Standard terms of sale - example

B2B SaaS business model

SUBSCRIPTION FORM        4

SUBSCRIPTION PERIOD (INITIAL TERM):        5

SUBSCRIPTION RENEWAL PERIOD (RENEWAL TERM):        5

Products and Services Pricing:        5

Add-on subscriptions        7

Payment Information        7

Contact Information        7

User Customization        8

Terms of Service        8

COMPANY Subscription Terms        9

DOCUMENTS        9

RIGHT TO ACCESS AND USE        9

PROVISION OF THE SERVICE        9

SUPPORT        10

ADDITIONAL FEATURES AND SERVICES        10

MODIFICATIONS AND IMPROVEMENTS        10

SECURITY MEASURES        10

PROCESSING OF PERSONAL DATA        10

DATA EXPORT        10

ACCEPTABLE USE        11

Users        11

Log-in details        11

Reverse engineering        11

Intentional service interference        11

API’s and integrations        11

Payment for unauthorized use        12

FEES, INVOICING AND PAYMENT TERMS        12

Fees        12

Invoicing        12

Taxes        12

SUBCONTRACTING        12

INTELLECTUAL PROPERTY RIGHTS        13

CUSTOMER DATA        13

Ownership of Customer Data        13

Rights to use Customer Data.        13

No sales of data        13

CONFIDENTIALITY        13

Non-use and Non-disclosure        13

Limitations on the duty of non-disclosure of Confidential Information        14

Disclosures required by Law        14

Survival and remedies        14

TERM AND TERMINATION        14

Initial Term        14

Renewal Term        14

Termination for convenience        14

Termination for breach        15

Refund policy        15

Effect upon Termination        15

REPRESENTATIONS AND WARRANTIES        15

DISCLAIMERS        15

LIMITATION ON LIABILITY.        16

EXCLUSION OF INDIRECT, CONSEQUENTIAL AND RELATED DAMAGES        16

LIMITATION OF TOTAL LIABILITY        16

TEMPORARY SUSPENSION OF SERVICES        16

INDEMNIFICATION        16

By COMPANY        16

By Customer        17

Process        17

COMPANY remedies        17

Sole remedies        17

MISCELLANEOUS PROVISIONS        17

Compliance        17

Assignment        18

Force Majeure        18

Entire Agreement        18

Severability        18

Amendment        18

Notices        19

Survival of Certain Provisions        19

Governing Law and legal venue        19

SERVICE LEVEL AGREEMENT (SLA)        20

DATA PROCESSING AGREEMENT        22

THE PURPOSE OF THE DATA PROCESSING AGREEMENT        22

THE PROCESSING OF PERSONAL DATA        22

THE DATA PROCESSOR’S DUTIES        22

THE DATA PROCESSOR’S OPPORTUNITY TO USE SUB-PROCESSORS        23

TRANSFER OF PERSONAL DATA OUTSIDE THE EU / EEA        24

SECURITY        24

DOCUMENTATION AND SECURITY AUDITS        25

FULFILLING THE RIGHTS OF THE DATA SUBJECTS        25

THE DURATION OF THE DPA AND THE PROCESSING        25

TERMINATION        25

RETURN, DELETION AND/OR DESTRUCTION OF DATA UPON TERMINATION OF THE DPA        26^[a]

SUBSCRIPTION FORM

By and between

This Subscription Form together with the attached Subscription Terms compose the agreement between CUSTOMER and COMPANY for the services rendered by COMPANY.‌

1. SUBSCRIPTION PERIOD (INITIAL TERM):

‌The Initial Term for the agreement shall be [=years]     year(s) starting on [=date]

2. SUBSCRIPTION RENEWAL PERIOD (RENEWAL TERM):

The subscription will upon expiration of the Initial Term automatically renew for a period corresponding to the length of the Initial Term unless terminated in accordance with the timelines set out in the attached Subscription Terms.

3. Products and Services Pricing:

The price does not include taxes. The price for the renewal term will be calculated based on the subtotal price, without the Initial Term discount.

4. Add-on subscriptions

Add-ons to the service are sold separately. To receive a price list or order add-ons, email [=company contact mail].

5. Payment Information

An upfront invoice will be sent according to the payment schedule, payment terms, and customer info below:

6. Contact Information

7. User Customization

8. Terms of Service

By signing this agreement, the CUSTOMER accepts the terms and conditions of this Subscription Form and the attached Subscription Terms.

