Decideact Solutions ApS - Terms and Conditions
THESE TERMS AND CONDITIONS (“THE TERMS AND CONDITIONS”) SET FORTH THE OBLIGATIONS AND CONDITIONS BETWEEN YOU (“THE CUSTOMER”) AND DECIDEACT SOLUTIONS APS (“THE PROVIDER”) RELATING TO YOUR USE OF THE SERVICES AS DEFINED HEREIN. YOUR USE OF THE SERVICES IS EXPRESSLY CONDITIONED UPON YOUR COMPLETE ACCEPTANCE OF THESE TERMS AND CONDITIONS. BY MAKING USE OF THE SERVICES, YOU AGREE TO THESE TERMS AND CONDITIONS. THEREFORE, PLEASE READ THE TERMS AND CONDITIONS CAREFULLY BEFORE USING THE SOFTWARE, DECIDEACT. IF YOU DO NOT AGREE WITH THE TERMS AND CONDITIONS, YOU MUST NOT MAKE USE OF THE SERVICES.
1. Use of the Software
1.1. The Provider grants the Customer a limited, non-exclusive, non-transferable right to access and use the Services for the Customer’s business purposes. The Services must not be used by the Customer for, or on behalf of, 3rd parties that are not authorized under these Terms and Conditions. Any rights not expressly granted herein are reserved.
1.2. Pursuant to the Terms and Conditions, the Customer accepts that its right to use the Services will be web- and mobile-based only. The Software will not be installed on any hardware of the Customer, except for mobile devices. Also, the Customer accepts to use the most up-to-date version of the system that will be maintained by DecideAct, in order to extend and improve the functionality of the system. Updates are automatically made available by DecideAct and it is the Customer’s responsibility that the employees of the Customer (the User) keep the software version updated on User’s mobile device. Updates to the web-based system are automatically deployed by DecideAct.
2. Intellectual Property Rights and Data Usage
2.1. The Customer accepts that any right, title and interest in and to the Services and the Software, together with its object codes, interfaces, other documentation, derivative works, data (excluding the Customer’s Data), trademarks or other related intellectual property rights and materials (collectively “the Provider’s IPR”), are and shall at all times remain the sole and exclusive property of the Provider.
2.2. Notwithstanding clause 2.1 any data the Customer creates or owns (Customer’s Data) will remain the property of the Customer.
2.3. The Provider’s IPR includes trade secrets and proprietary information protected by applicable copyright laws and other laws related to intellectual property. Except for the right to use the Services, as expressly provided herein, these Terms and Conditions do not, either directly or indirectly, grant the Customer any rights to patents, copyrights, database rights, trade secrets, trademarks (whether registered or unregistered) or any other rights or licenses with respect to the Services or the Software.
2.4. The Customer must not, directly or indirectly, attempt or allow any employee, contractor or other 3rd party to copy, modify, duplicate, create derivative works from, frame, mirror, republish, reverse engineer, disassemble, download, transmit or distribute any part of the Services and/or Software in any form or media or by any means.
2.5. In case the Customer’s Data or parts hereof are developed by an employee of the Customer or by a 3rd party using the Software on behalf of the Customer, the right to the Customer’s Data or parts hereof shall be an internal matter for such employee or 3rd party and the Customer to agree on, and not a concern for the Provider.
3. Accessibility and performance of the Services
3.1. The Provider shall use commercially reasonable efforts to make the Services available twenty-four hours per day, seven days a week during the Term.
3.2. Notwithstanding clause 3.1, the Services shall not be available, 1) when scheduled system back-up or other ongoing maintenance as required and scheduled in advance by the Provider are carried out, or 2) if any unforeseen incident beyond the Provider’s reasonable control occurs, including – but not limited to – failure by the Provider’s suppliers, Internet network failures, outdated versions of the Customer’s software, denial of service attacks, similar attacks or any force majeure event.
3.3. The Provider further reserves the right to monitor and reasonably restrict the Customer’s ability to use the Services, if the Customer is using excessive computing resources impacting the performance of the Services for other subscribers. In such case, the Provider will notify the Customer in advance and use commercially reasonable efforts to determine an appropriate alternative or work-around solution.
3.4. For additional information on commitments with respect to the Provider’s terms and conditions for maintenance and Customer support see Service Level Agreement on the Provider’s homepage www.decideact.net.
4. Maintenance and Customer support
4.1. The Provider will maintain the Software, including patches and fixes to the Software and releases of new versions of the Software at no additional cost. Unless otherwise agreed, the maintenance shall not include any additional functionality or custom programming.
