ftrack’s General Terms & Conditions
Last updated: February 26, 2021
These general terms and conditions of ftrack (the “Terms“) are applicable to all services provided by ftrack AB, Reg. No. 5568813769, affiliated companies (“ftrack“, “us“, “our” or “we“).
By “Customer“, “you” or “your” we mean the legal entity that is ordering Services under these Terms, any of your affiliates together with your and your affiliates’ employees and representatives.
When we refer to the “parties” we mean you and us together.
These Terms contains the following appendices:
1.3. Agreeing to the terms
By creating an Account or using the Services you agree to the Terms. Please make sure that you have read and understood the Terms before the start of the Subscription Period and use of the Services. If you do not agree to these Terms, you may not create an Account or use the Services.
“Account” means the account that you register and create on the Site and/or in the App.
“App” means our application accessible via computer or mobile device relating to the Services.
“Content” has the meaning set out in Section 4.3.
“Contact Information” means the information set out in Section 16.
“Functions” means the Site, the App, your Account and the Services, jointly.
“Services” means the services described under section “Services” below which we have made available through the Site and the App, together with any such other related goods, equipment, services and information made available by us to you.
“Site” means our website (https://www.ftrack.com) relating to the Services.
“SLA” means Service Level Agreement, described in Appendix SERVICE LEVEL AGREEMENT (SLA).
“Third Party Applications” means, in these Terms, online, web-based applications and offline software products or services that are a) provided by third parties, b) interoperate with us, and c) may be either separate or integrated with us and whether or not such are indicated by us as being third-party applications.
“Subscription Period” is defined under section “Term and termination” below.
2.1. Description of services
We provide a project management, production tracking and media review platform (the “Services“). More information about the Services can be found on the Site and in the App.
2.2. Setting up an account
For ordering of the Services, you can create an Account. You are not allowed to transfer the Account to others, and you may only sign up one (1) Account. Once an Account has been successfully created, and payment has been made where prepayment is required, the Services will be available and ready to use or order, as instructed on the Site and in the App.
2.3. Order Services
The Services shall be ordered in accordance with the instructions on the Site and the App.
Depending on how you order the Services we will confirm your order as presented below.
If you have registered an Account, our confirmation of your order will take place when we email you and/or send you a confirmation in the App, at which point a contract will come into existence between you and us.
If you order by way of any of our Contact Information, we will send you an order confirmation which will include these Terms. When you have accepted our confirmation (i.e. including the Terms), a contract will come into existence between you and us
2.4. Delivery of services
During the order process we will let you know when and where we will provide the Services to you.
3. LIMITATION OF SERVICES
In addition to the other terms and conditions of these Terms, ftrack reserves the right to impose upper limits on various aspects of your use of the Services that goes beyond of fair use (as determined by ftrack), including without limitation: our Third Party Application performing Media Encoding in the cloud, as well as API requests to our cloud infrastructure. For the avoidance of doubt, limitation to media encoding service and API request does not apply if you run the Services On-Premise and are not utilizing our hosted cloud infrastructure.
4. YOUR OBLIGATIONS
4.1 Eligible customers
We offer the Services to companies and other legal entities. You warrant that you are authorised to enter into these Terms on the behalf of the legal entity as well as to use all Functions.
These Terms, together with any License and Sales Agreement, constitute the entire agreement between us in relation to the Services. You warrant that the persons ( e.g. employees and representatives) you authorise to create Accounts and use the Services have read and understand the Terms. You are at all times responsible for the use of Services under these Terms, including by such persons – as if it was you using the Services.
4.2 Use of the functions
When you use the Functions, you must always comply with all applicable laws, regulations and public orders. You shall not access the Site or the App other than through interfaces provided by us and as otherwise expressly authorised under these Terms. You may not use the Functions in a manner contrary to our, or any third party’s, rights and interests. You agree to comply with all instructions and recommendations provided by us from time to time.
You agree to be responsible for all activities that occur under your Account. Credentials for your Account must be kept secure at all times and you are forbidden to share data relating to your Account with any third parties. Should you suspect that your Account or your credentials have been or are being used by a third party you must contact us immediately by using any of our Contact Information.
You also agree not to:
- Defame, abuse, harass, threaten or otherwise violate the legal rights of any third party or us;
- Publish, post or – in any other way express – any material or information that is unlawful;
- Contribute to destructive activities such as dissemination of viruses, spam or any other activity that might harm us, the Site and/or the App in any way;
- Monitor the Services’ availability, performance or functionality for any competitive purpose, meaning, for example that you agree not to access the Services for the purpose of developing or operating a competitive product or service or copying the Services’ features or user interface; or
- Resell or in any way redistribute results generated in the Site and/or the App or use the Services in order to create a competing service or product.
We may have to suspend the supply of any of the Functions to:
- Deal with technical problems or make minor technical changes; or
- Update changes to the Functions to reflect changes in applicable laws regulatory requirement.
We will contact you in advance in the event we need to suspend the supply of any Service. This does not apply if the problem is urgent or an emergency.