AGREED TO AND ACCEPTED:

COMPANY Subscription Terms

These subscription terms with appendices, together with any subscription order form(s) (“Subscription Form”) entered into between the parties, set out terms and conditions under which the customer identified in the Subscription Form (“Customer”) purchase services from the COMPANY entity identified in the Subscription Form (“COMPANY”).

Capitalized terms shall have the meaning designated to them in the paragraph in which it is written in bold between quotation marks.

1. DOCUMENTS

Reference to the term “Agreement” means this document, any Subscription Form(s) and the following appendices:

Appendix 1: Solution Description

Appendix 2: Service Level Agreement

Appendix 3: Data Processing Agreement

Appendix 4: COMPANY Information Security

In the event of any conflict or inconsistency between this document and any Subscription Form(s), the Subscription Form(s) shall take precedence. In the event of any conflict or inconsistency between this document and the appendices, this document shall take precedence.  In the event of any conflict or inconsistency between the appendices, they shall take precedence in the order they are listed above.

2. RIGHT TO ACCESS AND USE

COMPANY grants to Customer, during the term of the Agreement, a right to remotely access and use the COMPANY SaaS services listed in the relevant Subscription Form (“Service”) in accordance with this Agreement. The services offered by COMPANY in general are described in Appendix 1 and Customer will have access to those features that are agreed in the Subscription Form.

3. PROVISION OF THE SERVICE  

The Service will be provided by qualified personnel, suitably skilled and trained in the performance of the Service and performed in a diligent and professional manner.

COMPANY shall provide the Service materially in accordance with this Agreement and the applicable service level agreement attached as Appendix 2 (“Service Level Agreement”).  

4. SUPPORT

COMPANY will provide support as described in the Subscription Form. The Customer will provide access to the necessary resources for COMPANY to be able to support the Customer in a timely manner.    

5. ADDITIONAL FEATURES AND SERVICES

The parties may from time to time agree to include additional features and services (“Add-On Service”). The Agreement will apply for such Add-On Services. Specific terms may apply for the individual Add-On Service. COMPANY will provide the Customer with such specific terms prior to the Add-On Services is agreed upon.

6. MODIFICATIONS AND IMPROVEMENTS

COMPANY seeks to constantly improve the Service. COMPANY may from time to time make improvements, add, modify, or remove functionality, or correct any errors or defects in the Service as further described in the Service Level Agreement. The Customer will get access to modifications and improvements that are made generally available to all customers who have purchased the same features. Additional features and services introduced from time to time may be purchased as an Add-On Service.

7. SECURITY MEASURES

COMPANY has implemented and shall during the term of the Agreement maintain appropriate technical and organizational measures, internal controls, and information security routines. The routines applicable at the time of entering into the Agreement are described in Appendix 4. COMPANY may during the term of the Agreement change and/or update the measures as desired, provided that such changes shall not materially decrease the overall security of the service compared with the measures described in Appendix 4.  

8. PROCESSING OF PERSONAL DATA

COMPANY shall process Customer personal data only as permitted under this Agreement. The data processing agreement set out in Appendix 3 (“Data Processing Agreement”) reflects the parties’ agreement with respect to COMPANY’s processing of personal data on behalf of the Customer.

9. DATA EXPORT

COMPANY provides a standardized format to export the Customer’s data via the built-in export function in the Service. This function may be used by Customer during the term of the Agreement.

10. ACCEPTABLE USE

1. Users

The Service shall be available for use by Customer employees and contractors acting on behalf of the Customer (“Users”). Affiliates may use the Service only if agreed in writing in the Subscription Form.

The Customer shall only permit authorized Users to use the Service. Customer shall remain the contracting party and remain responsible for all Users compliance under this Agreement, also if the Customer extends the rights, benefits and protections provided under the agreement to affiliate and contractor Users.

The Customer shall only use the Service for internal business purposes and not resell, distribute, sublicense, or otherwise transfer any right in and to the Service to others, including allowing user rights to third parties not specifically granted rights under this Agreement.

Users will need to accept COMPANY’s end user terms before use of the Service. In the event of any inconsistency or conflict, the terms of this Agreement take precedence over any similar terms in the end user terms of service. Nothing in the end user terms of service is intended to limit Customer’s options or rights as set forth in this Agreement.

