Terms and conditions

GENERAL TERMS AND CONDITIONS

  1. GENERAL This Appendix 2 (General Terms and Conditions) forms an integral part of and constitutes along with the Service Order and Appendix 1 (Service Specification) and Appendix 3 (Data Processing Agreement) hereto the Platform Services Agreement (the “Agreement”) between you (the “Customer”) and Prduct ApS, company registration number (CVR-no.) 39368226, having its registered office at Universitetsbyen 7, 2., 8000 Aarhus C, Denmark (the “Supplier”) and governs Customer’s use of the software functionality and services, documentation, data and material forming part of the Supplier services under the Agreement (the “Platform”).
  2. INTELLECTUAL PROPERTY RIGHTS The Platform is protected by copyright laws and international copyright treaties and other applicable legislation on proprietary rights and intellectual property rights. The Supplier and/or the Supplier’s vendors are the sole proprietors and own and retain any and all current and future intellectual property rights in and to the Platform including without limitation copyrights, patent rights, design rights, trademark rights, know-how etc. in and to the Platform.

The Customer is not entitled to change or remove any marks and notices concerning copyright, patents, trademarks or other rights placed on, applied to or otherwise implemented in the Platform.

  3. RIGHT OF USE Subject to the Customer’s acceptance of and compliance with the Agreement, including without limitation payment of applicable charges, the Supplier hereby grants the Customer for the term of the Agreement a limited, non-exclusive, revocable, and non-transferable right to access and use the Platform on a platform-as-a-service (PaaS) basis solely for the Customer’s own internal purposes supporting Customer’s business.
  4. RESTRICTIONS AND LIMITATIONS The Customer is not entitled to copy, distribute, resell, make available, alter, modify, sub-license, rent, lend or dispose of the Platform except as otherwise expressly set out in the Agreement.

The Customer is not entitled to reverse-engineer, disassemble, or decompile the Platform or in any other way attempt to investigate, tamper with and/or discover or recreate the source code and/or the structural framework and/or the principles on which the Platform is based except as otherwise explicitly permitted by applicable mandatory law.

The Customer shall not use the Platform in violation of (i) any third-party intellectual property rights or (ii) any applicable legislation.

  5. SUPPLIER’S OBLIGATIONS The Supplier’s sole and exclusive obligation under the Agreement is to make the Platform and its functionality available to the Customer in accordance with the Agreement and the Platform Service Specification set out in the Service Order and Appendix 1 (Service Specification).

The Supplier shall deliver the Platform in accordance with (i) third-party intellectual property rights and (ii) applicable legislation.

The Supplier undertakes no obligations or liabilities with respect to interoperability, integration or the provision of any upgrades, new versions, fixes, patches, remediation of defects, maintenance, support, telecommunication lines, Internet subscriptions or any other matters not under the sole control of the Supplier pertaining to the use or inability to use the Platform. Any and all liabilities, costs and risks in this respect shall remain solely with the Customer or the relevant third party.

  6. CUSTOMER’S OBLIGATIONS The Customer shall ensure that:

a) Any technical requirements for use of the Platform are complied with;

b) User profiles are maintained and always correspond to the actual and authorized users of the Platform; and

c) User login details and other security details are kept confidential.

The Customer shall promptly notify the Supplier in writing if the Customer becomes aware of (i) any breach or alleged breach of the Agreement, (ii) any claim or alleged claim concerning infringement of third-party intellectual property rights from any third party pertaining to the Customer’s use of the Platform and/or (iii) any breach of any applicable legislation in connection with the Customer’s use of the Platform.

The Customer shall throughout the term of the Agreement provide the data specified in the Service Order to the Platform via API with XML / JSON / CSV endpoint, file-based sharing with FTP or similar.