We are entitled to decline or adjust an order from you and close down your Account in the event that you provide us with untrue, inaccurate, not current, or incomplete information when creating your Account. This shall also apply if you fail to comply with these Terms (for example if you have not paid for the Services in time) or other mandatory provisions by law. Upon occurrence of any of these events, we will contact you and request that you remedy your breach of these Terms.
4.3 Your provision of content
The Site and/or the App include(s) functions for uploading and storing of files and other information provided by you (“Content“). You are responsible for all distribution and other actions by you and in your Account.
By adding Content to the Site and/or the App, you warrant that you are a) the owner of the uploaded Content or b) entitled to manage the Content in such way and that the Content or your use of the Content in no way violates any applicable legislation. We will not supervise whether any Content is lawfully uploaded or distributed through the Site and/or the App.
We are not liable for any loss of Content and we advise you to always keep your own backup of your Content. We do not take any responsibility with regards to the validity of Content provided by you.
5. PRICES AND PAYMENT
5.1. Price information
Payment for use of the Services are made periodically (based on the applicable Subscription Period) in advance. Each payment will cover a Subscription Period during which you will have access to the Services.
You must pay all applicable fees as set out and described on the Site and/or the App for the Services that you have selected. The prices for the Services are set out on the Site and/or in the App. The prices are stated exclusive of any VAT unless otherwise explicitly stated on the Site and/or in the App. The price of the Services provided to you will be the price indicated on the order pages when you placed your order.
You agree to pay, and indemnify ftrack from claims for, any local, state or national tax (exclusive of taxes based on net income), duty, tariff or other impost related to or arising from the transaction contemplated by these Terms.
We have the right to change the prices for the Services. If we change the prices, we will notify you in advance. Price changes will take effect at the start of the Subscription Period following the date the prices were changed. By continuing to use or access the Services after the price changes come into effect, you agree to be bound by the new charges. You are entitled to cancel your subscription at any time, and you will continue to have access to the Services throughout your current paid Subscription Period. If you have been offered Services for a specific term and price, that price will remain in force for that agreed time.
In case of non-payment we reserve the right to suspend, terminate and cancel our performance and the Subscription Period. We are entitled to charge penalty interest according to applicable law in the event of late payments.
Where you have signed up to use the Services during a trial period, you will have access to all or some of the Services (as further described on the Site and in the App) free of charge during such trial period.
5.2. Payment information
Payment for the Services can be made in accordance with what is set out below.
We offer payments by way of:
- Card payment (default)
- Invoice – Net 30 Days (only for annual subscriptions and by agreement from us)
On your card payment, the third party processor’s/provider’s terms and conditions will apply (https://www.adyen.com/legal/terms-and-conditions). You may be requested to identify yourself and credit reports may be pursued by the third party processor/provider. Where we use a third party for payments, we will not have access to or store any payment information. The Services may be paid for by credit or debit card. You must keep the payment information provided to us accurate and up-to-date.
We invoice you for the Services in advance, with the frequency agreed for the period contracted. You agree that we may issue electronic invoices, which will be sent to the email address you have provided in your Account or upon ordering of the Services. You must keep the payment information provided to us accurate and up-to-date.
We are entitled to perform a credit control when this is needed in order to be able to offer you a credit period.
You agree to pay within the set time for the payment method you choose. We have the right to close down your Account until you have paid for all the charges incurred by you. Payment after the due date can entail late payment fees and interest.
Unless otherwise expressly set out in these Terms, we do not provide refunds, right to return for a purchased subscription, credits for any partially used subscription, credits for any unused Account or credits by reason of your dissatisfaction with the Products and/or the Functions.
6. TERM AND TERMINATION
The term for our Services commences upon creation of an Account with us and shall remain in force during the subscription period (“Subscription Period“). A Subscription Period can be either 30 days (monthly subscription) or 365 days (annual subscription).
At the end of each Subscription Period, your subscription will be automatically renewed for the same period unless terminated by you by written notice before expiration of the Subscription Period.
To terminate the Services go to the user settings under your Account and follow the instructions or by contacting us using the Contact Information.
Upon termination, you will remain to have access to the services until the Subscription Period ends. When the Subscription Period ends, we will delete or anonymise any personal information about you, with exception for any personal information that we are required to keep by law. No refunds are provided for any periods not in use.
Any Services still ongoing upon termination shall be carried through in accordance with these Terms. Obligations arising from any breach of contract during the term of these Terms shall not be affected by termination.
6.3. Early termination
We reserve the right to terminate the contract with you if you:
- Breach or otherwise violate these Terms or any other provisions set up by us or if you becomes bankrupt or insolvent; or
- Use the Site, the App or the Services in any way that does not comply with the intended purposes or is otherwise harmful for us or any third person.
6.4. Trial period
You may sign up to use the Services during a trial period in which case you will have access to all or some of the Services (as further described on the Site and the App). If you would like to continue using the Services following the agreed trial period, you shall notify us upon the expiration of such trial period.
