused by the third-party components.

1.8 AI-powered Services. The Cloud Service may encompass functionalities that are powered by artificial intelligence (“AI”). Supplier will retain ownership over the input it provides and the output generated by AI based on the input, both of which shall constitute Supplier Data (as defined in section 3.1 below). Choco does not guarantee the accuracy, completeness and reliability of the output generated by AI and, to the extent permitted by law, disclaims all warranties and liability for such output. To the extent such full exclusion of liability is not enforceable, Choco’s (including its legal representatives’, employees’, agents’ and Vicarious Agents’) aggregate liability shall be limited to £1,000 (one thousand pounds). Output generated by AI may not be unique to Supplier and it does not represent Choco’s views. Supplier undertakes to comply with the fair use policies of Choco’s third party service providers when using AI-powered functionalities, available here. In the event of a conflict between this section 1.8 and the rest of the Agreement, this section 1.8 shall take precedence.

2 Access and Use of Cloud Service

2.1 Authorised Users. The licence granted to Supplier is limited to its employees, agents or contractors who are authorised by Supplier to use the Services (“Authorised Users”). Supplier is responsible for its Authorised Users’ compliance with the Agreement, including Choco’s policies on the use of the Cloud Service and for all of their acts and omissions. Supplier shall ensure that its Authorised Users keep the access data of their accounts confidential and shall inform Choco without undue delay if there is any suspicion that the access data may have become known to unauthorised persons. Supplier is solely responsible for all activities that occur under the accounts of its Authorised Users.

2.2 Use Restrictions. Supplier shall use the Cloud Service only for offering products that address food and hotel industry needs and comply with all laws applicable to its access and use of the Cloud Service. Supplier shall not (a) reproduce, copy, modify, adapt, create derivative works, reverse engineer, decompile or engage in any action with the attempt to obtain the source code of the Cloud Service (except as permitted by mandatory law); (b) sublicense, sell, rent, distribute, transfer or provide a third party access to the Cloud Service or otherwise allow the use of the Cloud Service for the benefit of any third party; (c) engage in any conduct that interferes with or threatens the security, integrity or performance of the Cloud Service, including any related systems; (d) send any malicious code (e.g., viruses, worms, Trojan horses or other malware) through Cloud Service; (e) attempt to interfere with or otherwise circumvent any security measures, authentication mechanisms or any functional restrictions on the Cloud Service intended to limit its use; (f) use the Cloud Service in order to build a product or service which competes with the Cloud Service; (g) use any software, devices, robots or any other means to scrape data from the Cloud Service; (h) use the Cloud Service for fraudulent purposes; (i) make unfair use of the Cloud Service or (j) use the Cloud Service to send unsolicited commercial communications.

2.3 The relationship with the Customers. Supplier is solely responsible for its use of the Cloud Service, such as for the contact it establishes with other companies, all communications sent via or in connection with the Cloud Service, the content and availability of the products and for the proper management of orders. By making the Cloud Service available, Choco merely provides the infrastructure for placing and managing orders and for communication. Choco itself will not directly or indirectly become a party to the relationship between Supplier and the restaurants or other market participants who place orders with Supplier (“Customer(s)”). Each order (individual sale and purchase of products) shall be concluded solely between Supplier and the relevant Customer. Choco will have no liability whatsoever with regard to the performance of those orders and shall not be a party to disputes of any kind between Supplier and its Customers (such as disputes relating to incorrect deliveries or late payments). Supplier is solely responsible for its relationship and communication with its Customers and with other users of the Cloud Service and for the proper management of orders.

2.4 Cooperation. Supplier shall cooperate with Choco in good faith and provide all necessary information as reasonably required by Choco for the proper performance of the Services in a timely manner. All information provided by Supplier shall be up-to-date, complete, and accurate, and Supplier shall notify Choco in writing in case of any changes. Choco will not be liable for any delays in the provision of the Services caused by Supplier’s failure to provide Choco with the required information or cooperation.

2.5 Support and Maintenance: Choco shall offer standard support services to assist Supplier in using the Cloud Service during regular working hours. Choco will also provide maintenance services at its own discretion, including error corrections, updates, and upgrades, as deemed necessary to ensure the Cloud Service's continued functionality. Support and maintenance do not cover issues resulting from Supplier’s misuse, unauthorised modifications or third-party systems.

3 Supplier Data

3.1 Supplier Data. Supplier shall retain all right, title and interest in and to information, images, texts, data, files, Supplier Deliverables and other materials that are transmitted, submitted or otherwise made available by or on behalf of Supplier to Choco in the course of Supplier's access and use the Services ("Supplier Data"). Supplier grants Choco a non-exclusive, royalty-free, perpetual and worldwide licence to collect, process, reproduce, modify, host, store, disclose, display and perform all necessary acts on the Supplier Data for the purposes of operating the Cloud Service and providing the Services to Supplier. In particular, Choco shall be entitled to collect and use the Supplier Data about Supplier’s use of the Cloud Service for internal research, security, analytics and reporting purposes and for developing and improving the Services. Choco shall retain all rights in the aggregated information derived from such practices and may use it at its own discretion during and after the term of this Agreement without being subject to any limitations (such as for distributing insights and reports), to the extent it does not identify Supplier, its Customers or any person. Choco may sublicense or transfer the rights granted herein to its Vicarious Agents for the purposes of this Agreement.

3.2 Supplier’s Warranties. Supplier warrants that (i) it owns or will obtain the necessary rights and permissions to share the Supplier Data with Choco and to authorise the use of the Supplier Data by Choco as contemplated in this Agreement; (ii) it will provide the required information notices and obtain necessary consents under data protection laws from the persons whose personal data may be included in the Supplier Data (such as its Authorised Users and its Customers’ employees) for sharing their data with Choco; (iii) the Supplier Data and its use by Choco as contemplated in this Agreement do not violate any third-party rights or applicable laws; and (iv) the Supplier Data will not include any illegal, defamatory, inappropriate, offensive, hateful or violent content. Supplier shall solely be responsible for the Supplier Data and shall ensure its accuracy, integrity and reliability throughout the term of the Agreement.

3.3 Removal. Choco is not obliged to monitor the Supplier Data but reserves the right to do so at its own discretion. Choco may, without prior notice, remove or disable access to any Supplier Data (including the products offered via the Cloud Service) if (i) it violates the Agreement including Choco policies made available to Supplier, (ii) it constitutes illegal content such as illegal hate speech, terrorist content, unlawful discriminatory content, or any content that the applicable laws render illegal or (iii) it is likely to give rise to complaints by third parties or other Choco customers. Due account of the fundamental rights and freedoms and legitimate interests of all parties involved will be taken when making decisions about removal of the Supplier Data. Choco will comply with binding orders of courts and supervisory authorities to remove any illegal Supplier Data from the Cloud Service.

3.4 Backup. Choco will use commercially reasonable efforts to ensure integrity and availability of the Supplier Data. Notwithstanding the foregoing Supplier shall be solely responsible for the Supplier Data and shall take back-ups on a regular basis and commensurately with the risk.

