Terms of Service

1.1 Flouzo SARL dba OpenCraft, 78 allée Primavera, Centre Ubidoca, 74370 Annecy, France (“OpenCraft” or “we/us/our”) provides a web application that helps its users (the “User”) to keep track of recurring business processes that is accessible under https://www.listaflow.com/ (the “Service”).

1.2 These Terms of Use (“the Terms”) guide the legal relationship between OpenCraft and the User (“the Agreement”) and apply to all (especially legal binding) actions of the User and OpenCraft on or in connection with the Service, including the registration of a User Account.

2.1 To use Listaflow, the User has to register and open an account (the "User Account”).

2.2 The User can register by visiting the website www.listaflow.com and using the contact form on the sign up page to get into contact with OpenCraft. OpenCraft will then send an email to the User including all necessary information including information on pricing. This email is OpenCraft’s binding offer to the User to open the User Account and sign up for Listaflow. The user can accept the offer and enter into the contract with OpenCraft by writing back to OpenCraft and stating that he/she accepts the offer.

2.3 The User must be at least 18 years old and in full legal capacity to open a user account. As of right now Listaflow is not available for consumers (Sec. 13 of the Civil Code Germany; Bürgerliches Gesetzbuch). OpenCraft reserves the right to ask the User for verification that the User does not conclude the contract in his/her capacity as a consumer.

2.4 The User can correct or rectify any information at any time by using the functions of their email program. The User can also at any time get into contact with OpenCraft to rectify their information.

2.5 The User can access these terms anytime on the Service’s website in the most recent version. The Agreement is concluded in English and the Terms are available in English exclusively.

3.1 ListaFlow is a web application that is hosted and configured by OpenCraft and made accessible to the User via the internet.

3.2 ListaFlow helps its Users to track business practices and processes that need to be done periodically. To achieve this Users can create checklists, subsections and tasks which the User can assign to specific teams.

3.3 ListaFlow is still in development and OpenCraft will experiment with features and might add new or delete existing features. The core functionality as specified in section 3.2 will be maintained during the contractual term.

3.4 OpenCraft will make the code and documentation of ListaFlow available on its Gitlab group under www.gitlab.com/opencraft/dev/listaflow.

4.1 All prices agreed upon are net prices and are exclusive of any applicable taxes.

4.2 The payment is due for the first month immediately after the conclusion of contract and then upfront at the beginning of each month. OpenCraft uses the payment provider Stripe of the Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland). Stripe provides several options to process the payment, including Credit Card, iDeal, Klarna, Apple Pay and Google Pay. OpenCraft will show the specific options during the payments. A transfer via SEPA is not supported. The payment process may be subject to separate terms depending on the chosen option.

5.1 OpenCraft grants the User a non-exclusive, non-transferable, worldwide right to access and use the Service for his own purposes for the duration of this Agreement via the internet or any other data connection as an SaaS-Service for User’s business purposes. A perpetual licence to use the Backend is explicitly not granted.

5.2 The User grants OpenCraft all rights necessary to any content or material (the “Content”) send or uploaded by the User to fulfil the contractual purposes of the Agreement as specified in these Terms.

6.1 OpenCraft shall implement appropriate measures to ensure the continuous availability and error-free functionality of the Service. However, the User acknowledges that for technical reasons and due to the dependence on external influences, OpenCraft cannot guarantee the uninterrupted availability of the Service.

6.2 OpenCraft will occasionally carry out maintenance tasks to ensure the functionality or extension of the Service. These tasks may lead to a temporary impairment of the usability of the Service.

7.1 OpenCraft is liable for damage that is caused willfully or with gross negligence, or that is the consequence of the absence of a warranted condition of the services, or that is caused by a culpable (meaning: at least negligent) breach of an essential contractual obligation (“Cardinal Duty”, cp. Section 9.2), or that is the consequence of a culpable infringement of health, body or life, or under the legal requirements that are provided for by the German “Produkthaftungsgesetz” (Product Liability Law).

7.2 “Cardinal Duties” are contractual obligations, without the fulfillment of which due performance of the contract would not be possible, in the fulfillment of which the contractual partner may trust, and whose infringement on the other side endangers the achievement of the purpose of the contract.

7.3 In the event of the breach of an essential contractual obligation, however, OpenCraft’s liability is restricted to damage that can be typically foreseen with regard to contracts such as the one between OpenCraft and the User to the extent the damage is based on slight negligence only and does not affect health, body or life.

7.4 Except for the cases defined in Clause 7.1 to Clause 7.3, OpenCraft’s or its vicarious agent’s liability, or the liability of the persons employed in the performance of OpenCraft’s obligations under this Agreement, for whatever reason is excluded.