  7. USE OF THIRD PARTY RESOURCES The Supplier applies and integrates to third party resources, including databases and software services, in provision of the Services. The Supplier’s use of such resources is subject to the third party’s specific terms and conditions. To the extent the Customer has been informed of the content, limitations in use or requirements following third party terms and conditions these shall apply and take precedence over the terms and conditions of the Agreement with respect to the resource in question.
  8. HOSTING, MAINTENANCE AND SUPPORT The Supplier hosts and operates the Platform using third party providers at the Supplier’s sole discretion, however, always in accordance with Appendix 3 (Data Processing Agreement).

Supplier may in the Supplier’s sole discretion at any time decide to implement upgrades, new versions, patches, or fixes to the Platform. Any unavailability of the Platform due to maintenance shall be excluded from calculation of Platform availability.

The Supplier shall provide general support to the Customer with respect to the Platform online and via telephone. Support and maintenance shall be available during regular working hours, i.e. 09:00 to 16:00 Mondays to Fridays excluding public holidays (“Working Hours”).

  9. CHARGES AND PAYMENT The Customer shall pay the agreed charges set out in the Service Order. In addition, the Customer shall pay (i) its own internal costs related to implementation, integration and use of the Services and (ii) any costs for services and deliverables not specifically included in the Platform. Any services and deliverables not specified in the Service Order are subject to the Supplier’s standard hourly rates adjusted from time to time. All prices are in Danish Kroner (DKK) excluding VAT and other taxes and levies. If not otherwise agreed, fixed charges are invoiced monthly in advance. Any other charges shall be invoiced monthly in arrears. Invoices fall due thirty (30) days from the date of invoice. If Customer fails to pay invoiced charges in due time the Supplier shall be entitled to interest according to the Danish law on interest (in Danish: “Renteloven”).

The Supplier shall once a year be entitled to adjust the charges applicable under the Agreement according to the net price index (https://www.dst.dk/en/Statistik/emner/priser-og-forbrug/forbrugerpriser/nettoprisindeks), however, in no event more than 3% annually.

  10. RIGHTS IN DATA The Customer shall exclusively own product data and customer order data which it uploads to, shares or stores on the Platform or uses in relation to the tools available on the Platform. The Supplier shall be entitled to use, store, copy, modify, compile, and in any other way utilize:

i. Customer’s product data in Supplier’s efforts to perform the Agreement, including to enhance the product data and increase data quality;

ii. data regarding Customer’s use of the Platform, including the Customer’s use of functionality, errors, and other technical data. The Supplier shall receive and hold a perpetual and irrevocable right to use, store, copy, modify, compile, and in any other way utilize data created by the Supplier including data based on Customer product data provided the Supplier ensures that Customer data cannot be linked to the Customer, or a specific brand or product.

Notwithstanding the foregoing, the Supplier is entitled to process all data which is either anonymized or statistical by nature in accordance with the Data Processing Agreement set out in Appendix 3 (Data Processing Agreement).

  11. INDEMNIFICATION The Customer shall promptly notify the Supplier in writing in the event that Customer becomes aware of (i) any breach or alleged breach of this Agreement, (ii) any claim or alleged claim concerning infringement of third party intellectual property rights from any third party pertaining to Customer’s use of the Platform and/or (iii) any breach of any applicable legislation in connection with Customer’s use of the Platform.

The Customer shall compensate, defend and indemnify the Supplier from and against any claims, damages and losses pertaining to Customer’s, Customer employees’, or any Customer authorized third parties’ use of the Platform to the extent that such claims, damages or losses are a result of infringement by Customer, or any Customer authorized third parties, of any third party intellectual property rights.

The Supplier shall compensate, defend and indemnify the Customer from and against any claims, damages and losses pertaining to the Supplier’s provision of the Platform to the extent that such claims, damages or losses are a result of infringement by Supplier of any third-party intellectual property rights.

  12. DISCLAIMER The Platform is made available by the Supplier “as-is” with all faults and defects, however, the Supplier shall provide the Platform in all materiality in accordance with the service levels and quality standards specifically set out in the Agreement.