3.5 Supplier Indemnity. Supplier shall indemnify and hold Choco, its employees, representatives and Vicarious Agents harmless from and against any claims, losses, liabilities, damages and expenses (including reasonable attorneys’ fees) asserted against them by a third party arising out of (i) Supplier's (including its Authorised Users’) use of the Services, (ii) the Supplier Data, (iii) performance of orders submitted to the Supplier, or (iv) Supplier’s (including its Authorised Users’) violation of applicable laws. Choco shall notify Supplier without undue delay about any claims asserted by third parties and shall, upon request, provide the information and documents required for the defence. Moreover, Choco at its own discretion will either surrender the right of defence to Supplier or undertake such defence in consultation with Supplier. In particular, Choco shall neither acknowledge nor dispute any claims asserted by third parties without consulting with Supplier, except where Supplier has not responded to Choco's notification of the claim within a reasonable time period.

4 Fees and Payment

4.1 Fees. Supplier shall pay Choco the fees agreed to in the Order Form or elsewhere in writing for the provision of the Services (the “Fees”). Unless expressly agreed otherwise in the Order Form, the Fees consist of a recurring monthly fee for the use of the Cloud Service (“Subscription Fee”) and a monthly or one-time fee for the Implementation Services (“Implementation Fee”). If the Parties agree on a monthly Implementation Fee, the Implementation Fee shall be payable for a maximum period of five (5) months.

4.2 Payment. If the Parties agree on a monthly Implementation Fee, the Implementation Fee shall be payable at the beginning of each month of the Implementation Phase up to the maximum duration set forth in section 4.1 above. If the Parties agree on a one-time Implementation Fee, the Implementation Fee shall be payable at the Effective Date (as defined in section 9.1 below). The Subscription Fee shall be payable on the Subscription Start Date (as defined in section 9.1 below) and at the beginning of each subsequent month of the Subscription Term (as defined in section 9.1 below). Unless expressly agreed otherwise in the Order Form, all invoiced amounts shall be due within two weeks of the date on the invoice and paid by direct debit. In case of late payment, Choco reserves the right to charge interest on the overdue amount at a rate of 4% per annum above the Bank of England base rate but at the rate of 4% per annum for any period during which that base rate is below 0% (such interest being deemed to accrue from day to day and being compounded on the last day of each calendar month) from the due date to the date of actual payment.

4.3 Taxes. The Fees are exclusive of taxes and Supplier shall be responsible for the taxes associated with the purchase of the Services. The applicable value added tax or other applicable taxes will be charged at the statutory rate to Supplier.

4.4 Discounts. Unless otherwise specified in the Order Form, any discounts are valid only for the relevant Subscription Term in which they are provided and do not automatically extend or apply to subsequent terms, renewals, or extensions.

4.5 Price Adjustments. Choco reserves the right to modify the Fees by providing Supplier with a written notice at least 30 days in advance. In the event that Supplier objects to the updated Fees within such 30-day period, Choco may terminate the Agreement or offer Supplier a reasonable remedy at its own discretion.

5 Intellectual Property

5.1 Reservation of Rights. Supplier acknowledges and agrees that Choco and/or its licensors own or otherwise have all the necessary intellectual property rights in the Cloud Service, Choco Deliverables and any improvements or modifications to the foregoing. Supplier does not have any rights in or to the Cloud Service and the Choco Deliverables, except for the limited express rights granted in this Agreement. The term Cloud Service includes any systems, programs, application programming interfaces or Integrations developed by or on behalf of Choco.

5.2 Feedback. Supplier allows Choco to use, copy, disclose and exploit any suggestions and other feedback provided by Supplier and its Authorised Users freely in order to improve and enhance the Services and for development of other services in any manner without any obligation, royalty, attribution or restriction based on intellectual property rights or otherwise.

5.3 Trademark License. Supplier grants Choco a non-exclusive, worldwide licence to use Supplier's trademarks for operating the Cloud Service and for the performance of the Agreement. Choco shall be specifically entitled to display the trademark on Supplier's supplier profile and to grant sublicenses to its Vicarious Agents to the extent necessary for the performance of the Agreement. Otherwise, the right of use may not be transferred or assigned.

5.4 Customer Reference. Choco may use Supplier’s name and logo in its marketing materials, presentations and similar communications to refer to Supplier as a customer. Supplier may revoke this consent any time by giving prior written notice.

6 Confidentiality

6.1 Duty of Confidentiality. The Parties undertake to keep confidential any information and documents of the disclosing party, which are either to be regarded as confidential due to the nature of the information or the circumstances of their disclosure or have been designated or marked as confidential by the disclosing party, such as business and/or trade secrets ("Confidential Information") and to use them exclusively for the purposes allowed under this Agreement. The technical components, documentation and the source code of the Cloud Service and the terms of the Order Form shall be considered as Confidential Information of Choco. The receiving party shall undertake reasonable technical and organisational measures to protect Confidential Information.

6.2 Disclosure of Confidential Information. The receiving party is entitled to disclose Confidential Information of the disclosing party solely (i) to its employees, contractors or consultants on a need to know basis for the performance of this Agreement, provided that they are bound by the confidentiality obligations at least as protective as those contained herein, (ii) in a legal proceeding, (iii) where required by law, (iv) to third parties upon prior written approval of the disclosing party. "Affiliates" (meaning, in relation to a party, any: (i) subsidiary or holding company of that party; (ii) body corporate with an ultimate holding company in common with that party; and (iii) officer of that party or of such subsidiary, holding company or body corporate, and “subsidiary”, “holding company”, “body corporate” and “officer” shall have the meanings set out in sections 1159 and 1173 respectively of the Companies Act 2006) of the receiving party shall not be considered third parties and the receiving party may freely disclose Confidential Information to its Affiliates. When requests are made by judicial or administrative authorities relating to the disclosure of Confidential Information, the receiving party shall without undue delay notify the disclosing party thereof in writing, to the extent permitted by law.

6.3 Exclusions from Confidentiality. Confidential Information does not include information that (i) was already known to the receiving party prior to disclosure, (ii) is generally known or becomes known to public through no fault of the receiving party, (iii) is independently developed by the receiving party itself without access to the Confidential Information of the disclosing party or (iv) was brought to the attention of or shared with the receiving party by a bona fide third party authorised to do so.

6.4 Duration of Confidentiality. The duty of confidentiality shall commence upon gaining knowledge of the Confidential Information and will continue for the entire term of this Agreement. In addition, the duty of confidentiality shall remain in place for a period of three (3) years after cessation of the Agreement, unless statutory provisions provide for a longer confidentiality obligation. In particular, any business secrets shall be treated confidentially for as long as they are business secrets.

7 Data Protection

7.1 With regard to the personal data that Choco processes on behalf of Supplier for provision of the Services under this Agreement, the Parties conclude a Data Processing Agreement available here ("DPA") and which is hereby incorporated by reference into this MSA.

8 Suspension

8.1 Suspension. Choco is entitled, but not obliged, to monitor Supplier’s and its Authorised Users’ use of the Services and may suspend Supplier's or its any of its Authorised Users’ access to the Cloud Service (i) if Choco reasonably believes a violation of the Agreement has occurred, (ii) if the suspension is necessary for technical or security reasons or to avert imminent damage to Choco, Supplier or third parties or (iii) if Choco is obliged to suspend access by law. Choco will use commercially reasonable efforts to provide advance notice of suspension, unless prohibited by law. Choco shall lift the suspension if the reason for the suspension no longer exists. Choco will have no liability for any damage, liabilities, losses (including any loss of data or profits), or any other consequences that Supplier may incur as a result of a suspension triggered by its Authorised Users’ own acts or omissions.