7.5 If OpenCraft is liable for the loss of the user's data under the provisions 9.1 to 9.4, OpenCraft’s liability is limited to the typical recovery costs that would have been incurred even if the user had regularly made backups according to the risk.

8.1 For a comprehensive information on how OpenCraft collects, processes, or uses personal data of the User in the context of the Agreement and the usage of the Service, please refer to ListaFlow’s Privacy Policy.

8.2 Insofar as any Content provided by the User contains personal data of third parties (such as Users or employees), the User remains the controller of such data and OpenCraft shall act as the User’s processor of personal data pursuant to the GDPR. For these purposes, the parties conclude the data processing agreement in Addendum 1.

9.1 OpenCraft has the right to introduce additional functions to the Service and add corresponding rules to the Terms. OpenCraft shall announce these changes at least four weeks before they enter into force to the user by email. If the User does not object in text form (e.g. letter, fax, e-mail) within a period of two weeks, beginning with the day following the announcement of the changes, OpenCraft assumes that the User agrees to the changes.

9.2 OpenCraft shall inform the User in the notice of his right to object, its requirements and consequences. If the User objects to the changes, the contractual relationship shall be continued under the most recent version of the Terms before the change. In such case, OpenCraft reserves the right to terminate the contractual relationship with effect to the next possible date.

9.3 Otherwise, a change of the terms of use is possible at any time with the consent of the user.

10.1 The term of this Agreement is indefinite , starting from the date the contract is concluded. The contract can be cancelled with effect to the end of the respective month with a notice of two weeks.

10.2 The right to terminate for good cause shall remain unaffected.

11.1 The sole place of jurisdiction for all differences arising out of or in connection with this Agreement shall be Berlin, Germany if the User is a merchant pursuant to the German Commercial Code (Handelsgesetzbuch), a legal entity of public law or a public special fund. Additionally, this shall be the case if the User’s place of residence or usual place of residence is unknown at the time of making the complaint is filed or it is moved out of the scope of the German Code of Civil Procedure after the Agreement is concluded. Statutory provisions regarding exclusive jurisdiction shall remain unaffected.

11.2 This Agreement shall be governed and construed in accordance with the laws of the Federal Republic of Germany under exclusion of German International Private Law and the UN Convention on the International Sale of Movable Goods.

11.3 If any provision of this Agreement is entirely or partly invalid or unenforceable, this shall not affect the validity and enforceability of any other provision of this Agreement. The invalid or unenforceable provision shall be regarded as replaced by such valid and enforceable provision that as closely as possible reflects the economic purpose that both parties hereto had pursued with the invalid or unenforceable provision.

by and between
the User,  as identified on the Agreement

– hereinafter, “User”–,

and OpenCraft as identified in the Agreement
– hereinafter, “OpenCraft”–,

on the processing of personal data on behalf of a controller in accordance with Article 28 (3) of the EU General Data Protection Regulation (GDPR).

Preamble
This Data Processing Agreement (“DPA”) details the parties’ obligations on the protection of personal data, associated with the processing of personal data on behalf of the User as a data controller, and described in detail in the Agreement for Open edX hosting (hereinafter, the “Agreement”). Its provisions shall apply to any and all activities associated with the Agreement, in whose scope OpenCraft’s employees or agents may process User’s personal data (hereinafter, “Data”) on behalf of User as a controller (hereinafter, “Data Processing”).

1.1 The scope and duration and the detailed stipulations on the type and purpose of Data Processing shall be governed by the Agreement.

1.2 Specifically, the Data Processing shall include, but not be limited to, the following Data:

1.3 Except where this DPA stipulates obligations beyond the term of the Agreement, the term of this DPA shall be the term of the Agreement.

2.1 OpenCraft shall process Data on behalf of User. Such Data Processing shall include all activities detailed in the Agreement. Within the scope of this DPA, the parties shall be responsible for compliance with the applicable statutory requirements on data protection. The User shall be responsible specifically for the lawfulness of disclosing Data to OpenCraft and the lawfulness of having Data processed on behalf of User. User shall be the »controller« in accordance with Article 4 no. 7 of the GDPR.

2.2 User’s individual instructions on Data Processing shall, initially, be as detailed in the Agreement. User shall, subsequently, be entitled to, in writing or in a machine-readable format (e.g. via email), modify, amend or replace such individual instructions by issuing such instructions to the point of contact designated by OpenCraft. Instructions not foreseen in or covered by the Agreement shall be treated as requests for changes to the Agreement. User shall, without undue delay, confirm in writing or by email any oral instruction given.