The Supplier disclaims any and all warranties whether statutory, express or implied to the maximum extent permitted by applicable law.

  13. LIABILITY AND LIMITATION OF LIABILITY The Parties shall be liable according to applicable principles of Danish law, save for the exceptions and limitations explicitly set out in this section 13.

Neither Party shall be liable towards the other Party or any third party for any indirect, punitive or other damages or losses including, without limitation, damages for loss of profits, business interruption, loss of data (including personal data) or the restoration hereof, product liability or personal injury arising out of the use of or inability to use the Platform. The aforesaid exclusions and limitations shall apply irrespective of whether such damages or losses are caused by acts or omissions by or attributable to the Supplier as negligent (however excluding gross negligence and intent) or as incidental.

The aggregate liability of each of the Parties (irrespective of the basis of such liability) to pay any damages, indemnification or other types of compensation shall for the term of the Agreement, including any renewal terms, be limited and capped to a total aggregate amount equal to the fixed charges paid under the Agreement in the twelve (12) month period prior to the event leading to the claim.

  14. TERM AND TERMINATION The Agreement shall come into force and effect on the Effective Date set out in the Service Order.

The Customer may with effect as of each anniversary of the Effective Date terminate the Agreement for convenience by written notice received by the Supplier no later than one (1) month prior to an anniversary of the Effective Date, however, in any event with effect no earlier than twelve (12) months following the Effective Date.

The Supplier may terminate the Agreement for convenience by written notice to the Customer at any time with a notice of no less than six (6) months provided the Supplier refunds any payments received from the Customer relating to the period after the termination effective date, if any. For the avoidance of doubt the Customer shall not be entitled to any other refund or compensation in the event of the Supplier’s termination for convenience of the Agreement.

Either Party may terminate the Agreement for material breach of the Agreement.

The Customer shall not be entitled to any refund of payments made in the event of the Supplier’s termination for Customer’s breach of the Agreement.

Upon termination of the Agreement and irrespective of the reason for such termination, the Customer shall immediately cease to use the Platform. The Customer acknowledges and agrees that in the event of termination of this Agreement for whatsoever reason the Supplier is entitled to delete the Customer as user.

  15. ASSIGNMENT The Parties may assign the Agreement in whole or in part to (i) a company affiliated with the Supplier or (ii) an unaffiliated third party to the extent that such assignment is part of a transaction, restructuring, divestiture, merger, acquisition or the like involving the Party in question.
  16. FORCE MAJEURE Neither Party shall be liable to the other for any failure or delay in performing its obligations under this Agreement (save for obligations in respect of payment of Fees) arising from events beyond the reasonable control of the Party, including disaster, fire, flood, earthquake, acts of war (whether or not war is declared), terrorism or an industrial dispute, interruption or failure of the Internet or of any network, telecommunications, power supply or infrastructure, or any provider of the foregoing provided the Party: i. notifies the other Party in writing as soon as reasonably practicable about the nature and extent of the circumstances and likely effects; and ii. uses all reasonable efforts to mitigate the effects of the circumstances so as to minimise or avoid any adverse impact on the other Party.
  17. CONFIDENTIALITY Either Party shall unless otherwise specifically agreed in the Agreement keep in strict confidence any and all documentation and information received from the other Party with respect to that Party’s business.

The Customer acknowledges that information and data made available through the Platform are considered confidential to the extent that the information and data are not already in the public domain and that the Platform is made strictly available for the Customer’s internal purposes and on a need-to-know basis only. For the avoidance of doubt, the Customer is not entitled to provide access to other organizations or to share any part of the information on the Platform with any of its own customers or collaboration partners.