9 Term and Termination

9.1 Term. The Agreement shall commence on the date of the Parties’ last signature on the Order Form (“Effective Date”). The term of the Agreement comprises the “Implementation Phase” and the “Subscription Term”. The Implementation Phase starts with the Effective Date and ends on the date when integration is complete, meaning that order information (meaning the list of ordered products, their product IDs and quantities), order’s expected delivery date and the Customer number are successfully transmitted and integrated into Supplier's ERP or designated system (“Subscription Start Date”). Whilst additional components may be identified and assessed by the Parties depending on the specific functionalities of Supplier’s systems during the Implementation Phase, these will not be considered in determining the Subscription Start Date. The Subscription Term starts on the day after the Subscription Start Date and continues for a period of twelve (12) months or as otherwise indicated in the Order Form. The Subscription Term shall be renewed for successive periods of twelve (12) months if the Agreement is not terminated in writing by either Party with three (3) months' prior notice before the end of the respective Subscription Term.

9.2 Termination for Cause. Without prejudice to any other rights or remedies, either Party may, by written notice to the other, terminate the Agreement with immediate effect on the happening of any of the following events: (i) the other Party commits a material breach of the Agreement which is incapable of remedy; or (ii) the other Party commits a material breach of the Agreement which is capable of remedy and fails to remedy such material breach within thirty (30) days after receiving written notice requiring it to remedy that material breach. This clause shall not apply to breach of limited warranty provided by Choco as per section 10 and the exclusive remedies of Supplier are listed therein.

9.3 Termination by Choco. For the purpose of section 9.2(i) above a material breach by Supplier will be deemed incapable of remedy if (i) Supplier has repeatedly used the Services to place Supplier Data or products that are not permissible under the Agreement; (ii) Supplier is in default of its payment obligations for longer than two (2) weeks; (iii) Supplier becomes insolvent, files for or has filed against it, a petition of bankruptcy or; (iv) Supplier has acted against the use restrictions set out in section 2.2 above. Choco may terminate the Agreement for convenience without having to give any reasons any time with a notice period of one (1) month.

9.4 Effects of Termination. When the Agreement for the Services offered against remuneration is terminated Supplier shall lose its access to the Services, with the exception of the Free Services which may be still provided to the Supplier at Choco’s sole discretion. After termination, Choco will have no obligation to Supplier to continue storing Supplier Data and will delete the Supplier Data in its systems upon Supplier’s request or in line with its retention policy, whichever is earlier. Notwithstanding the foregoing, Choco will be entitled to retain the Supplier Data if Choco is obliged to do so by law or to the extent that the Supplier Data is required for accounting and documentation purposes or for the operation of the Cloud Service.

9.5 Survival. The sections 1.3 (Free Services), 3.5 (Supplier Indemnity), 4 (Fees and Payment), 6 (Confidentiality), 9.4 (Effects of Termination) and 11 (Limitation of Liability) and others which by their nature are intended to survive, shall survive after termination or expiration of this Agreement.

10 Warranty

10.1 Limited Warranty. Choco provides a limited warranty against defects in the Services. A defect is deemed to exist in case of any significant deviations from the functional scope of the Services as described in the Agreement that render the use of the Service impossible or greatly restricted. Supplier shall without undue delay notify Choco in writing of any defect and provide all information that is available to Supplier and is necessary for Choco to identify, reproduce, analyse and remedy the defect. Furthermore, Supplier shall assist

Choco in remedying defects free of charge and in a reasonable manner. Choco will either rectify the defect or deliver the impacted Service once again at its discretion and within a reasonable period of time upon receiving written notification of the defect. The provision of instructions for use, with which Supplier can reasonably workaround the defects, will also be deemed to be a remedy of defects. If both remedies fail, Choco will at its own discretion offer Supplier a reasonable remedy (such as by giving Supplier a reasonable discount on the affected Services or terminating the Agreement partially or in whole). This limited warranty does not apply (i) to any defects caused by unauthorised use, abuse, negligence or equipment of Supplier, (ii) to any defects not notified by Supplier within 30 days upon noticing the defect. Choco's sole responsibility and Supplier's sole exclusive remedies against defects are set out in this section.

10.2 Limitation period. All claims by Supplier shall become time barred upon elapse of the earlier of the statutory limitation period, or a period of twelve (12) months from Supplier becoming aware of the fact or event giving rise to the cause of action.

10.3 Disclaimer of Warranty. Except as expressly provided herein and to the maximum extent permitted by applicable law, the Services are provided as-is and on an as available basis. Choco hereby disclaims all warranties of any kind, whether express or implied by statute or common law, including, but not limited to, warranties of merchantability, fitness for a particular purpose, or non-infringement. Choco does not warrant that all errors can be corrected, or that operation of the Services shall be uninterrupted or error-free, nor does Choco guarantee any specific results in connection with use of the Services.

11 Limitation of Liability

11.1 Limitation of Liability. Choco’s (including any representatives’, employees’, agents’, and Vicarious Agents’) full and aggregated liability for any and all damages arising out of or in connection with this Agreement (whether such liability arises from contract, tort (including negligence), misrepresentation, breach of any duty (including strict liability) or otherwise), shall be limited to the Fees paid by Supplier during the last 12 months preceding the last event giving rise to liability. In cases of ordinary negligence, Choco shall be liable when there has been a breach of a material contractual duty. A material contractual duty within the meaning of this section is an obligation the fulfilment of which makes the performance of the Contract even possible in the first place.

11.2 Disclaimer of Consequential and Related Damages. Choco (and any representatives, employees, agents, and Vicarious Agents) shall only be liable for direct and foreseeable damages at the time of the conclusion of the Agreement and shall not be liable for incidental, indirect, special, consequential or punitive damages, regardless of the nature of the claim, including, without limitation, lost profits, loss of data, damage to reputation, costs of delay or procurement of substitute services, any business interruption, even if Choco has been advised of the possibility of such damages.

11.3 Exclusions from Limitation of Liability. The limitations on liability set out in this section shall not apply for losses caused by death or personal injury caused by its negligence, or the negligence of its personnel, agents, Vicarious Agents, fraud or fraudulent misrepresentation; and any other liability which cannot be limited

or excluded by applicable law.

12 Final Provisions

12.1 Force Majeure. Choco shall have no liability to the Supplier under this Agreement if it is prevented from or delayed in performing its obligations under this Agreement, or from carrying on its business, by acts, events, omissions or accidents beyond its reasonable control, including, without limitation, strikes, lock-outs or other industrial disputes (whether involving the workforce of Choco or any other party), failure of a utility service or transport or telecommunications network, act of God, war, riot, civil commotion, malicious damage, compliance with any law or governmental order, rule, regulation or direction, accident, breakdown of plant or machinery, fire, flood, storm or default of vendors or sub-contractors, provided that the Supplier is notified of such an event and its expected duration.

12.2 Amendments. Choco may amend this Agreement with effect for the future. Any amendments and side agreements to this Agreement must be made in writing. In case of minor or cosmetic amendments that do not affect Supplier, the amendments shall be posted on Choco's website. In other cases, Choco will provide Supplier with notice before the changes enter into force and allow Supplier a reasonable time to review. Amendments shall be deemed as agreed by Supplier if Supplier has not expressly objected to them by the time they take effect. In case of objection, Choco may terminate the Agreement or offer Supplier a reasonable remedy at its own discretion. Notwithstanding the foregoing, Choco may amend its policies from time to time to make necessary adjustments due to changes in its Services or laws without prior notice.