7. LIMITED WARRANTY
Our warranty to you will be limited as follows:
- ftrack warrants that, to the best of our knowledge, Customer’s use of the Services will not infringe any third party’s copyright, patent or other intellectual property rights.
- Except as warranted above, the Services are being provided “as is”. THE FOREGOING LIMITED WARRANTY IS IN LIEU OF ALL OTHER WARRANTIES OR CONDITIONS, EXPRESS OR IMPLIED, AND FTRACK DISCLAIMS ANY AND ALL IMPLIED WARRANTIES OR CONDITIONS, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY, QUALITY OR FITNESS FOR A PARTICULAR PURPOSE, REGARDLESS OF WHETHER FTRACK KNOWS OR HAS REASON TO KNOW OF CUSTOMER’S PARTICULAR NEEDS.
- ftrack does not warrant that the Services will meet Customer’s requirements or that Customer’s use of the Services will be uninterrupted or error free.
- No employee or agent of ftrack is authorized to modify this limited warranty, nor to make additional warranties.
Customer agrees to indemnify, hold harmless and defend ftrack and ftrack’s respective affiliates, officers, directors, shareholders, employees, authorized resellers, agents and other representatives (collectively, the “Released Parties”) from all claims, defense costs (including, but not limited to, attorneys’ fees), judgments, settlements and other expenses arising from or connected with the operation of Customer’s business or Customer’s possession or use of the Services.
9. OUR LIABILITY
Our liability to you will be limited as follows:
- we shall not be liable to you, whether in contract, tort (including negligence), breach of statutory duty, the failure of any limited remedy to achieve its essential purpose or otherwise or otherwise, for any loss of profit, or any indirect or consequential loss arising under or in connection with any contract between us; and
- our total liability to you for all other losses arising under or in connection with any contract between us, whether in contract, tort (including negligence), breach of statutory duty, the failure of any limited remedy to achieve its essential purpose or otherwise, shall be limited to the total sums paid by you for Services under the applicable order/contract during the Subscription Period when the damage occurred. If you use the Services under a trial period or otherwise free of charge, we disclaims all liability and no compensation will be paid.
9.2. Complaints and customer support
If you have any complaints, please contact our support department by using any of our Contact Information. Our Service Level Agreement is described in appendix SERVICE LEVEL AGREEMENT (SLA).
We are not liable for damages unless you notify us in writing thereof no later than thirty (30) days after you noticed or should have noticed, the actual damage, however under no circumstances no later than six (6) months from when the damage occurred.
9.4. Defects and delays beyond our control (force majeure)
We are not responsible for delays and defects outside our reasonable control. If our suppliers are delayed by an event outside our reasonable control, then we will contact you as soon as possible to let you know and we will reasonable, appropriate take steps to minimise the effect of the delay. Provided that we do this, we will not be liable for defects and delays caused by the event, but if there is a risk of substantial defect or delay you may contact us to end the agreement and receive a refund for any Services you have paid for but not received.
During the term of these Terms and thereafter as set out below in this Section 10, the parties undertake not to disclose to any third party information regarding these Terms, nor any other information that the parties have learned as a result of these Terms, whether written or oral and irrespective of form (“Confidential Information“).
The parties agree and acknowledge that the Confidential Information may be used solely for the fulfilment of the obligations under these Terms and not for any other purpose. The receiving party further agrees to use, and cause its directors, officers, employees, sub-contractors or other intermediaries to use, the same degree of care (but not less than reasonable care) to avoid disclosure or use of Confidential Information.
The confidentiality undertaking shall not apply to any Confidential Information that the Receiving Party can establish is or becomes available to the public (otherwise than by breach of this agreement or any other confidentiality undertaking.
Each party also undertakes to ensure that any information disclosed under this section, to the extent possible, shall be treated confidentially by anyone receiving such information. This confidentiality undertaking shall remain in force three (3) years the termination of the Terms.
During the term of the Agreement and for a period of twelve (12) months thereafter, you shall refrain from attempting to solicit any individual who is employed by us and with whom you have had contact with in connection with the performance of the Services.
This shall not apply with respect to a) persons that approach you on an unsolicited basis or who respond to general advertisements for employment not specifically directed at you or any of your employees; b) persons who are referred to you in good faith by search firms, employment agencies or similar; and c) persons who have terminated their employment with us prior to their contacts or discussions with you.
12. CHANGES & ADDITIONS ETC.
We may modify these Terms at any time. In the event of changes which are not minor and may affect you, you will be notified via email or via the App. You are responsible for keeping yourself informed of any changes to the Terms. The latest version of the Terms will be available on the Site. Amendments to the terms and conditions become effective the business day following the day they are posted.
All new functionalities, features and content introduced and added to the Services, the Site or the App will be subject to what is stipulated in the Terms.
You may not assign or transfer the rights or obligations under these Terms without our written approval.
In the event that any one or more of the provisions contained in these Terms should for any reason be considered unenforceable, illegal or otherwise invalid in any respect, such unenforceability, illegality or invalidity shall not affect any other provisions of these Terms and the Terms shall then be construed as if such provisions had never been contained herein.