2. Log-in details

Customer and each of its Users shall maintain the confidentiality of any credentials, passwords and other log-in details used to access or use the Service. Such log-in details are personal and shall not be shared between Users or used by more than one User. The Customer will notify COMPANY immediately of any unauthorized use of a User’s account or any other breach of security.

3. Reverse engineering

The Customer shall not modify, translate, reverse engineer, decompile or disassemble any of the Service or otherwise attempt to derive source code or create derivative works from the Service.

4. Intentional service interference

The Customer shall not intentionally use the Service in a manner that impacts the availability, performance, reliability, or stability of the Service.

5. API’s and integrations

The Service may, depending on Customer’s subscription plan, contain features designed to integrate with third party applications. COMPANY is dependent on third parties for such integrations to work and can therefore not guarantee the continued availability of such features.

The COMPANY may make available its own API’s as part of the Service. Customer’s right to access and use any COMPANY API is subject to restrictions and policies implemented by COMPANY from time to time. COMPANY will monitor the API’s and reserves the right to take necessary measures to prevent misuse.

6. Payment for unauthorized use

COMPANY may investigate access logs to verify that Customer complies with the acceptable use requirements above. The Customer shall upon request from COMPANY reasonably cooperate to clarify compliance. COMPANY reserves the right to charge Customer appropriate usage fees in line with the price for the feature in question in case of repeated or intentional breach of the acceptable use requirements.

11.  FEES, INVOICING AND PAYMENT TERMS  

1. Fees

The Service fees are set forth in the Subscription Form(s) agreed between the parties.

2. Invoicing

COMPANY will issue invoice for subscription fees no more than 60 days before the relevant billing period. Other fees will be invoiced at any time during the term when fees are payable. The Customer shall, unless otherwise stated in the Subscription Form, pay all invoices within 30 days of the invoice date.

COMPANY may claim late payment interest of 2% monthly if an invoice is more than 30 (thirty) days overdue. Interest shall be calculated from the due date until payment is made.

3. Taxes

The fees do not include any taxes, levies, duties, value added tax or other tax applicable to the sale of the Service. Such taxes, when applicable, shall be paid by Customer unless Customer provides proof of tax exemption.

12. SUBCONTRACTING

COMPANY may use subcontractors in the provision of the Service. COMPANY shall be liable for the acts and omissions of its subcontractors and any other affiliates contributing to the performance of its obligations under this Agreement as for its own actions or omission.

13. INTELLECTUAL PROPERTY RIGHTS

This Agreement does not constitute any transfer of ownership of any intellectual property rights. COMPANY owns and shall always retain all right, title, and interest in and to the Service and all intellectual property rights associated therewith.

14. CUSTOMER DATA

1. Ownership of Customer Data

Customer Data is and shall remain the exclusive property of Customer and Customer has sole responsibility for the content of and the right to use Customer Data.  “Customer Data” means for the purpose of this Agreement any data included by Customer in- or generated by Customer’s use of the Service.

2. Rights to use Customer Data.

Customer hereby grants to COMPANY, during the term of this Agreement, a limited right to access and use such Customer Data that are necessary for COMPANY to provide the Service. COMPANY will use Customer Data only as necessary to provide the Service to the Customer.

3. No sales of data

COMPANY will not sell, rent, or lease Customer Data to any third party or otherwise receive any value in exchange for Customer Data.

15. CONFIDENTIALITY

1. Non-use and Non-disclosure

Neither party shall use or disclose any Confidential Information of the other party for any purpose except in relation to its performance under this Agreement. The receiving party shall take reasonable measures to avoid disclosure and/or unauthorized use of the Confidential Information of the disclosing party.

For the purpose of this Agreement, “Confidential Information” means all information disclosed by the disclosing party to the receiving party that is designated as confidential, or that reasonably should be understood to be confidential given the nature of the information and the circumstances of the disclosure. The terms of this Agreement, Customer Data and any other information exchanged pursuant to this Agreement, will be considered Confidential Information.  