12.3 Assignment and Subcontracting. Supplier shall not, without the prior written consent of Choco, assign, transfer, charge, subcontract or deal in any other manner with all or any of its rights or obligations under this Agreement. Choco may at any time assign, transfer or deal in any other manner with all or any of its rights or obligations under this Agreement without Supplier’s consent. If Choco subcontracts any of its obligations to its subcontractors or affiliates (“Vicarious Agents”), Choco will remain responsible for their acts and omissions.

12.4 Entire Agreement and Order of Precedence. The Agreement consists of this MSA (including DPA), the Order Form, the applicable Service Specific Terms and Choco’s policies that are made available to the Supplier. It shall constitute the entire agreement between the Parties regarding the provision and use of the Services. The Agreement shall supersede any previous agreements, communications, representations and understandings between them, whether written or oral, relating to this subject matter. In case of any inconsistency or conflict between the provisions of this Agreement, the following order of precedence shall apply: DPA, Order Form, Service Specific Terms and MSA.

12.5 Headings. Headings or titles used in this agreement are for convenience and reference purposes only and shall not be considered in the interpretation or construction of any provision of this Agreement.

12.6 Waiver and Severability. No failure or delay by a Party to exercise any right or remedy provided under this Agreement or by law shall constitute a waiver, nor shall it prevent or restrict the further exercise of any right or remedy. If any part of this Agreement is determined to be invalid or unenforceable by a competent court, that part shall be deemed deleted, but this shall not affect the validity and enforceability of the rest of the Agreement.

12.7 Governing Laws and venue. The Agreement shall be governed by the laws of England and Wales. Exclusive jurisdiction and venue for all disputes arising from or connected with this Agreement shall lie with the competent courts of England and Wales.


Service Specific Terms

Integration-GTC

Last updated 15th November 2024

Integration General Terms and Conditions

These Integration General Terms and Conditions (the "Integration-GTC") together with the Main Services Agreement (the “MSA”) govern Choco’s performance of Integration Services consisting of development of a technical infrastructure for digital transmission of information between the Cloud Service and Supplier’s enterprise resource planning (the “ERP”) system (the “Integration”) and the Parties’ obligations in relation to that.

These Integration-GTC, together with the Annex-1 attached thereto, constitute an integral part of the Agreement entered into between Choco and Supplier. Capitalised terms not otherwise defined in these Integration-GTC shall have the meanings assigned to them in the Agreement. In the event of any inconsistency between these Integration-GTC and the Agreement, the order of precedence prescribed in the MSA shall apply.

1 Subject Matter of the Integration-GTC

1.1 The subject matter of these Integration-GTC is the development of the Integration until its delivery to Supplier. Once accepted by Supplier, the Integration shall constitute a part of the Cloud Service.

1.2 Integrations built by or on behalf of the Supplier do not fall under the scope of these Integration GTC and Choco does not assume any responsibility for such integrations.

1.3 The services of Supplier’s ERP provider that are accessed through the Integration do not fall under the scope of the Agreement and are solely governed by the terms and conditions of the specific ERP provider.

2 Provision of the Integration Services

2.1 If the Parties agree on a minimum number of active Customers for the launch of the Integration Services in the Order Form, then Choco will start to perform the Integration Services only once that minimum number is reached. A Customer shall be deemed active if it has placed at least one order with Supplier using the Cloud Service in the relevant calendar month (“Active Customer”). If the minimum number is not reached within twelve months from the Effective Date of the Agreement, either Party shall be entitled to terminate the Integration Services, unless Choco has already commenced with the performance of the Integration Services.

2.2 The Parties shall mutually agree on the scope and channel of Integration, based on the standard content, channels and file formats supported by Choco as described in Annex-1. In case of any subsequent additions or changes to the agreed-upon scope, Choco reserves the right to adjust the timelines and charge additional Fees taking into consideration any extra efforts required to implement the changes.

2.3 Supplier shall provide Choco with a distinct technical contact person from its ERP provider who shall have sufficient technical knowledge and capacity to cooperate with Choco for the provision of the Integration Services.

2.4 Upon request, Supplier shall provide and shall ensure that its ERP provider provides Choco with all information required by Choco for the provision of the Integration Services in a timely manner, including sample catalog files, sample order files, API docs, documentation related to the system environment as well as with staging credentials and access rights to its ERP system and the test environment. Supplier shall ensure that Choco only gets access and permissions to the agreed transmission content and not to any other information that is not necessary for the Integration.

2.5 If Supplier cannot provide any test environment, then Supplier shall alternatively provide Customer information with which Choco can perform integration tests. Unless delivery of the test results is automated, Supplier shall provide Choco with the test results. Supplier shall ensure that the provided test environment corresponds to the same technical parameters as the live product environment. Supplier will provide Choco with (test) access data of the selected authentication method. Any Choco Deliverables provided by Choco for the Integration Services as well as instructions regarding their use shall be deemed Confidential Information of Choco and Supplier shall not be entitled to edit, distribute or post publicly the documentation or instructions for use.

2.6 Supplier shall inform Choco in a timely manner about any upcoming adjustments to its technical systems that could have an impact on the functionality of the Integration Services or the performance of Choco's obligations under the Agreement. Choco will not be responsible for any delays or defects in the transmission of orders due to updates not notified on time.

3 Acceptance Procedure

3.1 Unless otherwise agreed in writing, the Integration shall be deemed ready when the customer number, order information (meaning the list of ordered products, their product IDs and quantities) and order’s expected delivery date are transmitted into the Supplier's ERP system. These constitute the conclusive list of main functionalities of the Integration. Whilst additional components may be identified and assessed by the Parties depending on the specific functionalities of Supplier’s systems during the Implementation Phase, these will not be considered in determining the date that Integration is complete.

3.2 When these main functionalities are ready, Choco shall either (i) conduct a live test in a meeting with the Customer, during which the Supplier shall accept the Integration if the functionalities are working, or (ii) submit the Integration to the Customer for testing at their convenience. Should the main functionalities not perform as expected during live test, Choco shall promptly address the defects and resubmit the Integration for acceptance.

3.3 In the event that the Integration is submitted for the Customer’s independent testing, the Customer shall have a period of one (1) week from the date of submission to test and provide written acceptance. Should the main functionalities not perform as expected, Supplier shall immediately notify Choco of such defects in writing and Choco shall promptly address the defects and resubmit the Integration for acceptance. If the Customer fails to respond or provide acceptance within this period, and no material bugs or issues are reported, the Integration shall be deemed accepted at the conclusion of the one (1) week period.

3.4 Acceptance by the Supplier may not be unreasonably withheld due to minor flaws or defects that do not materially affect the functionality of the Integration. Choco shall within a reasonable period of time use commercially reasonable efforts to remedy such insignificant defects after acceptance.

3.5 With respect to defects that were known to Supplier at the time of formal acceptance but were not reported by Supplier, defects that would have been obvious in the course of a proper inspection or defects that were otherwise not known to Supplier due to negligence, Supplier will not be entitled to the rights related to defects as governed in section 10 of the MSA on Warranty, otherwise any defects that occur and notified to Choco after formal acceptance will be subject to section 10 of the MSA on Warranty.

Annex 1 - Integration Services

This Annex sets out the standard scope of Integration, in particular the transmission content, transmission channels, file formats and technical procedures supported by Choco. Supplier-specific customizations may be possible subject to additional charges.

A. Transmission Content

It is possible to transmit different components through an Integration, such as orders, Product Catalog, prices, order confirmation, images, customer lists, Order Guides of Customers, order updates and edits. The standard transmission content is the order’s expected delivery date, the Customer’s general information, and their product information. Parties will agree on the transmission content in the technical coordination meeting. After such meeting, there may be a possibility for adding more components to the scope subject to additional charges.