  18. COMMUNICATION Any and all communication between the Parties with respect to this Agreement shall for each Party be managed by the contact persons set out in the Service Order.
  19. CHOICE OF LAW AND VENUE The Agreement shall be governed by and construed in accordance with Danish law excluding (i) any rules concerning choice of law and (ii) the UN Convention on Contracts for the International Sale of Goods (“CISG”), which shall not apply. Any disputes arising from this Agreement shall be subject to the jurisdiction of the ordinary Danish courts. The aforesaid choice of law and venue shall however not apply to the Parties’ application of any preliminary remedies enforcing the Party’s rights including without limitation filing for grant of a preliminary injunction and/or securing of evidence.

APPENDIX 3 DATA PROCESSING AGREEMENT

In this Data Processing Agreement (“DPA”), the Supplier as defined in the Service Order is the “Processor” and the Customer is the “Controller”. Each party is referred to as a “Party” and together they are referred to as “the Parties”.

  1. BACKGROUND This DPA is entered into and is an integral part of the Parties’ Platform Services Agreement regarding Processor’s cloud-based software solution (SaaS) governing the Controller’s use of and access to the software (the “Agreement”). The software is designed to give the Controller access to data about the Controller’s products digitally and for the Customer to request the performance of different forms of analyses of the data, including data about purchase orders between the Controller and the Controller’s customers provided to the Platform by the Controller via API with XML / JSON / CSV endpoint, file-based sharing with FTP or similar. In cases where the Controller’s customers are sole proprietorships the above-mentioned data is considered Personal Data. Therefore, the Parties have concluded this DPA, which forms an integral part of the Agreement.

This DPA supersedes and replaces any and all prior DPAs concluded between the Parties and supersedes any deviating provisions of the Agreement concerning the subject matter of this DPA, regardless if otherwise stated in the Agreement.

  2. DEFINITIONS Terms used in capitalised letters shall have the meaning defined in the Agreement, in this DPA (including Sub-Annexes hereto), including but not limited to, as indicated below; “Data Protection Legislation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) as well as national data protection legislation supplementing the GDPR.

“Data Subject” means the identified or identifiable natural person whom the Personal Data relates to, in accordance with the definition in Article 4 of the GDPR.

“Personal Data” means any information, which directly or indirectly relates to a Data Subject and which Processor Processes on behalf of the Customer under this DPA, in accordance with the definition in Article 4 of the GDPR.

“Processing” means any operation or set of operations which is performed on Personal Data, or on sets of Personal Data, whether or not by automated means, in accordance with the definition in Article 4 of the GDPR.

“Sub-Processor” means any person or legal entity Processing Personal Data as engaged by the Processor.

“Supervisory Authority” means the independent public supervisory authority/supervisory authorities, authorised to conduct supervision of the Processing of Personal Data or considered to be a “supervisory authority concerned” in accordance with the Data Protection Legislation.

  3. THE OBLIGATIONS OF THE CONTROLLER The Controller is responsible for ensuring that the processing of the Personal Data takes place in accordance with EU and Member State laws including, but not limited to, the GDPR, the Danish Data Protection Act, and other EU and national member state laws, e.g. as regards ensuring a legal basis for processing and transparency towards the Data Subjects.

The Controller shall regularly inform the Processor of measures taken by third parties in relation to the Processing, including, but not limited to, by the Supervisory Authority and by Data Subjects, if relevant to the Processing undertaken by the Processor.

The Controller shall immediately inform the Processor of any changes that may affect the Processor’s obligations according to this DPA.

  4. THE PROCESSOR ACTS ACCORDING TO INSTRUCTIONS The Processor shall process the personal data only on documented instructions from the Controller, unless required to do so by EU or Member State laws to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The instructions shall be specified in Sub-Annexes A and C to this DPA in addition to the Agreement.

The Processor shall immediately inform the Controller if instructions given by the Controller, in the opinion of the Processor and based on the information made available to the Processor, contravene the GDPR or the applicable EU or Member State laws.