2. Limitations on the duty of non-disclosure of Confidential Information

Confidential Information does not include any information or material that (i) is or becomes publicly known other than through violation of this Agreement by the receiving party, (ii) was already in the receiving party's possession or was available to the receiving party on a non-confidential basis before disclosure, (iii) is obtained by the receiving party from a third party that is not bound to separate confidentiality obligations to the other party, (iv) was later communicated by a third party to the receiving party without any confidentiality obligation, or (v) is independently developed by the receiving party without use of or reference to the discloser's Confidential Information.

3. Disclosures required by Law

The recipient may disclose Confidential Information to the extent required by law, provided that the receiving party gives the disclosing party prompt written notice of such requirement prior to such disclosure and assistance in obtaining an order protecting the information from public disclosure.  

4. Survival and remedies

The obligations of each receiving party under this section shall survive for five (5) years after the termination of the Agreement. Each party agrees that any violation or threatened violation of this section may cause irreparable injury to the disclosing party, entitling the disclosing party to seek injunctive relief in addition to all legal remedies.

16. TERM AND TERMINATION  

1. Initial Term

The initial term of this Agreement shall commence on the date stipulated in the Subscription Form or at the date of signature if no such date is specified, and shall continue for the period set forth in the applicable Subscription Form or for one year if no such period is specified (“Initial Term”).

2. Renewal Term

The Agreement will upon expiration of the Initial Term automatically renew for a subscription term equivalent in the length to the then expiring subscription term, unless otherwise set out in the Subscription Form (“Renewal Term”). The charges for the Renewal Term will be the standard fees listed in the Subscription form with a price adjustment of 5%.

3. Termination for convenience

Either party may terminate this Agreement for convenience with effect from the end of the Initial Term or subsequent Renewal Term by giving the other party written notice no less than sixty (60) calendar days prior to the expiration of the then-current term. If Customer provides notice of non-renewal within the time limits set out in this section, COMPANY will not invoice Customer for a Renewal Term.

4. Termination for breach

Either party may terminate this Agreement for breach by giving the other party thirty (30) calendar days prior written notice if the other party has materially breached its obligations hereunder and have failed to cure such breach within thirty (30) calendar days’ after being notified in writing of the details of such breach.

Either party may terminate this Agreement with immediate effect if the other party takes or suffers any action for insolvency in any jurisdiction.

5. Refund policy

COMPANY will refund prepaid fees covering the remainder of the applicable subscription term calculated from the effective date of termination if this Agreement is terminated by Customer in accordance with section 16.4.

Except as set out above, all fees paid by The Customer are non-refundable. Customer will not be entitled to any refunds if Customer terminates the Agreement prior to the end of the then current subscription term.

6. Effect upon Termination

Upon expiration or termination of this Agreement for any reason (i) all access rights will cease, (ii) either party shall delete or destroy all Confidential Information of the other party (Confidential Information included in backup copies will first be deleted upon expiration of such encrypted backup copies), and (iii) any and all invoiced and non-invoiced undisputed fees owed by Customer to COMPANY under this Agreement shall become immediately due and payable to COMPANY.

17. REPRESENTATIONS AND WARRANTIES

Each party represents and warrants that the representing party has full power and authority to execute, deliver and perform this Agreement, that this Agreement has been duly and validly executed and delivered by the representing party and that it constitutes the legal, valid, and binding obligation of the representing party, enforceable against it in accordance with its terms.

18. DISCLAIMERS

THE SERVICE IS PROVIDED “AS IS”. COMPANY DOES NOT WARRANT THAT CUSTOMER’S USE OF THE SERVICE WILL BE UNINTERRUPTED OR ERROR-FREE. CUSTOMER ASSUMES THE RISK OF THE USE, QUALITY, PERFORMANCE, ACCURACY AND COMPLETENESS OF ANY DATA PRODUCED BY THE SERVICE. COMPANY WILL ONLY BE LIABLE FOR A SECURITY INCIDENT UNDER THE AGREEMENT IF COMPANY NEGLIGENTLY BREACHES THE SECURITY MEASURES DESCRIBED IN SECTION 7.

EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT, EITHER PARTY DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, RELATING IN ANY WAY TO THE SERVICE INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

19. LIMITATION ON LIABILITY.

1. EXCLUSION OF INDIRECT, CONSEQUENTIAL AND RELATED DAMAGES

IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR LOST PROFITS, BUSINESS INTERRUPTION, GOODWILL OR SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES OF ANY KIND, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY THEREOF.