3.1 Except where expressly permitted by Article 28 (3)(a) of the GDPR, OpenCraft shall process data subjects’ Data only within the scope of the Agreement and the instructions issued by User. Where OpenCraft believes that an instruction would be in breach of applicable law, OpenCraft shall notify User of such belief without undue delay. OpenCraft shall be entitled to suspending performance on such instruction until User confirms or modifies such instruction.

3.2 OpenCraft shall, within OpenCraft’s scope of responsibility, organize OpenCraft’s internal organization so it satisfies the specific requirements of data protection. OpenCraft shall, in particular, implement technical and organizational measures to ensure the adequate protection of User’s Data, which measures shall fulfil the requirements of the GDPR and specifically its Article 32. 

3.3 OpenCraft shall implement technical and organizational measures and safeguards that ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services. The technical and organizational measures implemented by OpenCraft at the time of entering into this DPA are set forth in Annex 1 to this DPA. . It shall be User’s responsibility that such measures ensure a level of security appropriate to the risk. OpenCraft reserves the right to modify the measures and safeguards implemented, provided, however, that the level of security shall not be less protective than initially agreed upon as per OpenCraft's Security Policy. OpenCraft’s Security Policy can be accessed via its public OpenCraft handbook, available under the address: www.handbook.opencraft.com/en/latest/security_policy. It is User’s responsibility to inform himself on whether the technical and organizational measures have been updated.

3.4 OpenCraft shall support User, insofar as is agreed upon by the parties, and where reasonably possible for OpenCraft, in fulfilling data subjects’ requests and claims, as detailed in chapter III of the GDPR and in fulfilling the obligations enumerated in Articles 33 to 36 of the GDPR.

3.5 OpenCraft warrants that all employees involved in Data Processing of User’s Data and other such persons as may be involved in Data Processing within OpenCraft’s scope of responsibility shall be prohibited from processing Data outside the scope of the instructions. Furthermore, OpenCraft warrants that any person entitled to process Data on behalf of Controller has undertaken a commitment to secrecy or is subject to an appropriate statutory obligation to secrecy. All such secrecy obligations shall survive the termination or expiration of such Data Processing.

3.6 OpenCraft shall notify User, without undue delay, if OpenCraft becomes aware of breaches of the protection of personal data within OpenCraft’s scope of responsibility. OpenCraft shall implement the measures necessary for securing Data and for mitigating potential negative consequences for the data subject; OpenCraft shall coordinate such efforts with User without undue delay.

3.7 OpenCraft’s point of contact for any issues related to data protection arising out of or in connection with the Agreement is Xavier Antoviaque: privacy@opencraft.com.

3.8 OpenCraft warrants that OpenCraft fulfils its obligations under Article 32 (1)(d) of the GDPR to implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

3.9 OpenCraft shall correct or erase Data if so instructed by User and where covered by the scope of the instructions permissible. Where an erasure, consistent with data protection requirements or a corresponding restriction of processing is impossible, OpenCraft shall, based on User’s instructions, and unless agreed upon differently in the Agreement, destroy, in compliance with data protection requirements, all carrier media and other material or return the same to User. In specific cases designated by User, such Data shall be stored or handed over. The associated remuneration and protective measures shall be agreed upon separately, unless already agreed upon in the Agreement. 

3.10 OpenCraft shall, upon termination of Data Processing and/or upon User’s instruction, return all Data, carrier media and other materials to User or delete the same. In case of testing and discarded material no instruction shall be required.

3.11 User shall bear any extra cost caused by deviating requirements in returning or deleting data.

3.12 Where a data subject asserts any claims against User in accordance with Article 82 of the GDPR, OpenCraft shall support User in defending against such claims, where possible, against a reasonable compensation.

4.1 User shall notify OpenCraft, without undue delay, and comprehensively, of any defect or irregularity with regard to provisions on data protection detected by User in the results of OpenCraft’s work. 

4.2 Section 3.10 of this DPA shall apply, mutatis mutandis, to claims asserted by data subjects against OpenCraft in accordance with Article 82 of the GDPR.

4.3 User shall notify to OpenCraft the point of contact for any issues related to data protection arising out of or in connection with the Agreement.

Where a data subject asserts claims for rectification, erasure or access against OpenCraft, and where OpenCraft is able to correlate the data subject to User, based on the information provided by the data subject, OpenCraft shall refer such data subject to User. OpenCraft shall forward the data subject’s claim to User without undue delay. OpenCraft shall support User, where possible, and based upon User’s instructions. OpenCraft shall not be liable in cases where User fails to respond to the data subject’s request, or fails to do so correctly and/or in a timely manner.