4.2. If requested by the Customer, the Provider shall offer Customer support to the Customer. Technical support shall be requested and provided by e-mail and be limited to questions regarding technical issues of the Software. Service support shall be requested and provided by e-mail and be limited to questions regarding the relationship between the Customer and the Provider. Technical support and Customer support by e-mail can be requested at all times and will be provided as fast as possible.
5. Protection of the Customer’s data
5.1. The Provider will maintain appropriate, physical, organizational and technical safety measures for protection of the security and confidentiality of the Customer’s Data, the data analysed by the Provider (the Analysed Data) and the Customer’s trade secrets.
5.2. The Provider shall not 1) disclose the Customer’s Data or the Customer’s trade secrets except as compelled by applicable laws or as expressly permitted in writing by the Customer or 2) access the Customer’s Data or the Customer’s trade secrets except to provide the Services, prevent or address Service or technical problems or in connection with the purposes listed under clause 5.3.
5.3. The Provider may use Customer’s Data as and to the extent necessary to prepare its invoices, provide support to the Customer and develop statistics. The Provider may also anonymise Customer Data which entails the removal or modification of any personally identifiable information, i.e. data sets that cannot be associated with any one individual. Anonymisation is a component in Provider’s protection of Customer’s Data. Further, by analysing anonymised data sets, Provider can improve and ensure the effectiveness of the Software.
5.4. To the extent that the provider processes any Personal Data on behalf of the Customer that is subject to the General Data Protection Regulation (the “GDPR”), the terms of the Data Processing Agreement, which is annexed to these Terms and Conditions, shall apply (see annex I).
5.5. Upon termination of the Agreement between Customer and Provider, any Customer’s Data that the Provider processes on behalf of Customer will be returned to the Customer. Should the Customer wish for additional services from the Provider, such as the data to be returned in a specific way or format, or to another data Processor, any such assistance should only be provided in return for payment.
6. Confidentiality
6.1. In addition to, but in no way limiting the requirements relating to the Provider’s IPR, the Customer shall use reasonable efforts (but in no case less than the efforts used to protect the Customer’s own proprietary information of a similar nature) to protect all proprietary, confidential and/or non-public information connected to the Software, the Services or the agreement between Customer and Provider (“the Confidential Information”).
6.2. The Customer must not disclose or publish the Confidential Information without the prior written consent of the Provider.
6.3. The restrictions on disclosure shall not apply to information, which was 1) generally available to the public at the time of disclosure, 2) already known to the Customer prior to disclosure pursuant to these Terms and Conditions, 3) obtained at any time lawfully from a 3rd party under circumstances permitting its use or disclosure to others or 4) required by law or court order to be disclosed.
6.4. The Provider is at all times entitled to make reference to the Customer as the Provider’s customer.
7. Limitation of liability
7.1. The Customer represents that it accepts sole and complete responsibility for 1) the selection of the Services to achieve the Customer’s intended business purposes, 2) use of the Services and 3) the Customer’s Data. The Provider shall thus not be responsible for any data or content uploaded, posted, communicated or otherwise made available via the Services by the Customer, the Customer’s employees (the Users) or any other 3rd party using the Software on behalf of the Customer.
7.2. To the maximum extent permitted by applicable law, the Provider shall in no event be liable for any special, incidental, indirect, consequential, punitive, exemplary or damages whatsoever, including – but not limited to – damages for loss of business profits, business interruption, loss of business information or any other pecuniary loss, arising out of the use or inability to use the Services. This limitation also applies to any claim arising out of product liability.
7.3. In any event, under no circumstances shall the Provider be liable for any loss, costs, expenses or damages to the Customer in an amount exceeding the Subscription Fee actually paid to the Provider by the Customer for the previous Subscription Period.
7.4. The Provider does not warrant that the Customer’s use of the Services will be uninterrupted or error free.
7.5. Except where expressly stated otherwise in these Terms and Conditions, the Services are provided “as is”, and the Provider disclaims any and all other warranties, express or implied, elsewhere to the maximum extent permitted by applicable laws.
8. Warranties and indemnifications
8.1. The Customer warrants that the Terms and Conditions are validly entered into and that the Customer has the legal power and authority to do so.