2. LIMITATION OF TOTAL LIABILITY

IN NO EVENT SHALL THE AGGREGATE LIABILITY OF EITHER PARTY RELATED TO THIS AGREEMENT (INCLUDING THE SERVICE LEVEL AGREEMENT AND THE DATA PROCESSING AGREEMENT) EXCEED THE AMOUNT OF FEES RECEIVED BY COMPANY DURING THE TWELVE (12) CALENDAR MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE LIABILITY. THE FOREGOING LIMITATION WILL APPLY WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY.

THE FOREGOING LIMITATIONS OF LIABILITY SHALL NOT APPLY TO DAMAGES ATTRIBUTABLE TO GROSS NEGLIGENCE OR INTENTIONAL MISCONDUCT.

20.         TEMPORARY SUSPENSION OF SERVICES

COMPANY may temporarily suspend the Service if Customer is in breach of the Agreement and such breach is not cured within thirty (30) calendar days after Customer’s receipt of written notice thereof. Suspension will last until the breach has been cured by Customer.

21. INDEMNIFICATION  

1.  By COMPANY

COMPANY shall defend, indemnify and hold harmless Customer and its officers, directors, employees, and agents, from and against any losses, costs, expenses (including reasonable outside attorneys’ fees and costs) and finally awarded damages against Customer resulting from a substantiated claim, demand, suit, action or proceeding brought against Customer by a third party alleging that the Service used in accordance with this Agreement infringes a valid intellectual property right of such third party in the US, EU and/or EEA.

2. By Customer

Customer shall defend, indemnify and hold harmless COMPANY and its officers, directors, employees, and agents, from and against any losses, costs, expenses (including reasonable outside attorneys’ fees and costs) and finally awarded damages against COMPANY resulting from a substantiated claim, demand, suit, action or proceeding brought against COMPANY by a third party alleging that any Customer Data, or the use of the Service in combination with a non-COMPANY application provided by Customer, infringes a valid intellectual property right of such third party in the jurisdictions the Customer use or access the Service.

3. Process

To receive the foregoing indemnifications the indemnified party must give the indemnifying party prompt written notice of the claim, give indemnifying party sole control of the defense and settlement of the claim (except that indemnifying party may not settle any claim unless it unconditionally releases indemnified party of all liability), and give indemnifying party all reasonable assistance at indemnifying party’s expense.

4. COMPANY remedies

If COMPANY receives information about an infringement claim, COMPANY may at its sole discretion either (i) obtain a license for Customer’s continued use of the applicable part of the Service in accordance with this Agreement, or (ii) replace or modify the applicable part of the Service so that it is no longer claimed to infringe a third party right. If COMPANY reasonably determines that the foregoing options are not commercially available, COMPANY may terminate the Customers subscription for relevant part of the Service.

5. Sole remedies

The rights granted under this Section shall be the indemnified party’s sole and exclusive remedy for any alleged infringement covered by this section.

22. MISCELLANEOUS PROVISIONS

1. Compliance

COMPANY provides a standard service that can be accessed in any jurisdiction via a web interface. COMPANY shall provide the Service in accordance with those laws in the country COMPANY is registered that are applicable to COMPANY’s provision of its services in general without regard for Customer’s particular use of the Service. Customer is responsible for its own use of the Service, all activities that occur under User’s account, and that such use is compliant with legal requirements applicable for their business and any local laws that may impact its right to import, export or use the Service.

The Customer shall not be located in, and will not use any Service from, any country subject to U.S. EAR or OFAC restrictions.

2. Assignment

This Agreement may not be assigned by either party without the prior written consent of the non-assigning party. Consent is not required in the context of merger, acquisition, or sale of all or substantially all the assigning party’s stock or assets, provided that the assigning party provides advance written notice thereof to the non-assigning party. Subject to the foregoing, the terms and conditions of this Agreement shall insure to the benefit of and be binding upon the parties’ respective permitted successors and assigns.

3. Force Majeure

Neither party shall be liable for any failure or delay in its performance of its obligations under the Agreement resulting from an event caused by conditions beyond the reasonable control of a party, including governmental action, war, acts of public enemies, strikes or other labor disturbances, civil or military authority, fires, floods, or other natural calamities, acts of God, telecommunications failures, electrical outages, any service failure or disruption caused by third parties, service providers or systems, severe network outages in co-location site networks, error in the coding of electronic files or any causes of like or different kind beyond the reasonable control of such party.