You acknowledge that you are the data controller for any personal data processed by us on your behalf in conjunction with your use of the Services. You also acknowledge that we are considered as your data processor; therefore, by agreeing to the terms we enter into the DATA PROCESSING AGREEMENT (Appendix DPA), which shall remain in effect for as long as we process personal data on your behalf.
14. PROPERTY AND INTELLECTUAL PROPERTY RIGHTS
14.1. Our rights
The Site and the App are owned and operated by ftrack. All copyrights, trademarks, trade names, logos and other intellectual or industrial property rights held and used by us as well as those presented in the Functions (including titles, graphics, icons, scripts, source codes, etc.) are our property or third party licensors’ property and must not be reproduced, distributed, sold, used, modified, copied, limited or used (in whole or in part) without our written consent.
You hereby grant to us an irrevocable, perpetual, non-exclusive, royalty-free, fully-paid, worldwide, sub-licensable and transferable license to identify you as a customer in advertising, media relations, trade shows, and other similar promotional activities using your name and trademarks in accordance with your trademark guidelines, if any.
ftrack grants you a non-transferable, non-exclusive right and license to use the Site, the App and the Services for the sole purpose of us providing the Site, the App and the Services to you to use solely for your internal business purposes. Upon expiry or termination of this agreement/the Subscription Period, this right and license shall end.
14.3. Respect for our property
You must not tamper with, attempt to gain unauthorised access to, modify, hack, repair or otherwise adjust any of our material, hardware, source-codes or other information for any purposes.
14.4. Respect for our intellectual property
The Services and other information, including all associated intellectual property rights, provided and made available by us, remain our exclusive property. You may not use our exclusive property for commercial or any other purposes without our written consent.
15. GOVERNING LAW AND DISPUTES
Swedish law shall apply to these Terms.
Any dispute, controversy or claim arising out of or in connection with these Terms, or the breach, termination or invalidity thereof, shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (SCC). The Rules for Expedited Arbitrations shall apply, unless the SCC in its discretion determines, taking into account the complexity of the case, the amount in dispute and other circumstances, that the Arbitration Rules shall apply. In the latter case, the SCC shall also decide whether the Arbitral Tribunal shall be composed of one or three arbitrators. The seat of arbitration shall be Stockholm, Sweden. The language to be used in the arbitral proceedings shall be English, unless the parties have agreed otherwise. The SCC shall appoint the arbitrators. However, if the amount in dispute does not exceed 50,000 euro (or the equivalent amount in the currency in the contract) ftrack may invoke and settle the dispute in the applicable court located where ftrack has its domicile.
16. COMPANY INFORMATION
ftrack AB is an entity registered in Sweden.
Registered address: Mäster Samuelsgatan 36, 111 57 Stockholm
Reg. No.: 5568813769
VAT No.: SE556881376901
You may contact us by using any of the contact details set out below “Contact Information”):
Sales related questions
Email address: [email protected]
Support related questions
Email address: [email protected]
Privacy related questions
Email address: [email protected]
Version history General Terms & Conditions
April 22, 2021
Clarified 4.2 Use of the functions
Removed some unnecessary language
SERVICE LEVEL AGREEMENT (SLA)
This Agreement represents a Service Level Agreement (“Agreement”) between ftrack and the Customer for the provisioning of services required to support and sustain the App.
In the event of any conflict with ftrack’s general terms & conditions (the “Terms”), this Agreement shall prevail.
2. FTRACK’S RESPONSIBILITIES
2.1. Severity Levels
Severity levels are defined as follows:
- Fatal: Complete degradation of the App – all users and critical functions affected. Item or service completely unavailable.
- Severe: Significant degradation of the App – large number of users or critical functions affected.
- Medium: Limited degradation of the App – limited number of users or functions affected. Business processes can continue.
- Minor: Small degradation of the App – few users or one user affected. Business processes can continue.
ftrack shall provide email support for assistance with technical questions related to the App for Customers who have purchased the Services. Such support shall be given by emailing [email protected].
Support Hours for Minor and Medium issues are: M-F 8AM – 6PM CET / M-F 8AM – 6PM PT
Support Hours for Severe* and Fatal* issues are: M-F 8AM – 6PM CET / M-F 8AM – 6PM PT
*You must include the word “urgent” in your email subject title to notify on-call support.
It will be assumed that users of the Services are generally familiar with the Functions. ftrack may restrict the use of this service if the Customer repeatedly makes requests for information, which is contained in the documentation for the Services.
If the Customer discovers a fault in the App and reports it to ftrack, together with any further information such as error messages, circumstances and test material, which ftrack may request, ftrack will investigate and either advise the Customer of a means of successfully undertaking the required operation, or will supply the Customer with a bug number for their reference.
ftrack cannot guarantee resolution or the results of any support services or assistance that may be provided. ftrack will always endeavor to resolve issues as swiftly as possible. It recognizes that the service provided to the Customer is key to its business and that any downtime affects said business. However, ftrack is unable to provide guaranteed resolution times. This is because the nature and causes of problems can vary enormously. In all cases, ftrack will make its best efforts to resolve problems as quickly as possible.
ftrack does not provide on-site support services.
ftrack does not provide support for third party software or plug-ins unless otherwise stated in this agreement.