The Processor must not disclose Personal Data, or information about the Processing of Personal Data to any third parties without the Controller’s prior permission or instruction as laid out in the Agreement and this DPA.

  5. CONFIDENTIALITY The Processor shall only grant access to the personal data being processed on behalf of the Controller to persons under the Processor’s authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and only on a need-to-know basis. The confidentiality obligations shall also apply upon termination of this DPA.

The list of persons to whom access has been granted from the Processor shall be kept under periodic review. Based on this review, such access to personal data can be withdrawn, if access is no longer necessary, and personal data shall consequently not be accessible anymore to those persons.

The Processor shall forward requests to the Customer from any Data Subjects, a Supervisory Authority or any other third-party requesting information about the Personal Data and the Processing thereof.

This confidentiality section shall remain in force after termination of this DPA.

  6. SECURITY OF PROCESSING Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Controller and the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

The Processor shall assist the Controller in ensuring compliance with the Controller’s obligations pursuant to Article 32 GDPR, by inter alia providing the Controller with information concerning the technical and organisational measures already implemented by the Processor pursuant to Article 32 GDPR along with all other information necessary for the Controller to comply with the Controller’s obligation under Article 32 GDPR. The Controller’s instructions on security measures to the Processor are included in Sub-Annex C.

  7. USE OF SUB-PROCESSORS The Processor shall meet the requirements specified in Article 28(2) and (4) GDPR in order to engage another processor (a sub-processor).

The Processor shall therefore not engage another processor (sub-processor) for the fulfilment of this DPA without the prior, general written authorisation of the Controller.

The Processor hereby has the Controller’s general authorisation for the engagement of sub-processors. The Processor shall inform in writing the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, thereby giving the Controller the opportunity to object to such changes prior to the engagement of the concerned sub-processor(s).

The list of sub-processors already authorised by the Controller is included in Sub-Annex B.

Where the Processor engages a sub-processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this DPA shall be imposed on that sub-processor by way of a contract or other legal act under EU or Member State law, in particular when providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing of the personal data will meet the requirements of this DPA and the GDPR.

Notwithstanding, the Controller acknowledges that, when using Amazon Web Services EMEA SARL as a sub-processor, their terms are non-negotiable and are deemed to comply with this clause if they comply with the minimum standards of Article 28 of the GDPR.

If the sub-processor does not fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for any of the sub-processor’s actions and omissions.

  8. TRANSFERS OF THE PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS Any transfers of the personal data to third countries or international organisations by the Processor shall only occur based on documented instructions from the Controller. It is the sole responsibility of the Controller that the transfer of personal data to third countries or international organisations comply with Chapter V of the GDPR.

Subject to compliance with Clause 7 and 8, the Controller hereby authorizes the Processor to establish and enter into a legal basis for the transfer of personal data to third countries and international organizations on behalf of and in the name of the Controller, including transfers under Article 45 of the GDPR, the European Commission’s Standard Contractual Clauses for international transfers and other legal bases under Article 46(1) and (2) and Article 49 of the GDPR (the “Power of Attorney”). The Processor is entitled to transfer the Power of Attorney to sub-processors so that the sub-processors on behalf of the Controller can establish and enter into a legal basis for the transfer of personal data to third countries and international organizations on behalf of the Controller. If the Processor exercises this right, the Processor must inform the Controller without undue delay.

In case transfers to third countries or international organisations, which the Processor has not been instructed to perform by the Controller, are required under EU or EU Member State law to which the Processor is subject, the Processor shall inform the Controller of that legal requirement prior to processing unless that law prohibits such information on important grounds of public interest.

  9. ASSISTANCE TO THE CONTROLLER Taking into account the nature of the processing, the Processor shall assist the Controller by implementing and maintaining appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the Controller’s obligations to respond to requests for exercising the rights of data subjects laid out in Chapter III GDPR.

If a data subject submits requests related to exercising his or her rights under the GDPR to the Processor, such requests shall be directed to the Controller at [email protected].