A party experiencing a force majeure event shall provide the other party with prompt written notice of such force majeure event. In the event the force majeure event has lasted or is likely to last for more than three months, either Party may terminate this Agreement immediately without liability to the other party.

4. Entire Agreement

The Agreement constitutes the entire agreement between the parties and supersede all other agreements, proposals, or representations, whether electronic, written, or oral, between the parties concerning its subject matter.

5. Severability

If any provision of this Agreement is held to be ineffective, unenforceable, or illegal for any reason, such decision shall not affect the validity or enforceability of any of the remaining portions thereof.

6. Amendment

Amendment or modification of the Agreement shall only be valid or binding upon the parties if made in writing and signed by an officer of each party. No terms, provisions, or conditions of any purchase order will have any effect on the obligations of the parties hereunder or otherwise modify this Agreement.

7. Notices

All notices and other communications required or permitted by this Agreement or by law shall be in writing by e-mail or mail and shall be considered delivered when received if delivered by mail or similar and at the opening of business on the next business day for the recipient if sent by electronic mail.

8. Survival of Certain Provisions

Expiration or termination of this Agreement will not relieve either party from its obligations arising hereunder prior to such expiration or termination. Rights and obligations which by their nature should survive will remain in effect after termination or expiration of this Agreement.

9. Governing Law and legal venue

The governing law and legal venue depend on which COMPANY company Customer has entered into the agreement with. This Agreement and all matters arising hereunder or in connection herewith shall be governed by and construed in accordance with the governing law noted in the below chart and the parties irrevocably consent to the exclusive jurisdiction of- and venue in the locations noted the legal venue columns below.

SERVICE LEVEL AGREEMENT (SLA)

The Service is provided "as is" as standardized service; the right to use is not conditional or tied to a specific version or functionality at a certain time, but allows access to and use of the Service as is at all times.

COMPANY reserves the right to make improvements, add, modify or remove functionality, or correct any errors or defects in the Service at its sole discretion, without any obligation or liability resulting from such act or defects. COMPANY will however not remove functionality which in COMPANY’s reasonable opinion must be considered as core functionalities for a service such as the Service.

COMPANY and the Customer agree that the Service will not always be completely free of errors and that the improvement of the Service is a continuous process. The Customer is also aware that successful use of the Service is dependent on equipment and factors (such as sufficient internet connection) that the Customer has the responsibility for. COMPANY is not liable for the discontinuance or disruption of the operation of the Service caused by the Internet or any third party service the Customer needs in order to access the Service, including operating systems etc.

COMPANY is available on the following browsers:

• Latest major releases of Chrome and major release of Firefox browser. And have the following system requirements for best performance:
• Minimum of 8 GB ram and 2,4Ghz of CPU.

Third party software and operating system updates etc. may influence the usability of the Service, and COMPANY has no responsibility in this regard. COMPANY will however always use best efforts to accommodate and develop the Service for updates etc. on supported operating systems.

COMPANY is only responsible for the functioning of the Service as such, and undertakes the following obligations regarding error handling with regards to the Service:

The repair time stated in the table above starts when the Customer has given COMPANY notice of the error and sufficient information to assess and understand what the error comprises. Notice shall be given by written e-mail to[= [email protected]] or via COMPANY’s online chat channel, available both within the Service and on[= https://www.COMPANY.com.]

If COMPANY has not succeeded in curing a category A or B error within the repair time stated, the Customer is entitled to a period of free extension of the service, and must claim such free extensions within 90 days after the error notification was sent to COMPANY. The free extension for failing to meet the repair time for category A errors shall be 14 days. For category B errors the free extension shall be 4 days. For category C errors no free extension is given. Total free extension periods per year is limited to 28 days. The above described free extensions shall be the only claim the Customer may be entitled to in case of failure to meet the repair times stated above.

A category A error lasting more than 10 days is considered a material breach. The same applies for a category B error lasting more than 20 days.