6.1 OpenCraft shall document and prove to User OpenCraft’s compliance with the obligations agreed upon in this DPA by appropriate measures.

6.2 Where, in individual cases, audits and inspections by User or an auditor appointed by User are necessary, such audits and inspections will be conducted during regular business hours, and without interfering with OpenCraft’s operations, upon prior notice, and observing an appropriate notice period. OpenCraft may also determine that such audits and inspections are subject to prior notice, the observation of an appropriate notice period, and the execution of a confidentiality undertaking protecting the data of other Users and the confidentiality of the technical and organizational measures and safeguards implemented. OpenCraft shall be entitled to reject auditors that are competitors of OpenCraft.

6.3 User hereby consents to the appointment of a competent, independent external auditor by OpenCraft if OpenCraft so choses, provided that OpenCraft provides a copy of the audit report to User.

6.4 OpenCraft shall be entitled to request a remuneration for OpenCraft’s support in conducting inspections where such remuneration has been agreed upon in the Agreement. OpenCraft’s time and effort for such inspections shall be limited to one day per calendar year, unless agreed upon otherwise.

6.5 Where a data protection supervisory authority or another supervisory authority with statutory competence for User conducts an inspection, Section 6.2 of this DPA above shall apply mutatis mutandis. The execution of a confidentiality undertaking shall not be required if such supervisory authority is subject to professional or statutory confidentiality obligations the breach of which is sanctionable under the applicable criminal code.

7.1 User hereby consents to OpenCraft’s use of sub-processors. OpenCraft shall, prior to the use or replacement of sub-processors, inform User thereof. The approved sub-processors are listed in Annex 2 to this DPA.

7.2 OpenCraft shall conclude with such sub-processors the contractual instruments necessary to ensure an appropriate level of data protection and information security in accordance with Article 28 (4) GDPR. Where OpenCraft commissions sub-processors, OpenCraft shall be responsible for ensuring that OpenCraft’s obligations on data protection resulting from the Agreement and this DPA are also valid and binding upon sub-processors.

8.1 Where the Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in OpenCraft’s control, OpenCraft shall notify User of such action without undue delay. OpenCraft shall, without undue delay, notify to all pertinent parties in such action, that any data affected thereby is in User’s sole property and area of responsibility, that data is at User’s sole disposition, and that User is the responsible body in the sense of the GDPR.

8.2 No modification of this DPA and/or any of its components – including, but not limited to, OpenCraft’s representations and warranties, if any – shall be valid and binding unless made in writing or in a machine-readable format (in text form), and furthermore only if such modification expressly states that such modification applies to the regulations of this DPA. The foregoing shall also apply to any waiver or modification of this mandatory written form.

8.3 In case of any conflict, the data protection regulations of this DPA shall take precedence over the provisions of the Agreement. Where individual regulations of this DPA are invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected.

The provisions on the parties’ liability contained in the Agreement shall be valid also for the purposes of Data Processing, unless expressly agreed upon otherwise.

OpenCraft’s most recent technical and organizational measures can be accessed via its OpenCraft handbook, available under the address: www.handbook.opencraft.com/en/latest/security_policy

Digital Ocean
Listaflow is hosted on Digital Ocean. We have concluded a DPA with Digital Ocean as well as Standard Contractual Clauses. Digital Ocean is also certified under the Data Privacy Framework so that an adequate level of data protection is ensured.

Gandi.net
Gandi.net is our DNS provider and we do not store PII on Gandi.net

Google
Google provides workspace applications that might be used to store PII. Information on signing the DPA can be found here.

Freshbooks
Freshbooks provides accounting software as a service and stores our Users information. Freshbook's DPA is part of the Service Agreement. Freshbooks processes personal data in Canada. Canada is subject to an adequacy decision of the European Commission so that an adequate level of data protection is ensured.

New Relic
New Relic provides performance monitoring services on our hosted systemsWe have concluded a DPA with New Relic as well as Standard Contractual Clauses. New Relic is also certified under the Data Privacy Framework so that an adequate level of data protection is ensured.

Sentry.io
Sentry offers an application monitoring solution designed to identify, monitor, and alert developers to errors, bugs, and other performance issues that are occurring in their applications. We have concluded a DPA with sentry.io as well as Standard Contractual Clauses. Sentry.io is also certified under the Data Privacy Framework so that an adequate level of data protection is ensured.

Tarsnap
We currently store backups of all our systems and client data on Tarsnap. Here is their DPA