Any request from registered persons may not be answered directly by the Processor.

The Processor shall, taking into account the nature of the processing and the information available to the Processor, assist the Controller in ensuring compliance with:

a. the Controller’s obligation to without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, Datatilsynet, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;

b. the Controller’s obligation to without undue delay communicate the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;

c. the Controller’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment);

d. the Controller’s obligation to consult the competent supervisory authority, Datatilsynet, prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk.

The Processor shall inform the Controller about requests or contact made by a Supervisory Authority concerning the Processing of Personal Data. The Processor will not represent the Controller towards any Supervisory Authority unless otherwise agreed.

The Processor is entitled to payment and coverage of documented costs related to assistance to the Controller in regard to Articles 33 – 36 of the GDPR (items a-d above) except where such assistance has been necessitated because of a breach of contract or a data breach by the Processor (incl. sub-processors).

  10. NOTIFICATION OF PERSONAL DATA BREACH In case of a personal data breach, the Processor shall, without undue delay after having become aware of it and no later than 24 hours from becoming aware of the incident, notify the Controller of the personal data breach.

The Processor’s notification to the Controller shall, if possible, take place to [email protected] and the contact point of Controller under the Agreement without undue delay to enable the Controller to comply with the Controller’s obligation to notify the personal data breach to the competent supervisory authority, cf. Article 33 GDPR.

  11. DELETION AND RETURN OF DATA On termination of the provision of the processing services, the Processor shall be under the obligation to delete all the personal data unless EU or Member State law requires storage of the personal data.

If the Processor irrevocably anonymizes the personal data, the personal data is deemed to be deleted in accordance with this clause 11.

  12. AUDIT AND INSPECTION The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

The Processor shall be required to provide the supervisory authorities, which pursuant to applicable legislation have access to the Controller’s and the Processor’s facilities and premises, or representatives acting on behalf of such supervisory authorities, with access to the Processor’s physical facilities and premises upon presentation of appropriate identification.

  13. CHANGES TO THIS DPA If the Data Protection Legislation is changed during the term of this DPA, or if the relevant Supervisory Authority issues guidelines, decisions or regulations concerning the application of the Data Protection Legislation that result in this DPA no longer meeting the requirements for a DPA under the GDPR, the Parties will renegotiate changes to this DPA, in order to meet such new or additional requirements.

Changes and additions to this DPA must be made in writing and duly signed by both Parties in order to be binding.

  14. SEVERABILITY Any part or section of this DPA which is prohibited or held to be void or unenforceable shall be ineffective to the extent such prohibition or unenforceability requires it without invalidating the remaining provisions hereof. To the extent permitted by applicable law, the Parties waive any provision of law which prohibits or renders void or unenforceable any provision hereof. The Parties shall hereinafter seek to negotiate, in good faith, a solution which is as close to the intended result as possible under the applicable laws.
  15. COSTS The Processor is entitled to reasonable compensation to be agreed between the Parties for work, costs and expenditures stemming from following the Controller’s instructions, which are not clearly documented in the Agreement, or this DPA and when resulting in work that goes beyond functions and the level of security following from the services that Processor normally provides to its customers and provided that such security level complies with Data Protection Legislation based on the risk assessment carried out by the Processor.
  16. LIABILITY The Parties incur liability in accordance with the Agreement.
  17. COMMENCEMENT AND TERMINATION This DPA shall become binding and effective on the date of both Parties’ signature of the Service Order relating to the software and related services, and it shall apply for the duration of the provision of the personal data processing services. The Processor shall process the Personal Data for the duration of this DPA which is for as long as the Personal Data Processing services are provided to the Controller.

Both Parties shall be entitled to require this DPA renegotiated if changes to the law or inexpediency of this DPA should give rise to such renegotiation.