8.2. The Customer shall defend the Provider against any claim, demand, suit or proceeding made or brought against the Provider by a 3rd party alleging that the Customer’s Data, the Analysed Data or the Customer’s use of the Services in breach of these Terms and Conditions, infringes or misappropriates the intellectual property rights of a 3rd party or violates applicable law. In such case, the Customer shall indemnify the Provider for any damages, attorney fees and costs awarded against the Provider or for any amounts paid by the Provider under a court-approved settlement.
9.1. The Customer shall use the Services in accordance with any and all applicable laws.
9.2. With respect to the Services, the Terms and Conditions supersede any and all prior or contemporaneous understandings or agreements whether written or oral. No amendment or modification of the Terms and Conditions will be binding unless agreed to in writing signed by duly authorized representatives of the Customer and the Provider and such writing makes specific reference to these Terms and Conditions and its intention as an amendment hereto.
9.3. Notwithstanding clause 9.2, the Provider may amend the Terms and Conditions by providing 30 days’ prior written notice to the Customer. The Customer will be bound by such amendments unless they are materially and adversely impacting the Customer and the Customer within 14 days notifies the Provider specifying the amendments which the Customer determines to be materially and negatively affecting the Customer. The parties shall then try to mutually agree on an alternative wording acceptable to the parties. If such agreement cannot be reached within a reasonable timeframe, the Provider may either waive the amendments or terminate the Terms and Conditions as well as any other agreement with the Customer. If the Customer does not provide the aforementioned notice and continues payment or use of Services after the amendment has taken effect, the Customer is deemed to have accepted the amendment.
9.4. The following clauses shall survive any termination of the agreement between Customer and Provider: Clause 2 Intellectual Property Rights, Clause 6 Confidentiality, Clause 7 Limitation of Liability, Clause 8 Warranties and indemnifications and Clause 9.4.
9.5. The Provider’s contact details are: DecideAct Solutions ApS, Business Registration Number 36080191, Østre Kajgade 3, 3730 Nexø, Denmark, telephone +4578756550, e-mail firstname.lastname@example.org
Annex - Data Processing Agreement
The following Data Processing Agreement ("DPA") has been entered into by
The Customer (as defined in the Terms and Conditions) (hereinafter “Data Controller”) as the data controller
and
The Provider (as defined in the Terms and Conditions) (hereinafter “Data Processor”) as the data processor
(hereinafter individually referred to as a “Party” and jointly the “Parties”):
1. Personal data and data processing
1.1. As part of the Data Processor’s services to the Data Controller, the Data Processor will, on behalf of the Data Controller, process data relating to employees of the Data Controller. This is the sole category of data subjects (hereinafter the “Individuals”).
1.2. The Data Processor processes, on behalf of the Data Controller, the following categories of personal data (hereinafter “Personal Data”) concerning the Individuals:
- No Special categories of personal data e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
- No Criminal records.
- No National identification.
- Only other General categories of personal data: Name, email, title, phone, device ID (if the application is installed on User’s (employee of the Customer) mobile device) and job-related data.
1.3. The Data Processor processes, on behalf of the Data Controller, the Personal Data for the following purposes: Strategic implementation, governance and accountability.
1.4. The processing by the Data Processor, on behalf of the Data Controller, of the Personal Data includes the following activities:
- Initialize the service and insert Personal Data
- Providing remote access to the Data Controller’s Customers of DecideAct Services
- Storage of Personal Data, ensuring the accessibility, integrity and confidentiality of the systems
1.5. The Data Processor is responsible for storing the Personal Data within the EU/EEA and not transferring the Personal Data to countries outside the EU/EEA without the prior written acceptance of the Data Controller, except transfers that are subject to appropriate safeguards.
2. Instructions and confidentiality
2.1. The Data Processor may only process the Personal Data in compliance with documented instructions from the Data Controller, including transfer of Personal Data to any third country or international organization. If, in exceptional cases, the Data Processor is instructed to process Personal Data, including transferring Personal Data to a third country or an international organization, and this does not follow from the instructions of the Data Controller but is pursuant to EU or member state law to which the Data Processor is subject, then the Data Processor must notify the Data Controller of such legal requirements before commencing the processing unless such notification is prohibited on important grounds of public interest.
2.2. The Data Processor must ensure that employees or persons under the Data Processor’s authority, that are authorized to process Personal Data, have assumed a contractual confidentiality obligation or are subject to a statutory obligation of secrecy.
2.3. The Data Processor must ensure that access to the Personal Data is limited to employees with a work-related need.
2.4. The Data Processor shall notify the Data Controller without undue delay after becoming aware of a personal data breach, and follow the procedures in Article 33 of the EU Regulation 2016/679 on General Data Protection (“GDPR”).