2.3. Measurements and penalties
Response times are measured using ftrack’s email support ticketing and CRM system, which tracks all issues from initial reporting to resolution. It is vital the Customer raises every issue via this system. If an issue is not raised in this way, the guaranteed response time does not apply to that issue. If ftrack fails to meet a guaranteed response, a penalty will be applied in the form of a credit for the Customer. This means the following payment period’s fee payable by the Customer will be reduced on a sliding scale.
The level of penalty will be calculated depending on the number of hours by which ftrack missed the response time or failed to uphold minimum service level, minus the downtime permitted by this Agreement:
|Category||Measurement||Measurement window||Minimum Service Level||Service Credit|
|Response time||Severe and Fatal Severity levels response times||N/A||<6h||5% of total monthly** subscription fee paid by Customer to ftrack for each two (2) hours under the specified Minimum Service Level Measure|
|Response time||Minor and Medium Severity levels response times||N/A||<24h||1% of total monthly** subscription fee paid by Customer to ftrack for each two (2) hours under the specified Minimum Service Level Measure|
The following minutes will be excluded from the measurement of compliance with the Minimum Service Level:
- Minutes related to scheduled maintenance;
- Minutes related to any matter pursuant to Section 9.4 in the Terms;
- Minutes resulting from acts by Customer other than in accordance with the Agreement, including but not limited to any negligence, willful misconduct or use of the Platform in breach of the Agreement and
- Minutes resulting from data or transmission quality issues outside of the Company’s reasonable control.
Service Credits are capped at 50% of the total monthly** fee for each month
Response times are measured during support hours for each severity level.
**(or 1/12 of the annual subscription fee for an annual subscription).
- ftrack shall issue updates of the App and documentation as and when required and in whatever form (including, by way of a local fix or patch of the App or a temporary by-pass solution) in the absolute discretion of ftrack.
- ftrack at its sole discretion may plan scheduled maintenance which will be communicated by email to Customer at least 24 hours in advance with notice of how many hours of downtime is expected.
- ftrack shall provide news via email of updates, upgrades and technical support to the technical representatives of ftrack.
4. THE CUSTOMER’S RESPONSIBILITIES
- The Customer will notify ftrack in order to register the names of up to two (2) employees who shall then become the technical representatives of the Customer.
- The Customer will cooperate with ftrack in performing the support services and provide any assistance or information as may reasonably be required by ftrack, including in relation to the diagnosis of any faults.
- The Customer will report faults promptly to ftrack.
5. LIMITED LIABILITY
- The Customer agrees that, in entering into this Agreement, either it did not rely on any representations or warranties (whether written or oral) of any kind or of any person other than those expressly set out in this Agreement or (if it did rely on any representations or warranties, whether written or oral, not expressly set out in this Agreement) that it shall have no remedy in respect of such representations or warranties and (in either case) ftrack shall have no liability otherwise than in accordance with the express terms of this Agreement. For the sake of clarity, the Customer acknowledges that the limitations of liability of ftrack set out in the Terms also apply to this SLA.
- The Customer acknowledges that:
- it is exclusively responsible for:
- ensuring that the staff of the Customer and its Affiliates (if applicable) are trained in the proper use and operation of the Services;
- the selection, use of and results obtained from any other programs, equipment, materials or services used in conjunction with the Services.
- it is in a better position than ftrack to assess and manage its risk in relation to use of the Services.
- it is exclusively responsible for:
- All dates supplied by ftrack for the delivery of the modifications or the provision of support services shall be treated as approximate only. ftrack shall not be liable for any loss or damage arising from any delay in delivery beyond such approximate dates.
- All references to ftrack in this clause shall, for the purposes of this clause only, be treated as including all employees, subcontractors and suppliers of ftrack and its partners all of whom shall have the benefit of the exclusions and limitations of liability set out in this clause.
Version history SLA
April 22, 2021
Clarified 2.3 Measurements and penalties
Added Service Credit as a term
Moved Maximum Response times from 2.2 to table in 2.3
DATA PROCESSING AGREEMENT
This Data Processing Agreement with appendices (the “Agreement“) has been entered between: The Controller, You (“Controller“); and The Processor ftrack AB, Reg. No. 5568813769 (“Processor“),The parties are jointly referred to as the “Parties“, each being a “Party“.