B. Data Transmission

Data transmission may consist of one or a combination of the following technical channels:

1. HTTP(s) API

2. (S)FTP Server

a) Hosting by Choco

b) Hosting by the Supplier or a third-party provider

3. Choco App for an ERP system (Connector)

More details on the transmission channels are given below:

1. HTTP(s) API

Choco supports the following authentication:

•Oauth 1.0 and 2.0

•Basic Auth

•Open ID

All other types of authentication (SAML, TLS, JWT,... ) require detailed technical review and may be subject to additional fees. Choco will keep all credentials strictly confidential and use them only for the purpose of Integration.

Choco supports all common methods (GET, POST, PUT, PATCH) with a transmission of orders placed via POST and a retrieval of product catalogs via GET. Supplier will ensure endpoint availability throughout the entire term of the contract. Choco will repeat erroneous transmissions, but cannot guarantee a transmission in the absence of available endpoints.

2. (S)FTP server

a) Hosting by Choco

Choco shall make a (S)FTP (SSH) server available and shall provide Supplier with username, password, URL and port. Supplier will be granted CRUD rights for the folders in question. Choco will provide separate (S)FTP servers for test and live operation.

b) Hosting by the Supplier

Supplier shall provide Choco with the username, password, URL and port of the (S)FTP server. Supplier shall ensure the availability of the endpoints throughout the entire term of the Agreement. Choco will repeat faulty transmissions but cannot guarantee a transmission in the absence of available endpoints.

3. Choco-App for an ERP system (Connector)

Choco provides system-side integration for selected ERP systems via an app or another standardized interface, whereby Choco builds a connector between the Cloud Service and Supplier’s ERP.

C. File Formats

Choco supports multiple file formats for the exchange: CSV, XML, JSON, TXT, Excel, EDI, X12.

In the event there are unclear or missing specifications from the Supplier, Choco shall provide files in a standard format (including documentation).

D. Technical Procedure

1. Orders from Cloud Service to Supplier

After the Integration is delivered (deployed in the production environment), Choco will send the orders to Supplier in real time via one of the transmission channels or shall make them available on an (S)FTP server. The Supplier shall import the orders in real time into its own ERP system. The purchase orders will follow the prescribed format, but will at a minimum contain (if not explicitly defined otherwise):

•Order number (unique)

•Product numbers (as specified by Supplier)

•Supplier number

2. Product catalogs from Supplier to Cloud Service

Supplier shall regularly send a (complete and up to date) Product Catalog and/or Order Guides of its Customers to Choco or make them available via one of the selected transmission technologies. Choco shall import them in real time or at least every 24 hours (unless explicitly defined otherwise).

Technical procedure for transmission of other components shall be agreed by the Parties. Unless agreed otherwise, both Parties shall use commercially reasonable efforts to transmit all components through Integration in real time.

Onboarding and Support -GTC

Last updated 18th January 2024

These Onboarding and Support General Terms and Conditions (the "O&S-GTC") together with the Main Services Agreement (the “MSA”) govern Choco’s performance of the Onboarding and Support Services as described in the Order Form or agreed elsewhere between the Parties (“O&S Services”) and the Parties’ obligations in relation to that.

These O&S-GTC constitute an integral part of the Agreement entered into by and between Choco and Supplier. Capitalized terms not otherwise defined herein shall have the respective meanings assigned to them in the Agreement. In the event of any inconsistency between these O&S-GTC and the Agreement, the order of precedence prescribed in the MSA shall apply.

1 Provision of the O&S Services

1.1 The Parties shall agree on a project plan for providing the O&S Services and Supplier shall appoint a project manager who will attend all the meetings and complete or arrange for completion of all Supplier activities as outlined in the project plan.

1.2 At the sole discretion of Choco, training may be given via workshops, training materials, dedicated point of contacts or any alternative methods. The Parties shall mutually agree on the time, duration, group of participants and location of such training. Unless otherwise agreed, training shall take place virtually. Both Parties shall be entitled to postpone agreed training dates with reasonable notice in advance of the agreed date.

1.3 Supplier asks Choco to onboard its Customers to the Cloud Service and Choco shall use commercially reasonable efforts to do so. Any contact with the Supplier’s Customers made by Choco for this purpose is made exclusively on behalf and in the name of Suppler, as well as in accordance with the instructions issued by Supplier. The Parties shall agree on when, how and to what extent Choco should contact Supplier’s Customers. In no case does Choco owe a duty to ensure a successful approach.

1.4 Subject to a respective agreement between the Parties, Choco shall create Choco Deliverables for the purpose of introducing the Cloud Service to Supplier’s Customers. Supplier shall use the Choco Deliverables only for the purpose they are created for and shall be solely responsible for the use of the Choco Deliverables, including the uses made by Choco upon Supplier’s instructions.

2 Supplier Obligations and Warranties

2.1 Supplier shall provide Choco with all information, documents and other materials required for onboarding Supplier and its Customers to the Cloud Service, setting up their accounts and implementing the Cloud Service (the “Supplier Deliverables”) in a timely manner upon Choco's request. Such information includes, without limitation, Supplier’s delivery days, cut-off times and its product catalogue containing all the products in Supplier’s product range together with their designation, product number, name, ID, availability, order unit, list price and image (“Product Catalogue”), which will be displayed in Supplier’s account on the Cloud Service to its Customers.

2.2 For onboarding its Customers, Supplier shall provide a list of all - or the number specified in the Order Form – of Customers, including at least the customer number, name, address, telephone number, email address of the Customer, as well as telephone number and email address of one contact person, and order history of those Customers for the last two hundred (200) days in order to be turned into individual shopping lists for the Customers (“Order Guide”).

2.3 If there are Customers who are already registered with the Cloud Service, Supplier shall provide the Order Guides of such Customers immediately upon signing the Agreement. If a Customer registers for the use of the Cloud Service for the first time, then Supplier shall provide Choco with the Order Guides of such Customers without undue delay (but no later than within twenty-four (24) hours). Supplier shall ensure that the products reported in the Order Guides are also listed in the Product Catalogue and that the products in the Order Guide and in the Product Catalogue can be assigned to each other by means of a clear, identical product number. Unless explicitly indicated by Supplier, any Customer related information provided throughout the Agreement will may be used by Choco for onboarding purposes.

2.4 Supplier warrants that its directives in relation to O&S Services do not violate any applicable legal requirements or third-party rights and that all legal requirements are fulfilled to allow Choco to provide the O&S Services. In particular, Supplier warrants that it has obtained all necessary consents for Choco to legally contact its Customers for the provision of the O&S Services.

2.5 Supplier warrants that the individuals who are contacted by Choco upon the Supplier’s directives are authorized to represent the respective Customer and make use of the Cloud Service on behalf of the respective Customer.

3 Indemnification

3.1 Supplier shall indemnify Choco, its employees, representatives, group companies against all third-party claims, demands, actions, proceedings, losses, fines, penalties, awards, liabilities, damages, compensation, settlements, charges and expenses (including legal costs) asserted against Choco in relation to performance of the O&S Services.

3.2 Choco shall inform Supplier without undue delay about any claims asserted by third parties and shall - upon request - provide the information and documents required for the defense. In addition, Choco shall at its own discretion either relinquish the defense to Supplier or engage in a defense in consultation with Supplier. In the absences of consultation with Supplier, Choco shall above all neither acknowledge nor dispute any claims asserted by third parties, except where Supplier has not responded to Choco's notification of the claim within a reasonable time period.