Planned downtime is not considered an error. Downtime may be necessary to perform updates or maintenance in hardware or software from time to time. COMPANY may have planned downtime up to 10 times each calendar year. Planned downtime shall always be notified at least five (5) business days in advance and shall be done outside of normal business hours (0900-1700 CET) if possible. For planned downtime of up to 24 hours, notification shall be given at least ten (10) days’ in advance. Planned downtime according to this clause is not considered as a breach of contract.

COMPANY may use sub-contractors to provide the Service including all support and maintenance. To the extent a subcontractor processes personal data for which the Customer is a data controller, the Data Processing Agreement sets out requirements in this regard.

COMPANY shall provide backup of the Customer’s data, to restore it after a data loss event.

For support purposes, COMPANY has internal administrators who can access Customers’ data. COMPANY will never access Customers’ data without prior approval from the Customer. Logs are kept of any access by COMPANY administrators.

DATA PROCESSING AGREEMENT

1. THE PURPOSE OF THE DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) regulates the parties' rights and obligations in connection with COMPANY (“Data Processor”) processing personal data on behalf of the Customer (“Data Controller”). The purpose of the DPA is to comply with the requirements for data processor agreements according to the General Data Protection Regulation ((EU) 2016/679).

2. THE PROCESSING OF PERSONAL DATA

The Data Processor processes data on behalf of the Data Controller in connection with providing the Service to the Customer.

The Data Processor will process the following types of personal data on behalf of the Data Controller:

• Name, contact information, IP address, title and other data inserted into the Service by the Data Controller or the Data Controller’s representatives or Users.

The personal data is connected to the following categories of data subjects:

• Users added by the Data Controller.

The Data Processor shall only process personal data for the following purposes:

• Entering into and fulfilling the agreement with the Data Controller relating to offering the Service.

The processing involves processing activities necessary to offer the Service to the Customer, including using email-address and password to authenticate and authorize users, email users about product changes, updates, tips and tricks, support, upgrade potential, platform usage as required for payment, logging of usage and access to monitor breaches, showing a user’s Gravatar image (if applicable), and contacting users about potential support issues.

The Data Processor shall not process personal data in any other manner than what is agreed in this DPA which sets out the documented instructions from the Data Controller. This includes that the Data Processor is not allowed to process personal data for other purposes than as stated above or its own purposes or to disclose personal data to third parties.

3. THE DATA PROCESSOR’S DUTIES

When processing personal data on behalf of the Data Controller, the Data Processor shall follow the routines and instructions stipulated in this DPA.

Unless otherwise agreed or pursuant to statutory regulations, the Data Controller is entitled to access all personal data being processed on behalf of the Data Controller and the systems used for this purpose. Such access will be available for the Data Controller through the Service by logging in.

The Data Processor is subject to an obligation of confidentiality regarding documentation and personal data that the Data Processor gets access to under the DPA. This provision also applies after the termination of the DPA. The Data Processor is obliged to ensure that persons who process the data for the Data Processor, have committed themselves to confidentiality (including signing declarations of confidentiality), and shall upon request disclose such declarations to the Data Controller or the authorities.

The Data Processor shall not process personal data outside the EU/EEA, unless otherwise stated in this DPA. If the transferring of personal data to a country outside the EU/EEA or to an international organization outside the EU/EEA is required according to law in a EU/EEA member state which the Data Processor is subject to or EU/EEA law, the Data Processor shall inform the Data Controller of such requirement prior to the processing, unless the law prohibits such information from being given.

4. THE DATA PROCESSOR’S OPPORTUNITY TO USE SUB-PROCESSORS

The Data Processor uses the following sub-processor(s). The applicable data location is the location chosen by the Customer in the Subscription Form.

EU Location:

US Location:

The following entity is a group parent company and provides services to its subsidiaries. Accordingly, the below company functions as a sub-processor in those cases it is not the contracting party to the Agreement.

In addition, the Data Processor has the right to use other sub-processors, but is obliged to inform the Data Controller of any intended changes concerning the addition or replacement of other processors, so that the Data Controller has the opportunity to object to the changes. The information shall be given at least 60 days prior to the planned changes taking effect. If the Data Controller objects to the change, the Data Controller has the right to terminate the DPA with 30 days notice.

The Data Processor shall remain fully liable to the Data Controller for the performance of any sub-processors, and respects the conditions referred to in the General Data Protection Regulation article 28 paragraph 4 for engaging another processor. The Data Controller is aware that the Data Processor uses the sub-processors mentioned in section 4, and that the information security obligations related to the processing performed by these are governed specifically by COMPANY’s internal Information Security Management System.