1. BACKGROUND The Agreement refers to the Personal Data Processed under the ftrack ABs Terms of Service entered into by the Parties regarding the Processor’s products for project management, production tracking and media reviews (The “Terms“), as a result of which the Processor processes personal data on behalf of the Controller.In the event of any conflict with the Terms, this Agreement shall prevail.The agreement contains the following appendices:
- Appendix 1 – List of sub-processors
- Appendix 2 – Technical and organisational security measures
- Appendix 3 – Contact details
2. DEFINITIONS The terms used in this Agreement shall have the same meaning as ascribed to them in Article 4 of the GDPR.“Applicable Law” refers to the legislation applicable to the processing of Personal data under the Agreement, including the GDPR, supplementary national legislation, as well as practices, guidelines and recommendations issued by a Supervisory Authority. “Controller” means the company / organisation that decides for what purposes and in what way Personal data is to be processed and is responsible for the processing of Personal data in accordance with applicable data protection legislation. “GDPR” refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and movement of such data, and repealing Directive 95/46/EC. “Data Subject” means the natural person whose Personal data is processed. “Personal Data” means any kind of information that can be derived from an identifiable natural person (in the Agreement, “Personal data” is used synonymously with “personal data for which the Controller is responsible and that is processed by the Processor on behalf of the Controller”). “Processing” means any operation or set of operations which is performed on Personal data, e.g. storage, modification, reading, handover and similar. “Processor” means the company / organisation that processes Personal data on behalf of the controller and can therefore only process the Personal data according to the instructions of the controller and Applicable law. “Supervisory Authority” means Swedish or EU authority, such as the Swedish Data Protection Authority, or another supervisory authority which on the basis of law has the authority to conduct supervisory activities over the Controllers operation. Unless otherwise defined herein, all capitalised terms (definitions) used in this Agreement shall have the same meaning as ascribed to them in the Terms. 3. INTRODUCTIONThis Agreement concerns the processing of Personal Data that the Processor performs on behalf of the Controller. It has been drawn up to meet the requirements set out in Article 28 (3) of the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR“). According to this provision, the Processing of Personal Data by the Processor on behalf of the Controller shall be governed by a contract. 4. DESCRIPTION OF PROCESSING4.1. Categories of Data SubjectsThe Controller directs the Processor to process data that identifies the Controllers’:
4.2. Categories of Personal Data
- IP Address
4.3. SourceThe processor is processing Personal Data that:
- The Controller’s employees enter into the Service
- The Controller collects from the data subject
- The Processor collects from the data subject on behalf of the Controller
4.4. The purpose of the processing of Personal Data (the “Purpose”)
- Register user accounts for the Service
Processing of Personal data
- Organization and Structuring
- Erasure and destruction
5. SPECIFIC UNDERTAKING OF THE PROCESSOR
- The Processor undertakes to consider and observe the principles for processing Personal Data set out in Article 5 of the GDPR in connection with each and every Processing.
- By entering into this Agreement, the Processor guarantees that the Controller does not need to take any additional measure to ensure that the Processor meets the requirements for expertise, reliability and resources to carry out the technical and organisational measures required by Applicable law.
- The Processor undertakes to only process Personal Data in accordance with the Agreement, the purposes set out in the Terms, the Controller’s documented instructions and Applicable Law.
- Upon the Controller’s request, the Processor shall a) (by using the appropriate technical and organisational measures) assist the Controller in its duty to respond to the request for the exercise of the rights of Data Subjects and b) with regards to the type of processing and available information, carry out Data Protection Impact Assessments (DPIA) and participate in consultations with Supervisory Authorities in accordance with Applicable Law.
- If the Processor violates Applicable Law by independently determining the purposes and means of the Processing (e.g. processing the Personal Data for purposes other than the Purpose), the Processor shall be regarded as the controller for the new Processing. To clarify, any new Processing shall not affect the Processing made in accordance with this Agreement.
- If there is a conflict between the Controller’s instructions and Applicable law, the Processor has the right to refrain from complying with such instructions. The Processor shall inform the Controller immediately if it considers that the instructions provided by the Controller are incomplete, inadequate or incorrect.
6. SPECIFIC UNDERTAKINGS OF THE CONTROLLER
- The Controller determines the purpose and means for the Processing of the Personal data. The Controller has full ownership and the formal control of the Personal Data Processed by the Processor.
- The Controller is responsible to the Data Subject for the Processing of the Personal data.
- The Controller is responsible for ensuring that the Personal Data is accurate and up to date.
7. PERSONAL DATA BREACH
- In the event of a situation leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed (“Personal Data Breach“), the Processor shall, without undue delay, and no later than eight (8) hours after having become aware of the Personal Data Breach, notify the Controller by sending a written notice to the address provided in appendix 3. The information shall, to the extent that it is available to the Processor, contain the following at least:
- A description of the circumstances surrounding the Personal Data Breach
- A description of the nature of the Personal Data Breach, and, if possible, the categories and approximate number of Data Subjects affected and the categories and approximate number of Personal Data concerned
- A description of the likely consequences of the Personal Data Breach
- A description of the measures taken or proposed to address the Personal Data Breach, and, where appropriate, measures to mitigate its potential adverse effects
- Contact information to the Data Protection Officer or other contact person who can provide more information to the Controller
2. If it is not possible for the Processor to provide all the information at once, the information may be provided in installments without undue delay.8. AUDIT RIGHTS
- Upon the Controller’s request, the Processor shall give access to all information necessary to show that the Processor’s obligations under Applicable Law and this Agreement have been fulfilled.