4 Warranty

4.1 Except as provided otherwise in an Order Form, all warranties, representations, conditions and all other terms of any kind whatsoever implied by law are, to the fullest extent permitted by applicable law, excluded from these O&S-GTC.

White Label TCs

Last updated 15th July 2024

This White Label Terms and Conditions (the “WL-TC”) together with the Main Services Agreement (“MSA”) govern branding of the Choco's mobile app with Supplier’s name and logo (the “WL-App”), licensing of the WL-App to Supplier’s Customers and the operation and maintenance of the WL-App.

The WL-TC constitutes a Service Specific Term and is incorporated into the Agreement entered into by and between Choco and Supplier by reference. Capitalized terms not otherwise defined herein shall have the respective meanings assigned to them elsewhere in the Agreement. In the event of any inconsistency or conflict between the WL-TC and the MSA, WL-TC shall prevail.

1. License Grant. Choco hereby grants to Supplier a limited, revocable, non-exclusive, non-transferable license to use the WL-App, and grants Supplier the right to sublicense the WL-App to Supplier’s Customers during the term of the Agreement to access and use it solely for placing orders from Supplier and for communication with Supplier, subject to the Choco’s End-User Terms (as defined below) and the terms agreed herein. The WL-App may not be used on behalf of or for the benefit of a third party other than Supplier.

2. Branding. The WL-App will be branded with the Supplier's name and logo. It will include an acknowledgement as "Powered by Choco". Supplier is solely responsible for securing its own copyrights, trademarks and all other intellectual property rights for use of Supplier’s name and logo in the WL-App.

3. Hosting and support. The WL-App will be operated, hosted and maintained by Choco and any customer support to Supplier’s Customers will be provided by Choco in accordance with Choco’s standard support policies.

4. App submission. The WL-App will be submitted to the mobile application stores under Supplier’s developer account. Supplier is responsible for maintaining its developer accounts in good standing and for all associated costs. Supplier will provide Choco with administrator access to its developer account to submit the WL-App for listing on the respective application stores and to maintain the WL-App.

5. Marketing. Supplier may market and promote the WL-App on any form of media, but shall not claim any ownership of the WL-App.

6 Use by Customers. Supplier’s Customers shall not further sublicense nor distribute the WL-App, and use of the WL-App by the Customers shall be subject to Choco’s “Terms and Conditions for App Use” or any other end user terms as determined by Choco (“Choco End-User Terms”). The WL-App will be provided to Supplier’s Customers and such individual end users who are personnel of the Customers, on a strictly “as is” basis, and for free (i.e. Supplier cannot charge its Customers for the WL-App licensed hereunder). Supplier will remain responsible and liable towards Choco for all of its Customers and their end users’ (whether authorized or not) use of the WL-App in accordance with Choco End-User Terms and for their acts and omissions. Choco reserves the right to suspend Suppliers’ Customers access to the WL-App in the event of any violation of Choco End-User Terms.

7. Functionality of WL-App. WL-App will enable Supplier’s Customers to communicate with the Supplier and place orders to Supplier. Choco may make additional functionalities available in the WL-App at its own discretion, but it makes no commitment or gives no guarantee to do so. Supplier acknowledges and accepts that not all of the functionalities available in the Choco's mobile app will be available in the WL-App and that Choco is under no obligation to make any additional functionalities available other than the ones indicated in the first sentence of this section.

8. Fees. The Fees for making the WL-App available will be agreed in the Order Form signed between the Parties or elsewhere in writing. 

9. Use by Supplier. The terms of the MSA will continue to govern the use of the WL-App by Supplier and its Authorized Users.

10. Limitation of liability. Choco’s warranties regarding use of the WL-App by Supplier’s Customers and its sole liability arising out of use of the WL-App by Supplier’s Customers are limited to those set out in the Choco End-User Terms. Specifically, Supplier understands that the WL-App is provided to Supplier’s Customers on an “as is” and “as available” basis without any warranties of any kind, whether express or implied, including, but not limited to, implied warranties of merchantability, fitness for a particular purpose, or non-infringement. Supplier shall be solely liable towards its Customers for any amounts and claims beyond what is undertaken in Choco End-User Terms.

11. Intellectual property. Supplier acknowledges and agrees that Choco and/or its licensors own or otherwise have all the necessary intellectual property rights in the WL-App and all derivative works thereto. Supplier does not have any rights in or to the WL-App, except for the limited express rights granted in this WL-TC.

12. Indemnification by Supplier. Supplier will indemnify, hold harmless, and defend Choco, its licensors, service providers, and their respective affiliates, directors, officers, agents, and employees, from and against any third party claim, suit, or proceeding arising out of or related to (i) any claims related to any infringement or violation of a copyright, trademark, trade secret, or confidentiality obligation by any Supplier branding and any other materials provided or published by Supplier on the WL-App, (ii) claims by Supplier’s Authorized Users or Customers, including claims related to unauthorized disclosure of personally identifiable or other private information, (iii) Supplier’s or its Customers’ and their users negligent acts or omissions in the operation of the WL-App, and their material breach of Supplier’s obligations, representations, warranties or covenants contained herein.

13. Miscellaneous. Unless specifically set forth in this WL-TC, all references to the Cloud Service in the Agreement shall include the WL-App as well.

Data Processing Agreement

Last updated 7th May 2024

Preamble

This Data Processing Agreement ("DPA") specifies the data protection obligations and rights of the Parties in connection with the personal data processed by Choco as a processor on behalf of Supplier when providing the Services as per the Agreement.

For the purposes of this DPA "Data Protection Laws" means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of personal data, including: (i) EU Regulation 2016/679 ("GDPR"); (ii) GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR; (iv) in the UK, the Data Protection Act 2018; (v) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC); and (vi) in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time; and the terms "data subject", "processing", "processor" and "controller" shall have the meanings set out in the Data Protection Laws. “Personal Data” has the meaning set out in Data Protection Laws but is limited to personal data processed by Choco acting as a processor on behalf of Supplier under the Agreement as further described in Annex 1 to this DPA below.

1. Subject and Scope of the Assignment

1.1 Choco shall process the Personal Data which Supplier has provided directly or indirectly for the provision of the Services exclusively on behalf of, and in accordance with the instructions of Supplier, unless it is otherwise required by the applicable law. In such a case, Choco shall notify Supplier of such legal requirements prior to the processing, unless the relevant law prohibits such notification.

1.2 The processing of Personal Data by Choco on behalf of Supplier is specified in Annex 1 to this DPA.

1.3 The duration of the processing corresponds to the duration of the Agreement.

1.4 Supplier warrants and represents that it has obtained all necessary consents and complied with all obligations required by Data Protection Laws for making available any Personal Data to Choco and for allowing collection of Personal Data by Choco on the Supplier’s behalf under this Agreement.

1.5 Supplier may issue further instructions regarding the scope of processing of Personal Data. If Choco is of the opinion that a Supplier instruction violates this DPA or Data Protection Laws, it shall without undue delay inform Supplier thereof in writing. Choco shall be entitled to suspend the execution of such instruction until Supplier confirms it in writing. If Supplier insists on the execution of an instruction despite the concerns raised by Choco, Supplier shall indemnify Choco against all damages and costs that it incurs due to the execution of the Supplier's instruction. Choco shall inform Supplier of any damages asserted against it and any costs incurred by it and shall not acknowledge any claims of third parties without Supplier’s consent and shall, at Choco’s option, conduct the defense in consultation with Supplier or leave it to Supplier.