The Data Processor shall remain fully liable to the Data Controller for the performance of any sub-processors.

5. TRANSFER OF PERSONAL DATA OUTSIDE THE EU / EEA

The Data Processor uses the sub-processor outside the EU/EEA as documented in section 4.

Apart from this, the Data Processor may not process or use sub-processors that process personal data outside the EU/EEA. Processing outside EU/EEA is subject to prior written approval from the Data Controller. The Data Processor shall ensure that there is a legal basis for the processing of data outside the EU/EEA, or facilitate the establishment of such legal basis.

6. SECURITY

The Data Processor shall fulfil the requirements for security measures in the General Data Protection Regulation article 32 Security of processing. The Data Processor shall through planned and systematic measures implement appropriate technical and organisational measures to ensure a satisfactory level of security, e.g. in relation to confidentiality, integrity and availability.

The Data Processor shall document routines and other measures made to comply with these requirements regarding the information system and security measures. The documentation shall be available at request by the Data Controller and the authorities.

Any notification to the authorities regarding personal data breaches shall be given by the Data Controller, but the Data Processor shall notify any breach directly to the Data Controller. The Data Controller is responsible for reporting the breach to the Data Protection Authorities.

Notifications regarding personal data breaches according to the General Data Protection Regulation shall be notified by the Data Processor to the Data Controller, and the notification shall contain sufficient information so that the Data Controller may assess whether the breach must be notified to the authorities or to the data subjects.

The Data Processor’s obligations to assist the Data Controller in fulfilling the obligations of the General Data Protection Regulation article 32 to 36, is considered fulfilled by the Data Processor’s obligations according to this DPA. Considering the nature of the processing performed by the Data Processor and the information available for Data Processor, this assistance is considered sufficient. To the extent the Data Controller requires additional assistance from the Data Processor, the Data Processor may offer such assistance as a separately paid service. The Data Processor may also refuse, unless the Data Processor’s assistance is necessary in order to be able to fulfil the Data Controller’s obligations.

7. DOCUMENTATION AND SECURITY AUDITS

The Data Processor shall have documentation that proves that the Data Processor complies with its obligations under this DPA and the General Data Protection Regulation. The documentation shall be available for the Data Controller on request. The Data Processor shall regularly conduct security audits, and shall submit the results of the audit to the Data Controller. The Data Controller shall be entitled to conduct audits and inspections regularly, for systems etc. covered by this DPA, in accordance with the requirements of the General Data Protection Regulation. Audits may be carried out by the Data Controller or a third party mandated by the Data Controller in agreement with the Data Processor. To the extent the Data Controller requires additional assistance from the Data Processor, the Data Processor may offer such assistance as a separately paid service. The Data Processor may also refuse, unless the Data Processor’s assistance is necessary in order to be able to fulfil the Data Controller’s obligations.

8. FULFILLING THE RIGHTS OF THE DATA SUBJECTS

The Data Processor’s processing on behalf of the Data Controller is not of a nature which makes it necessary or reasonable for the Data Processor to fulfil or assist in fulfilling the Data Controller’s obligations towards data subjects. To the extent the Data Controller requires assistance from the Data Processor, the Data Processor may offer such assistance as a separately paid service. The Data Processor may also refuse, unless the Data Processor’s assistance is necessary in order to be able to fulfil the Data Controller’s obligations.

9. THE DURATION OF THE DPA AND THE PROCESSING

The DPA applies as long as the Data Processor processes personal data on behalf of the Data Controller according to the subscription terms.

10. TERMINATION

The DPA may be terminated in accordance with the termination clauses in the subscription terms. A termination of the subscription terms also constitutes a termination of the DPA.

11. RETURN, DELETION AND/OR DESTRUCTION OF DATA UPON TERMINATION OF THE DPA

COMPANY provides a standardized format to export the Customer’s data via the built-in export function in the Service. This function may be used by the Customer during the term of the Agreement.

The Data Processor will permanently erase all personal data and other data relating to the Customer and personal data for which the Customer is a Data Controller in accordance with the timelines set out in the subscription terms, unless the Data Processor is required by law to store the personal data.