3. Security etc.
3.1. To protect the Personal Data, the Data Processor must implement appropriate technical and organisational measures in such a manner that the processing meets the requirements set out in the GDPR. Such measures are determined and adjusted on a regular basis with due consideration for the current technical level, expenses, and the nature, scope, context and purposes of the processing and the risks to the rights of natural persons, cf. Article 32 of the GDPR.
3.2. The Data Processor must ensure that the Personal Data are deleted from every IT-system, archive etc. when continued storage no longer serves a fair purpose and as instructed by the Data Controller.
3.3. The Data Processor must inform and train relevant employees on confidentiality relating to the processing of Personal Data and must ensure that the processing is in compliance with the purposes of this Agreement and the instructions of the Data Controller.
3.4. In addition, the Data Processor must, as a minimum, take the following measures:
a. Physical security: When equipment and mobile units are not used, the equipment and the units must be locked away and/or locked.
b. Back-up copies: The Personal Data must be backed up routinely. Copies of the Personal Data must be stored separately and with due care in such a manner that the Personal Data can be restored. Instructions to delete Personal Data must include deletion of Personal Data backed up.
c. Control of access: Access to the Personal Data must be limited by way of a technical control of access. User-ID and password must be personal and may not be assigned at any time. Procedures must be in place for the granting and removing of access.
d. Logging: A log or similar over access to and processing of the Personal Data must be kept. A register must be available showing those persons who have had access and the processing the individual has conducted.
e. Communication of data: Communication of the Personal Data must take place, using secure communication lines. Personal Data that are transferred outside a closed network controlled by the Data Processor must be protected by encryption.
f. Destruction of hardware: When equipment or mobile units containing Personal Data are no longer used to process Personal Data, the Personal Data must be permanently deleted from the equipment, ensuring that the data cannot be restored.
4.1. Data Controller hereby confirms its general written authorization for Data Processor’s use of the Sub-processors listed at https://www.decideact.net/sub-processors in accordance with Article 28 of the GDPR to assist it in providing the service and Processing Data provided that such Sub-processors:
a. agree to act only on Data Processor’s instructions when processing the Personal Data (which instructions shall be consistent with Data Controller’s Processing instructions to Data Processor)
b. agree to protect the Personal Data to a standard consistent with the requirements of this DPA. Further, such protection obligations shall be imposed on that Sub-processor by way of a contract or other legal act under EU or Member State law.
4.2. Data Processor agrees and warrants to remain liable to Data Controller for the subcontracted processing services. Data Processor shall maintain an up-to-date list of the names and location of all Sub-processors at https://www.decideact.net/sub-processors and also available upon request to email@example.com. Data Processor shall update the list on its website of any Sub-processor to be appointed at least 30 days prior to the date on which the Sub-processor shall commence processing Personal Data. The Data Controller must sign up to receive email notifications of any such changes. The details of the sign-up process are described at the aforementioned URL.
4.3. In the event that Data Controller objects to the Processing of its Personal Data by any newly appointed Sub-processor as described in Section 4.2, it shall notify Data Processor within 30 days following the update of its online policy above. In such event, Data Processor will either (a) instruct the Sub-processor to cease any further processing of Data Controller’s Personal Data, in which event this DPA shall continue unaffected, or (b) allow Data Controller to terminate this DPA (and any related services agreement with Data Processor) immediately and provide it with a pro rata reimbursement of any sums paid in advance for Services to be provided but not yet received by Data Controller as of the effective date of termination. Section 7.2 applies upon termination.
4.4. Data Controller’s Services include possible integrations with Third Party Services, including, without limitation, certain Third Party Services which may be integrated directly into Data Controller’s account or instance in the Service. If Data Controller elects to enable, access or use such Third Party Services, its access and use of such Third Party Services is governed solely by the terms and conditions and privacy policies of such Third Party Services, and Data Processor does not endorse, is not responsible or liable for, and makes no representations as to any aspect of such Third Party Services, including, without limitation, their content or the manner in which they handle Service Data (including Personal Data) or any interaction between Data Controller and the provider of such Third Party Services. Data Processor is not liable for any damage or loss caused or alleged to be caused by or in connection with Data Controller’s enablement, access or use of any such Third Party Services, or Data Controller’s reliance on the privacy practices, data security processes or other policies of such Third Party Services. The providers of Third Party Services shall not be deemed Sub-processors for any purpose under this DPA.