2. Requirements of Personnel

2.1 Choco shall ensure that all persons who are authorized to have access to Personal Data are either under a contractual obligation to maintain confidentiality or are under an appropriate statutory obligation of confidentiality when processing the Personal Data.

3. Processing Security

3.1 Choco shall implement and maintain throughout the term of the Agreement appropriate technical and organizational measures specified in Annex-2 to this DPA ("TOM"), to ensure a level of protection of the Personal Data commensurate to the risk, taking into account the state of the art, the cost of implementation and, to the extent known to Choco, the nature, scope, circumstances and purposes of the processing of the Personal Data and the varying likelihood and severity of the risk to the rights and freedoms of the data subjects. Choco shall regularly assess the effectiveness of the TOMs and implement alternative measures if necessary for ensuring appropriate level of security.

3.2 It shall be incumbent upon Supplier to review the TOM taken by Choco, particularly to review whether these measures are also sufficient with regard to circumstances of the data processing that are not known to Choco.

4. Use of Sub-Processors and Data Transfers

4.1 Supplier generally authorizes Choco to make use of the services of its affiliates and sub-processors when processing the Personal Data.

4.2 The current sub-processors which are engaged by Choco are listed in Annex 3 to this DPA. Choco shall impose substantially similar data protection obligations vis-a-vis its sub-processors which are no less protective than the ones set out under this DPA and will remain liable towards the Supplier for its sub-processors’ performance under this DPA.

4.3 Choco will update the list of sub-processors in Annex 3 to this DPA before authorizing a new sub-processor to process Personal Data on behalf of Supplier. If Supplier wants to receive an individual notification of an update to the list of sub-processors, it shall sign up to the notification mechanism available in Annex 3 to this DPA. If Supplier does not object within 14 days following Choco’s notification by sending an email to legal@choco.com, then the engagement shall be deemed approved. If Supplier objects, Choco shall be entitled, at its choice, to either provide the Services without using the rejected additional sub-processor or to terminate the Agreement.

4.4 Supplier authorizes Choco, its affiliates and its sub-processors to transfer, access or process Personal Data outside the UK or the European Economic Area ("EEA"), provided that the requirements for such transfer, access or processing under Data Protection Laws are complied with.

5. Rights of the Data Subjects

5.1 Taking into account the nature of the processing of the Personal Data, Choco shall assist Supplier with appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Supplier’s obligation to respond to requests for exercising the data subject’s rights laid down in the Data Protection Laws.

5.2 Choco shall in particular:

  1. inform Supplier without undue delay if a data subject contacts Choco directly with a request to exercise his/her rights;
  2. provide Supplier upon Supplier's request with all information available to Choco regarding the processing of the Personal Data that Supplier needs to respond to the request of a data subject and that Supplier does not have itself;
  3. correct, delete or restrict the processing of the Personal Data without undue delay upon the instruction of Supplier, unless Supplier is able to do so itself and it is technically possible for Choco to do so;
  4. support Supplier to the extent necessary to receive the Personal Data processed in Choco’s sphere of responsibility - insofar as this is technically possible for Choco - in a structured, common and machine-readable format, insofar as a data subject asserts a right to data portability.

6. Support Obligations

6.1 Choco shall notify Supplier without undue delay after becoming aware of a breach of Personal Data. The notification shall include a description, if possible, of the nature of the breach; the categories and approximate number of data subjects affected by the breach; the probable consequences of the breach; of the measures taken or proposed by Choco to remedy the breach of the protection of the Personal Data and, if applicable, measures to mitigate its possible adverse effects.

6.2 Choco shall investigate the cause of the breach and, where appropriate, take reasonable measures to mitigate its possible adverse effects.

6.3 If Supplier is obliged to inform the supervisory authorities and/or data subjects about the personal data breach, Choco shall assist the Supplier with complying with this obligation, taking into account the nature of processing and the information available to Choco. Any additional costs incurred by Choco in this context, which exceed statutory processor obligations under the applicable law shalll be borne by Supplier.

6.4 Choco shall notify Supplier of any subpoena or other judicial or administrative order, process or proceeding seeking access to, or disclosure of, the Personal Data insofar as such notification is not prohibited by law. If Supplier is obliged to provide information to a supervisory authority regarding the processing of the Personal Data or to otherwise cooperate with such authorities, Choco shall support Supplier in providing such information insofar as Supplier does not have the information itself and reasonably cooperate with Supplier and with supervisory authorities, including granting the competent supervisory authority the necessary rights of access, information and inspection.

6.5 Choco shall provide reasonable assistance to Supplier regarding Supplier’s compliance with its obligations related to security of processing, data protection impact assessments and prior consultations with the supervisory authorities in each case taking into account the nature of the processing and information available to Choco. Any additional costs incurred by Choco in this context, exceeding the foreseen statutory processor obligations under the applicable law, will be borne by Supplier.

7. Data Deletion and Return

7.1 Upon termination of the Agreement and written request from Supplier, Choco will either delete or return the Personal Data, unless Choco is obliged to continue storing the Personal Data under applicable law.

7.2 Some Personal Data may be archived in Choco’s back-up systems and such archived Personal Data will be deleted in accordance with Choco’s retention policy. Any Personal Data archived in backups will be isolated and protected from any further processing. For the period that the data is stored after the termination of the Agreement, the rights and obligations of the Parties under this DPA shall continue to apply.

8. Verifications and Audits

8.1 Choco shall keep records of its processing activities performed on behalf of Supplier and make available to Supplier upon request these records or any other information necessary to demonstrate compliance with statutory processor obligations set out under the Data Protection Laws.

8.2 Choco shall allow for and contribute to audits, including on-site inspections, by Supplier or an auditor mandated by Supplier in relation to the processing of the Personal Data. The audits and on-site inspections shall not hinder Choco in its normal business operations and should not place an undue burden on Choco. In particular, on-site inspections at Choco for no specific reason shall not take place more than once per calendar year and only during Choco’s normal business hours. Supplier shall notify Choco of inspections in written or text form at least 30 (thirty) days in advance, providing Choco with reasonable information about the scope, duration, and inspection plan. Supplier and Choco shall cooperate in good faith and mutually agree on the scope, duration, and start date of the inspection. Any costs incurred by Choco for any on-site inspections which are not clearly disproportionate or excessive, will be borne by the Supplier. Any auditor mandated by Supplier shall be an independent contractor that does not compete with Choco and such auditor may not commence its work prior to having executed a non-disclosure agreement with Choco.

9. Miscellaneous

9.1 Each Party’s and their affiliates’ liability taken together in the aggregate arising out of or related to this DPA whether in contract, tort, or under any other theory of liability, shall be subject to the limitation of liability provisions of the Agreement.

9.2 This DPA, including its annexes, constitutes an integral part of the Agreement between Choco and Supplier. If there are any inconsistencies between this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.

9.3 Any amendments and/or side agreements to any parts of this DPA must be made in writing. This rule also applies to this written form requirement itself. The governing law and jurisdiction under the Agreement shall apply accordingly for any parts of this DPA.