- If the information provided in accordance with the previous paragraph cannot reasonably demonstrate that the Processor’s obligations under Applicable law have been fulfilled, the Controller is entitled to carry out physical audits.
- The Processor shall enable and contribute to audits and inspections carried out by the Controller or by an impartial third party appointed by the Controller. The Controller shall notify the Processor in writing of the planned audit at least ten (10) business days in advance.
- The audit shall be carried out:
- During normal business hours
- After the Controller has ensured that the person conducting the review is subject to a confidentiality agreement appropriate in relation to the Personal Data and information to be reviewed
- In accordance with the Processor’s internal policies and security procedures
5. Each party is responsible for its own costs incurred in connection with an audit performed.
6. In the event of any additional audits within one (1) year of a performed audit, the Controller shall be responsible for all costs incurred as a result of such audit(s).9. SUB-PROCESSOR
- The Processor may not appoint a sub-processor without first informing the Controller. Accordingly, the Processor shall inform the Controller if it intends to appoint a sub-processor (or replace an existing sub-processor) at least five (5) business days in advance.
- If there is a reasonable reason for the Controller to object to the appointment of a sub-processor the parties shall endeavour to find a suitable alternative. Should the parties fail to find a suitable alternative, the Controller has the right to terminate this Agreement and (if applicable) the Terms.
- When engaging a sub-processor, the Processor shall ensure that the sub-processor comply with the Processor’s obligations in the Agreement by entering into a contract or other legal act (the “Sub-processor agreement“). The foregoing shall be particularly observed in respect of the Processor’s obligation to provide sufficient guarantees regarding implementing appropriate technical and organisational measures as required to comply with Applicable Law.
- The Controller is always entitled to a copy of the Sub-processor agreement (strictly commercial information may be edited).
- The Processor must keep an updated record of the sub-processors. The record shall be made available to the Controller upon request.
- Processor shall be exclusively responsible towards the Controller if the sub-processor fails to, or omits from, fulfilling its obligations under the Sub-processor agreement.
10. RECORD OF PROCESSING AND DATA PROTECTION OFFICER
- The Processor undertakes to keep a written record of the processing of Personal Data according to Article 30 (2) of the GDPR. The record shall be available to the Controller upon request.
- If the Processing or the nature of the Controller’s business requires the Controller to appoint a Data Protection Officer in accordance with Article 37 of the GDPR, the Data Protection Officer’s contact details shall be included in the appendix 3.
11. CONTACT WITH SUPERVISORY AUTHORITY AND THE DATA SUBJECT
- The Processor shall promptly inform the Controller of all contact it may have with the Data Subject, a Supervisory authority or any other third party concerning the Personal Data that the Processor is Processing.
- In the event a Data Subject makes a request to the Processor regarding his / her rights in respect of the Processing, the Processor shall refer the Data Subject to the Controller.
- The Processor shall allow any inspections that the Supervisory Authority may require to perform in accordance with Applicable law.
- The Processor is not entitled to represent the Controller or otherwise act on behalf of the Controller in respect of the Data Subject, a Supervisory Authority or any other third party.
12. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
- The Processor shall take the appropriate organisational and technical security measures to protect and ensure that the Personal Data included in the scope of this Agreement is protected against any unauthorised or illegal access. This includes ensuring the adequate capacity, technical solutions, skills, financial and human resources, procedures and methods.
- The appropriateness of the technical and organisational security measures shall be assessed taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the Processing as well as the risks (of varying likelihood and severity) for rights and freedoms of natural persons posed by the Processing.
- If the Controller assesses that the Processing operation is of high risk to the rights and freedoms of the Data subject and conducts a DPIA, the Controller shall share the results of the DPIA with the Processor to ensure that this can be taken into account in when determining what constitutes appropriate security measures.
- The Processor must comply with any decisions and consultation opinions that the Supervisory Authority announces regarding measures for complying with the security requirements and all other requirements relating to the Processor under Applicable Law.
- The Processor shall ensure that employees (of the Processor or their sub-contractors) are only allowed access to Personal Data to that extent necessary and that those who have access to Personal data have undertaken to respect the confidentiality of such information (e.g. by signing an individual non-disclosure agreement).
- Only persons employed/engaged as consultants by the Processor and who have been deemed to have the adequate level of knowledge of the nature and extent of the Processing of Personal Data may process the Personal Data.
- Computer equipment, storage media and other equipment used in the Processing of Personal data carried out by the Processor must be kept where/or in such manner that no unauthorised persons can access them.
- The security at the Processor’s facilities where Personal Data is Processed must be appropriate and secure in regards of locking equipment, functioning alarm equipment, protection against fire, water and burglary, protection against power outages and power disturbances. The equipment used to process Personal Data must have good protection against theft and events that may destroy the equipment and / or Personal Data.
13. CONTROL OVER THE PERSONAL DATA
- The Processor shall ensure that Personal Data Processed is not accidentally or unlawfully destroyed, altered or corrupted. All Personal Data shall be protected against any unauthorised access during storage, transfer and other Processing.