5. Assistance to the Data Controller
5.1. The Data Processor must assist the Data Controller to ensure that all obligations under Art. 32-36 of the GDPR and other applicable data protection and information security legislation are met, i.e. security measures, notification of supervisory authorities, notification of individuals, preparation of data protection impact assessments and prior consultation of the supervisory authorities.
5.2. Taking into account the nature of the processing, the Data Processor must, to the extent possible and by means of appropriate technical and organisational measures, assist the Data Controller in meeting the Data Controller’s legal obligations to respond to requests for exercising the individuals’ rights laid down in Chapter III of the GDPR.
5.3. The Data Processor must notify the Data Controller of any personal data breaches without undue delay.
5.4. The Data Processor must immediately notify the Data Controller if the Data Processor believes that an instruction violates the General Data Protection Regulation or other data protection provisions in other EU law or member states’ national law.
6. Demonstration of compliance, audits etc.
6.1. The Data Processor must, upon request and without separate remuneration, make all information necessary available to the Data Controller to demonstrate compliance with the obligations of this Agreement, the GDPR and other special legislation.
6.2. The Data Processor must provide means and contribute to audits, including inspections performed by the Data Controller or auditors authorized by the Data Controller, the Danish public authorities, or another competent jurisdiction. The relevant auditor must be subject to confidentiality obligations, either under an agreement or law.
7. Term and termination
7.1. This DPA shall take effect when entered into and shall be in force until it is terminated by one of the Parties at 3 months’ notice.
7.2. Unless this DPA is superseded by another DPA, termination of this DPA will likewise result in termination of the Agreement.
7.3. Upon termination of this DPA, the Data Processor must return all Personal Data to the Data Controller or assign the Personal Data to a new Processor on the instruction of the Data Controller, cf. clause 5.5 of the Agreement. Thereafter, the Data Processor must delete all existing copies of the Personal Data immediately, unless EU or member state law prescribes requirements for the continued storage of the Personal Data.
7.4. If, following the termination of this DPA, there is uncertainty as to whether the Data Processor has deleted all the Personal Data, the Data Controller may request the Data Processor to, at the expense of the Data Controller, request an auditor’s statement stating that the data processing no longer takes place and that the Personal Data have been deleted.
8.1. Notwithstanding clause 7, this DPA will remain in force as long as Data Processor processes Personal Data on behalf of Data Controller.
9. NO CONSEQUENTIAL DAMAGES; LIMITATION ON LIABILITY
9.1. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY (WHETHER IN CONTRACT, TORT, NEGLIGENCE OR OTHERWISE) WILL EITHER PARTY TO THIS DPA, OR THEIR AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SERVICE PROVIDERS, SUPPLIERS OR LICENSORS BE LIABLE TO THE OTHER PARTY OR ANY THIRD PARTY FOR ANY LOST PROFITS, LOST SALES OR BUSINESS, LOST DATA (BEING DATA LOST IN THE COURSE OF TRANSMISSION VIA DATA CONTROLLER’S SYSTEMS OR OVER THE INTERNET THROUGH NO FAULT OF DATA PROCESSOR), BUSINESS INTERRUPTION, LOSS OF GOODWILL, OR FOR ANY OTHER TYPE OF INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, CONSEQUENTIAL OR PUNITIVE LOSS OR DAMAGES, OR ANY OTHER INDIRECT LOSS OR DAMAGES INCURRED BY THE OTHER PARTY OR ANY THIRD PARTY IN CONNECTION WITH THIS DPA, OR THE SERVICES, REGARDLESS OF WHETHER SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF OR COULD HAVE FORESEEN SUCH DAMAGES.
9.2. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS DPA, THE SAAS AGREEMENT OR THE TERMS AND CONDITIONS, DATA PROCESSOR’S AGGREGATE LIABILITY TO DATA CONTROLLER OR ANY THIRD PARTY ARISING OUT OF THIS DPA AND ANY LICENSE, USE OR EMPLOYMENT OF THE SERVICE, SHALL IN NO EVENT EXCEED THE LIMITATIONS SET FORTH IN THE SAAS AGREEMENT OR THE TERMS AND CONDITIONS.
9.3. FOR THE AVOIDANCE OF DOUBT, THIS SECTION SHALL NOT BE CONSTRUED AS LIMITING THE LIABILITY OF EITHER PARTY WITH RESPECT TO CLAIMS BROUGHT BY DATA-SUBJECTS.
LAST UPDATED: November 27, 2020 by LRG, DecideAct