In case of termination of the Agreement, the Processor must delete any existing copies of the Personal Data at the end of the termination notice of the Agreement, which includes this DPA, unless storage of the Personal Data is required by EU law or applicable member state law, and ensure that each Sub-Processor does the same.

SUB-ANNEX A DOCUMENTED INSTRUCTIONS ABOUT THE PROCESSING

  1. PURPOSE The purpose of the Processor’s processing of Personal Data on behalf of the Controller is to perform different forms of analyses of the Personal Data when requested to do so by the Controller.
  2. THE NATURE OF THE PROCESSING Personal Data relating to the orders between the Controller and the Controller’s customers will be processed within the cloud-based software solution for the purpose of providing different forms of analyses of the Personal Data when requested by the Controller.

The Processor may also process Personal Data, in accordance with the Controller’s separate instructions, to provide the Controller with statistics on the purchases.

Personal Data may also be processed by the Processor for support and maintenance errands.

The Processor is instructed to delete Personal Data at the separate request of the Controller during the term of the Agreement.

The Processor is entitled to copy the Personal Data Processed under the DPA and delete all personal data which makes it identifiable and keep such anonymised and statistical data for its own processing purposes, cf. clause 10 of the General Terms and Conditions (Appendix 1).

  1. CATEGORIES OF PERSONAL DATA Name of company, address, telephone number, e-mail address, purchase order information.
  2. CATEGORIES OF DATA SUBJECTS The Controller’s customers.
  3. LOCATIONS The Personal Data will be processed by Processor’s software and in Processor’s databases and by Processor’s sub-processors subject to Clause 7 of the DPA.

SUB-ANNEX B AUTHORISED SUB-PROCESSORS

  1. APPROVED SUB-PROCESSORS The Controller authorises the engagement of the following sub-processors and instructs the Processor to transfer any Personal Data to the sub-processor which is required for the sub-processor to provide its services:

     | NAME | COMPANY REG.NO | ADDRESS | DESCRIPTION OF PROCESSING |
     | --- | --- | --- | --- |
     | Amazon Web Services EMEA SARL | VAT ID: LU 26888617 | 38 avenue John F. Kennedy, L-1855 Luxembourg | Hosting and support |

  2. PRIOR NOTICE FOR THE AUTHORISATION OF SUB-PROCESSORS Any intended changes concerning the addition or replacement of other sub-processors shall be notified to Controller via e-mail to the e-mail address registered on the account.

SUB-ANNEX C – SECURITY OF PROCESSING

  1. GENERAL INFORMATION SECURITY When deciding on the level of security, the Processor shall take into account that the processing only involves Personal Data pursuant to Article 6 of the GDPR: name of company, address, telephone number, e-mail address and purchase order information, which is why a ‘medium’ level of security should be established.

The Processor shall hereinafter be entitled to, and under obligation to, make decisions about the technical and organisational security measures that are to be applied to maintain the necessary and appropriate level of security of processing.

  1. MINIMUM SECURITY MEASURES The Processor shall at least implement the following measures for the processing of personal data:

SECURITY MEASURE

Technical measures

Identity data and access management: Only Processor’s employees who perform processing of the Personal Data shall have access to the databases and other repositories containing personal data

Dual factor authentication (2FA) is enabled on all systems where supported

Back-up: Backup of Personal Data

Encryption of data communication: Communication containing Personal Data via backend of the System must be encrypted using SSL, minimum TLS 1.2

Firewalls: Standard firewalls must be in place

Antivirus protection: Antivirus protection must be in place on laptops processing the personal data

Password management: Access to systems is enforced with passwords of minimum 12 characters that include at least one uppercase letter, one lowercase letter and one number

Physical measures

Lock: Office space and storage space must be protected by a lock on the door

Organisational measures

Instructions and training of personnel processing personal data

Procedures related to identity data and access management

Procedures for reviewing access logs to verify access rights

Policies and procedures for incident management

Policies and procedures for compliance monitoring, e.g. periodical review of measures