- No Personal Data may be provided to the Controller before the identity of the recipient has been duly verified.
14. TRANSFER OF DATA OUTSIDE THE EU/EEA
- In the event that the Processor transfers Personal data outside the EU/EEA, the Processor ensures that the level of protection is adequate and in accordance with Applicable Law by controlling that at least one of the following requirements are fulfilled:
- The EU Commission has determined that the level of protection is adequate in the third country where the data is Processed
- The Processor has signed up to the EU Commission’s standard contract clauses (SCCs) for data transfer to non-EU/EEA countries.
- The Processor has taken other appropriate safeguards prior to the transfer and that such safeguards comply with Applicable Law.
- No Party is liable for any delay or failure to perform due to extraordinary circumstances beyond the control of the Party, which the Party could not reasonably expect and which consequences the Party could not reasonably have avoided or overcome.
- The Processor is liable for direct damages that arise as a result of the Processor having Processed Personal Data in violation of the Controller’s instructions in accordance with the Agreement and Applicable law.
- The Processor liability for direct damages be limited to SEK 50 000 SEK. The Controller is not entitled to any compensation for damages related to any Processing that has been approved by, or performed in accordance with the instructions of, the Controller.
- The Processor is not obligated to pay the costs of the Controller’s agent.
- In no event shall the Processor be liable for any indirect or consequential damages such as lost revenue or profits, contracts, customers or business opportunities, loss of goodwill, or expected savings.
- The Processor may not use information or other material to which it is granted access in connection with entering into this Agreement or the Terms for any other purpose than fulfilling its obligations under this Agreement or the Terms.
- The Processor may not disclose information to third parties or any other unauthorised persons about the Processing of Personal data or the content of Personal Data covered by this Agreement or other information to which the Processor has been granted access as a result of, or in connection with entering into, this Agreement. This undertaking does not apply to information that the Processor is required to disclose under mandatory law.
- This confidentiality undertaking is valid from the date this Agreement has been duly signed by both parties and for an indefinite period in time thereafter. The Processor shall ensure that this confidentiality undertaking applies to all employees and other persons working with or on behalf of the Processor and who are authorised to process Personal Data.
17. TERM AND TERMINATION
- The Agreement is valid and in force from the date that the Processor first processes Personal Data on behalf of the Controller to the date when it ceases such Processing or until this Agreement is replaced by another Data Processing Agreement.
- The obligations of the Processor under the Agreement shall continue to apply, regardless of whether the Agreement has been replaced, as long as the Processor processes Personal Data on behalf of the Controller.
18. ERASURE AND RETURNING OF PERSONAL DATA
- Upon the termination of the Agreement, the Processor and any sub-processor shall, at the request of the Controller, either erase or return the Personal Data processed within the scope of this Agreement.
19. GOVERNING LAW AND DISPUTES
- Swedish law shall apply to these Terms.
- The provision regarding disputes set out in the Terms will also apply to the Agreement.
APPENDIX 1 – EXISTING AND APPROVED SUB-PROCESSORSName: Amazon AWS
Service: Data storage
Data processed: E-mail and name
Security measures: The sub-processor has signed up to the EU Commission’s standard contract clauses (SCCs) for data transfer to non-EU/EEA countriesName: Google GCP
Service: Data processing
Data processed: E-mail, name and IP Address
Security measures: The sub-processor has taken other appropriate safeguards prior to the transfer and that such safeguards comply with applicable data protection legislation Name: Intercom, Inc.
Service: Analysing usage of Service
Data processed: E-mail, name and IP address
Security measures: The sub-processor has taken other appropriate safeguards prior to the transfer and that such safeguards comply with applicable data protection legislation Name: Mailchimp
Service: Email processing
Data processed: Email and name
Security measures: The sub-processor has taken other appropriate safeguards prior to the transfer and that such safeguards comply with applicable data protection legislation Name: Mailgun
Service: E-mail processing
Data processed: E-mail and name
Security measures: The sub-processor has signed up to the EU Commission’s standard contract clauses (SCCs) for data transfer to non-EU/EEA countriesName: Recurly
Service: Payment Processing
Data processed: Name, E-mail
Security measures: The sub-processor has taken other appropriate safeguards prior to the transfer and that such safeguards comply with applicable data protection legislation Name: Zendesk
Service: Support platform
Data processed: E-mail and name
Security measures: The sub-processor has taken other appropriate safeguards prior to the transfer and that such safeguards comply with applicable data protection legislation
APPENDIX 2 – TECHNICAL AND ORGANISATIONAL SECURITY MEASURESThe Processor has taken technical and organisational measures to ensure that Personal Data is processed securely and protected from loss, misuse and unauthorised access.Technical security measures are measures implemented through technical solutions.
- Access control level
- Access log
- Secure network
- Regular security inspection
- Two-step verification
Organisational security measures are measures that are implemented in work processes and routines within the organisation.
- Internal governance document (policies/instructions)
- Login and password management
- Information security policy
APPENDIX 3 – CONTACT DETAILSContact Information
E-mail address: [email protected]