Annex 1 - Description of Personal Data Processing

Purpose of data processing

Provision of the Onboarding and Support Services, Cloud Service and Integration Services

Nature and scope of data processing

Collection, processing, storage and transfer of Personal Data as necessary for provision and maintenance of the following Services:

  • Onboarding Services, such as introducing the Cloud Service to Authorized Users and Customers of Supplier, setting up accounts and execution of promotions for introducing the Cloud Service to its Customers
  • Support Services, such as responding to questions of Authorized Users or Customers
  • Cloud Service, such as the transmission of orders and messages, provision of analytic reports about orders and/or communications sent via the Cloud Service, provision of Choco-AI and other functionalities agreed between the parties
  • Building an Integration between the Cloud Service and Supplier’s ERP and
  • any other services as may be instructed by Supplier.

Type of data

  • Name
  • Email address
  • Phone number
  • Title and company name
  • Log-in data
  • Onboarding messages statistics
  • In-App Campaign message statistics
  • Any other personal data that may be provided directly or indirectly by Supplier, its Authorized Users and/or Personnel of its Customers

Group of data subjects

  • Supplier’s Authorized Users
  • Personnel of Supplier’s Customers
  • Personnel of potential customers of the Supplier, if applicable

Duration of processing

For the duration of the Agreement as further set out in Section 7 of DPA


Annex 2 - Technical and Organizational Measures

Taking into account the state of the art, the costs of implementation and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, Choco shall, in its capacity as data processor, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, but not limited to, the following:

1 Confidentiality

1.1 Physical access control

Choco shall take appropriate measures to reduce the risk of unauthorized persons gaining access to data processing systems with which Supplier’s personal data are processed and used.

Technical measures

Automatic access control systems, control of access by gatekeeper services and alarm systems

Lockable server cabinets

key regulation, service directives stipulating that service rooms are to be locked when employees are absent

1.2 System access control

Choco shall take appropriate measures to prevent data processing systems (computers) from being used by unauthorized persons. For this purpose, Choco shall take the following precautions:

Technical measures:

  • Login with username + password
  • Smartphone encryption
  • Encryption of company laptops
  • Remote laptop management
  • Deployment of anti-virus software for laptops and systems

Organizational measures:

  • Manage user permissions
  • Create user profiles
  • Policies on use of Company Hardware
  • General policy on data protection and / or security

1.3 Data access control

Choco shall take appropriate measures to ensure that the persons authorized to use the data processing systems can only access the personal data subject to their access authorization and that the Personal Data of Supplier cannot be read, copied, modified or removed without authorization during processing, use and after storage. For this purpose, Choco shall take the following precautions:

Technical measures:

Erasure of data carriers on laptops before reuse.

Logging of access to important documents, especially when entering, changing and deleting data.

File shredder (min. level 3, cross cut)

Organizational measures:

  • Creating an authorization concept
  • Management of rights by system administrator
  • Reduction in the number of administrators
  • Closed area for sensitive documents

1.4 Separation control

Choco shall take appropriate measures to ensure that the Personal Data of Supplier collected for different purposes can be processed separately. For this purpose, Choco shall take the following precautions:

Technical measures:

  • Separate storage on different software
  • Software-based customer separation

Organizational measures:

  • Creation of an authorization concept
  • Determination of database rights

2 Integrity

2.1 Transmission control

Choco shall take reasonable measures to reduce the risk that the Personal Data of Supplier can be read, copied, modified or removed without authorization during electronic transmission or during their transport or storage on data carriers. To this end, Choco shall take the following precautions:

Technical measures:

  • Email encryption
  • Logging of accesses and retrievals of important documents and data
  • Provision via encrypted connections such as sftp, https

2.2 Data input control

Choco shall take appropriate measures to ensure that it is possible to check and determine retrospectively whether and by whom personal data of the customer have been entered into data processing systems, changed or removed. For this purpose, Choco shall take the following precautions:

Technical measures:

  • Possibility of technical logging of the entry, modification and deletion of personal data.

Organizational measures:

  • Traceability of entry, modification, and deletion of personal data through individual user names.
  • Retention of forms from which personal data have been transferred to automated processing operations.
  • Assignment of rights to enter, change, and delete personal data on the basis of an authorization concept.

3 Availability and resilience

3.1 Availability control

Choco shall take reasonable measures to ensure that the Personal Data of Supplier is protected against accidental destruction or loss. For this purpose, Choco shall take the following precautions:

Technical measures:

  • Fire and smoke detection systems
  • Careful selection of the hosting service provider

Organizational measures:

  • Regular control of the hosting service provider

4 Procedures for regular review, assessment and evaluation.

Choco shall implement procedures for regular review, assessment and evaluation of the effectiveness of technical and organizational measures to ensure the security of processing.

4.1 Data protection management

Organizational measures:

  • Central documentation of all procedures, regulations and guidelines on data protection with access for employees as required / authorized
  • A review of the effectiveness of the technical protective measures is carried out regularly
  • Employees trained and committed to confidentiality
  • Raising employee awareness through training

4.2 Incident response management

Organizational measures:

  • Documentation of security incidents and data breaches
  • Regulation of responsibilities for the follow-up of security incidents and data breaches
  • Security breach response support.
  • Formalized process for handling requests for information from data subjects is in place.

Annex 3 - Sub-processor List

You may find the list of sub-processors and the notification mechanism for new sub-processors at https://legal.choco.com/supplier-subprocessors

Service Description

The following contains a description of the Services. Supplier shall only receive the Services which are included in the signed Order Form or which are subsequently agreed to by the Parties in writing. Capitalised terms used in this Service Description shall have the meaning assigned to them elsewhere in the Agreement.

  • Cloud Service:
    • Choco Order Management: Cloud-based web platform and mobile app (Choco App) featuring omnichannel order management and communication solutions which provide the ability to:
      • digitise order intake across a broad range of channels through Choco-App (in-app orders) and Choco-AI (email, text, WhatsApp, voicemail)

      • integrate orders seamlessly into Supplier’s ERP systems for simplified workflows

      • receive overviews of Customers’ order trends to better manage customer relationships,

      • offer a differentiated e-commerce ordering experience for Customers by bringing Supplier’s product catalogue to life in the preferred channel

      • gain control over order inflow by defining minimum order values, delivery days and cut-off time

      • easily promote products and run targeted marketing campaigns

      • easily set access rights and permissions to staff members based on their role

      • obtain access to product and tech support through Choco’s customer support

      • obtain access to support and advice from industry thought leaders with the Choco customer success team.

    • Choco White Label App: Obtain access to, and receive ongoing maintenance for, a bespoke version of the Choco-App which incorporates and operates under Supplier's logo and branding and thereby provides a premium brand experience for Supplier’s Customers when interacting online

  • Implementation Services:

    • Onboarding and Support Services:
      • comprehensive support for account setup ensuring the digitization of product catalogs and tailoring the Choco App to specific needs

      • in-depth training sessions for Suppliers and their teams, guiding them on how to effectively use the Cloud Service

      • assistance for Suppliers in introducing the Cloud Service to Customers, executing joint promotional activities to drive adoption, and setting up Customer accounts for immediate use. This process ensures a smooth transition and maximises operational efficiency from day one

      • best practice advisory on operational questions ranging from IT infrastructure, to process enhancements and sales related optimization

      • pre-training for Choco-AI: Bespoke Supplier-specific optimisation of AI models using historical order information to ensure the highest level of accuracy

    • Integration Services:
      • comprehensive integration services connecting the Cloud Service with Suppliers’ ERP systems enabling seamless data synchronisation and process automation across both platforms

      • ensure real-time data flow and improve the overall efficiency of order management operations for all relevant ERP systems through Choco’s standard connectors or customer builds